This article presents example Authorization Policy configurations for some typical use cases. For SSO Authorization Policy documentation, please refer to:
...
Name | Value | Example Data | Example Result |
---|---|---|---|
given_name | ${user['givenName'][0].toUpperCase()} | givenName=Michael | "MICHAEL" |
full_name | ${user['givenName'][0].concat(' ').concat(user['sn'][0])} | givenName=Michael, sn=Jones | "Michael Jones" |
is_employee | ${user['mail'][0].toLowerCase().endsWith('@ubisecure.com')} | mail=user.demo@customer.com | "false" |
email_domain | ${user['mail'][0].substring(user['mail'][0].indexOf('@')+1)} | mail=ubisecure.demo@example.com | "example.com" |
test_account | ${user['givenName'][0].toLowerCase().contains('application_test')} | givenName=Application_Test | "true" |
birthdate | ${method['urn:oid:1.2.246.21'][0].contains('-') ? "19".concat(method['urn:oid:1.2.246.21'][0].substring(4, 6)).concat("-").concat(method['urn:oid:1.2.246.21'][0].substring(2, 4)).concat("-").concat(method['urn:oid:1.2.246.21'][0].substring(0, 2)) : "20".concat(method['urn:oid:1.2.246.21'][0].substring(4, 6)).concat("-").concat(method['urn:oid:1.2.246.21'][0].substring(2, 4)).concat("-").concat(method['urn:oid:1.2.246.21'][0].substring(0, 2))} | 150990-304Y 100302A017X | 1990-09-15 2002-03-10 |
mobile | ${user['mobile'][0].startsWith('0') ? '+358'.concat(user['mobile'][0].substring(1)) : user['mobile'][0]} | 0401234567 +4422334456 | +358401234567 +4422334456 |
String values can also be modified by using regular expressions with the re:replace function, for example as follows:
...
| Name | Value | Comment | Example Data | Example Result |
|---|---|---|---|---|
| | ${attribute.name("email").values(sha256.text('exampleAppString'.concat(user.telephoneNumber[0])).toString().concat('@example.com'))} | Generate a virtual email address formed by hashing user attributes. Here the hash is made from an application-specific string concatenated with a custom userId that is stored in user.telephoneNumber. The email domain is then appended to the resulting string. | 123456 | 794f037115472dd0831df46a01e300a970507b6632a493915c8e1e59fa1a0d47@example.com |
| uidbase64 | ${base64:encode(utf8:bytes(user['uid'][0]))} | Base64-encode user.uid. Because the base64:encode() function requires a byte array as its input parameter and user.uid is a String, it must first be converted to a byte array with utf8:bytes(). | jsmith | anNtaXRo |
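Before enabling mappings like these it helps to check the string logic against known inputs. The following Python is an added example (not Ubisecure code and not the SSO expression language) that mirrors the birthdate, mobile, virtual-email and base64 rows above, with one deliberate difference: a missing or empty attribute returns None instead of failing, which is the case the bare `[0]` indexing in the expressions does not guard. The attribute names and sample values are constructed for this example.

```python
import base64
import hashlib

# Constructed sample user record, shaped like the multi-valued attribute
# map the policy expressions index with [0]; values are made up for this example.
SAMPLE_USER = {
    "givenName": ["Michael"],
    "sn": ["Jones"],
    "mail": ["ubisecure.demo@example.com"],
    "mobile": ["0401234567"],
    "uid": ["jsmith"],
    "telephoneNumber": ["123456"],
}

def first(attrs, name):
    """Mirror user['x'][0], but return None (instead of failing) when the attribute is absent or empty."""
    values = attrs.get(name) or []
    return values[0] if values else None

def birthdate_from_hetu(code):
    """YYYY-MM-DD from a Finnish personal identity code, exactly as the policy
    expression does it: '-' marks the 1900s, any other century marker is treated as 2000s."""
    if code is None or len(code) < 7:
        return None
    century = "19" if "-" in code else "20"
    return f"{century}{code[4:6]}-{code[2:4]}-{code[0:2]}"

def normalize_mobile(number):
    """Rewrite a national Finnish number (leading 0) to +358 form; leave others unchanged."""
    if number is None:
        return None
    return "+358" + number[1:] if number.startswith("0") else number

def virtual_email(attrs, app_string="exampleAppString", domain="example.com"):
    """Hex SHA-256 of app_string + telephoneNumber, with the domain appended."""
    user_id = first(attrs, "telephoneNumber")
    if user_id is None:
        return None
    digest = hashlib.sha256((app_string + user_id).encode("utf-8")).hexdigest()
    return f"{digest}@{domain}"

def uid_base64(attrs):
    """base64:encode(utf8:bytes(user['uid'][0])) with the same missing-value guard."""
    uid = first(attrs, "uid")
    return None if uid is None else base64.b64encode(uid.encode("utf-8")).decode("ascii")
```

Running the functions against the example data from the tables reproduces the results shown there; feeding an empty record shows the None path that a user without the attribute would otherwise trigger as an evaluation error.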
Role Based Access Control
...