It is possible to use Java EL expressions in place of attribute values. This enables more complicated techniques available in Java EL syntax for building attribute values, such as concatenation of strings.

The convention used in this Java EL API documentation is:

For top level attributes:

attributeName [AttributeType]
Description of the attribute and its contents.
- propertyName [PropertyType]
  Description of the property.
- methodName(Parameter1Type parameter1Name,…) [ReturnType]
  Description of the method.

For top level functions:

prefix:functionName(Parameter1Type parameter1Name,…) [ReturnType]
Description of the function

Readable variables

Authorization Policy provides a number of variables whose properties can be read, but not written into. The variables are:

Variable	Description

Variable	Description
`user`	Contents depend on the type of the user directory. LDAP: Contains all the attributes of the user’s entry in the directory, for example `user.cn` or `user[‘cn’]` resolves to the cn attribute of user in an LDAP user directory. SQL: Contains all the attributes defined by UbiloginAuthorizer view.
`method`	Contains all the attributes defined by the authentication method, after attribute mapping (see section 2.3) is applied. Additionally, in case the Authorization Policy is registered to an OAuth2 –application, the method bean exposes following built-in attributes: grant_type The grant_type of the authentication request that was used for obtaining the token. refresh_token_iat If grant_type is refresh_token then this contains the create time of refresh_token.
`prefix`	Contains the collection of all authorizer implementations registered in Ubisecure SSO, with their prefixes as keys.[PS1] [AÅ2]
`username`	Contains the properties of the user in the user directory. Changes to nameID variable are not reflected in this variable. `value [String]` `handle [String]` `format [String]` `nameQualifier [String]` `spNameQualifier [String]` `spProvidedID [String]`
`sso`	Contains the following properties. `id [String]` – SSO session ID. This should never be sent to an application as plain text. Instead sha1 digest should be used to create a transient session id, like `${sha1.text(sso.id).uuid}` `locale [String]` – Value of the current UI locale. `template [String]` – Name of the current UI template.
`response`	Contains the following properties originating from a SAML 2 authentication response. `authnContextDeclRef [String]` - The value of the AuthnContextDeclRef element in the SAML 2 Assertion. `authnContextClassRef [String]` - The value of the AuthnContextClassRef element in the SAML 2 Assertion. `authenticatingAuthority [List<String>]` - The values of the AuthenticatingAuthority elements in the SAML 2 Assertion.

Examples of use:

Get user’s CN attribute in the user directory and concatenate it with string ‘@example.com’. Both expressions are equivalent.

${user['cn']}@example.com or ${user.cn[0].concat('@example.com')}

Sends the name of the current template used

${sso.template}

Sends the currently selected user interface locale

${sso.locale}

Sends the currently selected user description decrypted

${server.decrypt(user.description)}

Modifiable variables

Authorization Policy contains two variables, nameID and attribute, which allow modifications to their underlying models.

nameID [NameIDBuider]
(SAML only) The nameID element of the SAML Assertion to be sent to the application.

attribute [AttributeBuilder]
The attribute in current authorization policy context, which will be sent to the application.

authnContext [AuthnContextBuider]
(SAML only) The nameID element of the SAML Assertion to be sent to the application.

Examples of use:

Set a value manager to attribute role.

Expression language API - SSO

Readable variables

Modifiable variables