Expression language API - SSO

It is possible to use Java EL expressions in place of attribute values. This enables more complicated techniques available in Java EL syntax for building attribute values, such as concatenation of strings.

The convention used in this Java EL API documentation is:

For top level attributes:

  • attributeName [AttributeType]
    Description of the attribute and its contents.
    • propertyName [PropertyType]
      Description of the property.
    • methodName(Parameter1Type parameter1Name,…) [ReturnType]
      Description of the method.

For top level functions:

  • prefix:functionName(Parameter1Type parameter1Name,…) [ReturnType]
    Description of the function

Readable variables

Authorization Policy provides a number of variables whose properties can be read, but not written into. The variables are:

VariableDescription
userContents depend on the type of the user directory.
  • LDAP: Contains all the attributes of the user’s entry in the directory, for example user.cn or user[‘cn’] resolves to the cn attribute of user in an LDAP user directory.
  • SQL: Contains all the attributes defined by UbiloginAuthorizer view.
methodContains all the attributes defined by the authentication method, after attribute mapping (see section 2.3) is applied.
  • Additionally, in case the Authorization Policy is registered to an OAuth2 –application, the method bean exposes following built-in attributes:
    • grant_type
      The grant_type of the authentication request that was used for obtaining the token.
    • refresh_token_iat
      If grant_type is refresh_token then this contains the create time of refresh_token.
prefix Contains the collection of all authorizer implementations registered in Ubisecure SSO, with their prefixes as keys.[PS1] [AÅ2]
usernameContains the properties of the user in the user directory. Changes to nameID variable are not reflected in this variable.
  • value [String]
  • handle [String]
  • format [String]
  • nameQualifier [String]
  • spNameQualifier [String]
  • spProvidedID [String]
sso Contains the following properties.
  • id [String] – SSO session ID. This should never be sent to an application as plain text. Instead sha1 digest should be used to create a transient session id, like ${sha1.text(sso.id).uuid}
  • locale [String] – Value of the current UI locale.
  • template [String] – Name of the current UI template.
response

Contains the following properties originating from a SAML 2 authentication response.

  • authnContextDeclRef [String] - The value of the AuthnContextDeclRef element in the SAML 2 Assertion.
  • authnContextClassRef [String] - The value of the AuthnContextClassRef element in the SAML 2 Assertion.
  • authenticatingAuthority [List<String>] - The values of the AuthenticatingAuthority elements in the SAML 2 Assertion.

Examples of use:

Get user’s CN attribute in the user directory and concatenate it with string ‘@example.com’. Both expressions are equivalent.

  • ${user['cn']}@example.com or ${user.cn[0].concat('@example.com')}

Sends the name of the current template used

  • ${sso.template}

Sends the currently selected user interface locale

  • ${sso.locale}

Sends the currently selected user description decrypted

  • ${server.decrypt(user.description)}

Modifiable variables

Authorization Policy contains two variables, nameID and attribute, which allow modifications to their underlying models.

  • nameID [NameIDBuider]
    (SAML only) The nameID element of the SAML Assertion to be sent to the application.

    VariableDescription
    value(String s) [NameIDBuider]Set the value of the nameID.
    format(String s) [NameIDBuider]Set the format of the nameID. Valid values are:
    • UNSPECIFIED ­
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
    • EMAILADDRESS ­
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • X509SUBJECTNAME ­
      urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
    • WINDOWSDOMAINQUALIFIEDNAME ­
      urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
    • KERBEROS ­
      urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
    • ENTITY ­
      urn:oasis:names:tc:SAML:2.0:nameid-format:entity
    nameQualifier(String s) [NameIDBuider]Set the nameQualifier of the nameID.
    spNameQualifier(String s) [NameIDBuider]Set the spNameQualifier of the nameID.
    spProvidedID(String s) [NameIDBuider]Set the spProvidedID of the nameID.
  • attribute [AttributeBuilder]
    The attribute in current authorization policy context, which will be sent to the application.

    VariableDescription
    name(String s) [AttributeBuilder]Set the name of the attribute. Note that this overrides the setting in authorization policy itself.
    values(String s) [AttributeBuilder]Add a value for the attribute.
    nameFormat(String s) [AttributeBuilder] Set the nameFormat of the attribute. Valid values are:
    • UNSPECIFIED
      urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    • URI
      urn:oasis:names:tc:SAML:2.0:attrname-format:uri
    • BASIC
      urn:oasis:names:tc:SAML:2.0:attrname-format:basic
    friendlyName(String s) [AttributeBuilder]Set the friendlyName of the attribute.


    authnContext [AuthnContextBuider]
    (SAML only) The nameID element of the SAML Assertion to be sent to the application.

    VariableDescription
    authnContextDeclRef(String s) [AuthnContextBuider]Set the value of the AuthnContextDeclRef element.
    authnContextClassRef(String s) [AuthnContextBuider]Set the value of the AuthnContextClassRef element.
    authenticatingAuthority(List<String> s) [AuthnContextBuider]Set the values of the AuthenticatingAuthority elements.

Examples of use:

Set a value manager to attribute role.

  • ${attribute.name('role').values('manager')}

Set user.cn concatenated with @example.com as the value of nameID and emailaddress as its format.

  • ${nameID.value(user.cn[0].concat('@example.com')).format('emailaddress')}

Returns the givenName concatenated with a whitespace character and the user surname.

  • ${user.givenName[0].concat(' ').concat(user.sn[0])}

Returns “true” if the user has the exact match CustomerID role Users/OrganizationMainUser. Otherwise “false” is returned.

  • ${eidm['roles'].contains('Users/OrganizationMainUser')}

Returns “true” if the user status in Ubisecure CustomerID is 'Enabled' (='1'). Otherwise a null value is returned. This is useful if you also add the specified attribute to the list of required attributes. Then only enabled users can get access to the service.

  • ${eidm['user:status'].contains('1') ? 'true' : null}

Returns “adminuser” if the user has the exact match CustomerID role Users/OrganizationMainUser. Otherwise “normaluser” is returned.

  • ${eidm['roles'].contains('Users/OrganizationMainUser') ? 'adminuser' : 'normaluser'}

Return "adminuser" if the user has any CustomerID role containing text OrganizationMainUser. Otherwise "normaluser" is returned.

  • ${eidm['roles'].stream().anyMatch(r -> r.contains('OrganizationMainUser')).orElse(false) ? 'adminuser' : 'normaluser'}

Forwards AuthnContext from inbound SAML2 response (i.e. received by SSO) to outbound SAML2 response (i.e. sent by SSO).

  • ${authnContext.authnContextDeclRef(response.authnContextDeclRef).authnContextClassRef(response.authnContextClassRef).authenticatingAuthority(response.authenticatingAuthority)}

When setting an attribute 'level-of-assurance', its value is based on the presence of a method attribute. In the example below, if there is no method attribute ‘any-method-attribute-name’ or it is empty, then the level-of-assurance will be set at a lower level of 2. If the method attribute ‘any-method-attribute-name’ is present and it is not empty, then the level-of-assurance will be set to a level of 3.

  • ${attribute.name('level-of-assurance').values(empty method['any-method-attribute-name'] ? '2' : '3')}

The following example will return a subset of all of the group memberships that a user has. It will look at only group memberships that start with CN=test_ and the extract only the CN of the role names based on a regular expression. For example, if the member belongs to the following groups: 

CN=test_user,OU=Test,CN=Ubilogin,DC=login,DC=smartplan,DC=com

CN=test_admin,OU=Test,CN=Ubilogin,DC=login,DC=smartplan,DC=com

CN=Accounting Users,OU=Accounting,OU=System,CN=Ubilogin,DC=login,DC=smartplan,DC=com

The following multivalue attribute value will be returned:

test_user

test_admin

  • ${user['ubiloginMemberOf'].stream().filter(str -> str.startsWith("CN=test_")).map(dn -> dn.replaceFirst("^CN=([^,]+).+$", "$1")).toList()}

When setting an attribute 'role', its value is based on the presence of a method attribute. In the example below, if there is no method attribute ‘administrator’ or it is empty, then the role will be set to "user". If the method attribute ‘administrator’ is present and it is not empty, then the role will be set to "admin".

  • ${attribute.name('role').values(empty method['administrator'] ? 'user' : 'admin')}

Helper variables

  • sha1 [DigestBuilder]
    Helper for building SHA1 digest.

    VariableDescription
    text(String input) [DigestBuilder]Append input string to digest builder.
    bytes(byte[] input) [DigestBuilder]Append input bytearray to digest builder.
    guid [UUID]Convert digest to GUID.
    uuid [UUID] Convert digest to UUID.
  • sha256 [DigestBuilder]
    Helper for building SHA256 digest.

    VariableDescription
    text(String input) [DigestBuilder] Append input string to digest builder.
    bytes(byte[] input) [DigestBuilder]Append input bytearray to digest builder.
    guid [UUID]Convert digest to GUID.
    uuid [UUID] Convert digest to UUID.

     

Examples of use:

Create SHA256 digest of SSO Session ID and convert the digest to UUID.

  • ${sha256.text(sso.id).uuid}

Functions

FunctionDescription
xss:html(String input) [String]Encode input string for HTML.
xss:url(String input) [String]Encode input string for URL.
xss:js(String input) [String]Encode input string for JavaScript.
xss:json(String input) [String]Encode input string for JSON.
c14n:text(String input) [String]Encode input string for Text Node in Canonical XML.
c14n:attr(String name, String input) [String]Encode input string for Attribute Node name in Canonical XML.
base64:encode(byte[] input) [String]Base64 encode input bytearray.

md5:encode(byte[] input) [String]

md5 encode input bytearray. (Requires SSO 6.9 or newer)

guid:encode(byte[] input) [String]

UUID/GUID encode bytearray. Array’s length must be 16 bytes.
utf8:bytes(string input) [byte[]]UTF8 encode input string and convert to byte array.
digest:sha1(byte[] input) [byte[]]SHA1 digest of input bytearray.
digest:sha256(byte[] input) [byte[]]SHA256 digest of input bytearray.
re:replace(String input, String regex, String replacement) [String]Replaces the first substring of input string that matches the given regular expression with the given replacement.

Examples of use:

${base64:encode(utf8:bytes(user.uid))}
or
${base64:encode(utf8:bytes(user['uid'][0]))}

Base64 encode user.uid. Because base64:encode() function requires a bytearray as input parameter, and user.uid is String, it needs to be converted to bytearray using utf8:bytes().

Migration from old expressions to Java EL

All the authorization policy expressions in the old format can be converted to Java EL format. The conversion rules are:

Old ExpressionJava EL format
user:property${user.property} or ${user['property']}
user:property;binary${user['property;binary']} or ${encode:base64(user['property;binary'][0])}
user:../property${user.parent.property}
method:property${method.property}
text:Literal valueLiteral value
prefix:xyz${prefix['xyz']}

This web page (including any attachments) may contain confidential, proprietary, or privileged information – not for disclosure without authorization from Ubisecure Inc. Copyright © 2024. All Rights Reserved.