It is possible to use Java EL expressions in place of attribute values. This enables more complicated techniques available in Java EL syntax for building attribute values, such as concatenation of strings.
The convention used in this Java EL API documentation is:
For top level attributes:
- attributeName [AttributeType]
Description of the attribute and its contents.- propertyName [PropertyType]
Description of the property. - methodName(Parameter1Type parameter1Name,…) [ReturnType]
Description of the method.
- propertyName [PropertyType]
For top level functions:
- prefix:functionName(Parameter1Type parameter1Name,…) [ReturnType]
Description of the function
Readable variables
Authorization Policy provides a number of variables whose properties can be read, but not written into. The variables are:
Variable | Description |
---|---|
user | Contents depend on the type of the user directory.
|
method | Contains all the attributes defined by the authentication method, after attribute mapping (see section 2.3) is applied.
|
prefix | Contains the collection of all authorizer implementations registered in Ubisecure SSO, with their prefixes as keys.[PS1] [AÅ2] |
username | Contains the properties of the user in the user directory. Changes to nameID variable are not reflected in this variable.
|
sso | Contains the following properties.
|
response | Contains the following properties originating from a SAML 2 authentication response.
|
Examples of use:
Get user’s CN attribute in the user directory and concatenate it with string ‘@example.com’. Both expressions are equivalent.
${user.cn}@example.com or ${user.cn[0].concat('@example.com')}
Sends the name of the current template used
${sso.template}
Sends the currently selected user interface locale
${sso.locale}
Sends the currently selected user description decrypted
${server.decrypt(user.description)}
Modifiable variables
Authorization Policy contains two variables, nameID and attribute, which allow modifications to their underlying models.
nameID [NameIDBuider]
(SAML only) The nameID element of the SAML Assertion to be sent to the application.Variable Description value(String s) [NameIDBuider]
Set the value of the nameID. format(String s) [NameIDBuider]
Set the format of the nameID. Valid values are: - UNSPECIFIED
urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- EMAILADDRESS
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
- X509SUBJECTNAME
urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
- WINDOWSDOMAINQUALIFIEDNAME
urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName
- KERBEROS
urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos
- ENTITY
urn:oasis:names:tc:SAML:2.0:nameid-format:entity
nameQualifier(String s) [NameIDBuider]
Set the nameQualifier of the nameID. spNameQualifier(String s) [NameIDBuider]
Set the spNameQualifier of the nameID. spProvidedID(String s) [NameIDBuider]
Set the spProvidedID of the nameID. - UNSPECIFIED
attribute [AttributeBuilder]
The attribute in current authorization policy context, which will be sent to the application.Variable Description name(String s) [AttributeBuilder]
Set the name of the attribute. Note that this overrides the setting in authorization policy itself. values(String s) [AttributeBuilder]
Add a value for the attribute. nameFormat(String s) [AttributeBuilder]
Set the nameFormat of the attribute. Valid values are: - UNSPECIFIED
urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
- URI
urn:oasis:names:tc:SAML:2.0:attrname-format:uri
- BASIC
urn:oasis:names:tc:SAML:2.0:attrname-format:basic
friendlyName(String s) [AttributeBuilder]
Set the friendlyName of the attribute. authnContext [AuthnContextBuider]
(SAML only) The nameID element of the SAML Assertion to be sent to the application.Variable Description authnContextDeclRef(String s) [AuthnContextBuider]
Set the value of the AuthnContextDeclRef element. authnContextClassRef(String s) [
AuthnContextBuider
]Set the value of the AuthnContextClassRef element. authenticatingAuthority(List<String> s) [
AuthnContextBuider
]Set the values of the AuthenticatingAuthority elements. - UNSPECIFIED
Examples of use:
Set a value manager to attribute role.
${attribute.name('role').values('manager')}
Set user.cn
[PS4] [AÅ5] as the value of the nameID, x509subject
as its format and user.directory.name
as its nameQualifier. This example shows how the methods can be chained.
${nameID.value(user.cn).format(‘x509subjectname’).nameQualifier(user.directory.name)}
[PS3]
Set user.cn
concatenated with @example.com
as the value of nameID and emailaddress as its format.
${nameID.value(user.cn[0].concat('@example.com')).format('emailaddress')}
Returns the givenName concatenated with a whitespace character and the user surname.
${user.givenName[0].concat(' ').concat(user.sn[0])}
Returns “true” if the user has the absolute CustomerID role Users/OrganizationMainUser
. Otherwise “false” is returned.
${eidm['roles'].contains('Users/OrganizationMainUser') ? 'true' : 'false'}
Returns “true” if the user status in Ubisecure CustomerID is 'Enabled' (='1'). Otherwise a null value is returned. This is useful if you also add the specified attribute to the list of required attributes. Then only enabled users can get access to the service.
${eidm['user.status'].contains('1') ? 'true' : null}
Returns “useradmin” if the user has the absolute CustomerID role Users/OrganizationMainUser
. Otherwise “normaluser” is returned.
${eidm['roles'].contains('Users/OrganizationMainUser') ? 'useradmin' : 'normaluser'}
Forwards AuthnContext from inbound SAML2 response (i.e. received by SSO) to outbound SAML2 response (i.e. sent by SSO).
${authnContext.authnContextDeclRef(response.authnContextDeclRef).authnContextClassRef(response.authnContextClassRef).authenticatingAuthority(response.authenticatingAuthority)}
Helper variables
sha1 [DigestBuilder]
Helper for building SHA1 digest.Variable Description text(String input) [DigestBuilder]
Append input string to digest builder. bytes(byte[] input) [DigestBuilder]
Append input bytearray to digest builder. guid [UUID]
Convert digest to GUID. uuid [UUID]
Convert digest to UUID. sha256 [DigestBuilder]
Helper for building SHA256 digest.Variable Description text(String input) [DigestBuilder]
Append input string to digest builder. bytes(byte[] input) [DigestBuilder]
Append input bytearray to digest builder. guid [UUID]
Convert digest to GUID. uuid [UUID]
Convert digest to UUID.
Examples of use:
Create SHA256 digest of SSO Session ID and convert the digest to UUID.
${sha256.text(sso.id).uuid}
Functions
Function | Description |
---|---|
xss:html(String input) [String] | Encode input string for HTML. |
xss:url(String input) [String] | Encode input string for URL. |
xss:js(String input) [String] | Encode input string for JavaScript. |
xss:json(String input) [String] | Encode input string for JSON. |
c14n:text(String input) [String] | Encode input string for Text Node in Canonical XML. |
c14n:attr(String name, String input) [String] | Encode input string for Attribute Node name in Canonical XML. |
base64:encode(byte[] input) [String] | Base64 encode input bytearray. |
| md5 encode input bytearray. (Requires SSO 6.9 or newer) |
| UUID/GUID encode bytearray. Array’s length must be 16 bytes. |
utf8:bytes(string input) [byte[]] | UTF8 encode input string and convert to byte array. |
digest:sha1(byte[] input) [byte[]] | SHA1 digest of input bytearray. |
digest:sha256(byte[] input) [byte[]] | SHA256 digest of input bytearray. |
re:replace(String input, String regex, String replacement) [String] | Replaces the first substring of input string that matches the given regular expression with the given replacement. |
Examples of use:
${base64:encode(utf8:bytes(user.uid))} or ${base64:encode(utf8:bytes(user['uid'][0]))}
Base64 encode user.uid
. Because base64:encode()
function requires a bytearray as input parameter, and user.uid
is String, it needs to be converted to bytearray using utf8:bytes()
.
Migration from old expressions to Java EL
All the authorization policy expressions in the old format can be converted to Java EL format. The conversion rules are:
Old Expression | Java EL format |
---|---|
user:property | ${user.property} or ${user['property']} |
user:property;binary | ${user['property;binary']} or ${encode:base64(user['property;binary'][0])} |
user:../property | ${user.parent.property} |
method:property | ${method.property} |
text:Literal value | Literal value |
prefix:xyz | ${prefix['xyz']} |