Samples
Use these sample expressions to build attribute mappings with the PingOne expression builder.
Sample user model
The examples in this section use the following model:
{
  "user": {
    "name": {
      "given": "John",
      "family": "Doe"
    },
    "role": "SA",
    "memberOfGroupNames": ["Admin", "User"],
    "groupDNs": [
      "CN=Devs,CN=Users,DC=malibu,DC=gl,DC=lab",
      "CN=Admins,CN=Users,DC=malibu,DC=gl,DC=lab"
    ]
  }
}
Expression | Result |
---|---|
| FirstName |
| User |
| 1 |
| true |
| ['USER'] |

Expression | Result |
---|---|
| FirstName, LastName |
| John, Doe |

Expression | Result |
---|---|
| JDoe |

Expression | Result |
---|---|
| [test] |

Expression | Result |
---|---|
| Friday, 01 January; 10:15 AM |

Expression | Result |
---|---|
| John Doe, Software Architect |

Expression | Result |
---|---|
| [ "ADMIN", "USER" ] |

Expression | Result |
---|---|
| [ "CN=Admin,DC=example,DC=com", "CN=User,DC=example,DC=com" ] |

Expression | Result |
---|---|
| [ "Devs", "Admins" ] |
Accessing property names with non-alphanumeric characters
If a property name contains any characters other than alphanumeric characters and underscores (_), dot notation cannot express it; use the map access format (['property-name']) instead.
The examples in this section use the following model:
{
  "providerAttributes": {
    "full-name": "John Doe",
    "http://www.schema.com/samples/userId": "jdoe00",
    "Email Address": "johndoe00@test.com"
  },
  "custom-attributes": {
    "email": "johndoe00@test.com"
  }
}
Expression | Result |
---|---|
| John Doe |

Expression | Result |
---|---|
| jdoe00 |

Expression | Result |
---|---|
| johndoe00@test.com |

Expression | Result |
---|---|
| johndoe00@test.com |
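The following is an added example, not part of the PingOne documentation and not PingOne's own expression evaluator: a small Python path resolver that models the rule above. It accepts dot notation only for identifier-like names and requires ['...'] map access for anything else, so a path such as providerAttributes.full-name is rejected instead of being silently misread (in a real expression language the hyphen would be parsed as an operator). The sample model is the one from this section; the treatment of a missing property as None is an assumption of this example.

```python
import re
from typing import Any, List, Optional

# Constructed sample model, matching the page's second model.
MODEL = {
    "providerAttributes": {
        "full-name": "John Doe",
        "http://www.schema.com/samples/userId": "jdoe00",
        "Email Address": "johndoe00@test.com",
    },
    "custom-attributes": {
        "email": "johndoe00@test.com",
    },
}

# Dot notation only works for names made of letters, digits and underscores.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Map access: ['key'] or ["key"]; the quoted key may contain any characters.
MAP_ACCESS = re.compile(r"""\[\s*(['"])(.*?)\1\s*\]""")


def split_path(expr: str) -> List[str]:
    """Split a property path into segments, accepting dot notation for
    identifier-like names and ['...'] map access for anything else.
    Raises ValueError when dot notation is used on a name it cannot express."""
    segments: List[str] = []
    i, n = 0, len(expr)
    while i < n:
        ch = expr[i]
        if ch == ".":
            i += 1
            continue
        if ch == "[":
            m = MAP_ACCESS.match(expr, i)
            if not m:
                raise ValueError(f"malformed map access at offset {i}: {expr[i:]!r}")
            segments.append(m.group(2))
            i = m.end()
            continue
        m = IDENTIFIER.match(expr, i)
        if not m:
            raise ValueError(f"unexpected character {ch!r} at offset {i}; use ['...'] map access")
        segments.append(m.group(0))
        i = m.end()
        # A dot-notation name must be followed by '.', '[' or the end of the path.
        if i < n and expr[i] not in ".[":
            raise ValueError(
                f"{m.group(0)!r} is followed by {expr[i]!r}: a name containing "
                "non-alphanumeric characters must use ['...'] map access"
            )
    return segments


def resolve(expr: str, model: dict) -> Optional[Any]:
    """Walk the model along the path. A missing property yields None, which this
    example treats as the expression's null result (an assumption of this example)."""
    value: Any = model
    for segment in split_path(expr):
        if not isinstance(value, dict) or segment not in value:
            return None
        value = value[segment]
    return value


if __name__ == "__main__":
    for path in (
        "providerAttributes['full-name']",
        "providerAttributes['http://www.schema.com/samples/userId']",
        'providerAttributes["Email Address"]',
        "['custom-attributes'].email",
    ):
        print(f"{path:60s} -> {resolve(path, MODEL)!r}")
    try:
        split_path("providerAttributes.full-name")
    except ValueError as err:
        print("rejected:", err)
```

The rejection is the point: a resolver that accepts dot notation for such names would either evaluate something other than what the author intended or fail at runtime, and an attribute mapping that silently resolves to the wrong value is harder to notice than one that refuses the path.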
Sample expression for virtual server IDs
This section outlines how to use an expression to safeguard against misuse of virtual server IDs (VSIDs) between the identity provider (IdP) and the application, which acts as the service provider (SP). VSIDs allow your PingOne environment to identify itself differently for different purposes. You can define VSIDs on the Configuration tab of the SAML application.
When multiple VSIDs are defined in a SAML application, the application has multiple versions of the Initiate Single Sign-On URL, one for each respective VSID. You can obtain the URLs on the Overview tab for the application by selecting the applicable VSID in the Display Virtual Server ID list. Learn more about defining VSIDs in Editing an application - SAML.
Example scenario
You can create a SAML application and define three VSIDs for Who’s at Work (the IdP) and Widget (the SP) for the following purposes:
- Development
  - Who’s at Work entity ID: urn:widget:us:whosatwork:sso:dev (VSID #1)
  - Widget entity ID: https://whosatwork.widget.com
- Testing
  - Who’s at Work entity ID: urn:widget:us:whosatwork:sso:test (VSID #2)
  - Widget entity ID: https://whosatwork.widget.com
- Production
  - Who’s at Work entity ID: https://sso.whosatwork.com (VSID #3, default)
  - Widget entity ID: https://whosatwork.widget.com
When you select one of the VSIDs on the Overview tab for the application, the Initiate Single Sign-On URL changes because the selected VSID is embedded in the URL.
You can use an expression to prevent unauthorized access and ensure only users from a certain department, such as the Engineering department, can connect to Widget (the SP) for development and testing purposes while allowing users from all departments to connect for production use.
When you use multiple VSIDs to distinguish groups of users within one environment, such as different PingOne populations, you can add validation rules to make sure one group of users can’t sign on with the VSID intended for another group. To prevent unauthorized access, you can use the following example expression to fulfill the saml_subject attribute on the Attribute Mappings tab of the application:
( (context.requestData.virtualServerId eq 'urn:widget:us:whosatwork:sso:dev' and user.population.id eq '560b3182-c947-4b53-9621-afbe8dbc2488') or (context.requestData.virtualServerId eq 'urn:widget:us:whosatwork:sso:test' and user.population.id eq '560b3182-c947-4b53-9621-afbe8dbc2488') or (context.requestData.virtualServerId eq 'https://sso.whosatwork.com') )? user.username : null
In this example, the expression allows all users to access Widget for production purposes and ensures only users whose PingOne user records are associated with a particular population can access Widget for development and testing purposes. The expression can also be used to validate other conditions, such as group membership.
If one of the conditions is met, PingOne populates the saml_subject attribute with the user’s username in PingOne. If none of the conditions are met, PingOne determines that saml_subject is null and rejects the request. A SAML assertion can’t be generated without this required attribute.
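The following is an added example, not part of the PingOne documentation: a Python model of the saml_subject expression above, written so that each VSID maps to one rule, the way the expression has one branch per VSID. The VSIDs and the population ID are the ones from the page; the user records, the second population ID and the member_of rule (standing in for the "other conditions, such as group membership" the text mentions) are constructed for this example. A request for a VSID with no rule gets None, just as an unmatched branch of the expression yields null.

```python
from typing import Callable, Dict, Optional

# Virtual server IDs from the page's scenario.
DEV_VSID = "urn:widget:us:whosatwork:sso:dev"
TEST_VSID = "urn:widget:us:whosatwork:sso:test"
PROD_VSID = "https://sso.whosatwork.com"
# Population ID used in the page's expression (the population allowed for dev and test).
ENGINEERING_POPULATION = "560b3182-c947-4b53-9621-afbe8dbc2488"

Rule = Callable[[dict], bool]


def population_is(population_id: str) -> Rule:
    """Rule: the user's PingOne population must match (the page's condition)."""
    return lambda user: user.get("population", {}).get("id") == population_id


def member_of(group_name: str) -> Rule:
    """Rule: the user must be in the named group (a constructed alternative condition)."""
    return lambda user: group_name in user.get("memberOfGroupNames", [])


def any_user(_user: dict) -> bool:
    """Rule for production: every user may sign on."""
    return True


# One rule per VSID; this mirrors the page's expression branch for branch.
RULES: Dict[str, Rule] = {
    DEV_VSID: population_is(ENGINEERING_POPULATION),
    TEST_VSID: population_is(ENGINEERING_POPULATION),
    PROD_VSID: any_user,
}


def saml_subject(context: dict, user: dict, rules: Dict[str, Rule] = RULES) -> Optional[str]:
    """Return what the saml_subject mapping would produce: the username when the
    request's VSID has a rule and the user satisfies it, otherwise None (null),
    which means no SAML assertion is issued."""
    vsid = context.get("requestData", {}).get("virtualServerId")
    rule = rules.get(vsid)  # an unknown VSID has no rule and is rejected
    if rule is None or not rule(user):
        return None
    return user.get("username")


def request(vsid: str) -> dict:
    """Constructed request context carrying the VSID the SSO URL was generated for."""
    return {"requestData": {"virtualServerId": vsid}}


# Constructed user records (not real PingOne data); the second population ID is a placeholder.
ENGINEER = {
    "username": "jdoe",
    "population": {"id": ENGINEERING_POPULATION},
    "memberOfGroupNames": ["Devs"],
}
SALES = {
    "username": "asmith",
    "population": {"id": "00000000-0000-4000-8000-000000000000"},
    "memberOfGroupNames": ["Sales"],
}

if __name__ == "__main__":
    for label, user in (("engineer", ENGINEER), ("sales", SALES)):
        for vsid in (DEV_VSID, TEST_VSID, PROD_VSID, "urn:widget:unknown"):
            print(f"{label:9s} {vsid:40s} -> {saml_subject(request(vsid), user)!r}")
```

Keeping the per-VSID rules in one table makes the review question concrete: for each SSO URL the application exposes, which users receive a subject, and is the default (no matching rule) a rejection rather than an allow.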