Usage of JUEL in SAML Assertion Configuration

Article ID: 41038

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction

 

We are configuring a SAML assertion and as part of the assertion
configuration we need to transform a value of a user attribute from
the directory. We are using the type as expression and wanted the
following. If the value of a user attr1 is "value1" or "value2" or
"value3" or "value4", then the assertion attribute should contain the
value x, if not y. Now using JUEL we are saying
#{attr1["value1"]?"x":"y"}.

How can we specify this for an OR conditional (if attr1 has "value1"
or "value2" or "value3" or "value4")?

 

Environment

 

In all the environments where JUEL expressions are available.

 

Resolution

 

In this case the expression below was given:

  #{attr1["value1"]?"x":"y"}

This is invalid because it is an IF statement and it is missing the
value that attribute value1 should be matched against. The correct
syntax would be:

  #{attr1["value1"] == 'some value' ?"x":"y"}

This means if the value1 attribute for the asserting user is equal to
"some value" then create an assertion attribute, give it the value X and
add it to the assertion; otherwise create the assertion attribute and
give it the value Y.

To require multiple attributes to match, use the AND operator and
compare each attribute explicitly, as in the syntax below (in JUEL,
== binds more tightly than &&, so a comparison that appears only after
the last && is applied to that attribute alone):

  #{attr["value1"] == 'xyz' && attr["value2"] == 'xyz' && attr["value3"] == 'xyz' ? 'X' : 'Y'}

This means if value1 = value2 = value3 = xyz then create an assertion
attribute and put X into it else put Y into it.

If you would like to use an OR operator, then the expression will be as
follows:

  #{attr["value1"] == 'xyz' || attr["value2"] == 'abc' || attr["value3"] == '123' ? 'X' : 'Y'}
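The three forms above (single comparison, AND, OR), evaluated against a constructed user attribute map with the JUEL reference implementation. This is an added example, not code from the article or from CA; it assumes JUEL 2.2.x (de.odysseus.juel:juel-api and juel-impl) on the classpath and binds a map named attr, which is how the expressions in this article address the user's directory attributes. The attribute names and values are constructed for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;

import javax.el.ExpressionFactory;
import javax.el.ValueExpression;

import de.odysseus.el.ExpressionFactoryImpl;
import de.odysseus.el.util.SimpleContext;

// Added example (not the article's or CA's code). Assumes JUEL 2.2.x on the classpath.
public class JuelAssertionAttributeDemo {

    /** Evaluate one #{...} expression with the user's attributes bound as the variable "attr". */
    static String evaluate(String expression, Map<String, Object> attributes) {
        ExpressionFactory factory = new ExpressionFactoryImpl();
        SimpleContext context = new SimpleContext();
        // attr["name"] in the expression becomes attributes.get("name")
        context.setVariable("attr", factory.createValueExpression(attributes, Map.class));
        ValueExpression ve = factory.createValueExpression(context, expression, String.class);
        return (String) ve.getValue(context);
    }

    public static void main(String[] args) {
        // Constructed directory attributes for one asserting user
        Map<String, Object> user = new HashMap<>();
        user.put("value1", "xyz");
        user.put("value2", "something else");
        user.put("value3", "123");

        // Single comparison: value1 equals 'xyz', so the assertion attribute gets 'X'
        System.out.println(evaluate("#{attr['value1'] == 'xyz' ? 'X' : 'Y'}", user));

        // OR: one matching attribute is enough, so 'X'
        System.out.println(evaluate(
            "#{attr['value1'] == 'xyz' || attr['value2'] == 'abc' || attr['value3'] == '123' ? 'X' : 'Y'}",
            user));

        // AND with each attribute compared: value2 is not 'xyz', so 'Y'
        System.out.println(evaluate(
            "#{attr['value1'] == 'xyz' && attr['value2'] == 'xyz' && attr['value3'] == 'xyz' ? 'X' : 'Y'}",
            user));

        // Precedence pitfall: == binds tighter than &&, so only value3 is compared here and
        // value1/value2 are coerced to boolean (false for ordinary strings), giving 'Y'
        System.out.println(evaluate(
            "#{attr['value1'] && attr['value2'] && attr['value3'] == 'xyz' ? 'X' : 'Y'}",
            user));

        // Absent attribute: attr['value9'] is null, null == 'xyz' is false, so 'Y' rather than an error
        System.out.println(evaluate("#{attr['value9'] == 'xyz' ? 'X' : 'Y'}", user));
    }
}
```

Because an expression that can never be true still evaluates cleanly and simply gives every user the else value, a mistake like the precedence case above is silent; the trace-log check in the Additional Information section is the way to confirm the branch actually taken for a test user.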

NOTE: Creating JUEL expressions is out of scope of support. You can try
the above syntax and see if it works. If it does not, please contact
CA Services.

 

Additional Information

 

To check whether the JUEL expression was evaluated correctly, enable
the Fed_Server component in the profiler on the Policy Server
Management Console. Run a test transaction and look for log lines like
the examples below in the smtracedefault log:

  [04/11/2016][11:37:48][4932][cf5bf8b2-5888bcb4-1299085b-bfd62fc2-90930b22-2a1][SAMLSPEntitlementGenerator.java][processExpressionEvaluation][][][][][][][][Expression before evaluation: #{attr["value1"] == 'xyz' || attr["value2"] == 'abc' || attr["value3"] == '123' ? 'X' : 'Y' : 

  [04/11/2016][11:37:48][4932][cf5bf8b2-5888bcb4-1299085b-bfd62fc2-90930b22-2a1][SAMLSPEntitlementGenerator.java][processExpressionEvaluation][][][][][][][][Return value: X][3984][11:37:48.399][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

In the "Return value" line, check that the value is the one expected
for the test user's attributes.
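A small checker that correlates the two trace lines above by transaction id and flags evaluations whose return value is not the expected one, so a test run can be verified for more than one user at a time. This is an added example, not part of the article or of any CA tool; it assumes the field layout shown in the quoted lines (date, time, pid, transaction id, source file, method, a run of empty fields, then the message) and the sample lines and transaction id are constructed.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not the article's or CA's code). Field layout assumed from the quoted trace lines.
public class SmTraceExpressionCheck {
    // Six leading bracketed fields, then any number of empty [] fields, then the message,
    // which may itself contain brackets (attr["value1"]), so it is captured to end of line.
    private static final Pattern LINE = Pattern.compile(
        "^\\[([^\\]]*)\\]\\[([^\\]]*)\\]\\[([^\\]]*)\\]\\[([^\\]]*)\\]\\[([^\\]]*)\\]\\[([^\\]]*)\\](?:\\[\\])*\\[(.*)$");
    private static final String EXPR_PREFIX = "Expression before evaluation: ";
    private static final String RET_PREFIX = "Return value: ";

    /** One expression evaluation, keyed by transaction id. */
    static final class Evaluation {
        String expression;
        String returnValue;
    }

    /** Pair "Expression before evaluation" and "Return value" lines by transaction id. */
    static Map<String, Evaluation> collect(List<String> lines) {
        Map<String, Evaluation> byTx = new LinkedHashMap<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches() || !"processExpressionEvaluation".equals(m.group(6))) {
                continue;
            }
            Evaluation ev = byTx.computeIfAbsent(m.group(4), k -> new Evaluation());
            String msg = m.group(7);
            if (msg.startsWith(EXPR_PREFIX)) {
                String expr = msg.substring(EXPR_PREFIX.length());
                ev.expression = expr.endsWith("]") ? expr.substring(0, expr.length() - 1) : expr;
            } else if (msg.startsWith(RET_PREFIX)) {
                String rest = msg.substring(RET_PREFIX.length());
                int end = rest.indexOf(']');              // value ends at the next field boundary
                ev.returnValue = end >= 0 ? rest.substring(0, end) : rest;
            }
        }
        return byTx;
    }

    public static void main(String[] args) {
        // Constructed sample lines in the shape quoted in the article; "tx-0001" is a placeholder id
        List<String> sample = Arrays.asList(
            "[04/11/2016][11:37:48][4932][tx-0001][SAMLSPEntitlementGenerator.java][processExpressionEvaluation]"
                + "[][][][][][][][Expression before evaluation: #{attr[\"value1\"] == 'xyz' ? 'X' : 'Y'}]",
            "[04/11/2016][11:37:48][4932][tx-0001][SAMLSPEntitlementGenerator.java][processExpressionEvaluation]"
                + "[][][][][][][][Return value: X][3984][11:37:48.399][][]");
        String expected = "X";   // what the test user's attributes should produce
        for (Map.Entry<String, Evaluation> e : collect(sample).entrySet()) {
            Evaluation ev = e.getValue();
            String status = expected.equals(ev.returnValue) ? "OK" : "MISMATCH";
            System.out.println(e.getKey() + " " + status + " expr=" + ev.expression
                + " returned=" + ev.returnValue);
        }
    }
}
```

Feed it the smtracedefault lines from a test run and compare each transaction's return value with the value you expect for that user; a MISMATCH on a user who should not have matched is the case worth investigating before the expression goes live.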