Usage of JUEL in SAML Assertion Configuration


Article ID: 41038




CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On



We are configuring a SAML assertion, and as part of the assertion
configuration we need to transform the value of a user attribute from
the directory. We are using the type "expression" and wanted the
following: if the value of user attribute attr1 is "value1" or "value2" or
"value3" or "value3", then the assertion attribute should contain the
value x, if not, y. Now using JUEL we are say

How can we specify this for an OR conditional (if attr1 has "value1"
or "value2" or "value3" or "value4")?




In all the environments where JUEL expressions are available.




In this case, the following expression was given:


This seems to be invalid because this is an IF statement and it is
missing the value for attribute value1 to match with. The correct
syntax would be:

  #{attr1["value1"] == 'some value' ?"x":"y"}

This means: if the value1 attribute of the asserting user is equal to
"some value", create the assertion attribute, give it the value x and
add it to the assertion; otherwise create the assertion attribute and
give it the value y.

To match multiple attributes, use the AND operator and give each
attribute its own comparison, as in the syntax below:

  #{attr["value1"] == 'xyz' && attr["value2"] == 'xyz' && attr["value3"] == 'xyz' ? 'X' : 'Y'}

This means if value1 = value2 = value3 = xyz then create an assertion
attribute and put X into it, else put Y into it.

If you would like to use an OR operator, the expression will be as
follows:

  #{attr["value1"] == 'xyz' || attr["value2"] == 'abc' || attr["value3"] == '123' ? 'X' : 'Y'}

NOTE: Creating JUEL expressions is out of scope of support. You can try
the above syntax and see if it works. If it does not, please contact
CA services.


Additional Information


To check whether the JUEL expression was evaluated correctly, enable
the Fed_Server component in the profiler on the Policy Server
Management Console. Run a test transaction and look for lines like the
examples below in the smtracedefault log:

  [04/11/2016][11:37:48][4932][cf5bf8b2-5888bcb4-1299085b-bfd62fc2-90930b22-2a1][][processExpressionEvaluation][][][][][][][][Expression before evaluation: #{attr["value1"] == 'xyz' || attr["value2"] == 'abc' || attr["value3"] == '123' ? 'X' : 'Y' : 

  [04/11/2016][11:37:48][4932][cf5bf8b2-5888bcb4-1299085b-bfd62fc2-90930b22-2a1][][processExpressionEvaluation][][][][][][][][Return value: X][3984][11:37:48.399][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

After the "Return value" check to see if you get the expected
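
The trace check described above can be scripted. The following is an added example, not code from the article or from CA: it pairs each "Expression before evaluation" line with its "Return value" line by transaction ID and reports results outside the set the expression should produce. It assumes the field layout of the two trace lines shown above; the second transaction and its `dept` attribute are constructed sample data.

```python
import re

# Leading trace fields: [date][time][pid][transaction id]
HEADER = re.compile(r"^\s*\[[^\]]*\]\[[^\]]*\]\[[^\]]*\]\[([^\]]*)\]")
EXPR = re.compile(r"\[Expression before evaluation: (.*)$")
RESULT = re.compile(r"\[Return value: ([^\]]*)\]")

# First two lines: the article's trace lines with trailing empty fields trimmed.
# Last two lines: constructed, to show a result outside the expected set.
SAMPLE = r"""
[04/11/2016][11:37:48][4932][cf5bf8b2-5888bcb4-1299085b-bfd62fc2-90930b22-2a1][][processExpressionEvaluation][][][][][][][][Expression before evaluation: #{attr["value1"] == 'xyz' || attr["value2"] == 'abc' || attr["value3"] == '123' ? 'X' : 'Y' :
[04/11/2016][11:37:48][4932][cf5bf8b2-5888bcb4-1299085b-bfd62fc2-90930b22-2a1][][processExpressionEvaluation][][][][][][][][Return value: X][3984][11:37:48.399][][]
[04/11/2016][11:37:49][4932][constructed-txn-0001][][processExpressionEvaluation][][][][][][][][Expression before evaluation: #{attr["dept"] == 'hr' ? 'X' : 'Y'}][3984][11:37:49.001][][]
[04/11/2016][11:37:49][4932][constructed-txn-0001][][processExpressionEvaluation][][][][][][][][Return value: true][3984][11:37:49.002][][]
""".strip().splitlines()

def _expression(text):
    # The expression contains '[' and ']' (attr["value1"]), so the line cannot
    # be split on brackets: keep up to the closing '}' or, if the line was cut
    # short, drop the trailing separator characters.
    end = text.rfind("}")
    return text[:end + 1] if end != -1 else text.rstrip(" :]")

def pair_evaluations(lines):
    """Return (transaction id, expression, return value) per evaluation."""
    pending, pairs = {}, []
    for line in lines:
        head = HEADER.match(line)
        if not head or "[processExpressionEvaluation]" not in line:
            continue
        txn = head.group(1)
        expr, result = EXPR.search(line), RESULT.search(line)
        if expr:
            pending[txn] = _expression(expr.group(1))
        elif result and txn in pending:
            pairs.append((txn, pending.pop(txn), result.group(1)))
    return pairs

def unexpected(pairs, allowed):
    """Evaluations whose result is not a value the expression should produce."""
    return [p for p in pairs if p[2] not in allowed]

if __name__ == "__main__":
    for txn, expr, value in unexpected(pair_evaluations(SAMPLE), {"X", "Y"}):
        print(f"{txn}: {expr} returned {value!r}")
```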