I need to make some changes to the assertion attribute in federation partnership. I am trying to create the assertion attribute of type expression (Please find the attachment). I have tried to use the syntax of the expression mentioned in the below link but it never works.
I have tried concatination, Filter etc operations in the expression but it is not working.
Please let me know if you have implemented the expression type of the assertion attribute. Can you please share the syntax and any other details.
Thank you for your help.
Unfortunately, SAML assertion attributes use a completely different expression syntax known as Java Unified Expression Language (JUEL). I have found CA documentation for only simple JUEL expressions. See How to Configure Claims Transformation at the Asserting Party - CA Single Sign-On - 12.8 - CA Technologies Documentation.
The standard expression language cannot be used directly within a SAML partnership configuration. However, you can use it indirectly by creating a virtual user attribute on your user directory, and referencing that attribute by name in your assertion attributes or name ID, just as you would any other user attribute. Within the virtual user attribute's definition, you can use the standard expression language, or refer to a named expression which uses it. For safety and clarity, I prefer the latter approach of referencing a named expression, so that the user directory configuration does not need to be modified each time I update the expression.
Here are some related forum posts which you might find helpful.
Thank you for your reply. It is helpful.
I was going through the documentation for Named Expression and I saw the below note.
Note: Named expressions can only be used in application objects. Named expressions cannot be used in traditional security policies defined using domain objects like responses and rules.
But I went ahead and tried to create a Named Expression with the name #TestNamedExpression and tried to reference this expression while creating the assertion attribute in federation partnership. It is not working.
Yes, as per Documentation the NamedExpression can only be used in Application Objects and not in Domain Objects. So, if you create a NameExpression you need to reference those in Application Objects.
You cannot directly reference a named expression in a SAML partnership. Instead, modify the user directory which your partnership references. In the user directory, scroll to the Attribute Mapping List section at the bottom and create a user attribute mapping of type Expression. Within the Definition field, you can use expressions, or simply enter the named expression you would like to reference. When finished, save your change to the user directory.
Previously I erroneously called this attribute mapping a virtual user attribute. The named expression itself is the virtual user attribute, and the attribute mapping is defined in the user directory object. Only through an attribute mapping can you make use of the standard expression language and named expressions.
Now that the attribute mapping is defined as part of your user directory, you can use it in your SAML partnerships just like any other user attribute. The attribute type will be User Attribute, not Expression. For the Value of your assertion attribute, use the name of your attribute mapping, not the name of your named expression. For example, if I were to build a SAML partnership using the attribute mapping above, the Value field of my assertion attribute would be myAttribute.
Within the policy store, a SAML partnership uses various different objects including a backing affiliate domain, which is not an application. The Admin UI obfuscates these inner workings, but they can be seen in policy store XML and in XPS tools. Regardless, you can do all of the above within the Admin UI to customize the content of your assertion attributes or name ID.
I hope this helps clarify.
Hi Ankur & Daniel,
Thank you for your reply.
I have already tested by creating an attribute under attribute mapping list section of the user directory. It is working fine.
I was under the impression that the expression associated to the attribute created in Attribute Mapping List gets executed for every application, hence I was looking for other options as I don't want to impact the performance of all other applications as I just wanted to use this new attribute for only one application.
After testing, I have realized that the expression gets executed only when I access the application which is using this new attribute.
I hope your understating as same as what I have explained here.
Yes, that is my understanding. The expression will be executed only when someone accesses an application or SAML partnership which references that expression in order to generate a header or assertion.