...
If the script is specified within the scope of an <AttributeRule> element then the script has to be a Matcher, returning a Set<IdPAttributeValue>, which is added to the permit or deny list for the attribute in question.
If the script is specified within the scope of a <PolicyRequirementRule> element then the script has to be a PolicyRule (returning a Boolean), which defines whether the rule is active or not.
...
Script Context
The following variables are defined within the script:
Name | Type | Description |
---|---|---|
filterContext | | The AttributeFilter context provides some information about the request, and a mechanism to navigate to other contexts in the tree |
profileContext | | The root context for the request |
attribute (Matcher Only) | | The attribute being filtered |
custom | Object | Contains whatever was provided by the |
subjects | Array of Subject | The Subjects associated with this authorization. Note that these will only be present if the attribute resolution has been associated with an Authentication (and so this will not work for back channel requests). |
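An added example, not taken from the original page: one filter policy that uses both script kinds described above, a PolicyRule that is active only when an authenticated Subject is present and a Matcher that permits only mail values in one domain. It assumes a Nashorn-style script engine (Java.type), string-valued mail values exposing getValue(), and an xsi prefix declared on the enclosing filter file; the policy id and the example.org domain are constructed, and the wrapper elements (AttributeFilterPolicy, PermitValueRule, Script) follow the usual Shibboleth filter syntax rather than anything shown on this page.

```xml
<!-- Added example: policy id, attribute choice and domain are constructed. -->
<AttributeFilterPolicy id="releaseCampusMailToAuthenticatedUsers">

    <!-- PolicyRule script: must evaluate to a Boolean.
         The policy is active only when at least one Subject is present,
         so back-channel requests (no subjects) release nothing through it. -->
    <PolicyRequirementRule xsi:type="Script">
        <Script>
        <![CDATA[
            (typeof subjects !== "undefined" && subjects != null && subjects.length > 0);
        ]]>
        </Script>
    </PolicyRequirementRule>

    <AttributeRule attributeID="mail">
        <!-- Matcher script: must evaluate to a Set of IdPAttributeValue.
             Only the values placed in the set are added to the permit list. -->
        <PermitValueRule xsi:type="Script">
            <Script>
            <![CDATA[
                // Assumption: Nashorn-style engine and string-valued attribute values.
                var HashSet = Java.type("java.util.HashSet");
                var permitted = new HashSet();
                var values = attribute.getValues();
                for (var i = 0; i < values.size(); i++) {
                    var candidate = values.get(i);
                    // Anchored at both ends so "user@example.org.evil.test" does not match.
                    if (/^[^@\s]+@example\.org$/i.test(String(candidate.getValue()))) {
                        permitted.add(candidate);
                    }
                }
                // An empty set permits no values, so the rule fails closed.
                permitted;
            ]]>
            </Script>
        </PermitValueRule>
    </AttributeRule>

</AttributeFilterPolicy>
```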
Reference
The script has the following variables defined:
Name | Type | Description |
---|---|---|
filterContext | | The AttributeFilter context provides some information about the filter operation |
profileContext | | The root context for the request |
attribute (Matcher Only) | | The attribute being filtered |
custom | Object | Contains whatever was provided by the |
subjects | Array of Subject | The Java Subject(s) associated with this filtering operation. Note that these will only be present if the attribute resolution preceding this was associated with an authentication event (and so this will not work for back channel requests). |
Examples
This simple rule just adds the first value of the attribute "mail" to its permit list:
...