PingOne

Samples

Use these sample expressions to build attribute mappings with the PingOne expression builder.

Sample user model

The examples in this section use the following model:

{
  "user": {
    "name": {
      "given": "John",
      "family": "Doe"
    },
    "role": "SA",
    "memberOfGroupNames": ["Admin", "User"],
    "groupDNs": [
      "CN=Devs,CN=Users,DC=malibu,DC=gl,DC=lab",
      "CN=Admins,CN=Users,DC=malibu,DC=gl,DC=lab"
    ]
  }
}
Literal expressions
Expression Result

'FirstName'

FirstName

"User"

User

1

1

true

true

{'USER'}

['USER']

{'firstName': 'John'}

{
    "firstName": "John"
}
String concatenation
Expression Result

'FirstName' + ', ' + 'LastName'

FirstName, LastName

user.name.given + ', ' + user.name.family

John, Doe
Generate a user alias by concatenating parts of first and last name
Expression Result

#string.substring(user.name.given, 0, 1) + #string.substring(user.name.family, 0, 4)

JDoe
Extract the domain name from an email address
Expression Result

#regex.findAllMatches('user01@test.com', '(?<=@)[^.]+')

[test]
Output the date as a string in a certain format
Expression Result

#datetime.format('2021-01-01T10:15:00Z', 'EEEE, dd MMMM; h:mm a')

Friday, 01 January; 10:15 AM
Replace a value based on a predefined set of options
Expression Result

user.name.given + ' ' + user.name.family + ', ' + {'PM': 'Product Manager', 'SA': 'Software Architect'}[user.role] ?: 'Unknown'

John Doe, Software Architect
Change the contents of memberOfGroupNames array to upper case
Expression Result

user.memberOfGroupNames.![#string.upperCase(#this)]

[
    "ADMIN",
    "USER"
]
Use string concatenation to transform the contents of memberOfGroupNames array to a group
Expression Result

user.memberOfGroupNames.!['CN=' + #this + ',DC=example,DC=com']

[
    "CN=Admin,DC=example,DC=com",
    "CN=User,DC=example,DC=com"
]
Extract group names from an array of group DNs
Expression Result

user.groupDNs.![#regex.replaceAll(#this, '(CN=)(.*?),.*', '$2')]

[
    "Devs",
    "Admins"
]
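The samples above are PingOne expression-builder expressions and cannot be run outside PingOne. The following Python re-implementation is an added example, not PingOne code; it evaluates the same transformations against the page's sample user model so the documented results can be checked, and it adds two inputs the page does not show: an email address with a subdomain (the lookbehind regex captures only the first label after the @) and a DN without a comma (the replaceAll regex does not match it, so the DN comes back unchanged). Python's re module writes the $2 backreference as \2; the regex syntax is otherwise the same.

```python
import re

# Constructed sample user, copied from the page's sample model.
USER = {
    "name": {"given": "John", "family": "Doe"},
    "role": "SA",
    "memberOfGroupNames": ["Admin", "User"],
    "groupDNs": [
        "CN=Devs,CN=Users,DC=malibu,DC=gl,DC=lab",
        "CN=Admins,CN=Users,DC=malibu,DC=gl,DC=lab",
    ],
}

# The lookup map from the "Replace a value based on a predefined set of options" sample.
ROLE_TITLES = {"PM": "Product Manager", "SA": "Software Architect"}


def user_alias(user):
    """#string.substring(user.name.given, 0, 1) + #string.substring(user.name.family, 0, 4).
    Slicing simply stops at the end of a short family name ('Doe' has three characters)."""
    return user["name"]["given"][:1] + user["name"]["family"][:4]


def email_domain_labels(email):
    """#regex.findAllMatches(email, '(?<=@)[^.]+'): every run of non-dot characters
    that directly follows an '@'. Only the first label after '@' is captured, so
    'user@mail.test.com' yields ['mail'], not the full domain."""
    return re.findall(r"(?<=@)[^.]+", email)


def name_with_role_title(user):
    """user.name.given + ' ' + user.name.family + ', ' + {...}[user.role] ?: 'Unknown'.
    dict.get(...) or 'Unknown' plays the part of the Elvis operator for an unmapped role."""
    full_name = user["name"]["given"] + " " + user["name"]["family"]
    return full_name + ", " + (ROLE_TITLES.get(user["role"]) or "Unknown")


def upper_case_groups(user):
    """user.memberOfGroupNames.![#string.upperCase(#this)]"""
    return [g.upper() for g in user["memberOfGroupNames"]]


def groups_as_dns(user, suffix=",DC=example,DC=com"):
    """user.memberOfGroupNames.!['CN=' + #this + ',DC=example,DC=com']"""
    return ["CN=" + g + suffix for g in user["memberOfGroupNames"]]


def first_cn_of_each_dn(user):
    """user.groupDNs.![#regex.replaceAll(#this, '(CN=)(.*?),.*', '$2')].
    The lazy group stops at the first comma, so only the leading CN survives.
    A DN with no comma does not match and is returned unchanged."""
    # Python writes the $2 backreference as \2 in a raw string.
    return [re.sub(r"(CN=)(.*?),.*", r"\2", dn) for dn in user["groupDNs"]]


if __name__ == "__main__":
    print(user_alias(USER))                      # JDoe
    print(email_domain_labels("user01@test.com"))  # ['test']
    print(name_with_role_title(USER))            # John Doe, Software Architect
    print(groups_as_dns(USER))
    print(first_cn_of_each_dn(USER))             # ['Devs', 'Admins']
```

The two extra inputs matter when the mapped attribute feeds an authorization decision downstream: if the consuming application compares the extracted domain or group name against an allow-list, the mapping must produce exactly the value the application expects for every shape of input the identity store can hold, not only for the clean sample values.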

Accessing property names with non-alphanumeric characters

If a property name contains any character other than letters, digits, and underscores (_), use the map access format (square brackets) instead of dot notation.

The examples in this section use the following model:

{
    "providerAttributes": {
        "full-name": "John Doe",
        "http://www.schema.com/samples/userId": "jdoe00",
        "Email Address": "johndoe00@test.com"
    },
    "custom-attributes": {
        "email": "johndoe00@test.com"
    }
}
Property names with hyphens or dashes
Expression Result

providerAttributes['full-name']

John Doe
Properties with URI or URL based names
Expression Result

providerAttributes['http://www.schema.com/samples/userId']

jdoe00
Property names with blank spaces
Expression Result

providerAttributes['Email Address']

johndoe00@test.com
Property roots with hyphens or dashes
Expression Result

#root['custom-attributes'].email

johndoe00@test.com

Virtual server IDs for SAML applications

When you use virtual server IDs for SAML applications to connect multiple environments through one connection, you can protect against unauthorized access by adding an attribute mapping in the expression builder that compares the virtual server ID invoked by the request against a user attribute and populates a required attribute accordingly.

For example, when two populations access the same SAML application, you can ensure that only authorized users reach the application by configuring a different virtual server ID for each population and adding an expression such as the following to the application:

(
  (context.requestData.virtualServerId eq 'IdP1' and
   user.population.id eq '<populationID1>')
  or
  (context.requestData.virtualServerId eq 'IdP2' and
   user.population.id eq '<populationID2>')
) ? user.username : null

where IdP1 and IdP2 are the respective virtual server IDs, and populationID1 and populationID2 are example population IDs from Directory > Populations in the PingOne admin console.

If a user from the intended population (populationID1) accesses the application through an identity provider (IdP)-initiated single sign-on (SSO) URL for the virtual server ID configured for that population (IdP1), PingOne populates the saml_subject attribute with the username and redirects the browser to the application's ACS endpoint with a SAML assertion. If a user follows an IdP-initiated SSO URL for a virtual server ID configured for a population to which they don't belong, PingOne populates the saml_subject attribute with null and returns an error message. Learn more about using virtual server IDs in Editing an application - SAML.
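The following Python function is an added example, not PingOne code; it makes the same decision as the expression above so the behaviour can be exercised against constructed requests. It generalizes the two hard-coded clauses into a table of virtual server ID to population ID bindings, and it also covers two cases the expression handles implicitly: a request whose virtual server ID is not in the table, and a request with no virtual server ID at all, both of which yield a null subject. The population IDs are the page's placeholders; in a real mapping they come from Directory > Populations.

```python
# Constructed bindings: virtual server IDs from the page, placeholder population IDs.
VIRTUAL_SERVER_TO_POPULATION = {
    "IdP1": "<populationID1>",
    "IdP2": "<populationID2>",
}


def saml_subject(context, user, bindings=VIRTUAL_SERVER_TO_POPULATION):
    """Return user.username when the virtual server ID in the request is bound to
    the user's population, otherwise None (a null saml_subject).

    `context` mirrors context.requestData.virtualServerId and `user` mirrors
    user.population.id and user.username from the expression. An unknown or
    missing virtual server ID has no bound population, so it never releases
    a subject; the default branch is the deny branch."""
    virtual_server_id = context.get("requestData", {}).get("virtualServerId")
    expected_population = bindings.get(virtual_server_id)
    actual_population = user.get("population", {}).get("id")
    if expected_population is not None and actual_population == expected_population:
        return user["username"]
    return None


def example_decisions():
    """Constructed requests: the matching case, a cross-population case, an
    unknown virtual server ID and a request with no virtual server ID."""
    user = {"username": "jdoe", "population": {"id": "<populationID1>"}}
    return {
        "matching": saml_subject({"requestData": {"virtualServerId": "IdP1"}}, user),
        "wrong_population": saml_subject({"requestData": {"virtualServerId": "IdP2"}}, user),
        "unknown_vsid": saml_subject({"requestData": {"virtualServerId": "IdP9"}}, user),
        "no_vsid": saml_subject({"requestData": {}}, user),
    }


if __name__ == "__main__":
    for case, subject in example_decisions().items():
        print(f"{case}: {subject}")
```

Keeping the bindings in one table rather than repeating the and/or clause per population makes it easy to review which virtual server ID may release subjects for which population, and adding a third population is a one-line change to the table rather than a new clause in the expression.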