Okta Classic Engine | Single Sign-On | Answered | 2021-05-17T19:06:30.000Z | 2020-09-25T14:42:29.000Z | 2020-09-28T18:09:03.000Z

JordanJ.26599 (Customer) asked a question.

Group Attributes regex IF/THEN

I have a service provider that needs the "securitylevel" attribute sent in the assertion with a value of only "1" or "2". We plan on having users assigned to an AD security group to separate the access level (i.e. spseclevel1 and spseclevel2). In previous apps, I would just map the SP attribute "securitylevel" to a value on our side with a "contains spseclevel". The issue is that this SP can only accept a numerical value. I am hoping to use regex on my side to say IF matches spseclevel1 then use "1" ANDIF spseclevel2 then use "2". Is it possible to use this logic in a group attribute statement?


  • JordanJ.26599 (Customer)

    I was able to work out a fix. Since the attribute statement will not accept a regular expression, you can use per-app attributes/mappings to create the desired effect.

     

    Under Profile Editor, select the app for which you wish to create the mapping. Click Add Attribute and give the attribute a unique name (i.e. SecLevel), mark it as required; the rest of the values can be default. Then click Mappings, Okta User to <app>, then use a regular expression to create the mapping. For my situation, I used isMemberOfGroupName("SomeApp_SecLevel_1") ? "1":"2" and mapped it to my new attribute, SecLevel.

     

    Within the SSO build for the app, under the attribute statement, I added the vendor attribute which mapped back to appuser.SecLevel. This now produces a “1” or a “2” value that is passed into the assertion for that required attribute.

     

    Further work is needed on my end for the expression, once the AD security groups are created, to evaluate further if not a member of that AD group, but the hard part is done for now.

This question is closed.
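
The two-way mapping in the answer above sends "2" for every user who is not in the first group, including users in neither group. The following Python sketch is an added example, not the poster's code or Okta's: it models that mapping next to one that requires explicit membership, and audits the "securitylevel" value in a constructed AttributeStatement against a user's groups. The function names, the sample XML, the use of the group names spseclevel1/spseclevel2 from the question, and the choice to send no value for users in both or neither group are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the AttributeStatement as the SP would receive it.
SAMPLE_STATEMENT = """\
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="securitylevel">
    <saml:AttributeValue>2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# Group -> value table (assumption: group names taken from the question).
LEVEL_BY_GROUP = {"spseclevel1": "1", "spseclevel2": "2"}

def mapping_as_posted(groups):
    """Models the shape of: isMemberOfGroupName(<level-1 group>) ? "1" : "2"."""
    return "1" if "spseclevel1" in groups else "2"

def mapping_explicit(groups):
    """A value is produced only for membership in exactly one level group."""
    levels = [lvl for grp, lvl in LEVEL_BY_GROUP.items() if grp in groups]
    return levels[0] if len(levels) == 1 else None

def asserted_level(statement_xml):
    """Return the single securitylevel value in the statement, else None."""
    root = ET.fromstring(statement_xml)
    for attr in root.findall("saml:Attribute", NS):
        if attr.get("Name") == "securitylevel":
            values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
            return values[0] if len(values) == 1 else None
    return None

def audit(statement_xml, groups):
    """Compare what the assertion carries with what the groups justify."""
    sent = asserted_level(statement_xml)
    if sent not in ("1", "2"):
        return "invalid: SP accepts only 1 or 2"
    expected = mapping_explicit(groups)
    if sent != expected:
        return f"mismatch: assertion carries {sent}, groups justify {expected}"
    return "ok"

if __name__ == "__main__":
    for groups in ({"Everyone"}, {"spseclevel1"}, {"spseclevel2"}):
        print(sorted(groups), mapping_as_posted(groups), audit(SAMPLE_STATEMENT, groups))
```

Run against a captured test assertion for an account that is in neither group, the audit reports a mismatch when the two-way mapping is in place.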