
Identity as a Service: Use federated credential expressions

Last Updated: Mar 31, 2026

IDaaS includes a built-in expression engine for Machine-to-Machine (M2M) federated credentials. Use expressions to define trust conditions for federated credential providers and validation conditions for application federated credentials—for example, when a target application requires parameters that need transformation, concatenation, or logical evaluation.

An expression consists of two core components:

| Component | Description |
| --- | --- |
| Model | Provides data fields for client properties, PKCS#7 credentials, Private Certificate Authority (PCA) credentials, and OpenID Connect (OIDC) credentials |
| Function | Executes logical operations on model field values |

Key concepts

Field access syntax

Access model fields using dot notation: <model>.<fieldname>. For nested fields, chain the path: cert.issuer.CN.

If a JSON key contains special characters such as a period (.), hyphen (-), or underscore (_), enclose the key in single quotation marks:

pkcs7.payload.jsonData.'instance-id'
pkcs7.payload.jsonData.'region-id'
jwt.claims.'kubernetes.io'.namespace

Expression scope

Each model applies to a specific credential type:

| Model | Access prefix | Applies to |
| --- | --- | --- |
| Client | client. | All credential types |
| PKCS#7 | pkcs7. | PKCS#7 trust conditions and validation |
| PCA | cert. | PCA trust conditions and validation |
| OIDC | jwt. | OIDC trust conditions and validation |
| CertificateObject | cert. | Certificate chain validation (within PKCS#7) |

Data models

Client model

Access client properties using client.<fieldname>.

| Field | Type | Description |
| --- | --- | --- |
| clientId | String | The client ID of the application |
| applicationFederatedCredentialId | String | The ID of the application federated credential |
| activeSubjectUrn | String | Reserved. Generated from the field mapping of applicationFederatedCredential. Cannot be used in expressions. |

PKCS#7 model

Access PKCS#7 fields using pkcs7.<fieldname>. This model applies to trust conditions for PKCS#7 federated trust sources and validation conditions for PKCS#7 federated credentials.

| Field | Type | Description |
| --- | --- | --- |
| payload | Object | The PKCS#7 payload object |
| data | String | The original content extracted from the PKCS#7 signature |
| jsonData | JSON object | The parsed JSON object when the payload content is in JSON format. For available fields, see Alibaba Cloud PKCS#7 fields and AWS PKCS#7 fields. |
| certificates | List\<CertificateObject\> | The certificate chain included in the PKCS#7 signature. For field details, see CertificateObject model. |
| signingTime | Long | The signature timestamp in seconds (UNIX). Returned only when the federated identity provider is Amazon Web Services. |

PCA model

Access PCA certificate fields using cert.<fieldname>. This model applies to trust conditions for PCA federated trust sources and validation conditions for PCA federated credentials.

| Field | Type | Description |
| --- | --- | --- |
| serialNumber | String | The certificate serial number in hexadecimal format, lowercase, without colons. If the most significant bit is 1, a leading zero (00) is prepended per ASN.1 DER encoding rules. |
| issuer | CertificateSubjectObject | The certificate issuer. Access subfields using issuer.<attribute>, for example, cert.issuer.CN. |
| subject | CertificateSubjectObject | The certificate subject. Access subfields using subject.<attribute>, for example, cert.subject.C. |
| fingerprint | String | The certificate fingerprint in SHA256 format, lowercase, without colons |
| notBefore | Long | The start of the certificate validity period. UNIX timestamp in seconds. |
| notAfter | Long | The end of the certificate validity period. UNIX timestamp in seconds. |
| ca | Boolean | Whether the certificate is a certification authority (CA) certificate. This is an X.509 v3 extension field. |
| certificateCaIssuerUrl | String | The CA issuer URL |
| subjectKeyIdHex | String | The subject key identifier |
| signatureOid | String | The signature algorithm OID. For example: 1.2.840.113549.1.1.11 (SHA256withRSA) |

For the serialNumber field, if the most significant bit of the leftmost byte is 1, ASN.1 DER encoding adds a leading 0x00 byte to ensure the value is parsed as a positive integer. For example, dd0ec2ccc305a652 becomes 00dd0ec2ccc305a652, while 6d5a2816af467f40d38be7280f6e974f114a061e remains unchanged.

OIDC model

Access OIDC fields using jwt.<fieldname>. This model applies to trust conditions for OIDC federated trust sources and validation conditions for OIDC federated credentials.

| Field | Type | Claim type | Description |
| --- | --- | --- | --- |
| iss | String | Issuer | The URL of the authorization server that issued the token. Access using jwt.iss. |
| sub | String | Subject | The unique identifier of the entity (user or service). Access using jwt.sub. |
| aud | List\<String\> | Audience | The intended recipient, usually a resource server identifier or client ID. The aud claim is an array; access elements by index: jwt.aud[0]. |
| jti | String | JWT ID | The unique identifier of the token, used to prevent replay attacks |
| exp | Long | Expiration | The token expiration time. UNIX timestamp in seconds. |
| nbf | Long | Not before | The earliest time the token is valid. UNIX timestamp in seconds. |
| iat | Long | Issued at | The time the token was issued. UNIX timestamp in seconds. |
| claims | Map | All claims | All claims in the token. Access individual claims using jwt.claims.<key>. |

Because aud is an array, always access it by index. To validate a single audience value: Equals(jwt.aud[0], "example_aud"). To validate against multiple values, use Or(). Validate the aud field in the trust source trust condition rather than in the federated credential validation condition.

CertificateObject model

The CertificateObject model represents individual certificates in a PKCS#7 certificate chain. Access fields using cert.<fieldname>. This model applies to certificate chain validation, certificate property validation, and certificate validity period checks.

| Field | Type | Description |
| --- | --- | --- |
| serialNumber | String | The certificate serial number in hexadecimal format, lowercase, without colons |
| issuer | CertificateSubjectObject | The certificate issuer |
| subject | CertificateSubjectObject | The certificate subject |
| fingerprint | String | The certificate fingerprint in SHA256 format, lowercase, without colons |
| notBefore | Long | The start of the certificate validity period. UNIX timestamp in seconds. |
| notAfter | Long | The end of the certificate validity period. UNIX timestamp in seconds. |
| ca | Boolean | Whether the certificate is a CA certificate. X.509 v3 extension field. Values: true or false. |
| certificateCaIssuerUrl | String | The CA issuer URL |
| subjectKeyIdHex | String | The subject key identifier |
| signatureOid | String | The signature algorithm OID. For example: 1.2.840.113549.1.1.11 (SHA256withRSA). |

CertificateSubjectObject fields

The CertificateSubjectObject model provides structured access to X.509 distinguished name attributes:

| Field | Abbreviation | Type | Description |
| --- | --- | --- | --- |
| commonName | CN | String | The common name of the certificate entity, typically a server hostname or individual name |
| country | C | String | The two-letter ISO country or region code (for example, US or CN). Multiple values separated by /. |
| organization | O | String | The full name of the organization. Multiple values separated by /. |
| organizationalUnit | OU | String | The department or unit within the organization (for example, IT or Security). Multiple values separated by /. |
| state | ST | String | The state or province. Multiple values separated by /. |
| locality | L | String | The city or region. Multiple values separated by /. |
| domainComponent | DC | String | The domain name component (for example, example.com). Multiple values separated by /. |
| serialNumber | | String | A unique identifier within the organization |
| distinguishedNameQualifier | | String | Disambiguates entities with the same name |
| title | T | String | The job title (for example, Manager) |
| surname | | String | The surname |
| givenName | | String | The given name |
| initials | | String | The initials |
| pseudonym | | String | An alias |
| generationQualifier | | String | A generation suffix (for example, Jr. or III) |
| oidMap | | Map\<String, Object\> | OID map object |

Functions

For a full list of available functions, see Function description.

Expression examples

Trust conditions for federated trust sources

Trust conditions determine whether IDaaS trusts a federated identity provider when credentials are presented.

PCA

*Scenario: Match the issuer CN of the uploaded certificate*

Syntax: Equals(cert.issuer.CN, "<common-name>")

// Example certificate issuer: C=cn, ST=sichuan, L=chengdu, O=example, OU=test, CN=test
Equals(cert.issuer.CN, "test")

*Scenario: Check whether the certificate is a CA certificate*

Syntax: Equals(cert.ca, <true|false>)

Equals(cert.ca, true)

OIDC

*Scenario: Validate the subject claim in a Kubernetes service account token*

Syntax: Equals(jwt.sub, "<subject-value>")

Equals(jwt.sub, "test")

*Scenario: Validate both the issuer and audience simultaneously*

Syntax: And(Equals(jwt.iss, "<issuer-url>"), Equals(jwt.aud[0], "<audience>"))

// aud is an array, so the audience is accessed by index.
And(Equals(jwt.iss, "https://example.com"), Equals(jwt.aud[0], "test_aud"))

PKCS#7

PKCS#7 federated trust sources do not require a trust condition expression.

Validation conditions for federated credentials

Validation conditions run after trust is established and verify that the credential matches the expected properties. IDaaS provides quick configuration modes that auto-generate basic validation expressions.

PCA

*Scenario: Validate by common name (Certificate Mode)*

Syntax: Equals(cert.subject.CN, "<common-name>")

// Auto-generated when Certificate Mode is selected and CN is "example".
Equals(cert.subject.CN, "example")

*Scenario: Validate multiple issuer fields (Client Certificate Field Expression Validation Mode)*

Syntax: And(Equals(cert.issuer.<attr>, "<value>"), ...)

// Validate the country or region, city, and province in the certificate issuer.
// Example issuer: C=cn, ST=sichuan, L=chengdu, O=example, OU=test, CN=test
And(Equals(cert.issuer.C, "cn"), Equals(cert.issuer.L, "chengdu"), Equals(cert.issuer.ST, "sichuan"))

*Scenario: Validate by serial number*

Certificate serial numbers are stored in lowercase hexadecimal without colons, and a serial whose leftmost byte has its most significant bit set carries a leading 00 (see the PCA model). Use StringReplace() to strip colons before comparing, and ToLower() if the serial was copied in uppercase.

Syntax: Equals(cert.serialNumber, StringReplace("<serial>", ":", ""))

// Serial number from the certificate: 6d:5a:28:16:af:46:7f:40:d3:8b:e7:28:0f:6e:97:4f:11:4a:06:1e (lowercase)
Equals(cert.serialNumber, StringReplace("6d:5a:28:16:af:46:7f:40:d3:8b:e7:28:0f:6e:97:4f:11:4a:06:1e", ":", ""))

// Serial number from the certificate: 6D:5A:28:16:AF:46:7F:40:D3:8B:E7:28:0F:6E:97:4F:11:4A:06:1E (uppercase)
// First convert to lowercase with ToLower(), then strip colons.
Equals(cert.serialNumber, StringReplace(ToLower("6D:5A:28:16:AF:46:7F:40:D3:8B:E7:28:0F:6E:97:4F:11:4A:06:1E"), ":", ""))
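The DER leading-zero rule from the PCA model and the StringReplace()/ToLower() normalization above combine into the following check. It is an added example, not IDaaS code, and it assumes only what this page states: that cert.serialNumber holds the lowercase hex of the DER INTEGER contents, with a 00 prepended when the first byte's top bit is set. Given a serial typed in any common display form, it derives the value the engine will hold and reports whether the documented Equals() expression would match; in particular it flags the case the page warns about, a serial such as dd0ec2ccc305a652 typed without the leading 00.

```python
def der_serial_hex(serial: int) -> str:
    """Lowercase hex of the DER INTEGER contents for a non-negative serial.
    A 0x00 byte is prepended when the first byte's top bit is set, which is
    exactly the form this page documents for cert.serialNumber."""
    if serial < 0:
        raise ValueError("X.509 serial numbers are non-negative")
    raw = serial.to_bytes(max(1, (serial.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:               # would read as negative without the pad byte
        raw = b"\x00" + raw
    return raw.hex()                # bytes.hex() is lowercase with no separators


def expression_form(typed: str) -> str:
    """What StringReplace(ToLower(typed), ":", "") yields inside the expression."""
    return typed.lower().replace(":", "")


def expected_field_value(typed: str) -> str:
    """Re-derive cert.serialNumber from a serial typed in any common display
    form (with or without colons, upper or lower case, with or without 00)."""
    return der_serial_hex(int(expression_form(typed), 16))


def serial_check_matches(typed: str) -> bool:
    """Would Equals(cert.serialNumber, StringReplace(ToLower("<typed>"), ":", ""))
    hold for the certificate that carries this serial?"""
    return expression_form(typed) == expected_field_value(typed)


if __name__ == "__main__":
    # Constructed inputs: the page's two example serials in several display forms.
    for typed in ("6D:5A:28:16:AF:46:7F:40:D3:8B:E7:28:0F:6E:97:4F:11:4A:06:1E",
                  "dd0ec2ccc305a652", "00:dd:0e:c2:cc:c3:05:a6:52"):
        print(typed, "->", expected_field_value(typed), serial_check_matches(typed))
```

The second input prints False: the stored value is 00dd0ec2ccc305a652, so an Equals() against the serial typed without its leading 00 never matches. Type the serial in the form expected_field_value() returns, or paste that return value into the expression.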

OIDC

*Scenario: Validate a Kubernetes service account (Kubernetes Mode)*

Syntax: And(Equals(jwt.claims.'kubernetes.io'.namespace, "<ns>"), Equals(jwt.claims.'kubernetes.io'.serviceaccount.name, "<sa>"), Equals(jwt.sub, "system:serviceaccount:<ns>:<sa>"))

// Auto-generated when Kubernetes Mode is selected with namespace "test" and service account "test".
And(
  Equals(jwt.claims.'kubernetes.io'.namespace, "test"),
  Equals(jwt.claims.'kubernetes.io'.serviceaccount.name, "test"),
  Equals(jwt.sub, "system:serviceaccount:test:test")
)

*Scenario: Validate a subject identity (Subject Identity Mode)*

Syntax: Equals(jwt.sub, "<subject-url>")

// Auto-generated when Subject Identity Mode is selected with subject "https://sub.example.com".
Equals(jwt.sub, "https://sub.example.com")

*Scenario: Validate a standard claim field (Claims Field Expression Validation Mode)*

Syntax: Equals(jwt.<field>, "<value>") or Equals(jwt.claims.<custom-field>, "<value>")

// Validate the jti field.
Equals(jwt.jti, "test_XXX")

// Validate a custom claim field named "customValue".
Equals(jwt.claims.customValue, "XXX")

*Scenario: Validate the audience claim*

The aud claim is an array. Access each value by index.

Syntax (single value): Equals(jwt.aud[0], "<audience>")

Syntax (multiple values): Or(Equals(jwt.aud[0], "<audience1>"), Equals(jwt.aud[1], "<audience2>"))

// Single audience value:
Equals(jwt.aud[0], "example_aud")

// Multiple audience values — passes if at least one matches:
Or(Equals(jwt.aud[0], "https://example.com"), Equals(jwt.aud[1], "https://example2.com"))
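The field-access syntax described under Key concepts (dot paths, single-quoted keys such as 'kubernetes.io', and [index] access on aud), the Kubernetes Mode expression, and the audience checks above can be exercised offline with the following small evaluator. It is an added example, not the IDaaS expression engine: it implements only the access rules and the functions this page documents (Equals, And, Or, StringReplace, ToLower), the sample model is constructed, and what happens on a missing field is this example's choice (evaluate raises, deny_on_missing treats the condition as False), since the page does not state what the engine does in that case.

```python
import re

# Token classes of this page's syntax: 'quoted keys' (for names containing . - _),
# "string literals", list indexes, plain names, and punctuation.
TOKEN_RE = re.compile(r"""\s*(?:(?P<str>"[^"]*")|(?P<quoted>'[^']*')|(?P<num>\d+)
                      |(?P<ident>[A-Za-z][A-Za-z0-9]*)|(?P<punct>[().,\[\]]))""", re.VERBOSE)

FUNCS = {  # the functions this page uses, with the semantics it describes
    "Equals": lambda a, b: a == b,
    "And": lambda *args: all(args),
    "Or": lambda *args: any(args),
    "StringReplace": lambda s, old, new: s.replace(old, new),
    "ToLower": lambda s: s.lower(),
}

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError(f"bad input at offset {pos}: {text[pos:pos + 10]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens

def step(value, key, trail):
    """One hop of a dot path: a dict key or a list index; anything else is absent."""
    trail.append(str(key))
    if isinstance(value, dict) and key in value:
        return value[key]
    if isinstance(value, list) and isinstance(key, int) and key < len(value):
        return value[key]
    raise LookupError("field not present: " + ".".join(trail))

def evaluate(text, model):
    """Evaluate one expression; `model` maps the prefixes client/jwt/cert/pkcs7 to nested data."""
    toks, i = tokenize(text), 0
    def at(kind, value=None, ahead=0):           # inspect the current (or next) token
        j = i + ahead
        return j < len(toks) and toks[j][0] == kind and value in (None, toks[j][1])

    def take(kind=None, value=None):             # consume one token, optionally checked
        nonlocal i
        if i >= len(toks) or (kind and not at(kind, value)):
            raise SyntaxError(f"expected {value or kind or 'a token'} at token {i}")
        i += 1
        return toks[i - 1]

    def expr():
        if at("str"):                            # "literal"
            return take()[1][1:-1]
        if at("ident", "true") or at("ident", "false"):
            return take()[1] == "true"
        if at("ident") and at("punct", "(", ahead=1):   # Function(arg, ...)
            func = FUNCS[take()[1]]              # KeyError for a function not on this page
            take("punct", "(")
            args = []
            while not at("punct", ")"):
                args.append(expr())
                if at("punct", ","):
                    take()
            take("punct", ")")
            return func(*args)
        return path()

    def path():                                  # e.g. jwt.claims.'kubernetes.io'.namespace
        value, trail = model, []
        while True:
            tok = take()
            if tok[0] not in ("ident", "quoted"):
                raise SyntaxError(f"expected a field name, got {tok[1]!r}")
            value = step(value, tok[1].strip("'"), trail)
            while at("punct", "["):              # jwt.aud[0]
                take()
                value = step(value, int(take("num")[1]), trail)
                take("punct", "]")
            if not at("punct", "."):
                return value
            take()

    result = expr()
    if i != len(toks): raise SyntaxError("trailing input after expression")
    return result

def deny_on_missing(text, model):
    """Policy wrapper: a condition that names an absent field evaluates to False."""
    try:
        return bool(evaluate(text, model))
    except LookupError:
        return False

# Constructed sample model shaped like the page's Kubernetes Mode scenario (invented values).
SAMPLE_MODEL = {
    "jwt": {"sub": "system:serviceaccount:test:test",
            "aud": ["https://example.com", "https://example2.com"],
            "claims": {"kubernetes.io": {"namespace": "test", "serviceaccount": {"name": "test"}}}},
    "pkcs7": {"payload": {"jsonData": {"instance-id": "i-456"}}},
}

KUBERNETES_MODE_EXPR = """And(Equals(jwt.claims.'kubernetes.io'.namespace, "test"),
  Equals(jwt.claims.'kubernetes.io'.serviceaccount.name, "test"),
  Equals(jwt.sub, "system:serviceaccount:test:test"))"""
```

evaluate(KUBERNETES_MODE_EXPR, SAMPLE_MODEL) returns True, and evaluate("pkcs7.payload.jsonData.'instance-id'", SAMPLE_MODEL) returns "i-456". The deny_on_missing wrapper is the behaviour to want from a trust check: a token that lacks the 'kubernetes.io' claim, or an aud array shorter than the index used, should fail closed rather than error out.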

PKCS#7

*Scenario: Validate by ECS instance ID — Alibaba Cloud PKCS#7 (Specify ECS Instance Mode)*

Syntax: Or(Equals(pkcs7.payload.jsonData.'instance-id', "<id1>"), Equals(pkcs7.payload.jsonData.'instance-id', "<id2>"))

// Auto-generated when instance IDs "i-123" and "i-456" are specified.
Or(
  Equals(pkcs7.payload.jsonData.'instance-id', "i-123"),
  Equals(pkcs7.payload.jsonData.'instance-id', "i-456")
)

*Scenario: Validate by EC2 instance ID — AWS PKCS#7 (Specify ECS Instance Mode)*

Syntax: Or(Equals(pkcs7.payload.jsonData.instanceId, "<id1>"), Equals(pkcs7.payload.jsonData.instanceId, "<id2>"))

Or(
  Equals(pkcs7.payload.jsonData.instanceId, "i-123"),
  Equals(pkcs7.payload.jsonData.instanceId, "i-456")
)

*Scenario: Validate by region (Signature Value Expression Validation Mode)*

Syntax: Equals(pkcs7.payload.jsonData.'region-id', "<region>")

// Validate the region-id field in an Alibaba Cloud PKCS#7 signature.
Equals(pkcs7.payload.jsonData.'region-id', "cn-hangzhou")

Appendix

Alibaba Cloud PKCS#7 fields

These fields are available in pkcs7.payload.jsonData when the federated trust source is Alibaba Cloud.

| Field | Type | Description |
| --- | --- | --- |
| instance-id | String | The ECS instance ID |
| region-id | String | The region ID |
| owner-account-id | String | The Alibaba Cloud account ID |
| audience | Object | The audience object |
| aud | String | The custom input parameter provided when obtaining an Alibaba Cloud PKCS#7 signature. Accepts only the IDaaS instance ID (format: idaas_XXX). |
| signingTime | Long | The signature time. UNIX timestamp in seconds. Use this field to validate the signature time of the PKCS#7 payload. |

AWS PKCS#7 fields

These fields are available in pkcs7.payload.jsonData when the federated trust source is Amazon Web Services.

| Field | Type | Description |
| --- | --- | --- |
| instanceId | String | The EC2 instance ID |
| region | String | The region ID |
| accountId | String | The AWS account ID |

What's next