Identity as a Service: Rules for configuring SAML Attribute Statements

Last Updated: May 28, 2025

This topic describes the rules for configuring Security Assertion Markup Language (SAML) Attribute Statements and provides configuration examples.

SAML value description

| Type | Value | Description |
| --- | --- | --- |
| Variable | user.username | The username. |
| Variable | user.displayName | The display name. |
| Variable | user.phone (expired) | The mobile phone number that does not include the country code and has expired. |
| Variable | user.phoneNumber | The mobile phone number that does not include the country code. |
| Variable | user.email | The email address. |
| Variable | user.status | The status of the user. Valid values: enabled, disabled. |
| Variable | user.primaryOrganizationalUnitId | The ID of the primary organization to which the user belongs. |
| Variable | ObjectToJsonString(user.organizationalUnits) | The information about the organization to which the user belongs. The value is a JSON array string. |
| Variable | ArrayJoin(ArrayMap(user.organizationalUnits, __item.organizationalUnitId), ",") | The IDs of the organizations to which the user belongs. The value is a JSON array string. |
| Variable | ObjectToJsonString(user.groups) | The information about the group to which the account belongs. The value is a JSON array string. |
| Variable | ArrayJoin(ArrayMap(user.groups, __item.groupId), ",") | The IDs of the groups to which the account belongs. The value is a JSON array string. |
| Variable | ArrayJoin(ArrayMap(user.groups, __item.groupExternalId), ",") | The external IDs of the groups to which the account belongs. The value is a JSON array string. |
| Variable | ObjectToJsonString(user.customFields) | The information about all extended fields. The value is a JSON array string. |
| Variable | user.customFieldMap.$fieldname$.fieldValue | The value of an extended field. |
| Variable | appUser.username | The application account. |
| Constant | | Enclose constants in double quotation marks (""). |
| Expression | | An advanced feature. You can flexibly concatenate and change values by using expressions. For more information, see Advanced expressions for account fields. |

Examples of SAML expressions

Example: user object

{
    ...
    "customFieldMap": {
        "place": {
            "fieldName": "place",
            "fieldValue": "beijing"
        },
        "age": {
            "fieldName": "age",
            "fieldValue": "18"
        }
    },
    "identityProviderUserMap": {
        "idp_m2gngriuenktdkxxxxxx": {
            "identityProviderId": "idp_m2gngriuenktdkxxxxxx",
            "identityProviderType": "ding_talk",
            "identityProviderExternalId": "corp_1234xxxxxxx",
            "identityProviderUserId": "b2ed5fc0xxxxx"
        }
    },
    "organizationalUnits": [
        {
            "organizationalUnitId": "ou_sdfadtaaxxxxxx",
            "organizationalUnitName": "AD",
            "primary": false
        },
        {
            "organizationalUnitId": "ou_werttxxxxxx",
            "organizationalUnitName": "name_002",
            "primary": true
        }
    ],
    "primaryOrganizationalUnitId": "ou_werttxxxxxx",
    "customFields": [
        {
            "fieldName": "place",
            "fieldValue": "beijing"
        },
        {
            "fieldName": "age",
            "fieldValue": "18"
        }
    ],
    "groups": [
        {
            "groupId": "group_jp6al4sn4n4wjgjxxxxxx",
            "groupName": "group1",
            "groupExternalId": "group_jp6al4sn4n4wjgjxxxxxx"
        },
        {
            "groupId": "group_vavikcxewkf5h3oxxxxxx",
            "groupName": "group2",
            "groupExternalId": "group_vavikcxewkf5h3oxxxxxx"
        }
    ],
    ...
}

Configuration example of SAML interface

[Image: configuration example of the SAML interface]

Example of SAML parsing results

  1. The SAML response contains the following attribute when the organizationalUnits field in Attribute Statements is evaluated with the ObjectToJsonString(user.organizationalUnits) expression.

    <saml2:Attribute Name="organizationalUnits" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
        [{"organizationalUnitId":"ou_sdfadtaaxxxxxx","organizationalUnitName":"AD","primary":false},{"organizationalUnitId":"ou_werttxxxxxx","organizationalUnitName":"name_002","primary":true}]
      </saml2:AttributeValue>
    </saml2:Attribute>

  2. The SAML response contains the following attribute when the organizationalUnitIds field in Attribute Statements is evaluated with the ArrayJoin(ArrayMap(user.organizationalUnits, __item.organizationalUnitId), ",") expression.

    <saml2:Attribute Name="organizationalUnitIds" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
        ou_sdfadtaaxxxxxx,ou_werttxxxxxx
      </saml2:AttributeValue>
    </saml2:Attribute>

  3. The SAML response contains the following attribute when the groups field in Attribute Statements is evaluated with the ObjectToJsonString(user.groups) expression.

    <saml2:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
        [{"groupId":"group_jp6al4sn4n4wjgjxxxxxx","groupName":"group1","groupExternalId":"group_jp6al4sn4n4wjgjxxxxxx"},{"groupId":"group_vavikcxewkf5h3oxxxxxx","groupName":"group2","groupExternalId":"group_vavikcxewkf5h3oxxxxxx"}]
      </saml2:AttributeValue>
    </saml2:Attribute>

  4. The SAML response contains the following attribute when the groupIds field in Attribute Statements is evaluated with the ArrayJoin(ArrayMap(user.groups, __item.groupId), ",") expression.

    <saml2:Attribute Name="groupIds" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
        group_jp6al4sn4n4wjgjxxxxxx,group_vavikcxewkf5h3oxxxxxx
      </saml2:AttributeValue>
    </saml2:Attribute>

  5. The SAML response contains the following attribute when the groupExternalIds field in Attribute Statements is evaluated with the ArrayJoin(ArrayMap(user.groups, __item.groupExternalId), ",") expression.

    <saml2:Attribute Name="groupExternalIds" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
        group_jp6al4sn4n4wjgjxxxxxx,group_vavikcxewkf5h3oxxxxxx
      </saml2:AttributeValue>
    </saml2:Attribute>

  6. The SAML response contains the following attribute when the groupIdArray field in Attribute Statements is evaluated with the SamlArray(ArrayMap(user.groups, __item.groupId)) expression.

    <saml2:Attribute Name="groupIdArray" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
        group_jp6al4sn4n4wjgjxxxxxx
      </saml2:AttributeValue>
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
        group_vavikcxewkf5h3oxxxxxx
      </saml2:AttributeValue>
    </saml2:Attribute>

  7. The SAML response contains the following attribute when the customFields field in Attribute Statements is evaluated with the ObjectToJsonString(user.customFields) expression.

    <saml2:Attribute Name="customFields" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
        [{"fieldName":"place","fieldValue":"beijing"},{"fieldName":"age","fieldValue":"18"}]
      </saml2:AttributeValue>
    </saml2:Attribute>

  8. The SAML response contains the following attribute when the age field in Attribute Statements is evaluated with the user.customFieldMap.age.fieldValue expression.

    <saml2:Attribute Name="age" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">
        18
      </saml2:AttributeValue>
    </saml2:Attribute>
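
The following is an added example, not part of the original documentation or of the IDaaS product: a service provider normalizing the three group encodings shown above (JSON array string, comma-joined string, and multiple AttributeValue elements) into one set of group IDs, so that authorization checks use exact matching. The sample statement, the group IDs, the attribute names, and the function names are constructed for illustration, and the assertion is assumed to have passed signature validation already.

```python
import json
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample (not from the page): the same two groups sent in the three
# encodings shown above. Assumes the assertion's signature was already verified.
SAMPLE = """<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="groups"><saml2:AttributeValue>
    [{"groupId":"group_aaa","groupName":"g1"},{"groupId":"group_bbb","groupName":"g2"}]
  </saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="groupIds"><saml2:AttributeValue>
    group_aaa,group_bbb
  </saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="groupIdArray">
    <saml2:AttributeValue> group_aaa </saml2:AttributeValue>
    <saml2:AttributeValue> group_bbb </saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>"""


def attribute_values(statement_xml, name):
    """Whitespace-stripped text of every AttributeValue under the named Attribute."""
    root = ET.fromstring(statement_xml)
    for attr in root.iterfind("saml2:Attribute", NS):
        if attr.get("Name") == name:
            return [(v.text or "").strip()
                    for v in attr.iterfind("saml2:AttributeValue", NS)]
    return []


def group_ids(statement_xml, name, encoding):
    """Normalize one attribute to a set of group IDs; unknown encodings are rejected."""
    values = attribute_values(statement_xml, name)
    if encoding == "json":        # ObjectToJsonString(user.groups)
        ids = [g["groupId"] for v in values for g in json.loads(v)]
    elif encoding == "joined":    # ArrayJoin(ArrayMap(user.groups, __item.groupId), ",")
        ids = [part.strip() for v in values for part in v.split(",")]
    elif encoding == "multi":     # SamlArray(ArrayMap(user.groups, __item.groupId))
        ids = values
    else:
        raise ValueError(f"unsupported encoding: {encoding!r}")
    return frozenset(i for i in ids if i)   # drop empties: a missing group grants nothing


def is_member(ids, required_group):
    """Exact set membership; a substring test on the raw joined string would over-match."""
    return required_group in ids
```

The AttributeValue text in the responses above carries surrounding whitespace and line breaks, which is why every value is stripped before comparison.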