Smart card idpUser expressions
When creating a Smart card identity provider, you must specify one of the attributes of idpuser as the value of the IdP Username field. This value is then used to look up the associated user. The IdP Username field can also contain an Okta Expression Language expression. When IdP Username contains an expression, the result of evaluating the expression is then used to match users. This page describes the process of creating and testing expressions before using them with a Smart card identity provider.
Topics
Before you begin
- Ensure that a smart card identity provider has been previously created as described in Add a Smart Card Identity Provider.
Create test attribute
A test attribute is used to create and validate the result of the expression. Using a test attribute avoids overwriting actual data.
To add a test attribute:
- Sign in to your Okta org as an admin.
- Select Directory > Profile Editor.
- In the Profile Editor pane, select the Users tab and then Identity Providers.
- Open the previously created Smart card identity provider by clicking its name.
The profile editor will open previously created identity providers profile page. - In the Attributes section, click Add Attribute.
- In the Add Attribute dialog enter:
Field Value Display name An appropriate name such as Test Attribute. Variable name An appropriate variable name such as testAttribute. - Ensure that the attribute type is string and click Save.
Develop expression
Using the previously added attribute develop an expression:
The expression must:
- Return a string.
- Evaluate to a single value.
- Match against the identity provider Match against field.
- Select Mappings or
- Select Directory > Profile Editor.
- Select Identity Providers.
- Select the previously created identity provider.
- Click Mappings.
- Enter the expression which represents the value of the attribute value.
For example to return content before at sign (@) from email address:
String.substringBefore(appuser.subjectAltNameEmail, "@")).See the Expressions for details and examples of expressions.Test examples must use appuser in place of idpuser. idpuser is not available during testing.
appuser should only be used for testing and contains all currently supported idpuser fields.
When using this expression in an identity provider always substitute idpuser for all instances of appuser. - Click Save Mappings. If required, correct any expression errors.
- In the preview section, select an appropriate user and click Enter.
- Examine the result to ensure that the expression returned the expected value. Repeat as required.
- When complete click Exit Preview.
- Copy the finished expression for use in the identity provider.
- Click Cancel.
- The test attribute can now be deleted.
Specify expression as idpUser
- In the navigation pane, select Security > Identity Providers.
- In the row containing the PIV smart card identity provider click Configure > Configure Identity Provider.
- In the IdP Username field select the current contents and paste the replacement value.
- Click Update Identity Provider.