Modify attributes with expressions

Expressions within mappings let you modify attributes before they are stored in Okta or sent to apps.

Expressions allow you to concatenate attributes, manipulate strings, convert data types, and more. Okta supports a subset of the Spring Expression Language (SpEL) functions. For a comprehensive list of the supported functions, see Okta Expression Language. All functions work in UD mappings.

While some functions (namely string) work in other areas of the product (SAMLAn acronym for Security Assertion Markup Language, SAML is an XML-based standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). The SAML standard addresses issues unique to the single sign-on (SSO) solution, and defines three roles: the end user, the IdP, and the SP. Here's how SAML works through Okta: SP-initiated flow: the end user requests (principally through a browser) a service from the SP. The SP requests and obtains an identity assertion from the IdP (in this case, Okta). On the basis of this assertion, the SP can decide whether or not to authorize or authenticate the service for the end user. IdP-initiated flow: with Okta as the IdP, an end user goes to the Okta browser and clicks on an app, sending a SAMLResponse to the configured SP. A session is established with the SP, and the end user is authenticated. 2.0 Template attributes and custom username formats for example), not all do.

Expressions are useful for maintaining data integrity and formats across apps. For example, you might want to use an email prefix as an username, bulk replace an email suffix, or populate attributes based on a combination of existing ones (for example, displayName = lastName, firstName).

  1. On the Okta AdminAn abbreviation of administrator. This is the individual(s) who have access to the Okta Administrator Dashboard. They control the provisioning and deprovisioning of end users, the assigning of apps, the resetting of passwords, and the overall end user experience. Only administrators have the Administration button on the upper right side of the My Applications page. Console, click Directory > Profile Editor.
  2. Select Mappings for the application, directory, or identity provider (IDPAn acronym for Identity Provider. It is a service that manages end user accounts analogous to user directories such as LDAP and Active Directory, and can send SAML responses to SPs to authenticate end users. Within this scenario, the IdP is Okta.).
  3. Enter an expression in the Choose an attribute or enter an expression field.
  4. Preface the variable name(s) with the corresponding object or profile.

a. source refers to the object on the left:

b. user refers to the Okta user profile:

  • Can only be used in the Okta to App mapping.
  • Example: user.firstName

c. appUser (implicit reference) refers to the in-context app (not Okta user profile):

  • Can only be used in the App to Okta mapping.
  • Example: appUser.firstName

d. appUserName (explicit reference) refers to a specific app by name:

  • Can be used in either Okta to App or App to Okta mappings.
  • Is used to reference an app outside the mappings.
  • Example:google.nameGivenName
  • If multiple instances of an app are configured, additional app user profiles that follow the first instance are appended with an underscore and a random string.
  • Example:google, google_<random string 1>, google_<random string 2>
  1. To find instance and variable names use the profile editor:

a. On the Okta Admin Console, click Directory > Profile Editor.

b. Select Profile for the app, directory, or IDP and note the instance and variable name.

  1. Click Save Mappings and Apply updates now.