Adding dynamic application attributes
Dynamic application attributes are attributes which are based on an expression rather than a specific field or value. An example of a dynamic attribute might be a value representing an end user's full name, which must be constructed from other elements such as "First name", followed by a space, followed by "Last name" or something similar. Access Gateway can be used to send the result of a dynamic attribute
It's beneficial to develop and test your expression before adding a new dynamic attribute.
To develop and test a dynamic attribute:
- Sign in to your Okta org as an admin.
- Select Directory > Profile Editor.
- Select the application which requires the new dynamic attribute.
- In the attributes section, click Add Attribute.
- Add a String based attribute, entering appropriate Display and Variable names.
- Click Save.
- Click Mappings.
- Click Okta to <application name>.
- Enter the expression which represents the value of the dynamic attribute value.
For example: String.toUpperCase(user.firstName + " " + user.lastName).
See the Expressions section for details on creating expressions.
- In the preview section, select an appropriate user and click Enter.
- Examine the result.
Correct any expression errors and repeat as required.
- When complete, click Exit Preview.
- Copy the finished expression for use in the Add a new dynamic attribute section.
- Click Cancel.
- The test attribute can now be deleted.
To add a new dynamic attribute:
- Navigate to the Access Gateway Admin UI console.
- From the Topology tab or the Applications tab, open the application.
- Select the Attributes pane.
The list of known attributes for the application displays.
- Click Add in the attribute list header.
The New Attribute dialog box appears. You may need to scroll the list as new attributes are added at the bottom of the page.
- From the Data Source drop-down box, select IDP.
Computed attributes can only be used with IDP as a data source.
- From the Type drop-down box, select the appropriate target type, either Header or Cookie.
- In the Name field, enter the name for the header or cookie value expected by the protected Web Resource.
- Select the value in the Field field, and using the delete key, delete its contents.
Note: the error "This field is required" is displayed and can be ignored.
- Enter a dynamic attribute expression.
For example: String.toUpperCase(user.firstName+"_"+user.lastName)
Expressions for dynamic attributes must be added by typing the expression into the Field field and then pressing Enter.
Expressions cannot be cut and pasted into this field.
- Click Okay when complete.
You can use expressions to concatenate attributes, manipulate strings, convert data types, and more. Expressions within attribute definitions let you construct wholly new values before they are added to headers or cookies.
Okta supports a subset of Spring Expression Language (SpEL) functions.
Expressions are combinations of:
- Variables - These are the elements found in your Okta user profile, written as user followed by a field name. For example, user.firstName, user.lastName, user.email and a host of others. Note that field names are case sensitive: firstName is not the same as firstname or FirstName. For a complete list of user variables, sign in to your Okta org and navigate to Directory > Profile Master > Okta Profile.
- Operations - used to concatenate or otherwise operate on variables. In the example given "+", the plus sign, concatenates two objects together.
- Functions - used to modify or manipulate variables to achieve a desired result. In the example given, String.toUpperCase returns an all upper case version of its provided input.
For a complete list see Functions in the Okta Expression Language.
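The following Python code is an added example, not part of the Okta documentation and not Okta's evaluator. It shows how the three building blocks above (variables, the + operation, and functions) combine, and how a misspelled, case-sensitive variable name fails. It models only user.<field> variables, string literals, +, String.toUpperCase and String.toLowerCase; the sample profile is constructed, and raising an error on an unknown variable is an assumption of this example.

```python
import re

# Constructed sample profile; variable names are case sensitive.
SAMPLE_USER = {"firstName": "Ada", "lastName": "Lovelace"}
# Only these two functions are modelled in this example.
FUNCTIONS = {"String.toUpperCase": str.upper, "String.toLowerCase": str.lower}
TOKEN = re.compile(r'\s*(?:"([^"]*)"|([A-Za-z_][\w.]*)|([+()]))')

def tokenize(expr):
    expr, pos, out = expr.rstrip(), 0, []
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character at position {pos}")
        out.append((("str", "name", "op")[m.lastindex - 1], m.group(m.lastindex)))
        pos = m.end()
    return out + [("end", None)]

def evaluate(expr, user=SAMPLE_USER):
    tokens, i = tokenize(expr), 0
    def take(kind, value=None):
        nonlocal i
        tok = tokens[i]
        if tok[0] != kind or (value is not None and tok[1] != value):
            raise ValueError(f"expected {value or kind}, got {tok[1]!r}")
        i += 1
        return tok[1]
    def term():
        if tokens[i][0] == "str":              # string literal
            return take("str")
        name = take("name")
        if tokens[i] == ("op", "("):           # function call, one argument
            if name not in FUNCTIONS:
                raise ValueError(f"unsupported function {name}")
            take("op", "(")
            arg = concat()
            take("op", ")")
            return FUNCTIONS[name](arg)
        if not name.startswith("user.") or name[5:] not in user:
            raise ValueError(f"unknown variable {name}")
        return user[name[5:]]
    def concat():                              # term ("+" term)*
        value = term()
        while tokens[i] == ("op", "+"):
            take("op", "+")
            value += term()
        return value
    result = concat()
    take("end")                                # reject trailing input
    return result
```

Calling evaluate with the two expressions used on this page returns the value that would be placed in the header or cookie for the sample profile; evaluate("user.firstname") raises ValueError because the field name is misspelled.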
Testing computed attributes is most easily done using the Access Gateway sample header application.
To test an expression:
- Add an example header application by following the instructions for Add a sample header application.
- Modify the application as described in the section Add a new dynamic attribute.
- In an incognito or equivalent window, connect to Access Gateway as Admin, navigate to the test application and select Goto > SP Initiated.
- Log in as required.
- Examine the result of the computed field.
An incognito browser window is used to avoid page caching, which can in some instances cause unexpected or stale results.