Smart card idpUser expressions

When creating a Smart card identity provider, you must specify one of the attributes of idpuser as the value of the IdP Username field. This value is then used to look up the associated user. The IdP Username field can also contain an Okta Expression Language expression. When IdP Username contains an expression, the result of evaluating the expression is then used to match users. This page describes the process of creating and testing expressions before using them with a Smart card identity provider.

Topics

Before you begin

Create test attribute

A test attribute is used to create and validate the result of the expression. Using a test attribute avoids overwriting actual data.
To add a test attribute:

  1. Sign in to your Okta org as an admin.
  2. Select DirectoryProfile Editor.
  3. In the Profile Editor pane, select the Users tab and then Identity Providers.
  4. Open the previously created Smart card identity provider by clicking its name.
    The profile editor will open previously created identity providers profile page.
  5. In the Attributes section, click Add Attribute.
  6. In the Add Attribute dialog enter:
    FieldValue
    Display nameAn appropriate name such as Test Attribute.
    Variable nameAn appropriate variable name such as testAttribute.
  7. Ensure that the attribute type is string and click Save.

Develop expression

Using the previously added attribute develop an expression:

The expression must:

  • Return a string.
  • Evaluate to a single value.
  • Match against the identity provider Match against field.

  1. Select Mappings or
    1. Select DirectoryProfile Editor.
    2. Select Identity Providers.
    3. Select the previously created identity provider.
    4. Click Mappings.
  2. Enter the expression which represents the value of the attribute value.
    For example to return content before at sign (@) from email address:
    String.substringBefore(appuser.subjectAltNameEmail, "@")).

    Test examples must use appuser in place of idpuser. idpuser is not available during testing.
    appuser should only be used for testing and contains all currently supported idpuser fields.
    When using this expression in an identity provider always substitute idpuser for all instances of appuser.

    See the Expressions for details and examples of expressions.
  3. Click Save Mappings. If required, correct any expression errors.
  4. In the preview section, select an appropriate user and click Enter.
  5. Examine the result to ensure that the expression returned the expected value. Repeat as required.
  6. When complete click Exit Preview.
  7. Copy the finished expression for use in the identity provider.
  8. Click Cancel.
  9. The test attribute can now be deleted.

Specify expression as idpUser

  1. In the navigation pane, select SecurityIdentity Providers.
  2. In the row containing the PIV smart card identity provider click ConfigureConfigure Identity Provider.
  3. In the IdP Username field select the current contents and paste the replacement value.
  4. Click Update Identity Provider.

Related topics

Add a Smart Card Identity Provider

Expressions