Problem Description: I had the requirement of asserting a single claim (role) to the SP based on a hierarchy of roles on my end, and the challenge was to find the right JUEL expression to do this. A user can have multiple roles in the IdP's user store, but only a single claim should be passed to the SP, based on the highest applicable role.
I could not find anything on how to use a nested JUEL expression in a SAML 2.0 partnership.
Solution:
Whenever an attribute in your user store is multi-valued, SiteMinder renders it as a single caret-delimited string, e.g. A^B^C^D, with the caret (^) as the separator.
First, I created virtual attribute mappings on the user directory object to filter for the values I wanted to test conditionally.
This is done with expressions when creating a virtual attribute mapping on the user directory object in the Administrative UI. An example is described here: Juel Expressions in SAML Assertions
I created a Virtual Attribute A to filter for the value X, B for Y, and so on. Then I arrived at the expression below, which performs a nested conditional (ternary) evaluation:
#{attr["A"] == 'X' ? 'Admin' : attr["B"] == 'Y' ? 'Exec' : attr["C"] == 'Z' || attr["D"] == 'V' ? 'Staff' : attr["L"] == 'W' ? 'Secretary' : 'NULL'}
which works like this:
If role=X pass 'Admin'
Else if role=Y pass 'Exec'
Else if role=Z or V pass 'Staff'
Else if role=W pass 'Secretary'
Else pass 'NULL'.
Two details matter here. The EL ternary operator is right-associative and || binds more tightly than ?:, so the expression evaluates top-down in exactly this order without extra parentheses, and the first true condition wins; that ordering is what implements the role hierarchy. Also, the final branch emits the literal string 'NULL', not an absent or empty attribute, so the SP must treat the value 'NULL' as "no role" (or change that branch to '' if an empty value is preferred).
The expression above fulfilled my requirement.
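The same precedence logic, written out as an added Python example so it can be tested offline; this is not part of the original post or of SiteMinder, and it only mirrors the nested ternary above. It assumes the multi-valued attribute arrives as one '^'-joined string and that X, Y, Z, V and W stand in for real group names; the function and variable names are hypothetical. It also goes slightly beyond the post by matching on whole values (so 'XY' does not satisfy the 'X' rule) and by ignoring empty tokens from a doubled or trailing caret.

```python
"""Role-precedence mapping over a multi-valued SiteMinder attribute.

Added example, not the post's own code. Assumptions (not facts from the
post): the attribute reaches the expression as a single '^'-delimited
string, and the role values X, Y, Z, V, W are placeholders for real groups.
"""
from typing import Optional, Sequence, Tuple, Set

# Ordered from highest to lowest precedence. The first matching entry wins,
# exactly as the first true branch of the nested ternary wins.
ROLE_PRECEDENCE: Sequence[Tuple[str, Set[str]]] = [
    ("Admin", {"X"}),
    ("Exec", {"Y"}),
    ("Staff", {"Z", "V"}),
    ("Secretary", {"W"}),
]


def split_multivalued(raw: str) -> Set[str]:
    """Split the caret-delimited rendering into a set of exact values.

    Empty tokens are dropped so 'X^^Y' or a trailing caret does not
    produce a phantom empty role.
    """
    return {v for v in raw.split("^") if v}


def highest_role(raw: str, precedence=ROLE_PRECEDENCE) -> Optional[str]:
    """Return the single claim value for the SP, or None if nothing matched.

    Matching is on whole values: 'XY' must not satisfy the 'X' rule, which
    is why values are compared as set members rather than as substrings.
    """
    values = split_multivalued(raw)
    for claim, triggers in precedence:
        if values & triggers:
            return claim
    return None


def claim_for_assertion(raw: str) -> str:
    """Mirror the post's expression exactly, including its fallback: the
    JUEL version emits the literal string 'NULL', not an absent attribute."""
    return highest_role(raw) or "NULL"


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real user store.
    for sample in ["W^Z^Y", "V^W", "XY^W", "", "X^Y^Z^V^W", "X^^Y^"]:
        print(f"{sample!r:14} -> {claim_for_assertion(sample)}")
```

Running the script prints one line per constructed sample; the order of ROLE_PRECEDENCE is the only thing that decides which claim is emitted, so reordering that list is the equivalent of reordering the branches in the JUEL expression.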
This is a nice article, Raghav. I had a similar use case and did not want to write an AGP, as it is more development effort; instead I was struggling to write an expression because of our custom requirement. JUEL is always helpful in these kinds of scenarios, and your article gives the right information on how we can make the most of JUEL expressions.
I hope that in 12.7 CA has fixed the text limit in the Expression field so that we can write larger expressions.