Raghav Nijhara

Creating a Nested JUEL Expression to pass a Single role to the SP based on a hierarchy

Blog Post created by Raghav Nijhara on Feb 9, 2018

Problem Description: I had the requirement of asserting a single claim (role) to the SP based on a hierarchy of roles on my end, and the challenge was to find the right JUEL expression to do this. A user can have multiple roles in the IdP's user store, but only a single claim should be passed to the SP, based on the highest applicable role.


I could not find anything on how to use a nested JUEL expression in a SAML 2.0 partnership.


Now, whenever you have an attribute in your user store which is multi-valued Siteminder will render it as A^B^C^D with the caret (^).  


First off I created virtual attribute mappings on the user directory object to filter for values to leverage conditionally.  



This is done by using expressions while creating a virtual attribute mapping in your user directory object on the admin UI. An example is described here: Juel Expressions in SAML Assertions


I created a Virtual Attribute A to filter for the value X, B for Y, and so on. Then I arrived at the expression below, which performs a nested conditional (ternary) evaluation, first match wins:


#{attr["A"] == 'X' ? 'Admin' : attr["B"] == 'Y' ? 'Exec' : attr["C"] == 'Z' || attr["D"] == 'V' ? 'Staff' : attr["L"] == 'W' ? 'Secretary' : 'NULL'}


which works like... 


If role=X pass 'Admin'

Else if role=Y pass 'Exec'

Else if role=Z or V pass 'Staff'

Else if role=W pass 'Secretary'

Else pass the literal string 'NULL'.


The expression above fulfilled my requirement.
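The following is an added example and is not part of the original post or of SiteMinder itself. It models the behaviour described above in JavaScript, whose conditional operator has the same grammar and precedence rules as JUEL's (right-associative ?:, with || binding tighter than ?:), so the post's expression can be transcribed almost verbatim. The caret splitting reproduces the A^B^C^D rendering of a multi-valued attribute, and virtualAttrs is a hypothetical stand-in for the virtual attribute mappings A, B, C, D and L; the marker values X, Y, Z, V and W are the post's own placeholders. The sample attribute strings are constructed for the example.

```javascript
// Added example (not from the original post): evaluate the post's role
// hierarchy the way the JUEL expression does, and cross-check it against
// an explicit if/else chain.

// SiteMinder renders a multi-valued attribute as caret-separated values.
function splitMultiValued(raw) {
  return raw ? raw.split('^') : [];
}

// Hypothetical stand-in for the virtual attribute mappings A..D and L:
// each one yields its marker value when the user's attribute contains it,
// otherwise an empty string. X, Y, Z, V, W are the post's placeholders.
function virtualAttrs(raw) {
  const values = splitMultiValued(raw);
  const has = (v) => (values.includes(v) ? v : '');
  return { A: has('X'), B: has('Y'), C: has('Z'), D: has('V'), L: has('W') };
}

// The post's JUEL expression transcribed into JavaScript. Because ?: is
// right-associative and || binds tighter than ?:, this parses as
// A ? Admin : (B ? Exec : ((C || D) ? Staff : (L ? Secretary : 'NULL')))
// i.e. an ordered first-match chain, which is what encodes the hierarchy.
function roleViaTernary(attr) {
  return attr["A"] == 'X' ? 'Admin'
       : attr["B"] == 'Y' ? 'Exec'
       : attr["C"] == 'Z' || attr["D"] == 'V' ? 'Staff'
       : attr["L"] == 'W' ? 'Secretary'
       : 'NULL';
}

// The same hierarchy written out explicitly, used to confirm the ternary
// chain evaluates in the intended order.
function roleViaChain(attr) {
  if (attr.A === 'X') return 'Admin';
  if (attr.B === 'Y') return 'Exec';
  if (attr.C === 'Z' || attr.D === 'V') return 'Staff';
  if (attr.L === 'W') return 'Secretary';
  return 'NULL';
}

// Claim value the IdP would place in the assertion for a raw attribute.
function claimFor(raw) {
  return roleViaTernary(virtualAttrs(raw));
}

// Note for the relying side: the fall-through value is the string 'NULL',
// not an absent attribute. An SP that maps role names to permissions should
// treat it as "no role" rather than as a role literally named NULL.
function roleIsUsable(claim) {
  return claim !== 'NULL' && claim !== '';
}

// Constructed sample attribute values (user holds several roles at once).
const samples = ['W^Z^X', 'Z^W', 'V', 'Y^V', 'W', 'Q', ''];
for (const raw of samples) {
  console.log(JSON.stringify(raw), '->', claimFor(raw));
}
```

Running it prints the single claim chosen for each constructed user; a user holding W, Z and X receives only 'Admin', which is the "highest applicable role" behaviour the post wants. The two evaluation functions agree on every input, which is the point worth verifying before relying on a long nested ternary in production.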