Some of the attributes are shown below. "Azure-SAML" below is the name of the SAML auth server.
Example 1: Based on group
samlMultiValAttr@Azure-SAML.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/groups} = ('d699401f-9c8f-4be4-8291-af8429577196')
The value is the group ID taken from the Azure portal.
Example 2: Based on object id
userAttr.{http://schemas\.microsoft\.com/identity/claims/objectidentifier} = ('da1a21cb-1162-42f4-892e-b93cc6a95395')
The value is the object ID taken from the Azure portal.
Example 3: Based on user
user@Azure-SAML = "user@pulsesecure.net" or user@Azure-SAML = "*"
Where Azure-SAML is the Realm Name
Example 4: Using samlMultiValAttr to define
samlMultiValAttr.userPrincipalName = 'user@pulsesecure.net'
samlMultiValAttr.mail = 'user@pulsesecure.net'
samlMultiValAttr.postalCode = '100011'
If you are receiving an expression error, or need to check which attributes to define, take a policy trace and save the policy trace log file for review.
Navigate to Maintenance >> Troubleshooting >> Policy Tracing >> Enter the username (generally it would be in email address format or enter the appropriate one), Realm name >> Check the first three check boxes >> Start recording >> Replicate the issue >> Stop recording >> Update >> Save logs as.
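To see which attribute names and values an assertion carries and how they would be written in the forms of Examples 1 and 2, the following added example (not part of the original article or of the product) parses a constructed SAML AttributeStatement and prints one expression per value. The function names, the all-zero group ID, and the rule "multi-valued attribute uses samlMultiValAttr@server, single-valued uses userAttr" are assumptions taken from those two examples.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: names and IDs copied from Examples 1 and 2;
# the all-zero group ID is a placeholder.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
    <saml:AttributeValue>d699401f-9c8f-4be4-8291-af8429577196</saml:AttributeValue>
    <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
    <saml:AttributeValue>da1a21cb-1162-42f4-892e-b93cc6a95395</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def saml_attributes(xml_text):
    """Return {attribute name: [values]} from an AttributeStatement or assertion.

    Intended for an assertion captured from your own IdP; for untrusted XML
    use a hardened parser such as defusedxml instead of ElementTree.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def expressions(attrs, auth_server):
    """Build one custom expression per value, in the forms of Examples 1 and 2."""
    out = []
    for name, values in attrs.items():
        escaped = name.replace(".", "\\.")  # dots escaped as in the examples
        # Assumption: multi-valued -> samlMultiValAttr@<server>, single -> userAttr
        prefix = f"samlMultiValAttr@{auth_server}" if len(values) > 1 else "userAttr"
        for value in values:
            if "'" in value:  # a quote would break the quoted literal
                raise ValueError(f"unexpected quote in value for {name}")
            out.append(f"{prefix}.{{{escaped}}} = ('{value}')")
    return out


if __name__ == "__main__":
    for line in expressions(saml_attributes(SAMPLE), "Azure-SAML"):
        print(line)
```

Comparing the printed attribute names with the ones used in a failing rule shows quickly whether the rule references a claim the IdP is not sending.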