Some of the attributes that can be referenced in a custom expression are shown below. In these examples, "Azure-SAML" is the name given to the SAML authentication server on the appliance.
Example 1: Based on group
[email protected]Azure-SAML.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/groups} = ('d699401f-9c8f-4be4-8291-af8429577196')
The value is the object ID (GUID) of the group, taken from the Azure portal. Note that the claim name is enclosed in braces and each dot inside it is escaped with a backslash, exactly as shown. Azure AD sends group object IDs in this claim unless the enterprise application is configured to emit group names instead, and if the user belongs to more than 150 groups the SAML token carries a group overage claim in place of the list, so a group-based rule will not match for that user.
Example 2: Based on object id
userAttr.{http://schemas\.microsoft\.com/identity/claims/objectidentifier} = ('da1a21cb-1162-42f4-892e-b93cc6a95395')
The value is the object ID (GUID) of the user, taken from the Azure portal. Matching on the object ID rather than on a display name or e-mail address is preferable, since the object ID does not change when the user is renamed.
Example 3: Based on user
[email protected]Azure-SAML = "[email protected]" or [email protected] = "*"
Here Azure-SAML is again the authentication server name. The second clause compares the user against "*", which is a wildcard that matches any user name, so a rule that includes it as an "or" alternative is true for every authenticated user; keep that clause only when the role is meant for everyone.
Example 4: Using samlMultiValAttr
samlMultiValAttr.userPrincipalName = '[email protected]'
samlMultiValAttr.mail = '[email protected]'
samlMultiValAttr.postalCode = '100011'
samlMultiValAttr is used for SAML attributes that can carry more than one value, referenced by the attribute name the IdP puts in the assertion. The string literal is compared as typed, so use matching straight quotes and do not pad the value with spaces inside the quotes.
If you receive an expression error, or want to check which attribute names and values the IdP actually sends before writing a rule, take a policy trace and review the policy trace log file.
Navigate to Maintenance >> Troubleshooting >> Policy Tracing, then:
1. Enter the user name (generally in e-mail address format; use whatever form the user signs in with) and select the realm name.
2. Check the first three check boxes.
3. Click Start Recording, reproduce the issue, then click Stop Recording.
4. Click Update, then Save Logs As to download the trace for review.
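The following is an added example and not part of the original page or the appliance's own software: it parses the AttributeStatement of an Azure AD SAML assertion and dry-runs the matching behind Examples 1 to 4 above, so claim names and values can be checked offline before they are typed into a rule. The assertion is constructed; the user jdoe@example.com and the second group GUID are made up, while the other GUIDs are the ones used in the examples above. The user name is assumed to come from the assertion's NameID, and the matchers are a plain re-implementation of "attribute equals literal" and the "*" wildcard, not the appliance's expression engine.

```python
"""Inspect an Azure AD SAML AttributeStatement and dry-run the rule examples.
Added example: constructed assertion, stand-in matchers (not the appliance's)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OBJECTID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"
# Claim Azure AD sends instead of the group list when the user is in too many
# groups (group overage); a group-based rule cannot match in that case.
GROUPS_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed sample assertion (not captured from a real tenant). The second
# group GUID and the user jdoe@example.com are made up for this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>da1a21cb-1162-42f4-892e-b93cc6a95395</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>d699401f-9c8f-4be4-8291-af8429577196</saml:AttributeValue>
      <saml:AttributeValue>3f9c6d2e-0a1b-4c5d-8e7f-a1b2c3d4e5f6</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="userPrincipalName">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="postalCode">
      <saml:AttributeValue>100011</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the AttributeStatement.
    Multi-valued attributes such as groups keep every value."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def name_id(assertion_xml: str) -> str:
    """User name as carried in the Subject NameID (assumed login identity)."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", SAML_NS)
    return node.text if node is not None else ""


def attr_equals(attrs: dict, name: str, literal: str) -> bool:
    """True if any value of the attribute equals the literal exactly.
    No trimming: a literal typed as ' user@example.com ' never matches."""
    return literal in attrs.get(name, [])


def user_matches(username: str, pattern: str) -> bool:
    """'*' alone is a wildcard that matches every user; anything else is exact."""
    return pattern == "*" or username == pattern


def evaluate_examples(assertion_xml: str) -> dict:
    """Dry-run the four rule examples from the text against one assertion."""
    attrs = parse_attributes(assertion_xml)
    user = name_id(assertion_xml)
    return {
        "ex1_group": attr_equals(attrs, GROUPS_CLAIM, "d699401f-9c8f-4be4-8291-af8429577196"),
        "ex1_group_overage": GROUPS_OVERAGE_CLAIM in attrs and GROUPS_CLAIM not in attrs,
        "ex2_objectid": attr_equals(attrs, OBJECTID_CLAIM, "da1a21cb-1162-42f4-892e-b93cc6a95395"),
        "ex3_user_exact": user_matches(user, "jdoe@example.com"),
        "ex3_user_wildcard": user_matches(user, "*"),
        "ex4_upn": attr_equals(attrs, "userPrincipalName", "jdoe@example.com"),
        "ex4_mail_padded": attr_equals(attrs, "mail", " jdoe@example.com "),
        "ex4_postal": attr_equals(attrs, "postalCode", "100011"),
    }


if __name__ == "__main__":
    # List every claim the IdP sent, then show which example rules would fire.
    for name, values in parse_attributes(SAMPLE_ASSERTION).items():
        print(f"{name} = {values}")
    for rule, hit in evaluate_examples(SAMPLE_ASSERTION).items():
        print(f"{rule}: {hit}")
```

The printed attribute list is the same information a policy trace exposes: the exact claim names to put inside the braces and the values to compare against. The "ex4_mail_padded" entry shows why a literal with spaces inside the quotes fails, "ex3_user_wildcard" shows that the "*" clause fires for any user, and "ex1_group_overage" flags an assertion in which the group list has been replaced by the overage claim.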