


KB44530 - Defining Azure-SAML attributes with custom expressions



Last Modified Date: 7/7/2020 10:21 AM
Defining Azure SAML Attributes with custom expressions
Problem or Goal

SAML user attributes can also be mapped to roles on the PSA box. This allows more flexible and granular access control rules over the SAML subject. Configure it as follows:

  • Go to Users >> User Realms >> SAML Realm 

  • Click on Role Mapping 

  • Click on New Rule 

  • Select Custom Expressions beside Rule based on text, and click on Update 

  • Enter a name beside Name section 

  • Click on the Expressions button 

  • A new popup will be opened, with the Expressions creation procedure 

  • Enter a name in the Name section 

  • Under the Expressions Dictionary, select userAttr.<auth-attr> or samlMultiValAttr.<auth-attributes>

  • Select an operator (preferably =)

  • Click on Insert Expression 


Some of the attributes are shown below. "Azure-SAML" below is the name of the SAML auth server.

Example 1:  Based on group

[email protected]Azure-SAML.{http://schemas\.microsoft\.com/ws/2008/06/identity/claims/groups} = ('d699401f-9c8f-4be4-8291-af8429577196')    

The value is the group ID taken from the azure portal. 

Example 2: Based on object id 

userAttr.{http://schemas\.microsoft\.com/identity/claims/objectidentifier} = ('da1a21cb-1162-42f4-892e-b93cc6a95395')  

The value is the object id taken from the azure portal. 

Example 3: Based on user 

[email protected]Azure-SAML = "[email protected]" or [email protected] = "*"   

  Where Azure-SAML is the Auth Server Name 

 Example 4: Using samlMultiValAttr to define  

samlMultiValAttr.userPrincipalName = '[email protected]'

samlMultiValAttr.mail = ' [email protected] ' 

samlMultiValAttr.postalCode = '100011'  

If you are receiving an expression error, or need to check which attributes to define, take a policy trace.

Policy trace log file for review.  

Navigate to Maintenance >> Troubleshooting >> Policy Tracing >> Enter the username (generally in email address format, or whichever format applies) and the Realm name >> Check the first three check boxes >> Start recording >> Replicate the issue >> Stop recording >> Update >> Save logs as.
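When a captured SAML assertion is available, its attribute names and values can also be listed offline before writing the expression. The following is an added example, not part of the original article or any Pulse Secure tooling: it parses a constructed assertion fragment that reuses the claim names and IDs from Examples 1, 2 and 4, and the exact-match check in `rule_would_match` is an assumption for illustration, not the appliance's documented matching behaviour.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names as they appear in the article's Examples 1 and 2.
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
OBJECT_ID = "http://schemas.microsoft.com/identity/claims/objectidentifier"

# Constructed sample fragment. IDs are reused from the article's examples;
# the second group ID is made up. Inspection only: no signature is verified
# here, so never use this output for an access decision.
SAMPLE_ASSERTION = f"""
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUPS}">
      <saml:AttributeValue>d699401f-9c8f-4be4-8291-af8429577196</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-000000000001</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{OBJECT_ID}">
      <saml:AttributeValue>da1a21cb-1162-42f4-892e-b93cc6a95395</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="postalCode">
      <saml:AttributeValue> 100011 </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def list_attributes(assertion_xml):
    """Return {attribute name: [values]} for every saml:Attribute found."""
    root = ET.fromstring(assertion_xml.strip())
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        # Strip whitespace so stray padding does not hide a mismatch.
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def rule_would_match(attrs, name, expected):
    """Exact, case-sensitive membership test (assumed semantics)."""
    return expected in attrs.get(name, [])

if __name__ == "__main__":
    for name, values in list_attributes(SAMPLE_ASSERTION).items():
        kind = "multi-valued" if len(values) > 1 else "single-valued"
        print(f"{name} ({kind}): {values}")
```

Run against a real capture, the output shows the exact attribute name and value strings the identity provider sends, which can then be compared with the rule and with the policy trace.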



Created By: Syed Saqlain


