3.5.2.2 Assignments with template strings

Set the mapping rules between the external IdP and Ops I in the [Identity Provider Mapping] window. Assigning values with template strings lets you specify mapping targets even when the groups, roles, and attributes in Ops I do not exactly match the values of the conditions, claims (for OIDC), or attributes (for SAML) received from the IdP. You can therefore cover several conditions with one mapping instead of registering a separate mapping for each.

This section describes the following items:

(1) Description rules and examples
(2) Errors in template description
(3) Common mistakes


(1) Description rules and examples

When assigning values by using template strings, you can use directives, output expressions, conditional expressions, operators, string functions, and sequence functions.
In the following, “var” represents a variable, “str” represents a string, and “list” represents a sequence.

[Directives]

The available directives are as follows:

(Table) Available directives

Directive Description Example
<#-- Comment --> Writing a comment <#-- Comment -->
<#if>...</#if> or <#if>...<#elseif>...<#else>...</#if> Conditional branching <#if>...<#elseif>...<#else>...</#if>
<#assign var = "A"> Defines the variable <#assign var = "A">
<#list items as item>...</#list> Defines individual processing for values in a list <#list items as item>...</#list>

[Output expressions]

The available output expressions are as follows:

(Table) Available output expressions

Output expression Description Example
${} Outputs the value of a variable or expression ${var}

[Conditional expressions]

The available conditional expressions are as follows:

(Table) Available conditional expressions

Conditional expression Description Example
var?? Checks whether the variable exists var??
var?has_content Checks whether the variable exists and whether its value is not empty var?has_content

[Operators]

The available operators are as follows:

(Table) Available operators

Operator Description Example
== Equal to ==
! Negation !
!= Not equal !=
|| Or ||
&& And &&
lt <(Less than) lt
lte <=(Equal to or less than) lte
gt >(Greater than) gt
gte >=(Equal to or greater than) gte

[String functions]

The available string functions are as follows:

(Table) Available string functions

String function Description Example
str?c_lower_case Converts to lowercase str?c_lower_case
str?c_upper_case Converts to uppercase str?c_upper_case
str?replace("A", "B") Replaces string A with string B str?replace("A", "B")
str?split("A") Splits the specified string at A, and outputs as a list str?split("A")
str?date("yyyy-MM-dd") Converts the string to a date in the given format; the result can be compared with lt, lte, gt, or gte str?date("yyyy-MM-dd")
str?number Converts the string to a numeric type str?number
str?trim Deletes the leading and trailing spaces str?trim
str?contains("A") Checks whether the string contains A str?contains("A")
str?starts_with("A") Checks whether the string starts with A str?starts_with("A")
str?ends_with("A") Checks whether the string ends with A str?ends_with("A")
str?matches("A") Checks whether the whole string matches the regular expression A str?matches("A")

[Sequence (array, list) functions]

The available sequence functions are as follows:

(Table) Available sequence functions

Sequence function Description Example
list?seq_contains("A") Checks whether the sequence contains specific element A list?seq_contains("A")
list?join("A") Combines sequence elements with A, and outputs a single string list?join("A")

[authn_info]

When you refer to information from the external IdP, use authn_info, which holds the information received from the external IdP.
The user information available in authn_info, and how you reference it, differ between SAML and OIDC:

①For SAML:

  • You can use the information contained in the SAML attributes.
  • Each attribute is an array, so specify which element to reference by using an index.
Example: When the external IdP's "preferred_username" information is equal to "test_user"
<#if authn_info["preferred_username"][0]=="test_user">
Tips
Because the order in which the external IdP stores attribute values is not guaranteed, we recommend that you test membership with ?seq_contains() rather than relying on an index.

②For OIDC:

  • You can use the claims included in the ID token or in the user information obtained from the UserInfo endpoint.
Example: When the external IdP's "preferred_username" information is equal to "test_user"
<#if authn_info["preferred_username"]=="test_user">

In both cases the template trusts the values exactly as the IdP sends them. Assign privileged roles only from claims or attributes that the IdP administrator controls (such as group membership), not from fields that users can edit themselves (such as a display name or department).

Notes

  • When assigning "Customer" as a user attribute, output the customer ID, not the customer name.
  • Do not create multiple mapping configurations for a single attribute.
    Because the mapping order is indeterminate, the attribute might not end up with the intended value.
  • Specify nested keys by using bracket notation.
    Example: ["upper-level key"]["lower-level key"]
  • You can assign multiple groups and multiple roles; output one value per line. A user attribute takes exactly one value, so never output more than one value for it.
  • The maximum number of characters that can be specified in a template is 10,000.
  • The maximum number of characters that a template can output is 10,000. If more than 10,000 characters are output, an error message appears and the user cannot log in. If this happens, the Ops I security administrator must review and correct the template string, paying particular attention to <#list> loops.
  • Leading and trailing spaces in the output are removed.
  • Inside a directive, enclose strings in double quotation marks (") or single quotation marks (').
  • Outside a directive, do not enclose strings in quotation marks: the quotation marks become part of the output value, so the value no longer matches the intended role, group, or attribute.
  • A value returned from authn_info may be a string even when it looks numeric; numeric operators are not available on a string, so convert it with ?number first. The conversion fails at login time if the string is not numeric, so check the value with ?matches("^[0-9]+$") beforehand unless the IdP guarantees a number.
  • Do not use the output expression "${}" inside a directive; reference the variable directly instead.


[Statement examples]

The following shows examples using directives, output expressions, conditional expressions, operators, string functions, and sequence functions:


<#-- Comment -->

Adding the comment "Output the role with a line break" to a block that outputs the roles:

<#-- Output the role with a line break -->
<#if authn_info["role"]??>
    ${authn_info["role"]?join("\n")}
</#if>

<#if>...<#elseif>...<#else>...</#if>

Assigning the “adminGroup1” role when the external IdP’s “id” is “1”, “adminGroup2” when the external IdP’s “id” is “2”, and “customerGroup” for all other cases

<#if authn_info["id"] == "1">
    adminGroup1
<#elseif authn_info["id"] == "2">
    adminGroup2
<#else>
    customerGroup
</#if>

<#assign var = "A">

Assigning the “portal_subscriber” role when the external IdP’s “department” is not the string “abc”

<#assign condition1 = authn_info["department"] == "abc">

<#if !condition1>
    portal_subscriber
</#if>

<#list items as item>...</#list>

Checking each entry of the external IdP's "role" list, and assigning "user_admin" and "customer_admin" when an entry contains "admin"

<#list authn_info["role"] as rolename>
    <#if rolename?contains("admin")>
        user_admin
        customer_admin
    </#if>
</#list>

${}

Assigning the “email” information as is when the “email” information on the external IdP side is not empty

<#if authn_info["email"]?has_content>
    ${authn_info["email"]}
</#if>

var??

Assigning the "idp_user" group whenever authn_info exists, that is, whenever the user logged in through the external IdP

<#if authn_info??>
    idp_user
</#if>

var?has_content

Assigning the “email” information as is when the “email” information on the external IdP side is not empty

<#if authn_info["email"]?has_content>
    ${authn_info["email"]}
</#if>

==

Assigning the “portal_subscriber” role when “customer.group” in “groups” of the external IdP is the string “portal”

<#if authn_info["groups"]["customer.group"] == "portal">
    portal_subscriber
</#if>

!

Assigning the “portal_subscriber” role when the external IdP’s “department” is not the string “abc”

<#assign condition1 = authn_info["department"] == "abc">

<#if !condition1>
    portal_subscriber
</#if>

!=

Assigning the “customer_group” group when the external IdP’s “customer” is not the string “123”

<#if authn_info["customer"] != "123">
    customer_group
</#if>

||

Assigning the “portal_author” role when the external IdP’s “groups” list contains “group 1” or the “role” list contains “author”

<#if authn_info["groups"]?seq_contains("group 1") || authn_info["role"]?seq_contains("author")>
    portal_author
</#if>

&&

Assigning the “portal_site_admin” role when the external IdP’s “groups” list contains “group 2” and the “email” information is “abc.com”

<#if authn_info["groups"]?seq_contains("group 2") && authn_info["email"] == "abc.com">
    portal_site_admin
</#if>

lt

When the string-type “customer (customer code)” of the external IdP is a numeric value, converting it to numeric type, and assigning the “customer_group” group if the value is less than 2000

<#if authn_info["customer"]?number lt 2000>
    customer_group
</#if>

lte

When the string-type “customer (customer code)” of the external IdP is a numeric value, converting it to numeric type, and assigning the “customer_group” group if the value is 2000 or less

<#if authn_info["customer"]?number lte 2000>
    customer_group
</#if>

gt

When the string-type “customer (customer code)” of the external IdP is a numeric value, converting it to numeric type, and assigning the “customer_group” group if the value is greater than 2000

<#if authn_info["customer"]?number gt 2000>
    customer_group
</#if>

gte

When the string-type “customer (customer code)” of the external IdP is a numeric value, converting it to numeric type, and assigning the “customer_group” group if the value is 2000 or greater

<#if authn_info["customer"]?number gte 2000>
    customer_group
</#if>

str?c_lower_case

Converting the external IdP’s “username” to lowercase, and assigning the “customer_admin” role when the value is equal to “hitachi_taro”

<#if authn_info["username"]?c_lower_case == "hitachi_taro">
    customer_admin
</#if>

str?c_upper_case

Converting the external IdP’s “username” to uppercase, and assigning the “customer_admin” role when the value is equal to “HITACHI_TARO”

<#if authn_info["username"]?c_upper_case == "HITACHI_TARO">
    customer_admin
</#if>

str?replace("A", "B")

Assigning a role with a name where the “hitachi” part of the name is replaced with “test” when “customer.group” in “groups” of the external IdP contains the string “hitachi”

<#if authn_info["groups"]["customer.group"]?contains("hitachi")>
    ${authn_info["groups"]["customer.group"]?replace("hitachi", "test")}
</#if>

str?split("A")

Assigning the first space-separated part of the external IdP's "name" information (treated as the surname) when "name" is not empty and contains a space

<#if authn_info["name"]?has_content && authn_info["name"]?contains(" ")>
    ${authn_info["name"]?split(" ")[0]}
</#if>

str?date("yyyy-MM-dd")

Assigning the “century_group” group when the external IdP’s date of birth information (stored in yyyy-MM-dd format) is earlier than January 1, 2000

<#if authn_info["birthday"]?date("yyyy-MM-dd") lt "2000-01-01"?date("yyyy-MM-dd")>
    century_group
</#if>

str?number

When the string-type “customer (customer code)” of the external IdP is a numeric value, converting it to numeric type, and assigning the “customer_group” group if the value is greater than 2000

<#if authn_info["customer"]?number gt 2000>
    customer_group
</#if>

str?trim

Assigning the "idp_user" group when the external IdP's "customer" information is not empty and its trimmed value, converted to a number, equals 2000

<#if authn_info["customer"]?has_content && authn_info["customer"]?trim?number == 2000>
    idp_user
</#if>

str?contains("A")

Assigning the "hitachi_group" group when the external IdP's "email" information contains the string "hitachi.com". Note that ?contains is a plain substring test: it also matches addresses such as user@hitachi.com.example.org. To match a domain exactly, use ?ends_with("@hitachi.com") or ?matches with an expression that covers the whole address.

<#if authn_info["email"]?contains("hitachi.com")>
    hitachi_group
</#if>

str?starts_with("A")

Assigning the “itsm_admin” role when the external IdP’s “username” information starts with the string “admin”

<#if authn_info["username"]?starts_with("admin")>
    itsm_admin
</#if>

str?ends_with("A")

Using the external IdP’s “email” information as Ops I’s “email” information when the external IdP’s “email” ends with the string “.com”

<#if authn_info["email"]?ends_with(".com")>
    ${authn_info["email"]}
</#if>
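The ?contains and ?ends_with examples above both test an e-mail address, and the difference matters when the result grants a group or role. The following Python is an added example, not code from this manual or from Ops I: it models the template builtins ?contains, ?ends_with, ?c_lower_case and ?matches with their plain-string Python equivalents and runs them over a constructed set of addresses, including ones an attacker could register under a domain they control. The addresses and the expected decisions are constructed for the example; the domain hitachi.com is taken from the page's own examples.

```python
from __future__ import annotations

import re
from typing import Callable

# Constructed sample addresses with the decision an "@hitachi.com only" rule should make.
SAMPLE_EMAILS: dict[str, bool] = {
    "alice@hitachi.com": True,
    "Bob@HITACHI.COM": True,                      # same domain, different case
    "carol@sub.hitachi.com": False,               # a subdomain is a separate decision
    "mallory@hitachi.com.evil.example": False,    # attacker-controlled domain containing the string
    "eve@nothitachi.com": False,                  # unrelated domain whose text ends with "hitachi.com"
    "trent@evil.example?x=hitachi.com": False,    # the string appears, but not as the domain
}


def by_contains(email: str) -> bool:
    """Models the page's example: authn_info["email"]?contains("hitachi.com") (substring test)."""
    return "hitachi.com" in email


def by_tld(email: str) -> bool:
    """Models the page's example: authn_info["email"]?ends_with(".com") (checks only the suffix)."""
    return email.endswith(".com")


def by_domain(email: str) -> bool:
    """Models: authn_info["email"]?c_lower_case?ends_with("@hitachi.com").
    Anchoring on "@" means only the exact domain matches."""
    return email.lower().endswith("@hitachi.com")


def by_regex(email: str) -> bool:
    """Models: authn_info["email"]?c_lower_case?matches("[^@]+@hitachi[.]com").
    ?matches tests the whole string, so no ^...$ anchors are needed; the character
    class [.] avoids a backslash escape inside the template's string literal."""
    return re.fullmatch(r"[^@]+@hitachi[.]com", email.lower()) is not None


def misclassified(check: Callable[[str], bool]) -> list[str]:
    """Addresses for which `check` disagrees with the intended decision."""
    return [addr for addr, wanted in SAMPLE_EMAILS.items() if check(addr) != wanted]


if __name__ == "__main__":
    for fn in (by_contains, by_tld, by_domain, by_regex):
        print(f"{fn.__name__:12} wrong on: {misclassified(fn)}")
```

Only the two checks that anchor on the "@" and normalise case classify every constructed address correctly. The substring test behind the page's ?contains example also accepts mallory@hitachi.com.evil.example and eve@nothitachi.com, and ?ends_with(".com") accepts any .com address, so neither is a safe condition for granting a group or role.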

str?matches("A")

Assigning the customer code when the external IdP’s “customer (customer code)” consists of numbers

<#if authn_info["customer"]?matches("^[0-9]+$")>
    ${authn_info["customer"]}
</#if>

list?seq_contains("A")

Assigning the “itsm_admin” role when one of the multiple roles held by the external IdP is the “admin” role

<#if authn_info["role"]?seq_contains("admin")>
    itsm_admin
</#if>

list?join("A")

Assigning the roles with the same names in Ops I when the external IdP has the "role" information (valid only when authn_info["role"] is a list)

<#if authn_info["role"]??>
    ${authn_info["role"]?join("\n")}
</#if>


(2) Errors in template description

Errors are reported at the following points when the template description is deficient.

[When saving the identity provider]

If the template contains a syntax error, an error message is displayed when you save the identity provider.
You can identify the problematic line from the [Details] part of the error message.

For a syntax error KNBA00300-E
The specified data is invalid. Please review the specified data.
[Details] Line where the error occurred

[When a user logs in]

If the template has a deficiency other than a syntax error and the linkage between the external IdP and Ops I therefore does not work correctly, an error message is displayed when the user attempts to log in.

When assigning a role but the corresponding role does not exist

An error occurred, and the System was unable to set up your account. Please contact your administrator. [Details] An attempt was made to assign to a non-existent role. Role to be assigned: Role name

When assigning a group but the corresponding group does not exist

An error occurred, and the System was unable to set up your account. Please contact your administrator. [Details] You attempted to be assigned to a non-existent group. Group to be assigned: Group name

When an attempt is made to assign multiple values to a single user attribute

An error occurred, and the System was unable to set up your account. Please contact your administrator. [Details] Multiple values were attempted to be assigned to a single user attribute.

When an attempt is made to assign the email address of a reserved user when assigning an email address

An error occurred, and the System was unable to set up your account. Please contact your administrator. [Details] The email address of the reservation user is about to be assigned.

When an attempt is made to assign an empty value to a required attribute*

An error occurred, and the System was unable to set up your account. Please contact your administrator. [Details] An empty value was about to be assigned to a required attribute.
*For OIDC, the "email", "given_name", and "family_name" values in authn_info are mapped automatically, so you do not need to assign these attributes. For SAML, the "email" value in authn_info is mapped automatically, so you do not need to assign that attribute.

When the character count exceeds 10,000, which is the maximum output limit for templates

An error occurred, and the System was unable to set up your account. Please contact your administrator. [Details] The output limit for assignment by template has been reached.

The following messages will be displayed depending on the nature of the deficiency. For details on the authentication process of assigned email addresses, see "(Figure) Logging in through an external IdP when the user is determined the same between Ops I and the external IdP".

An error occurred, and the System was unable to set up your account. Please contact your administrator.[Details] User is missing one of these required attributes (firstName, lastName, email).

An error occurred, and the System was unable to set up your account. [Details] Failed to execute api create oss user.

An error occurred, and the System was unable to set up your account. [Details] Failed to execute api update oss user.

An error occurred, and the System was unable to set up your account. Please contact your administrator.[Details] Length of user email must not exceed 100 characters.

An error occurred, and the System was unable to set up your account. Please contact your administrator.[Details] Local part of user email must not exceed 64 characters.

An error occurred, and the System was unable to set up your account. Please contact your administrator.[Details] User email is in invalid format.

An error occurred, and the System was unable to set up your account. Please review the identity provider settings. [Details] Unexpected error when authenticating with identity provider.

(3) Common mistakes

The following shows examples of common mistakes in template descriptions and their correct counterparts.

  • When specifying a customer, use the customer ID, instead of the customer name.
    <Incorrect>
    <#if authn_info["customer"] == "customer1">
        customer1
    </#if>
    <Correct>
    <#if authn_info["customer"] == "customer1">
        1001
    </#if>

  • When assigning groups, output one group per line rather than the list as a single value.
    <Incorrect>
    <#if authn_info["group"]??>
        ${authn_info["group"]}
    </#if>
    <Correct>
    <#if authn_info["group"]??>
        ${authn_info["group"]?join("\n")}
    </#if>

  • When assigning roles, output one role per line; a comma-separated line is treated as one role name.
    <Incorrect>
    <#if authn_info["id"] == "1">
        System Security Administrator, user_admin
    </#if>
    <Correct>
    <#if authn_info["id"] == "1">
        System Security Administrator
        user_admin
    </#if>

  • For SAML, specify the index of the array element to reference.
    • When assigning an attribute (customer) by using a template
      <Incorrect>
      <#if authn_info["customer"] == "customer1">
          1001
      </#if>
      <Correct>
      <#if authn_info["customer"][0] == "customer1">
          1001
      </#if>
    • When assigning a role by using the template
      <Incorrect>
      <#if authn_info["username"]?c_upper_case == "HITACHI_TARO">
          customer_admin
      </#if>
      <Correct>
      <#if authn_info["username"][0]?c_upper_case == "HITACHI_TARO">
          customer_admin
      </#if>
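The Notes in (1), the login-time errors in (2), and the common mistakes above all describe what Ops I does with the text a template produces. The following Python is an added example, not part of this manual or of the Ops I product: it encodes those output rules (one role or group per line, one value per user attribute, whitespace trimmed, the 10,000-character output limit, and no quotation marks around bare names) as an offline checker you can run against the rendered output of a template before saving it. The role catalogue and the rendered strings are constructed for the example, and the exact behaviour mirrored here (for instance, that each line is trimmed, which is inferred from the indented examples on this page) is an assumption rather than a statement about the product's implementation.

```python
from __future__ import annotations

MAX_OUTPUT_CHARS = 10_000  # output limit stated in the Notes of this page


def split_names(rendered: str) -> list[str]:
    """Roles and groups are read one per line; blank lines are ignored and
    each line is trimmed (assumed from the indented examples on the page)."""
    return [line.strip() for line in rendered.splitlines() if line.strip()]


def check_output(rendered: str, target: str, catalogue: set[str] | None = None) -> list[str]:
    """Return the problems the page says Ops I reports for this rendered output.

    target    -- "role", "group" or "attribute"
    catalogue -- names that exist in Ops I (roles or groups); None skips that check
    An empty list means the output would be accepted."""
    problems: list[str] = []
    if len(rendered) > MAX_OUTPUT_CHARS:
        problems.append(
            f"output is {len(rendered)} characters, over the {MAX_OUTPUT_CHARS} limit (check <#list> loops)"
        )
    names = split_names(rendered)
    if target == "attribute":
        if not names:
            problems.append("empty value: fails if the attribute is required")
        elif len(names) > 1:
            problems.append(f"{len(names)} values for one user attribute: {names}")
        return problems
    for name in names:
        if name[0] in "\"'" or name[-1] in "\"'":
            problems.append(f"{name} is quoted: outside a directive the quotes become part of the value")
        elif "," in name:
            problems.append(f"{name!r} looks like several names on one line; put each on its own line")
        elif catalogue is not None and name not in catalogue:
            problems.append(f"{target} {name!r} does not exist in Ops I; the user could not log in")
    return problems


# Constructed catalogue of roles that exist in a hypothetical Ops I tenant
ROLES = {"System Security Administrator", "user_admin", "customer_admin", "portal_subscriber"}


def demo() -> dict[str, list[str]]:
    """Rendered outputs mirroring the Common mistakes section; keys name the case."""
    return {
        "ok":         check_output("    System Security Administrator\n    user_admin\n", "role", ROLES),
        "comma":      check_output("    System Security Administrator, user_admin\n", "role", ROLES),
        "quoted":     check_output('    "user_admin"\n', "role", ROLES),
        "missing":    check_output("    itsm_admin\n", "role", ROLES),
        "multi_attr": check_output("    1001\n    1002\n", "attribute"),
        "empty_attr": check_output("\n", "attribute"),
        "too_long":   check_output("x" * (MAX_OUTPUT_CHARS + 1), "role", ROLES),
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(f"{case:11} {'accepted' if not found else found}")
```

Run the checker on the text your template produces for a few representative authn_info values (for SAML, remember the attribute arrays) before saving the identity provider: every problem it lists corresponds to a message in (2) that would otherwise surface only when a user tries to log in.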