Regular Expression Transformer Action

A regular expression action transforms the input attribute names and values. It does not enforce attributes, so it will not fail the authentication.

Transforming attribute names means that an attribute named user-email can be transformed to something like email in the output. This is useful when unifying data from different account sources.

Transforming attribute values means that the data inside the attribute is transformed. Transforming a username of the form DOMAIN/johndoe to johndoe is a common transform.

It is also possible to exclude attributes from the result, simply by listing them as excluded-attributes in the configuration. This will result in them being dropped when found.

The regex transformer doesn’t use any external data source, but works on the incoming attributes using regular expressions. See the Javadoc for the Java Pattern class for more information about the regular expression variant that is supported.

By default, this action transforms the subject attributes. It can be configured to transform the context attributes or the action attributes, by setting the attributes-location configuration setting.

Transforming values using regular expressions

An example could be the following:

Take the email attribute, remove the domain and @ symbol and store in the subject attribute.

Regex Transform Configuration

The capture groups can be used as the replacement values as in any regular expression. $0 is the whole match, $1 the first capture group, and so on.
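An added example, not part of the original documentation and not the product's own code: a small Java program using java.util.regex that applies a matching-regex and replacement-value pair to the two transforms described above. The transform helper, the patterns and the sample values are hypothetical, and it assumes the regex must match the whole value for the transform to apply.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RegexTransformDemo {

    // Hypothetical helper (not the product's implementation).
    // Assumption: the value is rewritten only when matching-regex matches the
    // whole value; otherwise it passes through unchanged, in line with the
    // action not enforcing attributes.
    static String transform(String value, String matchingRegex, String replacementValue) {
        Matcher m = Pattern.compile(matchingRegex).matcher(value);
        if (!m.matches()) {
            return value;
        }
        // Expand $0, $1, ... in the replacement against the match just made.
        StringBuffer out = new StringBuffer();
        m.appendReplacement(out, replacementValue);
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Loose pattern: strips the domain from any address.
        String loose = "^(.+)@.+$";
        // Pinned pattern: strips the domain only for one expected domain.
        String pinned = "^([^@]+)@corp\\.example$";

        // Constructed sample values: same local part, different domains.
        String[] emails = {"alice@corp.example", "alice@other.example"};
        for (String email : emails) {
            System.out.printf("%-22s loose=%-22s pinned=%s%n", email,
                    transform(email, loose, "$1"),
                    transform(email, pinned, "$1"));
        }

        // DOMAIN/johndoe style username reduced to the part after the slash.
        System.out.println(transform("DOMAIN/johndoe", "^[^/]+/(.+)$", "$1"));

        // $0 refers to the whole match.
        System.out.println(transform("johndoe", "^(.+)$", "user:$0"));
    }
}
```

With the loose pattern both addresses reduce to alice, so accounts from different domains become indistinguishable downstream. The pinned pattern leaves the value from the unexpected domain untouched.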

Excluding attributes

Excluding attributes is done by adding the attribute name to the exclude table.

Excluding attributes configuration

Renaming attributes

Sometimes it’s useful to rename an incoming attribute for conformity. There is no need to perform a value transformation.

Renaming attributes configuration

Configuration

The following configuration options are available:

| Configuration | Mandatory | Description |
|---|---|---|
| excluded-attributes | no | A list of attributes to exclude from the result |
| attributes | no | The list of transformations to perform (see next table) |
| attributes-location | no | The location from where the attributes are retrieved and stored, which can be: subject-attributes (the default), context-attributes, and action-attributes. |

Attributes List

| Configuration | Mandatory | Description |
|---|---|---|
| attribute-base-path | yes | If the attribute is nested, this is the dot-notated path to the attribute (emails.email would result in the base path emails). If it’s a top-level attribute, use $root as the base path. |
| attribute-name | yes | The name of the attribute following the base path (emails.email would result in email as attribute-name). |
| transformed-attribute-name | no | The new name of the attribute. If left empty the same name is used. Note: the path remains the same. |
| matching-regex | no | When transforming a value, the transform applies if this regex matches. |
| replacement-value | yes* | When transforming a value, this is the replacement value for the matching regex. |

* - mandatory only if matching-regex is set.

Back-channel support

This action can be used in back-channel authentication.
