Regular Expression Transformer Action

A regular expression action transforms the input attribute names and values. It does not enforce attributes, so it will not fail the authentication.

Transforming attribute names means that an attribute named user-email can be transformed to something like email in the output. This is useful when unifying data from different account sources.

Transforming attribute values mean that the data inside the attribute is transformed. Transforming a username of the form DOMAIN/johndoe to johndoe is a common transform.

It is also possible to exclude attributes from the result, simply by listing them as excluded-attributes in the configuration. This will result in them being dropped when found.

The regex transformer doesn’t use any external data source, but works on the incoming attributes using regular expressions. See the javadocs on the Java Pattern class for more information about the regular variant that is supported.

By default, this action transforms the subject attributes. It can be configured to transform the context attributes or the action attributes, by setting the attributes-location configuration setting.

Transforming values using regular expressions

An example could be the following:

Take the email attribute, remove the domain and @ symbol and store in the subject attribute.


The capture groups can be used as the replacement values as in any regular expression. $0 is the whole match $1 the first capture group and so on.

Excluding attributes

Excluding attributes is done by adding the attribute name to the exclude table.


Renaming attributes

Sometimes it’s useful to rename an incoming attribute for conformity. There is no need to perform a value transformation.



The following configuration options are available:

Configuration Mandatory Description
excluded-attributes no A list of attributes to exclude from the result
attributes no The list of transformations to perform (see next table)
attributes-location no The location from where the attributes are retrieved and stored, which can be: subject-attributes (the default), context-attributes, and action-attributes.

Attributes List

Configuration Mandatory Description
attribute-base-path yes If the attribute is nested this is the path to the attribute. dot-notated ( would result in the base path emails.) If it’s a top level attribute. Use $root as base path.
attribute-name yes The name of the attribute following the base path would result in email as attribute-name.
transformed-attribute-name no The new name of the attribute. If left empty the same name is used. Note: the path remains the same.
matching-regex no When transforming value, the transform applies if this regex matches
replacement-value yes* When transforming value, this is the replacement value for the matching regex.

* - mandatory only if matching-regex is set.