A regular expression action transforms the input attribute names and values. It does not enforce attributes, so it will not fail the authentication.
Transforming attribute names means that an attribute named user-email can be transformed to something like email in the output. This is useful when unifying data from different account sources.
Transforming attribute values mean that the data inside the attribute is transformed. Transforming a username of the form DOMAIN/johndoe to johndoe is a common transform.
It is also possible to exclude attributes from the result, simply by listing them as excluded-attributes in the configuration. This will result in them being dropped when found.
The regex transformer doesn’t use any external data source, but works on the incoming attributes using regular expressions. See the javadocs on the Java Pattern class for more information about the regular variant that is supported.
By default, this action transforms the subject attributes.
It can be configured to transform the context attributes or the action attributes, by setting the attributes-location configuration setting.
An example could be the following:
Take the email attribute, remove the domain and @ symbol and store in the subject attribute.
The capture groups can be used as the replacement values as in any regular expression. $0 is the whole match $1 the first capture group and so on.
Excluding attributes is done by adding the attribute name to the exclude table.
Sometimes it’s useful to rename an incoming attribute for conformity. There is no need to perform a value transformation.
The following configuration options are available:
* - mandatory only if matching-regex is set.