PingFederate SAML Issuance Criterion – Or Operator

We use “Issuance Criteria” to restrict access to applications that do just-in-time provisioning without processing group memberships to restrict who gets provisioned. The GUI, however, applies an implicit AND operator across criteria, which means you cannot use it to allow a logon when the user is a member of X or Y.

To use an OR operator, you need to use an OGNL expression. Show the advanced criteria.

Use an OGNL expression. This example allows members of either of two groups:

<urn:TokenAuthorizationIssuanceCriterion AttrName="" AttrSourceType="Expression" ComparisonValue="" ErrorResult="No Role Assigned">
     <urn:ExprText>#group = #this.get("memberOf"), #group.toString().contains("Scribe - Creator Access") || #group.toString().contains("Scribe - Viewer Access") ? @java.lang.Boolean@TRUE : @java.lang.Boolean@FALSE</urn:ExprText>
</urn:TokenAuthorizationIssuanceCriterion>
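
The expression above stringifies `memberOf` and uses a substring test, so any group whose DN merely contains one of the two names also passes. As an added example (not from the original post and not PingFederate code), this Python model contrasts that check with an exact match on each group's CN; the DNs, user names and function names are constructed for illustration.

```python
import re

# Group names taken from the expression on this page.
ALLOWED = {"Scribe - Creator Access", "Scribe - Viewer Access"}

def substring_criterion(member_of):
    """Model of the page's expression: stringify memberOf, then substring-match."""
    flat = ", ".join(member_of)
    return any(name in flat for name in ALLOWED)

def leading_cn(dn):
    """Return the CN value of a DN's first RDN (backslash escapes undone), else None."""
    m = re.match(r"\s*CN=((?:\\.|[^,\\])+)", dn, re.IGNORECASE)
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip() if m else None

def exact_criterion(member_of):
    """Stricter OR: pass only if some group's own CN equals an allowed name."""
    allowed = {name.casefold() for name in ALLOWED}
    cns = {cn.casefold() for cn in map(leading_cn, member_of) if cn}
    return bool(cns & allowed)

# Constructed sample users and DNs (hypothetical, not from the original post).
SAMPLE = {
    "alice": ["CN=Scribe - Viewer Access,OU=Groups,DC=example,DC=com"],
    "bob": ["CN=Scribe - Creator Access Requests,OU=Groups,DC=example,DC=com"],
    "carol": ["CN=Staff,OU=Scribe - Viewer Access,DC=example,DC=com"],
    "dave": ["CN=Staff,OU=Groups,DC=example,DC=com"],
}

def compare(users=SAMPLE):
    """Map each user to (substring result, exact-CN result)."""
    return {u: (substring_criterion(g), exact_criterion(g)) for u, g in users.items()}

if __name__ == "__main__":
    for user, (loose, strict) in compare().items():
        print(f"{user:6} substring={loose!s:5} exact={strict}")
```

Users like the constructed "bob" and "carol" are the cases to check for in the directory before relying on the substring form: a similarly named group or an OU with a matching name satisfies it.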
