PingFederate Server

Sample OGNL expressions

OGNL expressions provide the flexibility to evaluate and manipulate values. Applications include using the following expressions to determine net worth, form a single sign-on (SSO) token, verify a user’s group, retrieve a value from an HTTP request object, and check the authenticity of a client certificate.


In this sample expression, the value of the attribute “net-worth” is transformed first to eliminate any dollar signs or commas, then the result is evaluated to determine whether the user’s net worth falls into a “bronze,” “silver,” or “gold” category.

#result < 500000 ? "bronze" :
#result < 1000000 ? "silver" : "gold"

Multivalued attribute

new org.sourceid.saml20.adapter.attribute.AttributeValue( {"Blue", "Gray", "Pink"})

This expression formulates a multivalued attribute in an SSO token.

<saml:Attribute Name="clrs" ...>
  <saml:AttributeValue ...>Blue</saml:AttributeValue>
  <saml:AttributeValue ...>Gray</saml:AttributeValue>
  <saml:AttributeValue ...>Pink</saml:AttributeValue>


  "clrs": [

In these truncated samples, clrs is the multivalued attribute. The former is a SAML assertion through a SAML service provider (SP) connection. The latter is a JSON web token (JWT) through a WS-Federation SP connection using JWT as the token type.

Token authorization

This expression verifies whether a user is a member of the “Engineering” or “Marketing” group.


The following expression extracts the domain information out of an email address (mail) and returns true if it matches a specific domain.

  #at > 0?

Line breaks are inserted into both samples for readability only. You must enter statements that call methods whose arguments are enclosed in quotes on a single line.

This sample expression returns true when the IP address of the client is within the specified CIDR range of fe80::74da:14b:76d1:eba3/128.

#isWithinCidrRange = @com.pingidentity.sdk.CIDROperations@isInRange(#this.get("context.ClientIp"),"fe80::74da:14b:76d1:eba3/128")

The isInRange method supports both IPv4 and IPv6 CIDR notations.
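
The prefix comparison behind a CIDR check like the one above, written out in Java as an added example (this is not PingFederate's CIDROperations code; the names CidrCheckExample and inRange are hypothetical). A /128 prefix, as in the sample, matches exactly one IPv6 address, and an address of the other IP family never matches.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

// Added illustration of CIDR prefix matching; not the CIDROperations implementation.
public class CidrCheckExample {

    // Returns true when 'ip' falls inside 'cidr' (for example "10.1.0.0/16").
    static boolean inRange(String ip, String cidr) throws UnknownHostException {
        int slash = cidr.indexOf('/');
        if (slash < 0) {
            throw new IllegalArgumentException("CIDR needs a /prefix: " + cidr);
        }
        // Both inputs must be IP literals: getByName parses a literal without DNS,
        // but would resolve anything else, so validate untrusted input first.
        byte[] net = InetAddress.getByName(cidr.substring(0, slash)).getAddress();
        byte[] addr = InetAddress.getByName(ip).getAddress();
        int prefix = Integer.parseInt(cidr.substring(slash + 1));
        if (prefix < 0 || prefix > net.length * 8) {
            throw new IllegalArgumentException("Bad prefix length: " + cidr);
        }
        if (addr.length != net.length) {
            return false; // IPv4 client against an IPv6 range, or the reverse
        }
        int fullBytes = prefix / 8;
        for (int i = 0; i < fullBytes; i++) {
            if (addr[i] != net[i]) {
                return false; // mismatch inside the whole-byte part of the prefix
            }
        }
        int restBits = prefix % 8;
        if (restBits == 0) {
            return true; // prefix ends on a byte boundary
        }
        int mask = (0xFF << (8 - restBits)) & 0xFF; // high bits of the partial byte
        return (addr[fullBytes] & mask) == (net[fullBytes] & mask);
    }

    public static void main(String[] args) throws UnknownHostException {
        String range = "fe80::74da:14b:76d1:eba3/128"; // range from the sample expression
        // Client addresses below are constructed for this example.
        System.out.println(inRange("fe80::74da:14b:76d1:eba3", range)); // the single host
        System.out.println(inRange("fe80::74da:14b:76d1:eba4", range)); // last bit differs
        System.out.println(inRange("192.0.2.10", range));               // IPv4 vs IPv6 range
        System.out.println(inRange("10.1.200.7", "10.1.0.0/16"));       // inside IPv4 /16
        System.out.println(inRange("10.2.0.1", "10.1.0.0/16"));         // outside IPv4 /16
    }
}
```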

HTTP request context

You can use the following example to retrieve a value from an HTTP request object. The expression retrieves the User-Agent HTTP header value and compares it against a value required for token authorization.


STS client authentication context

This security token service (STS) SSL Client Certificate Chain example checks that the issuer of the client certificate matches the specified distinguished name (DN).

#this.get("context.StsSSLClientCertChain").getObjectValue()[1].getSubjectX500Principal().equals(new javax.security.auth.x500.X500Principal("CN=Ping Identity Engineering,OU=Engineering,O=Ping Identity,L=Denver,ST=CO,C=USA"))

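#this.get("context.StsSSLClientCertChain").getObjectValue() returns an array of java.security.cert.X509Certificate instances. This array starts with the client certificate itself, so the element at index 1 is the next certificate in the chain, and its subject DN is what the expression compares.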