Below are examples of using OGNL expressions for attribute mapping and token authorization.


In this sample expression, the value of the attribute “net-worth” is transformed first to eliminate any dollar signs or commas, then the result is evaluated to determine whether the user's net worth falls into a “bronze,” “silver,” or “gold” category.

#result < 500000 ? "bronze" : 
#result < 1000000 ? "silver" : "gold"

Multivalued attribute

new org.sourceid.saml20.adapter.attribute.AttributeValue( {"Blue", "Gray", "Pink"})

This expression formulates a multivalued attribute in an SSO token; for example:

<saml:Attribute Name="clrs" ...>
  <saml:AttributeValue ...>Blue</saml:AttributeValue>
  <saml:AttributeValue ...>Gray</saml:AttributeValue>
  <saml:AttributeValue ...>Pink</saml:AttributeValue>


  "clrs": [

In these truncated samples, clrs is the multivalued attribute. The former is a SAML assertion via a SAML SP connection. The latter is a JSON Web Token (JWT) via a WS-Federation SP connection using JWT as the token type.

Token authorization

This expression verifies whether a user is a member of the “Engineering” or “Marketing” group.


The following expression extracts the domain information out of an email address (mail) and returns true if it matches a specific domain.

  #at > 0?

Line breaks are inserted in both samples for readability only; statements calling methods whose arguments are enclosed in quotes must be entered on a single line.
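The email-domain check described above, written as plain Java to show the comparison logic and the inputs it has to reject. This is an added example, not the page's expression or PingFederate code; the class name, the method name, and the example.com sample addresses are constructed for illustration.

```java
import java.util.Locale;

// Added illustration: names and sample values are constructed, not from the product.
public class MailDomainCheck {

    // Returns true only when the domain part of mail is exactly allowedDomain.
    static boolean domainMatches(String mail, String allowedDomain) {
        if (mail == null || allowedDomain == null) {
            return false;                          // missing attribute: deny
        }
        String m = mail.trim();
        int at = m.indexOf('@');
        // at > 0 rejects "no @" (-1) and an empty local part (0).
        // Also require exactly one '@' and a non-empty domain part.
        if (at <= 0 || at != m.lastIndexOf('@') || at == m.length() - 1) {
            return false;
        }
        String domain = m.substring(at + 1).toLowerCase(Locale.ROOT);
        // Exact comparison: endsWith() or contains() would also accept
        // look-alike domains such as evil-example.com.
        return domain.equals(allowedDomain.toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed inputs
            "alice@example.com",                   // true
            "alice@EXAMPLE.com",                   // true (domain case is ignored)
            "alice@evil-example.com",              // false (suffix look-alike)
            "alice@example.com.evil.test",         // false (prefix look-alike)
            "@example.com",                        // false (empty local part)
            "alice",                               // false (no '@')
            "a@b@example.com",                     // false (more than one '@')
            null                                   // false (attribute absent)
        };
        for (String s : samples) {
            System.out.printf("%-30s -> %b%n", s, domainMatches(s, "example.com"));
        }
    }
}
```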

This sample expression returns true when the IP address of the client is within the specified CIDR range of fe80::74da:14b:76d1:eba3/128.

#isWithinCidrRange = @com.pingidentity.sdk.CIDROperations@isInRange(#this.get("context.ClientIp"),"fe80::74da:14b:76d1:eba3/128")

The isInRange method supports both IPv4 and IPv6 CIDR notations.

HTTP request context

The following example may be used to retrieve a value from an HTTP request object. In this case, the expression retrieves the User-Agent HTTP header value and compares it against a value required for token authorization.


STS client authentication context

This STS SSL Client Certificate Chain example checks that the issuer of the client certificate matches the specified DN.

#this.get("context.StsSSLClientCertChain").getObjectValue()[1].getSubjectX500Principal().equals(new javax.security.auth.x500.X500Principal("CN=Ping Identity Engineering,OU=Engineering,O=Ping Identity,L=Denver,ST=CO,C=USA"))

#this.get("context.StsSSLClientCertChain").getObjectValue() returns an array of instances; this array starts with the client certificate itself.

For more information, see