Enabling and disabling expressions - PingFederate - 11.0

PingFederate Server

bundle
pingfederate-110
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.0
category
Product
pf-110
pingfederate
ContentType_ce

As of PingFederate 10.1, the use of expressions is enabled by default. You can manually disable the use of expressions by editing a configuration file.

When upgrading PingFederate to 10.1 or later, administrative users who were granted the Admin role in the earlier installation are granted the Expression Admin role automatically.

You can disable the use of expressions by setting evaluateExpressions to false as described in the following procedure. Also, go to System > Server > Administrative Accounts and remove the Expression Admin role from all Admin users. Doing this will prevent Admin users from entering expressions into PingFederate if the evaluateExpressions element is set to true at a later time. For more information, see Administrative accounts.

Important:

If the current configuration contains expressions, disabling the feature causes errors during runtime processing.

  1. Edit the org.sourceid.common.ExpressionManager.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.
    Note:

    If you have a clustered PingFederate environment, edit the configuration file on the console node.

  2. Change the value of the element named evaluateExpressions to either true or false and save the file.
    <?xml version="1.0" encoding="UTF-8"?>
    <config xmlns="http://www.sourceid.org/2004/05/config">
        <item name="evaluateExpressions">true</item>
    </config>
    Note:

    The absence of an installed default value does not necessarily disable the use of expressions. You can successfully import configuration archives containing expressions to facilitate backward compatibility when no value is present, and further use of the feature is enabled. The term “silent” is used for this condition in the server log.

  3. If you have a stand-alone PingFederate environment, start or restart PingFederate.
    Tip:

    If you are enabling expressions to use for mapping outbound provisioning attributes, you do not need to restart the PingFederate server.

  4. If you have a clustered PingFederate environment:
    1. Sign on to the PingFederate administrative console.
    2. From System > Server > Cluster Management, click Replicate Configuration.
When you enable expressions, they are available for use in multiple locations:
  • The Source list under each of the administrative-console contract fulfillment windows
  • The Show Advanced Criteria section on the Issuance Criteria window following each of the administrative-console contract fulfillment windows
  • The provisioning attribute-mapping window when the Outbound Provisioning protocol is enabled