Roles from Identity Provider Condition

The Roles from Identity Provider condition allows you to assign a role based on a role that another identity provider (Liberty, SAML 2.0, or WS-Federation) has already assigned to the user. Configure the condition to match the role name sent by the identity provider, then set the action to assign a new role.

This condition uses the mapped attribute All Roles. All of the roles assigned to the user can be mapped to this attribute, which is then assigned to a trusted identity provider; the condition compares the roles received in this attribute. For information about enabling All Roles, see Selecting Attributes for a Trusted Provider.

For an example of using Roles from Identity Provider to create a Role policy, see Mapping Roles between Trusted Providers. For examples of procedures required to share roles, see Sharing Roles.

To configure a Roles from Identity Provider condition, specify the following details:

Roles from Identity Provider: If you have configured your system for multiple identity providers, select the identity provider whose roles this condition examines. If you have only one, it is selected automatically.

Comparison: Select one of the following types:

  • Comparison: String: Specifies that the values are compared as strings, and how the string values are compared. Select one of the following:

    • Equals: Indicates that the values must match, letter for letter.

    • Starts with: Indicates that the Roles from Identity Provider value must begin with the letters specified in Value.

    • Ends with: Indicates that the Roles from Identity Provider value must end with the letters specified in Value.

    • Contains Substring: Indicates that the Roles from Identity Provider value must contain the letters specified in Value, in the same sequence, anywhere in the role name.

  • Comparison: Regular Expression: Matches: Specifies that the values are compared as regular expressions, with Value treated as the pattern.

Mode: Select the mode appropriate for the comparison type:

  • Comparison: String: Select Case Sensitive or Case Insensitive.

  • Comparison: Regular Expression: Matches: Select one or more of the following:

    • Canonical Equivalence
    • Case Insensitive
    • Comments
    • Dot All
    • Multi-Line
    • Unicode
    • Unix Lines

    For regular expression syntax information, see the Javadoc for java.util.regex.Pattern.

Value: Select Data Entry Field, then specify the name of an identity provider role (or, for the regular expression comparison, the pattern it must match). Other value types are possible; your policy requirements determine whether they are useful.

Result on Condition Error: Specify what the condition returns when the comparison itself fails (for example, because Value is not a valid regular expression) rather than producing a result. Select either False or True. If you do not want the action applied when an error occurs, select False. If you want the action applied when an error occurs, select True. Because the action of a Role policy assigns a role, True causes a broken condition to grant that role to every user it is evaluated for; select False unless you have a specific reason to fail open.
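The following is an added example, not code from the page or from the policy engine it documents. It models one Roles from Identity Provider condition in Java, evaluating the Comparison, Mode, Value and Result on Condition Error settings above against a constructed All Roles attribute, so that the difference between an exact match, a prefix or substring match, and an anchored or unanchored regular expression is visible on real role names. The class name, the assumption that the seven regular expression Mode checkboxes map to the java.util.regex.Pattern flags of the same name (with Unicode taken as UNICODE_CASE), the assumption that Matches behaves like Matcher.matches() over the whole role name, and the sample role names are all the example's own.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/*
 * Illustrative model of one Roles from Identity Provider condition (not the
 * policy engine's own code). The condition is true as soon as any role the
 * trusted provider sent in All Roles satisfies the comparison.
 */
public class IdpRoleCondition {

    enum Comparison { EQUALS, STARTS_WITH, ENDS_WITH, CONTAINS_SUBSTRING, REGEX_MATCHES }

    // Mode checkboxes for "Regular Expression: Matches", mapped (assumption) to the
    // java.util.regex.Pattern flags of the same name; "Unicode" is taken as UNICODE_CASE.
    static final int CANONICAL_EQUIVALENCE = Pattern.CANON_EQ;
    static final int CASE_INSENSITIVE      = Pattern.CASE_INSENSITIVE;
    static final int COMMENTS              = Pattern.COMMENTS;
    static final int DOT_ALL               = Pattern.DOTALL;
    static final int MULTI_LINE            = Pattern.MULTILINE;
    static final int UNICODE               = Pattern.UNICODE_CASE;
    static final int UNIX_LINES            = Pattern.UNIX_LINES;

    private final Comparison comparison;
    private final boolean caseSensitive;   // Mode for the string comparisons
    private final int regexFlags;          // Mode for the regular expression comparison
    private final String value;            // Value: Data Entry Field
    private final boolean resultOnError;   // Result on Condition Error

    IdpRoleCondition(Comparison comparison, boolean caseSensitive, int regexFlags,
                     String value, boolean resultOnError) {
        this.comparison = comparison; this.caseSensitive = caseSensitive;
        this.regexFlags = regexFlags; this.value = value; this.resultOnError = resultOnError;
    }

    /** True if at least one role sent by the identity provider satisfies the comparison. */
    boolean evaluate(List<String> rolesFromIdp) {
        try {
            for (String role : rolesFromIdp) {
                if (matches(role)) {
                    return true;
                }
            }
            return false;
        } catch (PatternSyntaxException e) {
            // A malformed Value is a comparison error, not a mismatch: the condition
            // yields the configured Result on Condition Error instead.
            return resultOnError;
        }
    }

    private boolean matches(String role) {
        if (comparison == Comparison.REGEX_MATCHES) {
            // Assumption: "Matches" behaves like Matcher.matches(), so the pattern must
            // cover the whole role name; "admin" alone does not match "Administrator".
            return Pattern.compile(value, regexFlags).matcher(role).matches();
        }
        String r = caseSensitive ? role : role.toLowerCase(Locale.ROOT);
        String v = caseSensitive ? value : value.toLowerCase(Locale.ROOT);
        switch (comparison) {
            case EQUALS:             return r.equals(v);
            case STARTS_WITH:        return r.startsWith(v);
            case ENDS_WITH:          return r.endsWith(v);
            case CONTAINS_SUBSTRING: return r.contains(v);
            default:                 throw new IllegalStateException("unknown comparison");
        }
    }

    private static void show(String label, IdpRoleCondition c, List<String> roles) {
        System.out.println(label + " -> " + c.evaluate(roles));
    }

    public static void main(String[] args) {
        // Constructed sample of an All Roles attribute received from a trusted provider.
        List<String> roles = List.of("Administrator", "admin-readonly", "Employee", "nonadmin");

        show("Equals, case sensitive, 'admin'",
             new IdpRoleCondition(Comparison.EQUALS, true, 0, "admin", false), roles);
        // Prefix and substring matches widen the set of qualifying roles: "admin" as a prefix
        // is satisfied by Administrator and admin-readonly, as a substring also by nonadmin.
        show("Starts with, case insensitive, 'admin'",
             new IdpRoleCondition(Comparison.STARTS_WITH, false, 0, "admin", false), roles);
        show("Contains Substring, case sensitive, 'admin'",
             new IdpRoleCondition(Comparison.CONTAINS_SUBSTRING, true, 0, "admin", false), roles);
        // A whole-string regular expression keeps the match exact; a trailing .* reopens it.
        show("Regex, Case Insensitive, 'admin'",
             new IdpRoleCondition(Comparison.REGEX_MATCHES, true, CASE_INSENSITIVE, "admin", false), roles);
        show("Regex, Case Insensitive, 'admin.*'",
             new IdpRoleCondition(Comparison.REGEX_MATCHES, true, CASE_INSENSITIVE, "admin.*", false), roles);
        // An unclosed character class cannot compile, so the condition returns Result on
        // Condition Error: True assigns the role on a broken policy, False withholds it.
        show("Regex 'admin[', Result on Condition Error = True",
             new IdpRoleCondition(Comparison.REGEX_MATCHES, true, 0, "admin[", true), roles);
        show("Regex 'admin[', Result on Condition Error = False",
             new IdpRoleCondition(Comparison.REGEX_MATCHES, true, 0, "admin[", false), roles);
    }
}
```

Compile and run it with `javac IdpRoleCondition.java && java IdpRoleCondition` (Java 9 or later for List.of). The point to take from it when writing a Role policy is that Starts with, Contains Substring and unanchored patterns grant the new role to every identity provider role that happens to share the text, so prefer Equals or a pattern that describes the complete role name, and leave Result on Condition Error at False so a typo in Value cannot hand out the role.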