Smart Card idpUser expressions

When you create a Smart Card identity provider (IdP), you specify one of the attributes of idpuser as the value of the IdP Username field. Okta uses this value to look up the associated user. The IdP Username field can also contain an Okta Expression Language expression. When IdP Username contains an expression, the result of evaluating the expression is used to match users. This page describes how to create and test an expression before using it with a Smart Card IdP.

The username field of the X.509 certificates that you use with IdPs can contain spaces, which lets Okta perform username transforms against custom Universal Directory attributes. Don't use spaces as prefix or suffix characters.

Before you begin

Ensure that a Smart Card IdP has been previously created as described in Add a Smart Card identity provider.

Create a test attribute

A test attribute is used to create and validate the result of the expression. Using a test attribute avoids overwriting actual data.

  1. In the Admin Console, go to Directory > Profile Editor.

  2. In the Profile Editor pane, select the Users tab, and then Identity Providers.
  3. Open the previously created Smart Card IdP by clicking its name. The profile page appears.
  4. In the Attributes section, click Add Attribute.
  5. In the Add Attribute dialog, enter these values:
    • Display name: Enter a name, like Test Attribute.
    • Variable name: Enter a variable name, like testAttribute.
  6. Ensure that the attribute type is string, and then click Save.

Develop an expression

Using the previously added test attribute, develop an expression. The expression must return a single string value, and that value must match the user attribute selected in the IdP's Match against field.

  1. In the Admin Console, go to Directory > Profile Editor.

  2. Select Identity Providers.
  3. Select the previously created IdP.
  4. Click Mappings.
  5. Enter the expression that produces the attribute value. For example, to return the part of the email address before the at sign (@), use this expression:

    String.substringBefore(appuser.subjectAltNameEmail, "@")

    Use appuser instead of idpuser in test examples: idpuser isn't available during testing. Use appuser only for testing; it contains all currently supported idpuser fields.
    When you use the finished expression in an IdP, replace every instance of appuser with idpuser.

    See Expressions for details and examples of expressions.

  6. Click Save Mappings. Correct any expression errors if required.
  7. In the preview section, select a user and then click Enter.
  8. Examine the result to ensure that the expression returned the expected value. Repeat as required.
  9. When complete, click Exit Preview.
  10. Copy the finished expression for use in the IdP.
  11. Click Cancel.
  12. Delete the test attribute.
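The preview in the Profile Editor checks the expression one user at a time. Before pasting the expression into the IdP, it is worth running the same transform across every certificate in the population and checking the result against the Match against attribute, so that certificates whose result matches no user, or two certificates whose results match the same user, are found before enrolment. The script below is an added example, not Okta code and not part of the original page: it models in Python what the expression `String.substringBefore(idpuser.subjectAltNameEmail, "@")` does, wrapped in `String.toLowerCase` (an Okta Expression Language function; the case normalization is an addition for the dry run), then looks each result up in a constructed set of Universal Directory logins. The certificate SAN values, the directory logins, the rejection of leading or trailing spaces, and the treatment of a SAN with no at sign are all constructed assumptions for the dry run; confirm the real behaviour of each case in the Profile Editor preview.

```python
"""Offline dry run of a Smart Card IdP username transform.

Added example, not Okta code. It models what Okta does when the IdP Username
field is an expression: evaluate the expression for each presented
certificate, then look the result up against the attribute selected in the
IdP's 'Match against' field. All sample data below is constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample of what idpuser.subjectAltNameEmail would carry for each
# presented certificate (assumption: exactly one rfc822Name SAN per cert).
CERT_SAN_EMAILS: List[str] = [
    "jane.doe@example.gov",
    "John.Smith@example.gov",             # mixed case in the certificate
    "jane.doe@contractor.example.gov",    # second cert, same local part
    " bob.lee@example.gov",               # leading space: rejected in this model
    "no-at-sign",                         # malformed SAN: no usable result
]

# Constructed Universal Directory users, keyed by the 'Match against'
# attribute (here: login, with the domain already stripped).
DIRECTORY_LOGINS: Set[str] = {"jane.doe", "john.smith", "bob.lee"}


def expression(san_email: str) -> Optional[str]:
    """Python equivalent of
    String.toLowerCase(String.substringBefore(idpuser.subjectAltNameEmail, "@"))

    Returns None when there is no '@' to split on. That is a choice made for
    this dry run (assumption); check the real function's result in the preview.
    """
    if "@" not in san_email:
        return None
    return san_email.split("@", 1)[0].lower()


def dry_run(san_emails: List[str], logins: Set[str]) -> Dict[str, object]:
    """Evaluate the transform for every certificate and classify the outcome.

    matched:    SAN -> login, exactly one certificate resolved to that login
    collisions: login -> SANs, more than one certificate resolved to it
    unmatched:  SANs whose result matched no directory user (or was None)
    rejected:   SANs with leading/trailing spaces (see the note on spaces above;
                treating them as rejected is this model's assumption)
    """
    report: Dict[str, object] = {
        "matched": {}, "collisions": {}, "unmatched": [], "rejected": []
    }
    hits: Dict[str, List[str]] = defaultdict(list)
    for san in san_emails:
        if san != san.strip():
            report["rejected"].append(san)
            continue
        value = expression(san)
        if value is None or value not in logins:
            report["unmatched"].append(san)
            continue
        hits[value].append(san)
    for value, sans in hits.items():
        if len(sans) > 1:
            report["collisions"][value] = sans
        else:
            report["matched"][sans[0]] = value
    return report


if __name__ == "__main__":
    result = dry_run(CERT_SAN_EMAILS, DIRECTORY_LOGINS)
    for bucket, entries in result.items():
        print(f"{bucket}: {entries}")
```

In this constructed run, `jane.doe@example.gov` and `jane.doe@contractor.example.gov` both reduce to `jane.doe`; a collision like that means the chosen transform is not specific enough for the population and the expression (or the Match against attribute) needs to change before the IdP is updated.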

Specify an expression as idpUser

  1. In the Admin Console, go to Security > Identity Providers.

  2. In the row containing the PIV Smart Card IdP, click Configure > Configure Identity Provider.
  3. In the IdP Username field, select the current contents and paste the finished expression, with every instance of appuser replaced by idpuser.
  4. Click Update Identity Provider.

Related topics

Add a Smart Card identity provider

Expressions