attributeCondition property
A Common Expression Language (CEL) expression, in plain text, that restricts which otherwise valid authentication credentials issued by the provider are accepted. The expression must output a boolean representing whether to allow the federation.

The following keywords may be referenced in the expression:

* assertion: JSON representing the authentication credential issued by the provider.
* google: The Google attributes mapped from the assertion in the attribute_mappings. google.profile_photo, google.display_name and google.posix_username are not supported.
* attribute: The custom attributes mapped from the assertion in the attribute_mappings.

The maximum length of the attribute condition expression is 4096 characters. If unspecified, all valid authentication credentials will be accepted.

The following example shows how to only allow credentials with a mapped google.groups value of admins:

"'admins' in google.groups"
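The rules above can be checked before a provider configuration is applied. This added example is not part of the API documentation or of the package it describes. It is a heuristic Python pre-check, not a CEL parser, and the name lint_condition and the finding strings are assumptions.

```python
import re

MAX_LEN = 4096                                  # limit stated above
ROOTS = {"assertion", "google", "attribute"}    # keywords the description allows
UNSUPPORTED = {"google.profile_photo", "google.display_name",
               "google.posix_username"}         # listed above as not supported
CEL_WORDS = {"in", "true", "false", "null"}     # CEL operator and literals

_STRINGS = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"")
_PATHS = re.compile(r"(?<![\w.])([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)(\s*\()?")
_MACRO_VARS = re.compile(
    r"\.(?:all|exists|exists_one|map|filter)\(\s*([A-Za-z_]\w*)\s*,")


def lint_condition(expr):
    """Return a list of findings; an empty list means nothing was flagged."""
    if expr is None or not expr.strip():
        return ["unspecified: all valid authentication credentials "
                "will be accepted"]
    findings = []
    if len(expr) > MAX_LEN:
        findings.append(f"too long: {len(expr)} > {MAX_LEN} characters")
    code = _STRINGS.sub("''", expr)         # ignore text inside string literals
    bound = set(_MACRO_VARS.findall(code))  # iteration variables of CEL macros
    for match in _PATHS.finditer(code):
        path, is_call = match.group(1), match.group(2)
        root = path.split(".")[0]
        if root in CEL_WORDS or root in bound or (is_call and "." not in path):
            continue                        # keyword, macro variable, global function
        if root not in ROOTS:
            findings.append(f"unknown keyword: {root}")
        for bad in UNSUPPORTED:
            if path == bad or path.startswith(bad + "."):
                findings.append(f"unsupported attribute: {bad}")
    return findings


if __name__ == "__main__":
    # Constructed sample conditions; only the first comes from the text above.
    for sample in ["'admins' in google.groups",
                   "google.display_name == 'Alice'",
                   "groups.exists(g, g == 'admins')",
                   ""]:
        print(repr(sample), "->", lint_condition(sample))
```

An empty result only means none of the stated rules was violated; it does not prove the expression is valid CEL or that it restricts access as intended.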
Implementation
core.String? attributeCondition;