Some more useful tidbits of information for anyone else following this path…
- When setting user attribute mapping rules on an IdP and you switch to “expression” mode (instead of “direct”), the syntax for referencing ID token properties is “{idp-attributes:X}”. I didn’t see this documented anywhere and only stumbled on it by accident.
- You can use all of the ID token properties in your security level rules, even ones that are never exposed elsewhere!
- You can, as a last-ditch solution, pack lots of properties into one. I just tested it by putting all of my leftover properties into a JSON string, and then putting that into the lastName field. The expression mapping looked like this:
jsonSet(jsonSet(jsonSet("{'sf_groups':'', 'sms':'', 'lname':''}", "sf_groups", {idp-attributes:sf_groups}), "sms", {idp-attributes:sms}), "lname", {idp-attributes:lname})
Then in Perspective I have to decode session.props.auth.user.lastName as JSON to get all my other fields back.
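As an added example (not part of the original post or of Ignition itself), here is the decoding side of that trick written in plain Python with the standard `json` module, so it runs outside the gateway. `pack_attrs` mirrors what the nested `jsonSet` expression produces, and `unpack_last_name` is the piece that would run in a Perspective script, with the check a practitioner wants before trusting `sf_groups` for anything authorization-related: a user who came through a different IdP (or a mapping that never fired) still has an ordinary last name in that field, and a half-formed payload must not be mistaken for real group data. The key names `sf_groups`, `sms` and `lname` are the ones from the expression above; everything else is assumed.

```python
import json

# Keys the mapping expression packs into the lastName field (from the post).
PACKED_KEYS = ("sf_groups", "sms", "lname")

# Attribute set returned when lastName holds no usable payload: no groups, no
# phone, and whatever plain string was there kept as the real last name.
def _plain(last_name):
    return {"sf_groups": "", "sms": "", "lname": last_name}


def pack_attrs(sf_groups, sms, lname):
    """Stand-in for the jsonSet(...) expression: build the JSON string that
    ends up in lastName. json.dumps escapes quotes and backslashes, so a
    value such as O'Brien or a name containing a double quote stays valid
    JSON and can be decoded again."""
    return json.dumps({"sf_groups": sf_groups, "sms": sms, "lname": lname})


def unpack_last_name(last_name):
    """Decode a lastName value back into a dict of attributes.

    Returns (attrs, packed). packed is True only when the value was a JSON
    object carrying every expected key; otherwise attrs has empty sf_groups
    and sms and lname set to the raw string, so callers never act on group
    data that did not come from the mapping expression.
    """
    if not isinstance(last_name, str):
        # Hypothetical edge case: property missing or not a string at all.
        return _plain(""), False
    try:
        data = json.loads(last_name)
    except ValueError:
        # An ordinary last name like "Smith" is not JSON: treat it as such.
        return _plain(last_name), False
    if not isinstance(data, dict) or not all(k in data for k in PACKED_KEYS):
        # Valid JSON but not our payload shape (a list, a number, missing keys).
        return _plain(last_name), False
    return {k: data[k] for k in PACKED_KEYS}, True


if __name__ == "__main__":
    # Constructed sample values, not data from any real IdP.
    packed = pack_attrs("ops,admins", "+15550100", "O'Brien")
    print(packed)
    print(unpack_last_name(packed))
    print(unpack_last_name("Smith"))
```

Inside a Perspective script the `json.loads` call would be `system.util.jsonDecode(session.props.auth.user.lastName)`, and the `lname` value is what you would display as the user's actual last name instead of the raw property.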