Group assignment

With group assignment, users can be assigned to groups based on claims of the logged-in user.

Example:

Adds a user to the group "__SystemUsers" if "groups[*]" contains the value "admin-realm".

{
    "condition": {
        "claimPath": "groups[*]",
        "matchValue": "admin-realm"
    },
    "grantedGroups": [
        "__SystemUsers"
    ]
}

Syntax

Simple key:

A plain key addresses a top-level entry in the claims.

email                             → claims["email"]
sub                               → claims["sub"]
email_verified                    → claims["email_verified"]

Separator:

Nested levels are separated with a double colon "::".

realm_access::roles               → claims["realm_access"]["roles"]
resource_access::account          → claims["resource_access"]["account"]
user::profile::name               → claims["user"]["profile"]["name"]

Array:

A numeric index in square brackets checks a specific element of an array.

groups[0]                         → claims["groups"][0]  (first element)
roles[2]                          → claims["roles"][2]   (third element)
realm_access::roles[0]            → claims["realm_access"]["roles"][0]

An asterisk * in place of the index checks every element of the array.

groups[*]                         → any element in claims["groups"]
realm_access::roles[*]            → any element in claims["realm_access"]["roles"]
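
The path syntax above, worked through as an added example (not the project's own code): a small resolver for simple keys, "::" levels, [n] and [*], plus a rule evaluator. The names resolve_claim_path and granted_groups are hypothetical, and exact, type-strict matching with no grant on a missing claim, a non-array value or an out-of-range index is an assumption about how such a rule should behave.

```python
import re

# One path segment: a key, optionally followed by [n] or [*].
_SEGMENT = re.compile(r"^([^\[\]]+)(?:\[(\d+|\*)\])?$")

def resolve_claim_path(claims, path):
    """Return the list of values a claimPath selects (empty if nothing is selected)."""
    current = [claims]
    for segment in path.split("::"):
        m = _SEGMENT.match(segment)
        if not m:
            raise ValueError(f"malformed claimPath segment: {segment!r}")
        key, index = m.group(1), m.group(2)
        selected = []
        for node in current:
            if not isinstance(node, dict) or key not in node:
                continue  # missing claim or wrong level type: select nothing
            value = node[key]
            if index is None:
                selected.append(value)
            elif not isinstance(value, list):
                continue  # index used on a non-array claim: select nothing
            elif index == "*":
                selected.extend(value)
            elif int(index) < len(value):
                selected.append(value[int(index)])
        current = selected
    return current

def granted_groups(rule, claims):
    """Groups granted by one rule (assumption: matchValue must equal a selected value)."""
    cond = rule["condition"]
    values = resolve_claim_path(claims, cond["claimPath"])
    want = cond["matchValue"]
    # Type-strict equality: "admin-realm-readonly" or a boolean never matches "admin-realm".
    if any(type(v) is type(want) and v == want for v in values):
        return list(rule["grantedGroups"])
    return []

# Constructed sample data: the rule from the example above and made-up token claims.
RULE = {"condition": {"claimPath": "groups[*]", "matchValue": "admin-realm"},
        "grantedGroups": ["__SystemUsers"]}
CLAIMS = {"sub": "constructed-user", "groups": ["staff", "admin-realm"],
          "realm_access": {"roles": ["offline_access", "uma_authorization"]}}

if __name__ == "__main__":
    print(granted_groups(RULE, CLAIMS))
```

Because a rule like this grants membership in a privileged group, the claim it reads should be one that only the identity provider can set, not a user-editable profile attribute.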