Groovy Script Examples
Examples SAML
Login any user as guestuser if the attribute groups contains guests.
This script should be mapped to the Application-attribute Username and assumes that the username comes from the SAML Name-ID:
Set SAML attribute email to a unique value if the attribute is not present
This script should be mapped to the Application-attribute E-Mail Address.
Set the last name to uppercase
This script should be applied to the Application-attribute Full Name and assumes the first name is in first and the last name in last.
Combine groups from attributes with the value true
In this example, the IdP sends a fixed set of group names as keys with the value true if the user is a member of that group:
Handle Groups Not Sent As Multivalue Attribute in SAML Response, Replace Group Names In The Process
Handle Groups Not Sent As Multivalue Attribute in SAML Response And Filter Empty Strings
Transform one group from the SAML response to two or more groups
Transform one group from the SAML response to two or more groups and also perform more direct transformations
Allow user authentication based on the email domain of the user 
Add a user into a specific group when not calling the JSM portal and the IdP returns a specific group
Drop the user if the email is already present
Use this to transform the email attribute. If the email address is found and doesn't belong to this user, drop the user.
Exclude some users from being reactivated during login even if that option is enabled
Use the following Groovy code for the username attribute mapping (assuming that the username attribute is originally mapped to the default value ATTR_NAMEID):
Fail the authentication if a value (among a list) of an attribute matches any value of another list
Use the following Groovy code for the username attribute mapping.
Assumptions:
- The Jira Username attribute is mapped to ATTR_NAMEID
- The attribute to be checked is called userDep
Assign a specific group based on some conditions
In the following example, we are going to assign group 'myGroup' to the users if the following two conditions are both met:
- The nameId starts with 'M' followed by some numbers
- The department attribute has a value of 'IT'
Assuming the following attributes returned by the IdP:
Use the following Groovy code for the Groups attribute mapping.
Just-In-Time Provisioning: add licensed Jira group to any authentication through SAML SSO
In the following example, we are going to add a licensed Jira group to the users if the following conditions are met:
- The user logs in via SAML
- If SAML attribute <your-attribute> has a value of 'Internal'
  - The user will be added to the group 'jira-users'
- Else
  - The user will be added to the group 'jira-external-users'
Use the following Groovy code for the Groups attribute mapping.
Variant
- If SAML attribute <your-attribute> is null
  - The user will be added to the group 'jira-empty'
Examples User Sync
Assign a license group based on some conditions and only if the user logs in via SAML
In the following example, we are going to assign the Jira license group 'jira-users' or 'jira-external-users' to the users if the following conditions are met:
- The user logs in via SAML
- The WorkerType attribute has a value of 'Internal'
  - The user will be added to the group 'jira-users'
- The WorkerType attribute starts with 'E[ABCD]'
  - The user will be added to the group 'jira-external-users'
- If the user is already part of the other group (e.g. jira-users) the group will be removed. So, the user can only be part of one group.
Since we are using Group Management, we moved the Group Management configuration (UI) to the Groovy script, too. Please remove the UI Group Management configuration and modify the script to your needs.
Assuming the attribute WorkerType is returned by the IdP:
This script should be mapped to the Application-attribute Groups:
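The group decision described above, as an added example in plain Groovy; it is not the app's own script and does not use the app's mapping API. The function name decideLicenseGroups, its parameters, and leaving the groups unchanged for a missing or unrecognised WorkerType are assumptions.

```groovy
// Added example: plain Groovy, independent of the app's mapping API.
// decideLicenseGroups and its parameter names are hypothetical.
//
// currentGroups: groups the user already has
// workerType:    WorkerType value sent by the IdP (may be null)
// viaSaml:       true for a SAML login, false for the regular sync
Set<String> decideLicenseGroups(Collection<String> currentGroups,
                                String workerType, boolean viaSaml) {
    def internal = 'jira-users'
    def external = 'jira-external-users'
    def groups = new LinkedHashSet<String>(currentGroups ?: [])

    // The rule applies only on SAML login; the sync leaves groups as they are.
    if (!viaSaml) {
        return groups
    }

    String target = null
    if (workerType == 'Internal') {
        // Exact comparison: 'internal' or 'Internal-temp' do not qualify.
        target = internal
    } else if (workerType != null && workerType ==~ /E[ABCD].*/) {
        // ==~ matches the whole string, so the pattern is anchored at the
        // start: 'EB-contractor' matches, 'XEB' and 'EZ' do not.
        target = external
    }

    // Assumption: a missing or unrecognised WorkerType grants no license group.
    if (target == null) {
        return groups
    }

    // The two license groups are mutually exclusive.
    groups.remove(target == internal ? external : internal)
    groups.add(target)
    return groups
}

// Constructed sample inputs
assert decideLicenseGroups(['dev'], 'Internal', true) == ['dev', 'jira-users'] as Set
assert decideLicenseGroups(['jira-users', 'dev'], 'EB-contractor', true) ==
        ['dev', 'jira-external-users'] as Set
assert decideLicenseGroups(['dev'], 'XEB', true) == ['dev'] as Set
assert decideLicenseGroups(['dev'], null, true) == ['dev'] as Set
assert decideLicenseGroups(['dev'], 'Internal', false) == ['dev'] as Set
```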
Remove any user from the group confluence-users if the user is disabled on the IdP side.
The script could be helpful since Confluence is sometimes displaying an incorrect number of active users. License will display the correct number of users only if the users are not part of any group with CAN-USE permission (in our case 'confluence-users').
This script should be mapped to the Application-attribute Groups:
Transform group names using regular expressions
Replacing attributes using regular expressions can be done in a Groovy transformation instead of adding regexes to the configuration. Especially when a large number of regular expressions need to be applied, it can be helpful to have all of them in a piece of code.
Assuming the user data looks like this
This transformation returns
Apply the Cleanup Behaviour (e.g. Disable) when a user is a member of a certain group
Use the following Groovy code for the Groups attribute mapping in the connector:
Assign default groups only to a certain domain in the email address
Use the following Groovy code for the Groups attribute mapping in the connector:
Assign a default group only upon a successful login via SAML
The user should be assigned to a specific group, called groupA, only upon a successful SAML login (i.e. not via the regular sync of User Sync).
Use the following Groovy code for the Groups attribute mapping in the connector:
Assign a default group only to the members of certain groups
Use the following Groovy code for the Groups attribute mapping in the connector:
SAML Single Sign-On is available for Atlassian Server & Atlassian Data Center products.
Our Jira Data Center, Confluence Data Center, Bitbucket Data Center, Jira Server, Confluence Server, Bitbucket Server and other apps are all available on the Atlassian Marketplace.