Transformations are a very powerful tool to transform SAML user attribute values, transmitted through the SAML Response (Assertion) from the Identity Provider. Mainly they are used to transform not changeable values within the Identity Provider, so the transformed value fits the required or an desired attribute format in the Atlassian application. The transformed value will be used then for authentication or user creation/update purposes.
Transformations are built as "Replace Regex with Replacement". Capturing groups can be referenced in the replacement with $1,$2...
Multiple Transformations can be configured at once. They are processed top-down until the first expression matches.
Transformations are currently available for User ID, Groups, and Service Desk Organizations. Groups and Organizations have an additional configuration called Skip untransformed groups. This option allows to skip group/organization values not matching the transformation regex. This means, when enabled, not matching values are ignored for user update then.
- Transform SAML Name ID's having an email address format to drop the domain part and get the name only:
Configuration: Replace "(.*)@.*" with "$1" → Test: "firstname.lastname@example.org" → Result: "john.bold"
- Transform group values delivered as Distinguished Name (LDAP) format to get the group name:
Configuration: Replace "CN=(.*),OU.*" with "$1" → Test: "CN=DevUK,OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com" → Result: "DevUK"
- Transform organization values to remove not desired/allowed characters (e.g. "_"):
Configuration: Replace "CN=(.*)_(.*)" with "$1$2" → Test: "Organization_1" → Result: "Organization1"