attributeCondition property
A Common Expression Language expression, in plain text, to restrict what otherwise valid authentication credentials issued by the provider should not be accepted.
The expression must output a boolean representing whether to allow the
federation. The following keywords may be referenced in the expressions: *
assertion: JSON representing the authentication credential issued by the
provider. * google: The Google attributes mapped from the assertion in
the attribute_mappings. google.profile_photo and google.display_name
are not supported. * attribute: The custom attributes mapped from the
assertion in the attribute_mappings. The maximum length of the attribute
condition expression is 4096 characters. If unspecified, all valid
authentication credentials will be accepted. The following example shows
how to only allow credentials with a mapped google.groups value of
admins: "'admins' in google.groups"
Implementation
core.String? attributeCondition;