Beyond directly mapping claims to users or groups, identity mappings in Artifactory support transformation patterns. These allow claim values to be modified on the fly—adding suffixes, stripping domains, or normalizing formats.
A mapping pattern has two parts:
- Before the | → the pattern to match against the claim value.
- {{actor}} or {{mail}} means “take the raw claim value.”
- Wrapping with parentheses () defines capture groups (sub-sections of the value you want to extract).
- After the | → the transformation rule, using:
- $0 = the entire match from the left side.
- $1, $2, … = the contents of the first, second, etc. capture groups.
Think of it as:
Claim value → Match (before |) → Rewrite (after |) → Final mapped value
Examples:
// Example 1: Append a domain suffix
"username_pattern": "{{actor}} | $0@jfrog.com"
// actor = "saidegreen"
// Match: $0 = "saidegreen"
// Result → applied-permissions/user:saidegreen@jfrog.com
// Example 2: Strip a domain
"username_pattern": "({{actor}})@jfrog.com | $1"
// actor = "saidegreen@jfrog.com"
// Match: $0 = "saidegreen@jfrog.com", $1 = "saidegreen"
// Result → applied-permissions/user:saidegreen
// Example 3: Add a suffix to groups
"groups_pattern": "{{group}} | $0-jfrog"
// group = "gitgroup"
// Match: $0 = "gitgroup"
// Result → applied-permissions/groups:"gitgroup-jfrog"
// Example 4: Match and preserve a full email
"username_pattern": "jf{{mail}}jfrog.com | $0"
// mail = "jfsaidegreen@jfrog.com"
// Match: $0 = "jfsaidegreen@jfrog.com"
// Result → applied-permissions/user:jfsaidegreen@jfrog.com
// Example 5: No match case
"username_pattern": "jf{{mail}}jfrog.com | $0"
// mail = "gitsaidegreen@jfrog.com"
// Pattern expects the email to start with "jf" and end with "jfrog.com"
// Match: fails because the claim does not meet the pattern