add more JSONata examples

ranbel · ranbel · commit c913375dc6df · 2025-03-04T18:12:44.000-05:00
diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx
@@ -5,7 +5,7 @@ sidebar:
   order: 1
 ---
 
-import { Render } from "~/components";
+import { Render, Details } from "~/components";
 
 This page provides generic instructions for setting up a SaaS application in Cloudflare Access using the SAML authentication protocol.
 
@@ -86,7 +86,7 @@ Open an incognito browser window and go to the SaaS application's login URL. You
 - `email` - User's email address
 - `groups` - Identity provider group membership
 
-In Access for SaaS, you can add additional SAML attributes and customize the SAML statement sent to the SaaS application. This allows you to integrate SaaS applications which have specific SAML attribute requirements.
+In Access for SaaS, you can add additional SAML attributes or customize the SAML statement sent to the SaaS application. This allows you to integrate SaaS applications which have specific SAML attribute requirements.
 
 ### SAML attribute statements
 
@@ -102,37 +102,23 @@ To send additional SAML attributes to your SaaS application, configure the follo
 	- **Required**: If a claim is marked as required but is not provided by an IdP, Cloudflare will fail the authentication request and show an error page.
 	- **Add per IdP claim**: (Optional) If you turned on multiple identity providers for the SaaS application, you can choose different attribute mappings for each IdP. These values will override the parent **IdP claim**.
 
-### Transformation
+### JSONata transforms
 
-In **Advanced settings** > **Transformation**, you can enter a [JSONata](https://jsonata.org/) script that modifies a copy of the user identity before creating SAML attributes to be sent to the SaaS application. This is useful for setting defaults, excluding email addresses, or ensuring usernames meet arbitrary criteria.
+In **Advanced settings** > **Transformation**, you can enter a [JSONata](https://jsonata.org/) script that modifies a copy of the [User Registry identity](/cloudflare-one/insights/logs/users/). This is useful for setting default values, excluding email addresses, or ensuring usernames meet arbitrary criteria. Access will send the modified user identity to the SaaS application as SAML attributes.
 
-Note that JSONata Transformations are not compatible with SAML attribute statements. JSONata transformations will override any specified SAML attributes.
+:::note
+JSONata transformations are not compatible with [SAML attribute statements](#saml-attribute-statements). JSONata transformations will override any specified SAML attributes.
+:::
 
-For example, the following JSONata script modifies the `groups` attribute:
+For example, the following JSONata script merges group names into a list and adds an `eduPersonPrincipalName` field which maps to the user email.
 
-```jsonata title="JSONata expression"
-{
-  "account_id": account_id,
-  "amr": amr,
-  "auth_status": auth_status,
-  "common_name": common_name,
-  "devicePosture": devicePosture,
-  "device_id": device_id,
-  "device_sessions": device_sessions,
-  "email": email,
-  "gateway_account_id": gateway_account_id,
-  "geo": geo,
-	"groups": $map($.groups, function($group) {
-    {"group_name": $group.name}}),
-  "iat": iat,
-  "id": id,
-  "idp": idp
-}
+```jsonata title = "JSONata expression"
+$merge([$, {"groups": groups.name, 'eduPersonPrincipalName': email}])
 ```
 
-Here is an example of a user identity before applying the transform:
+Here is an example of a user identity before applying the JSONata transform:
 
-```json title= "Before JSONata transform" collapse={2-25, 40-45}
+```json title= "User identity before JSONata transform"
 {
   "account_id": "699d98642c564d2e855e9661899b7252",
   "amr": [
@@ -181,9 +167,123 @@ Here is an example of a user identity before applying the transform:
 }
 ```
 
-Here is the payload after applying the example JSONata transform:
+Result after applying the example JSONata script:
+
+```json output
+{
+  "account_id": "699d98642c564d2e855e9661899b7252",
+  "amr": [
+    "pwd"
+  ],
+  "auth_status": "NONE",
+  "common_name": "",
+  "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
+  "device_sessions": {
+    "49e653db-991e-11ee-af26-2243bf8c3428": {
+      "last_authenticated": 1703004275
+    }
+  },
+  "devicePosture": {
+    "8534a230-e85e-4183-8964-a4b7dcf72986": {
+      "rule_name": "Warp",
+      "success": true,
+      "type": "warp"
+    }
+  },
+  "email": "jdoe@company.com",
+  "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU",
+  "geo": {
+    "country": "US"
+  },
+  "groups": [
+    "IdentityProtection-RiskyUser-RiskLevel-low",
+    "Global Administrator",
+    "Application Administrator"
+  ],
+  "iat": 1659474397,
+  "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M",
+  "idp": {
+    "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47",
+    "type": "azureAD"
+  },
+  "eduPersonPrincipalName": "jdoe@company.com"
+}
+```
+
+For more JSONata transform use cases, refer to the following examples.
+
+<Details header="Remove groups attribute">
+
+The following JSONata script removes the `groups` SAML attribute. This can be useful if your SaaS application does not need to receive user group information.
+
+```jsonata title="JSONata expression"
+$ ~> |$|{}, ['groups']|
+```
+
+Result after applying the JSONata transform:
+```json output
+{
+  "account_id": "699d98642c564d2e855e9661899b7252",
+  "amr": [
+    "pwd"
+  ],
+  "auth_status": "NONE",
+  "common_name": "",
+  "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
+  "device_sessions": {
+    "49e653db-991e-11ee-af26-2243bf8c3428": {
+      "last_authenticated": 1703004275
+    }
+  },
+  "devicePosture": {
+    "8534a230-e85e-4183-8964-a4b7dcf72986": {
+      "rule_name": "Warp",
+      "success": true,
+      "type": "warp"
+    }
+  },
+  "email": "jdoe@company.com",
+  "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU",
+  "geo": {
+    "country": "US"
+  },
+  "iat": 1659474397,
+  "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M",
+  "idp": {
+    "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47",
+    "type": "azureAD"
+  }
+}
+```
+</Details>
+
+<Details header="Rename groups field and remove group ID">
 
-```json title="After JSONata transform" collapse={2-25, 40-45}
+The following JSONata script changes the `groups.name` field from `name` to `group_name` and removes the `groups.id` field:
+
+```jsonata title="JSONata expression"
+{
+  "account_id": account_id,
+  "amr": amr,
+  "auth_status": auth_status,
+  "common_name": common_name,
+  "devicePosture": devicePosture,
+  "device_id": device_id,
+  "device_sessions": device_sessions,
+  "email": email,
+  "gateway_account_id": gateway_account_id,
+  "geo": geo,
+	"groups": $map($.groups, function($group) {
+    {"group_name": $group.name}}),
+  "iat": iat,
+  "id": id,
+  "idp": idp
+}
+```
+
+Result after applying the JSONata transform:
+
+```json output
 {
   "account_id": "699d98642c564d2e855e9661899b7252",
   "amr": [
@@ -229,4 +329,62 @@ Here is the payload after applying the example JSONata transform:
 }
 ```
 
-In this example, the JSONata transform changed the `group.name` field from `name` to `group_name` and removed the `group.id` field.
+</Details>
+
+<Details header="Filter groups by name">
+
+The following JSONata script filters groups to those that match a regular expression.
+
+```jsonata title="JSONata expression"
+$merge([$, { "groups": $filter(groups, function($v) { $contains($v.name, /Administrator/) }) }])
+```
+
+Result after applying the JSONata transform:
+
+```json output
+{
+  "account_id": "699d98642c564d2e855e9661899b7252",
+  "amr": [
+    "pwd"
+  ],
+  "auth_status": "NONE",
+  "common_name": "",
+  "device_id": "c1744f8b-faa1-48a4-9e5c-02ac921467fa",
+  "device_sessions": {
+    "49e653db-991e-11ee-af26-2243bf8c3428": {
+      "last_authenticated": 1703004275
+    }
+  },
+  "devicePosture": {
+    "8534a230-e85e-4183-8964-a4b7dcf72986": {
+      "rule_name": "Warp",
+      "success": true,
+      "type": "warp"
+    }
+  },
+  "email": "jdoe@company.com",
+  "gateway_account_id": "bTSquyUGwLQjYJn8cI8S1h6M6wU",
+  "geo": {
+    "country": "US"
+  },
+  "groups": [
+    {
+      "id": "12348f47-8234-4860-a03f-c2a1513f267b",
+      "name": "Global Administrator"
+    },
+    {
+      "id": "11235980-87d7-4917-b0aa-74c01914c40e",
+      "name": "Application Administrator"
+    }
+  ],
+  "iat": 1659474397,
+  "id": "OidHvkPt-I-13IBSnd77UJ8cHgsrUpjs3W6_4t6ES7M",
+  "idp": {
+    "id": "b08e8c0c-a75d-4b3f-8e7b-cd427b7c7b47",
+    "type": "azureAD"
+  }
+}
+```
+</Details>
+
+
