Policy validators

The SecureAuth Connect visual policy editor assembles policies from a set of built-in validators. Each validator performs one check against the request and returns true or false. The policy combines validators with logical operators and returns an allow or deny decision.

This page is a reference for every validator the visual editor provides. For the create-a-policy procedure, see Create policy (visual editor).

Attributes validator

Attributes validator is a generic validator that lets you compare any source valid for the selected policy type against any target. Available sources include:

  • Authentication context attribute
  • Access token claims
  • ID token claims
  • Secrets
  • Scopes

When a dedicated validator exists for the data you want to check, prefer the dedicated validator over the generic Attributes validator.

Authentication context validator

Authentication context validator checks an authentication context attribute against:

  • A specific value.
  • Another authentication context attribute.

Use it to validate session-level identity data, for example the identity provider used to authenticate.

Client validator

Client validator checks the client context attributes in the request, passed in the contexts.client object. Use it to validate any client registered in SecureAuth. For available client parameters, see the Client API documentation.

Example request data the policy reads:

"contexts": {
  "client": {"attribute_name": "value"}
}

Developer validator

Developer validator checks the developer context attributes in the request, passed in the contexts.developer object. Use it when policies need to gate actions based on third-party developer metadata.

Example request data the policy reads:

"contexts": {
  "developer": {"attribute_name": "value"}
}

Embedded policy validator

Embedded policy validator lets you pick another policy of the same type and resolve it within the current validator. Use embedded policies to compose reusable primitives and reference them from higher-level policies.

Embedded Rego policies for Istio header injection

For Rego policies that inject headers for Istio-protected services, see Header injection for Istio policies.

Authentication factors (MFA) validator

Authentication factors validator checks whether the user has completed multi-factor authentication and prompts the user to complete it if they have not. Use it to gate sensitive actions behind a completed MFA challenge.

ID token validator

ID token validator compares an ID token attribute against a specific value or another ID token attribute.

Request header validator

Request header validator checks a specific HTTP header either for a given value or simply for its presence. Use it to enforce API-level rules that depend on header-based context passed from the gateway or the caller.

Logical validators

By default, a policy evaluates every validator and passes only if all validators resolve to true. Logical validators let you build if/else branches based on earlier validator results.

The Fail and Pass validators end policy resolution.

Signal validator

Signal validator checks the Signal Sciences warnings on a request. Use it when your requests are protected through Signal Sciences and you want to validate a policy based on the presence or absence of warnings.

Software statement validator

Software statement validator restricts client registration based on parameters in a Software Statement Assertion (SSA). Use it when client registration is protected by an SSA and policy decisions need to reference fields inside the statement.

Example request data the policy reads:

"contexts": {
  "softwareStatement": {"attribute_name": "value"}
}

Wildcard pattern matching

Warning: Wildcard pattern matching works in the SecureAuth visual policy editor only. It is not available for Rego policies.

When comparing values in any validator, you can use the * character as a wildcard that matches any sequence of characters. Example comparator:

{
  "fields": [
    {
      "field": "sub",
      "comparator": "equals",
      "value": "admin-*"
    }
  ]
}

This comparator matches all values with the admin- prefix, such as admin-123.

To match the * character literally, escape it with \:

{
  "fields": [
    {
      "field": "group",
      "comparator": "equals",
      "value": "\*"
    }
  ]
}

This comparator matches the single character *.
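As an added example (not SecureAuth's own implementation), the following Python matcher applies the wildcard rules above to the two comparators on this page and enforces the all-fields-must-match default described under Logical validators. The claims dictionary and the wildcard_match and evaluate_comparator helper names are assumptions made for this example.

```python
import re

# Added example, not SecureAuth's code. Assumed semantics, taken from the
# page: a bare "*" matches any run of characters (including none), the
# escaped form "\*" matches a literal "*", and a comparator passes only
# when every entry in "fields" matches the request.

def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a policy value pattern into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] == "*":
            parts.append(re.escape("*"))   # escaped star: the literal "*"
            i += 2
            continue
        if ch == "*":
            parts.append(".*")             # bare star: any sequence, including empty
        else:
            parts.append(re.escape(ch))    # every other character is literal
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)

def wildcard_match(pattern: str, value: str) -> bool:
    """True if the whole value matches the pattern (no partial matches)."""
    return wildcard_to_regex(pattern).fullmatch(value) is not None

def evaluate_comparator(comparator: dict, claims: dict) -> bool:
    """Return True only if every field in the comparator matches the claims.
    A missing claim never matches, so the policy fails closed."""
    for field in comparator["fields"]:
        if field["comparator"] != "equals":
            raise ValueError(f"unsupported comparator: {field['comparator']}")
        actual = claims.get(field["field"])
        if actual is None or not wildcard_match(field["value"], str(actual)):
            return False
    return True

# The two comparators shown on this page. In Python source the two-character
# policy value \* is written as "\\*".
ADMIN_PREFIX = {"fields": [{"field": "sub", "comparator": "equals", "value": "admin-*"}]}
LITERAL_STAR = {"fields": [{"field": "group", "comparator": "equals", "value": "\\*"}]}

if __name__ == "__main__":
    # Constructed sample claims, not taken from any real token.
    print(evaluate_comparator(ADMIN_PREFIX, {"sub": "admin-123"}))   # True
    print(evaluate_comparator(LITERAL_STAR, {"group": "engineering"}))  # False
```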

When to use Rego instead

Visual editor validators cover the most common policy patterns. Reach for Rego when you need:

  • Loops, set operations, or complex data transformations.
  • Policies that need to be reviewed and versioned as code.
  • Reusable Rego packages shared across policies.
  • Logic that would require deeply nested validator structures in the visual editor.

For Rego authoring, see Authoring access policies using Rego or visual editor.