Configuring SSO Custom Claims & Flags for Restricted Ticket Access

In addition to standard groups and roles, Purplepass supports passing custom claims (attributes) and boolean flags through your identity provider (IdP) for more granular control over ticket access. This article covers the claim key formats, how flag values are evaluated, and a worked example showing both approaches side by side.

For an overview of how groups, roles, custom claims, and flags work together, see Restricting Ticket Access with SSO: Groups, Roles, Custom Claims & Flags. For group and role setup, see Configuring SSO Groups & Roles for Restricted Ticket Access.

Why use a custom claim or flag instead of a group?

Custom claims and flags let you target ticket access using a single attribute passed per user, instead of creating and maintaining a separate SSO group in your identity provider for every variation. This is especially useful when you have several similar but distinct audiences, such as multiple commencement ceremony times or graduating terms.

How Purplepass identifies custom claims and flags

Because custom claims and flags can be named anything you want, Purplepass needs a way to recognize which claims to read, and whether to treat the value as plain text or as true/false. This is done through a specific naming convention in the claim's key (its URI). Using the Purplepass URL as part of the key also keeps it unique from any other claims you may already have configured in your IdP, which is standard practice for SAML claim setup.

The naming convention matters

Custom claims and flags use two different key formats. If the wrong format is used, Purplepass won't be able to read the claim.

Custom claims (name/value pairs)

Use this format when you want to pass an attribute with a specific, meaningful value (not just true or false), such as a student ID, campus, or graduation term.

Claim key format:

https://www.purplepass.com/access/id/claims/<key>

Replace <key> with the name of your custom claim. Purplepass automatically reads the value of any claim key that starts with https://www.purplepass.com/access/id/claims/.

Example claim keys:
  • https://www.purplepass.com/access/id/claims/student_id
  • https://www.purplepass.com/access/id/claims/enrollment_id
  • https://www.purplepass.com/access/id/claims/campus
  • https://www.purplepass.com/access/id/claims/GraduationStatus

Example attributes and values:

| Attribute | Example value |
| --- | --- |
| Degree | Engineering |
| StudentID | 12345678 |
| Student-Level | Junior |
| Grad-Date | May15th2026 |

These use the same format, for example https://www.purplepass.com/access/id/claims/Degree.

With custom claims, only the value is used for targeting, not the claim key itself. Claim values are also not case-sensitive (Spring2026, spring2026, and SPRING2026 are all treated the same). When you create the matching SSO group in the Purplepass dashboard, you can give it any friendly name for your own reference; the value you enter must match the claim's value exactly (letter case aside). See the worked example below.

Boolean flags

Use this format when you want a simple true/false condition, such as whether a student belongs to a specific graduating class.

Claim key format:

https://www.purplepass.com/access/flag/claims/<flag>

Replace <flag> with the name of your flag. Purplepass automatically reads any claim key that starts with https://www.purplepass.com/access/flag/claims/ and evaluates it as true or false.

Example claim keys:
  • https://www.purplepass.com/access/flag/claims/is_student
  • https://www.purplepass.com/access/flag/claims/is_graduating
  • https://www.purplepass.com/access/flag/claims/business_major
  • https://www.purplepass.com/access/flag/claims/Graduating_Spring2026

When you create the matching SSO group in the Purplepass dashboard, the name can be any label you choose, for your own reference. The value must match the flag name exactly, meaning the portion of the claim key after /claims/. For the example above, you'd enter Graduating_Spring2026, not the full claim key URL.

How flag values are evaluated

| Value passed | Result |
| --- | --- |
| true, yes, y, or 1 | ✅ Active |
| Not passed at all | ❌ Inactive |
| false, no, n, or 0 | ❌ Inactive |
| Blank, or any other value | ❌ Inactive |

Flag values are not case-sensitive (TRUE, True, and true are all treated the same).

EXAMPLE: Targeting a Spring 2026 graduating class

Below are two ways to set up restricted access for students graduating in Spring 2026, one using a custom claim and one using a flag. Both approaches work the same way once configured in Purplepass. Use whichever is easier to set up in your identity provider.

Option #1 - Custom claim

Your IdP passes the claim key https://www.purplepass.com/access/id/claims/GraduationStatus with a value such as Spring2026, Spring2026-1pm, or Fall2026, depending on the student's term and ceremony session.

In Purplepass, create an SSO group targeting the value Spring2026, then restrict your commencement ticket to that group. Only students whose GraduationStatus value is exactly Spring2026 will be able to access the ticket. A student with a value of Fall2026 (or any other value) won't have access.

Option #2 - Boolean flag

Your IdP passes the claim key https://www.purplepass.com/access/flag/claims/Graduating_Spring2026 with a value of true, yes, y, or 1 for each student in that graduating class.

In Purplepass, create an SSO group targeting the flag name Graduating_Spring2026 (not the full claim key), then restrict your commencement ticket to that group. Only students with that flag set to an active value will be able to access the ticket. If the flag isn't passed, or is passed with any other value, the student won't have access.
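
The rules above can be checked against a user's IdP attributes before rollout. The following Python sketch is an added example, not Purplepass code: it models the key prefixes, case handling, and flag table as this article states them. The function names, the sample users, the case-sensitive flag-name comparison, and the "unreadable key" heuristic are assumptions made for illustration.

```python
ID_PREFIX = "https://www.purplepass.com/access/id/claims/"
FLAG_PREFIX = "https://www.purplepass.com/access/flag/claims/"
ACTIVE_FLAG_VALUES = {"true", "yes", "y", "1"}  # from the evaluation table


def evaluate(attributes):
    """Model of the article's rules for one user's {claim key: value} attributes.

    Returns (claim_values, active_flags, unreadable_keys).
    """
    claim_values, active_flags, unreadable = set(), set(), []
    for key, value in attributes.items():
        if key.startswith(ID_PREFIX) and key != ID_PREFIX:
            # Only the value is used for targeting; values ignore case.
            claim_values.add(value.lower())
        elif key.startswith(FLAG_PREFIX) and key != FLAG_PREFIX:
            # Blank or any value outside the active set leaves the flag inactive.
            if value.lower() in ACTIVE_FLAG_VALUES:
                active_flags.add(key[len(FLAG_PREFIX):])
        elif "purplepass.com" in key.lower():
            # Looks intended for Purplepass but matches neither key format.
            unreadable.append(key)
    return claim_values, active_flags, unreadable


def has_access(attributes, claim_value=None, flag_name=None):
    """True if the user matches a group targeting a claim value or a flag name."""
    claim_values, active_flags, _ = evaluate(attributes)
    if claim_value is not None and claim_value.lower() in claim_values:
        return True
    # Assumption: flag names are compared case-sensitively ("match exactly").
    return flag_name is not None and flag_name in active_flags


# Constructed sample users for the Spring 2026 example.
USERS = {
    "alice": {ID_PREFIX + "GraduationStatus": "SPRING2026"},
    "bob": {ID_PREFIX + "GraduationStatus": "Spring2026-1pm"},
    "carol": {FLAG_PREFIX + "Graduating_Spring2026": "Yes"},
    "dave": {FLAG_PREFIX + "Graduating_Spring2026": "enabled"},
    # Typo in the key ("flags" instead of "flag"): the claim is not read.
    "erin": {"https://www.purplepass.com/access/flags/claims/Graduating_Spring2026": "true"},
}

if __name__ == "__main__":
    for name, attrs in USERS.items():
        ok = has_access(attrs, claim_value="Spring2026", flag_name="Graduating_Spring2026")
        print(f"{name}: access={ok} unreadable={evaluate(attrs)[2]}")
```

Only alice and carol get access here: bob's Spring2026-1pm is a different value, dave's flag value is not in the active set, and erin's key is never read. Because only the value is used for targeting, a claim value matches regardless of which custom claim key carried it.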
