Identity as a Service:Field Mappings

Introduction

You can use field mappings to synchronize an IDaaS account with an external account.

• Bind accounts: You can bind the accounts to synchronize account status. For example, you can bind a DingTalk user to an IDaaS account when you import users from DingTalk. When the user is deleted from DingTalk, the bound IDaaS account is also deleted.

• Map fields: After you bind the accounts, you can map the fields of the accounts to synchronize account information. For example, you can use the enterprise email address of DingTalk users as the display name of IDaaS accounts when you import users from DingTalk. When the enterprise email address of a DingTalk user is changed, the display name of the IDaaS account is also changed.

Configure field mappings

You can use the following methods to configure field mappings.

• Configure field mapping when you create an identity provider (IdP): Configure field mappings when you create an IdP. Field mappings cannot be configured when you create an IdP to synchronize data from DingTalk.

• Configure field mapping when you modify an IdP: On the IdPs page, click Modify Settings. In the dialog box that appears, click the Field Mapping tab, configure field mappings, and then click Confirm.

Configure mapping identifiers

You can specify a mapping identifier to bind accounts. If the values of the identifier fields of the accounts are the same, the accounts are bound. In most cases, mapping identifiers are used to bind existing accounts. For example, you want to import users from DingTalk to IDaaS. The following figure shows the mapping identifier. If the enterprise email address of a DingTalk user zh***@example.com is the same as the email address of an IDaaS account, the accounts are bound. If none of the existing IDaaS accounts have the same email address, an IDaaS account is created and bound to the DingTalk account. After the accounts are bound, the status and information of the accounts are synchronized.

Different mapping identifiers are supported by the various IdPs. You can set one of the fields as a mapping identifier based on your business requirements. You can also choose not to set or remove a mapping identifier.

Mapping rules

You can use one of the following methods to map fields.

• Select a field to map: Select a field from the synchronization source and use its value as the value of the destination field. IDaaS provides different fields for different IdPs. If you cannot find a field that you need, you can specify an expression to configure the field.

• Specify an expression: You can specify an expression to customize the value of a field and use the value as the value of a destination field. Expressions can be specified for different scenarios. You can use the email prefix of DingTalk accounts as the IDaaS account name or use a field that is not provided by IDaaS. The following examples show some common expressions.

  • Use fields that are not provided by IDaaS:

    • Position of users in DingTalk: idpUser.title

    • Workplace of users in DingTalk: idpUser.work_place

    • Head of department in DingTalk: idpOrganizationalUnit.org_dept_owner

    • For more information about DingTalk fields, see DingTalk user fields and DingTalk department fields.

  • Use email prefixes as field values:

    • Email prefix of users in DingTalk: SubstringBefore(idpUser.email,"@")

    • User Principal Name (UPN) prefix of accounts in Active Directory (AD): SubstringBefore(idpUser.userPrincipalName,"@")

  • Fixed value: Trim("myString")

If you do not want a field to be mapped, click Remove in the Actions column. Then, the Mapping Rule of the field is changed to Disable Mapping, and the data of this field is not synchronized.

​

​