Identity as a Service:Field mappings

Concepts

You can use field mappings to synchronize an IDaaS account with an external account.

• Accounts: You can bind accounts to synchronize account status. If you bind a DingTalk user to an IDaaS account after you import users from DingTalk, when you delete the user from DingTalk, the IDaaS account is also deleted.

• Fields: After you bind accounts, you can map the fields of the accounts to synchronize account information. For example, you can use the enterprise email addresses of DingTalk users as the display names of IDaaS accounts when you import users from DingTalk. When the enterprise email address of a DingTalk user is changed, the display name of the IDaaS account is also changed.

Configure field mappings

You can use the following methods to configure field mappings.

• Configure field mappings when you create an identity provider (IdP). However, you cannot configure field mappings when you create an IdP to synchronize data from DingTalk.

• Configure field mappings when you modify an IdP. On the IdPs page, click Modify Settings. In the panel that appears, click the Field Mapping tab, configure field mappings, and then click Confirm.

Configure mapping identifiers

You can specify a mapping identifier to bind accounts. If the values of the identifier fields of the accounts are the same, the accounts are bound. In most cases, mapping identifiers are used to bind existing accounts. For example, you want to import users from DingTalk to IDaaS and specify a mapping identifier as shown in the following figure. If the enterprise email address of a DingTalk user zh***@example.com is the same as the email address of an IDaaS account, the accounts are bound. If none of the existing IDaaS accounts have the same email address, an IDaaS account is created and bound to the DingTalk account. After the accounts are bound, the status and information of the accounts are synchronized.

Configure mapping rules

You can use one of the following methods to map fields.

• Select a field: Select a field from the synchronization source and use the field value as the value of the destination field. IDaaS provides different fields for different IdPs. If you cannot find a field that you require, you can specify an expression.

• Specify an expression: You can specify an expression to customize the value of a field and use the value as the value of a destination field. You can specify expressions for different scenarios. You can use the email prefix of DingTalk accounts as the IDaaS account name or use a field that is not provided by IDaaS. The following examples describe specific common expressions. The following examples describe specific common expressions.

  • Use fields that are not provided by IDaaS:

    • Position of users in DingTalk: idpUser.title

    • Workplace of users in DingTalk: idpUser.work_place

    • Head of department in DingTalk: idpOrganizationalUnit.org_dept_owner

    • For more information about DingTalk fields, see DingTalk user fields and DingTalk department fields.

  • Use email prefixes as field values:

    • Email prefix of users in DingTalk: SubstringBefore(idpUser.email,"@")

    • User Principal Name (UPN) prefix of accounts in Active Directory (AD): SubstringBefore(idpUser.userPrincipalName,"@")

  • Fixed value: Trim("myString")

If you do not want to map a field, click Remove in the Actions column. Then, the Mapping Rule of the field is changed to Disable Mapping, and the data of this field is not synchronized.