PingFederate Server

Specifying mapping details

Define specific mapping information for each field, required or optional, for provisioning as needed.

If end users at your site are permitted to edit some of their own attributes directly in the LDAP store, ensure that those attributes are restricted and do not include any that the service provider needs to grant permissions.

Defining mapping information for a standard attribute

Before you begin

  • Go to Applications → Integration → SP Connections to open the SP Connections configuration window.

  • To edit an existing SP Connection, open an SP Connection by clicking on its name in the Connection Name column.

  • On the Outbound Provisioning tab, click Configure Provisioning to open the Configure Channels configuration window.

    The Outbound Provisioning tab is only visible after you select the Outbound Provisioning check box and the type in the Type list on the Connection Type tab.

  • Go to the Manage Channels tab.

  • Click the name of the channel to edit it.

    If you have specified any custom attributes, they are listed at the end of the Attribute Mapping configuration.

Steps

  1. On the Attribute Mapping tab, click Edit in the Action column for the Field Name whose attributes you want to map.

  2. Select the class containing a user-store attribute in the Root Object Class column that you want to map to the provisioning attribute shown in the Field Name column.

    For some fields, you might not need to map specific user attributes. If so, supply a value in the Default Value field, skip this step, and go to step 5. For certain attributes, you can specify LDAP attributes and a default value, as needed.

  3. Select the source attribute from the class in the Attribute column. Click Add Attribute.

    If the selected source attribute is binary, ensure that the selected attribute is set as a binary attribute in the source LDAP datastore. For more information, see Setting advanced LDAP options.

  4. Repeat the previous steps to add additional applicable attributes to use in a mapping expression.

    You must add an attribute for it to be used in an expression.

  5. Optional: If one or more attributes are specified, go to the Value Definition section, and in the Default Value field, enter or select a default value.

    A list appears for this field if the vendor requires a choice among specified values. When an expression is also supplied, the default value is sent during provisioning if an error occurs when evaluating the expression.

  6. If more than one attribute is used for mapping fields other than LDAP Attributes Map, in the Value Definition section, enter an expression.

    1. To create and validate the expression for the Expression field, click Edit.

  7. Select one or more processing options.

    | Processing option | Description |
    |---|---|
    | Create Only | The field is provisioned only once and not subsequently updated. For SCIM, the Password attribute should be passed only when creating a user or updating the password. Select Create Only to limit when the Password attribute is passed. |
    | Trim | Removes any white space from the attribute values. |
    | Mask Log Values | Determines whether sensitive information, such as the Password attribute, will be masked in PingFederate log files. |
    | Upper Case, Lower Case, or None | Transforms the attribute values to the case indicated unless the default option, None, is selected. |
    | Parsing > Extract CN from DN | For attributes in the form of a distinguished name (DN), such as Group DNs in Active Directory, maps only the common name portion of the DN. |
    | Parsing > Extract Username from Email | For attributes containing an email address, maps only the username. |

  8. Click Done.

Defining mapping information for a custom attribute

Steps

  1. Select a sub-attribute from the list in the Attribute column.

    Applicable only to complex attributes or complex multivalued attributes. See Specifying custom SCIM attributes.

  2. Select the class containing a user-store attribute in the Root Object Class column that you want to map to the provisioning attribute shown in the Field Name column.

    For some fields, you might not need to map specific user attributes. If so, supply a value in the Default Value field, skip this step, and go to step 5. For certain attributes, you can specify both LDAP attributes and a default value, as needed.

  3. Select the source attribute from the class in the LDAP Attribute column. Click Add Attribute.

    If the selected source attribute is binary, ensure that the selected attribute is set as a binary attribute in the source LDAP datastore. For more information, see Setting advanced LDAP options.

  4. In the Options section, select one or more processing options.

    | Processing option | Description |
    |---|---|
    | Create Only | The field is provisioned only once and not subsequently updated. For System for Cross-domain Identity Management (SCIM), the Password attribute should be passed only when creating a user or updating the password. Select Create Only to limit when the Password attribute is passed. |
    | Trim | Removes any white space from the attribute values. |
    | Mask Log Values | Determines whether sensitive information, such as the Password attribute, will be masked in PingFederate log files. |
    | Upper Case, Lower Case, or None | Transforms the attribute values to the case indicated unless the default option, None, is selected. |
    | Parsing > Extract CN from DN | For attributes in the form of a distinguished name (DN), such as Group DNs in Active Directory, maps only the common name portion of the DN. |
    | Parsing > Extract Username from Email | For attributes containing an email address, maps only the username. |

  5. In the Default Value field, enter a default value.

  6. Click Add Mapping.

    For complex attributes or complex multivalued attributes, repeat these steps to map additional sub-attributes as needed.

  7. Click Done.
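
The two Parsing options in both procedures discard part of the source value, so distinct directory entries can end up provisioned with the same value at the service provider. The check below is an added example, not PingFederate code or part of the original page: it models "Extract CN from DN" and "Extract Username from Email" as the option tables describe them and reports source values that collide. The DNs, email addresses, function names, and the case-insensitive comparison are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data (not taken from any real directory).
GROUP_DNS = [
    "CN=Admins,OU=Production,DC=example,DC=com",
    "CN=Admins,OU=Sandbox,DC=example,DC=com",
    r"CN=Ops\, Tier 2,OU=Production,DC=example,DC=com",
    "CN=Auditors,OU=Production,DC=example,DC=com",
]
EMAILS = ["alice@example.com", "alice@partner.example", "bob@example.com"]

def _unescape(match):
    # RFC 4514 escapes are either \XX (hex pair) or \<special character>.
    tok = match.group(1)
    return chr(int(tok, 16)) if len(tok) == 2 else tok

def extract_cn(dn):
    """Return the CN value of the leading RDN, or None if it is not a CN."""
    # The value ends at the first ',' or '+' that is not backslash-escaped.
    m = re.match(r"\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*((?:\\.|[^,+\\])*)", dn)
    if not m or m.group(1).lower() != "cn":
        return None
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", _unescape, m.group(2))

def extract_username(email):
    """Return the part before the last '@', or None if there is no '@'."""
    local, sep, _domain = email.rpartition("@")
    return local if sep else None

def collisions(values, extract):
    """Map each extracted value shared by several sources to those sources."""
    seen = defaultdict(set)
    for value in values:
        key = extract(value)
        if key is not None:
            # Assumption: the service provider compares case-insensitively.
            seen[key.lower()].add(value)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for label, data, fn in (("CN", GROUP_DNS, extract_cn),
                            ("username", EMAILS, extract_username)):
        for key, sources in collisions(data, fn).items():
            print(f"{label} '{key}' is shared by: {sources}")
```

Running a check like this against an export of the source attribute before enabling a Parsing option shows whether the shortened value still identifies one group or user, which matters when the service provider grants permissions based on it.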