PingOne

Adding attribute mapping for outbound provisioning

You can map PingOne user attributes from attributes in an external identity store. For outbound provisioning, the mapping is applied to the attribute coming from the PingOne directory before it is saved to the target identity store.

Steps

  1. Go to Integrations → Provisioning.

  2. Click the Rules tab.

  3. Find the appropriate rule and click it to show the details panel.

  4. Click the Configuration tab.

  5. Click Attribute mapping.

    You must have a source and target connection configured before you can set up attribute mapping.

  6. Click the pencil icon to edit the attribute mapping.

  7. Review the attribute mappings for the configured identity store. The default attribute mappings for a particular identity store are provided. For more information, see Mapping attributes.

    • To add an attribute mapping, click Add. Enter the source and target attribute.

    • To use the expression builder, click the gear icon. See Using the expression builder. You can also use list values in the expression builder to create advanced expressions, such as conditional statements.

    • Some attributes have metadata that define potential values. For these attributes, you can choose values from a picklist. For example, for Salesforce attribute mapping, you can see a list of values from Salesforce in the form of a picklist. In the expression builder, enter a single quote to see potential values.

      You can use a switch statement or an if-else to evaluate an expression based on a pattern match.

      For example, to match an accountId attribute, enter the following in the expression builder:

      #core.switchExpr(#root.accountId, '0000EXAMPLEID', 'Valid' , 'Invalid')

      For a switch statement with multiple cases and a match, enter the following in the expression builder.

      #core.switchExpr(#root.accountId, '0000EXAMPLEID1', 'Full Access', '0000EXAMPLEID2', 'Restricted Access' , '0000EXAMPLEID3', 'Read-only Access', 'No Access')
    • To delete a mapping, click the trash can icon.

      The default attributes are based on the directory type of the gateway used. For outbound provisioning, the RDN attribute defaults to cn for Active Directory.

      For inbound provisioning from Workday and SCIM identity stores, you can specify some additional options for onboarding new users. See Adding attribute mapping for inbound provisioning.

  8. Click Save.