On the Specify Attribute Mapping screen, you define specific mapping information for each field required for provisioning (and for any optional fields, as needed).

CAUTION:

If end-users at your site are permitted to edit some of their own attributes directly in the LDAP store, ensure that those user-editable attributes are restricted and do not include any that the service provider needs to grant permissions.

Defining mapping information for a standard attribute

  1. Optional: Select the class containing a user-store attribute under Root Object Class that you want to map to the provisioning attribute shown under Field Name.
    Note:

    For some fields, you may not need to map specific user attributes. If so, supply a value in the Default Value field instead—skip this step and go to step 5. You can also do both for certain attributes, as needed: that is, specify both LDAP attributes and a default value.

  2. Select the source attribute from the class under Attribute and then click Add Attribute.
  3. Repeat the previous steps to add additional applicable attributes, as needed, to use in a mapping expression.
    Important:

    You must add an attribute for it to be used in an expression.

  4. Enter or select a default value under Value Definition (optional if one or more attributes are specified above).

    A list appears for this field if the vendor requires a choice among specified values. When an expression is also supplied, the default value is sent during provisioning if an error occurs evaluating the expression.

  5. If more than one attribute is used for mapping fields other than LDAP Attributes Map, enter an expression.
    Tip:

    Click Edit to create and validate the expression.

  6. Optional: Select one or more processing options, as defined below:

    Create Only
      The field is provisioned only once and not subsequently updated.

      Note:

      For SCIM, the Password attribute should be passed only when creating a user or updating the password. Select Create Only to limit when the Password attribute is passed.

    Trim
      Removes any white space from the attribute value(s).

    Mask Log Values
      Determines whether sensitive information (for example, the Password attribute) will be masked in PingFederate log files.

    Upper Case, Lower Case, or None
      Transforms the attribute value(s) to the case indicated unless the None option is selected (the default).

    Parsing > Extract CN from DN
      For attributes in the form of a distinguished name (for example, Group DNs in Active Directory), maps only the common name portion of the DN.

    Parsing > Extract Username from Email
      For attributes containing an email address, maps only the username.

  7. Click Done.

Defining mapping information for a custom attribute

  1. Select a sub attribute under Attribute ID.
    Note:

    Applicable only to complex attributes or complex multivalued attributes (see Specifying custom SCIM attributes).

  2. Optional: Select the class containing a user-store attribute under Root Object Class that you want to map to the provisioning attribute shown under Field Name.
    Note:

    For some fields, you may not need to map specific user attributes. If so, supply a value in the Default Value field instead—skip this step and go to step 5. You can also do both for certain attributes, as needed: that is, specify both LDAP attributes and a default value.

  3. Select the source attribute from the class under LDAP Attribute and then click Add Attribute.
  4. Optional: Select one or more processing options, as defined below:

    Create Only
      The field is provisioned only once and not subsequently updated.

      Note:

      For SCIM, the Password attribute should be passed only when creating a user or updating the password. Select Create Only to limit when the Password attribute is passed.

    Trim
      Removes any white space from the attribute value(s).

    Mask Log Values
      Determines whether sensitive information (for example, the Password attribute) will be masked in PingFederate log files.

    Upper Case, Lower Case, or None
      Transforms the attribute value(s) to the case indicated unless the None option is selected (the default).

    Parsing > Extract CN from DN
      For attributes in the form of a distinguished name (for example, Group DNs in Active Directory), maps only the common name portion of the DN.

    Parsing > Extract Username from Email
      For attributes containing an email address, maps only the username.

  5. Optional: Enter a default value.
  6. Click Add Mapping.
    Note:

    For complex attributes or complex multivalued attributes, repeat these steps to map additional sub attributes as needed.

  7. Click Done.
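
Because Parsing > Extract CN from DN (available in both procedures above) maps only the common name portion of the DN, group DNs in different containers that share a CN become the same provisioned value. The following Python check is an added example, not PingFederate code: it flags such collisions in a list of group DNs before the option is enabled. The sample DNs are constructed, and the case-insensitive comparison is an assumption about how the service provider compares names.

```python
import re
from collections import defaultdict

# Constructed sample input: group DNs as exported from the user store.
SAMPLE_GROUP_DNS = [
    r"CN=Admins,OU=Prod,DC=example,DC=com",
    r"CN=admins,OU=Sandbox,DC=example,DC=com",
    r"CN=Sales\, EMEA,OU=Groups,DC=example,DC=com",
    r"CN=Sales,OU=Groups,DC=example,DC=com",
]

def first_rdn(dn):
    """Return the leftmost RDN, splitting only on an unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # skip the backslash and the character it escapes
            continue
        if dn[i] == ",":
            return dn[:i]
        i += 1
    return dn

def unescape(value):
    """Undo RFC 4514 escapes: '\\,' style and ASCII hex pairs such as '\\2C'."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def extract_cn(dn):
    """Common name of the leftmost RDN, or None if that RDN is not a CN."""
    attr, sep, value = first_rdn(dn).partition("=")
    if not sep or attr.strip().lower() != "cn":
        return None
    return unescape(value)

def find_cn_collisions(dns):
    """Map each CN (case-folded, an assumption) to the DNs that share it."""
    by_cn = defaultdict(list)
    for dn in dns:
        cn = extract_cn(dn)
        if cn is not None:
            by_cn[cn.casefold()].append(dn)
    return {cn: sorted(v) for cn, v in by_cn.items() if len(v) > 1}

if __name__ == "__main__":
    for cn, dns in find_cn_collisions(SAMPLE_GROUP_DNS).items():
        print(f"CN '{cn}' is shared by: {dns}")
```

Any CN this check reports should be resolved in the directory, or the full DN mapped instead, when the service provider uses the group name to grant permissions.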