You can map PingOne user attributes to and from attributes in an external identity store. For inbound provisioning, the mapping is applied to the attribute coming from the source identity store before it is saved to the PingOne directory. For outbound provisioning, the mapping is applied to the attribute coming from the PingOne directory before it is saved to the target identity store.
- Go to .
- Click the Rules tab.
- Find the appropriate rule and click it to show the details panel.
- Click the Configuration tab.
Click Attribute mapping.
You must have a source and target connection configured before you can set up attribute mapping.
- Click the pencil icon to edit the attribute mapping.
Review the attribute mappings for the configured identity store. The default
attribute mappings for a particular identity store are provided. For more
information, see Mapping attributes.
- To add an attribute mapping, click + Add. Enter the source and target attribute.
- To use the expression builder, click the gear icon. See Using the expression builder. You can also use list values in the expression builder to create advanced expressions, such as conditional statements.
- Some attributes have metadata that define potential values. For these attributes, you can
choose values from a picklist. For example, for Salesforce attribute
mapping, you can see a list of values from Salesforce in the form of a
picklist. In the expression builder, enter a single quote to see
You can use a switch statement or an if-else to evaluate an expression based on a pattern match.For example, to match an accountId attribute, enter the following in the expression builder:
#core.switchExpr(#root.accountId, '0000EXAMPLEID', 'Valid' , 'Invalid')For a switch statement with multiple cases and a match, enter the following in the expression builder.
#core.switchExpr(#root.accountId, '0000EXAMPLEID1', 'Full Access', '0000EXAMPLEID2', 'Restricted Access' , '0000EXAMPLEID3', 'Read-only Access', 'No Access')
- To delete a mapping, click the trash can icon.
The default attributes are based on the directory type of the gateway used. For outbound provisioning, the RDN attribute defaults to cn for Active Directory.
For inbound provisioning from Workday and SCIM identity stores, you can specify some additional options for onboarding new users. See Adding attribute mapping for inbound provisioning.
- Click Save.