Automatically sync and update IDaaS account fields using AttributeStatement data from SAML assertions during SAML IdP login.
Basic concepts
Field mapping maintains consistency between IDaaS accounts and external accounts at two levels:
- Account level: Maintains account status consistency through account binding. When a user is deleted from an integrated application, the corresponding IDaaS account is also deleted.
- Field level: Based on account binding, maintains account information consistency through field mapping. For example, use the corporate email of an integrated application user as the IDaaS account display name. When the email changes, the IDaaS account display name is also updated.
Delete a binding relationship only after the corresponding IDaaS account, organization, or group has been deleted. Organizations also support binding and field mapping, but mapping identifiers are not supported for organizations.
Access the field mapping page
Access the Field Mapping configuration page using one of the following methods:
- During creation: Configure field mapping as part of the process for creating an IdP.
- During modification: On the IdPs -> Inbound page, click Modify Settings. In the dialog box that appears, navigate to the Field Mapping tab.

Configure field mapping
Based on account binding, field mapping keeps account information consistent between the identity provider and IDaaS. For example, use the corporate email of an integrated identity provider user as the IDaaS account display name. When the email changes, the IDaaS account display name is also updated.

The fields available as mapping identifiers vary by identity provider. Set one field as the mapping identifier based on your business needs, or leave it unset.
Mapping rules
IDaaS supports the following field mapping methods:
| Mapping method | Description |
|---|---|
| Select field | Select a field from the sync source and use its value as the corresponding target field value. At the SAML IdP field level, only the username attribute is available for mapping and is generated by default. |
| Expression | Use an expression to define a custom value for the corresponding target field. Expressions flexibly support multiple scenarios. Common usages include: |
The field format in IDaaS expressions is: for the inbound direction, "idp" + "User/OrganizationOU" + "." + "field name in the identity provider"; for the outbound direction, "idp" + "User/OrganizationOU" + "." + "field name in IDaaS". For example, idpUser.attributes.email.value. For more expression samples and syntax details, see Account field expressions.
For fields that you do not want to map, click Remove. The mapping rule changes to "Do not map", and the data for this field is not processed during synchronization.
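The following added example (not IDaaS code, and not its expression engine) shows how an AttributeStatement lines up with a path such as idpUser.attributes.email.value and how a "Do not map" rule leaves a field untouched. The function names, the sample assertion, reading ".value" as the first AttributeValue, and keeping the old value when an attribute is missing are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the AttributeStatement part of an assertion.
# Assumption: the signature was verified before any attribute is read.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def build_idp_user(assertion_xml):
    """Collect attributes into {"attributes": {name: {"value": ...}}}."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        if values:
            # Assumption: ".value" means the first AttributeValue.
            attrs[attr.get("Name")] = {"value": values[0], "values": values}
    return {"attributes": attrs}

def resolve(expr, idp_user):
    """Resolve a dotted path like idpUser.attributes.email.value; None if absent."""
    head, *path = expr.split(".")
    if head != "idpUser":
        raise ValueError("inbound user expressions start with idpUser")
    node = idp_user
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def apply_mapping(rules, idp_user, account):
    """rules maps target field -> expression, or None for "Do not map"."""
    updated = dict(account)
    for field, expr in rules.items():
        if expr is None:
            continue  # "Do not map": the field is not processed
        value = resolve(expr, idp_user)
        if value is not None:  # assumption: a missing attribute keeps the old value
            updated[field] = value
    return updated
```
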