Field mapping

Key concepts

Field mapping keeps external and IDaaS accounts consistent at two levels:

• Account level: Account binding keeps the status of accounts consistent. For example, when you import users from DingTalk, if a DingTalk user is bound to an IDaaS account, deleting the user in DingTalk also deletes the corresponding account in IDaaS.

• Field level: With an established account binding, field mapping keeps account information consistent. For example, if you map a DingTalk user's corporate email to an IDaaS account's display name, any update to the email in DingTalk automatically updates the display name in IDaaS.

Accessing field mapping

You can configure field mapping in the following places:

• During creation: When you create an identity provider, you can configure field mapping as part of the setup process. This does not apply to inbound DingTalk synchronization.

• After creation: On the Identity providers page, click Modify Settings and go to the Field Mapping tab.

The Modify Configuration link is in the Sync to IDaaS section of the identity provider card.

Mapping identifier

You can specify a mapping identifier to establish an account binding. If the value of the identifier field is the same in both the source system and IDaaS, the accounts are bound. This is primarily used for binding existing accounts. For example, when importing users from DingTalk, if a DingTalk user's corporate email, such as zh*@example.com, matches the email of an existing IDaaS account, the two accounts are automatically bound. After binding, their status and information are synchronized. If no matching IDaaS account is found, IDaaS creates and binds a new one. On the Field mapping tab for a DingTalk synchronization configuration, you can set either the Phone (user.phoneNumber) or Email (user.email) field as the mapping identifier.

Mapping rules

IDaaS supports two types of mapping rules:

• Select a field: Select a field from the sync source and use its value directly as the value for the corresponding field in the sync destination. IDaaS offers a range of source fields for different identity providers. If the field you need is not available in the list, you can use an expression.

• Expression: An expression provides a flexible way to customize the value of a field in the synchronization target. For example, you can use the prefix of a DingTalk email as an IDaaS account name or use a field that is not available in the IDaaS selectable fields. The following are common use cases for expressions:

  • Using fields outside the default selection list:

    • DingTalk user title: idpUser.title

    • DingTalk user work location: idpUser.work_place

    • DingTalk department owner: idpOrganizationalUnit.org_dept_owner

    • For a complete list of DingTalk fields, see DingTalk User Fields and DingTalk Department Fields.

  • Extracting an email prefix as the field value:

    • Use the DingTalk email prefix: SubstringBefore(idpUser.email,"@")

    • Use the Active Directory (AD) User Principal Name (UPN) prefix: SubstringBefore(idpUser.userPrincipalName,"@")

  • Using a fixed value: Trim("myString")

To unmap a field, click Remove. Its data will no longer be synchronized.