Introduction
This article demonstrates how to map attributes from an identity provider to HelloID, or from HelloID to a single sign-on application.
For more background information on mapping, see Mapping - Overview.
To get started, go to Directory > Mapping Sets.
Edit an identity provider mapping set
For this example, we'll map attributes from Active Directory to HelloID. The process is nearly identical for other IdPs. Furthermore, Active Directory mapping sets contain both user and group mappings. Here, we'll only demonstrate user mappings. Group mappings use the same process.
Pull attributes from the IdP
Select the Edit link for the relevant IdP mapping set.
For this example, we'll select the Change attributes link for Active directory user.
Edit an existing attribute
A dialog box presents a list of attributes which will be pulled from the IdP during synchronization. Select the Edit link to see the details of a specific attribute. For this example, we'll edit the Last name attribute.
A second dialog box displays the mapping options for the Last name attribute.
Here, the IdP's sn attribute is being pulled out and assigned to an intermediary variable called lastName. Later, we'll assign this intermediary variable to a destination variable in the HelloID user schema.
Each attribute has five mapping options:
- Display Name
  The label for the attribute, displayed in bold on the previous screen. Only for reference. Does not affect functionality.
- Variable Name
  The name of the intermediary variable which will temporarily hold values pulled out of the IdP attribute specified in Source Field.
- Source Field
  The name of the attribute to pull out of the IdP user schema.
- Data Type
  The data type of the intermediary variable specified in Variable Name.
- Required
  Whether the Source Field must be present to map a user into HelloID. If this toggle is turned on, but the Source Field attribute is empty or missing for the user in the IdP, no user will be mapped to HelloID during synchronization.
When you are finished, select the Close button to close the dialog box. Then select the Save button to commit your changes.
Add a new attribute
You can also pull custom attributes from the IdP's user schema. For example, let's assume our IdP user schema has a custom attribute called extensionAttribute1. To pull it out of the IdP, select the Add attribute button.
Fill out the fields as demonstrated below. These fields are defined above, in the Edit an existing attribute section.
Select the Add attribute button to confirm.
When you are finished, select the Close button to close the dialog box. Then select the Save button to commit your changes.
Delete an existing attribute
To delete an attribute, select its Delete link.
When you are finished, select the Close button to close the dialog box. Then select the Save button to commit your changes.
Map attributes to HelloID
After you've specified which attributes to pull out of the IdP user schema and mapped them onto intermediary variables, you need to map these intermediary variables onto destination variables in the HelloID user schema.
To do so, select the Edit link for the relevant mapping set, and then select the Change mappings link. For this example, we'll continue with our Active Directory user example.
Edit an existing attribute
A dialog box presents a two-column list of attributes.
The left column contains the intermediary variables pulled from the IdP. These correspond to Variable Name fields under the Change attributes link, and are accessed using double curly brace notation.
The right column contains destination variables in the HelloID user schema, onto which we will map the intermediary variables. These do not use double curly brace notation.
Edit these mappings as needed.
When you are finished, select the Close button to close the dialog box. Then select the Save button to commit your changes.
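The two stages described above, and the effect of the Required toggle, as a small Python model. This is an added example, not HelloID code: the sample directory entries, the LastName destination name, the use of sAMAccountName to label skipped users, and the rule that an unset optional variable resolves to an empty string are all assumptions.

```python
import re

# Constructed rows mirroring the Change attributes dialog (Data Type omitted; all strings here).
ATTRIBUTES = [
    {"display": "Last name", "variable": "lastName", "source": "sn", "required": True},
    {"display": "Extension Attribute 1", "variable": "extensionAttribute1",
     "source": "extensionAttribute1", "required": False},
]
# Constructed Change mappings rows: (left column, right column).
# "LastName" is a hypothetical destination name, not taken from the HelloID schema.
MAPPINGS = [("{{lastName}}", "LastName"), ("{{extensionAttribute1}}", "extensionAttribute1")]
# Constructed directory entries; svc-backup has no sn value.
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "sn": "Doe", "extensionAttribute1": "contractor"},
    {"sAMAccountName": "svc-backup", "extensionAttribute1": "service"},
    {"sAMAccountName": "asmith", "sn": "Smith"},
]
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def pull_attributes(idp_user, attributes):
    """Stage 1: Source Field -> intermediary variable. None means the user is not mapped."""
    variables = {}
    for attr in attributes:
        value = idp_user.get(attr["source"])
        if value in (None, ""):
            if attr["required"]:
                return None  # Required source field empty or missing
            continue
        variables[attr["variable"]] = str(value)
    return variables

def apply_mappings(variables, mappings):
    """Stage 2: resolve {{variable}} references into destination fields.
    Assumption of this model: an unset optional variable resolves to ""."""
    return {dest: PLACEHOLDER.sub(lambda m: variables.get(m.group(1), ""), template)
            for template, dest in mappings}

def synchronize(idp_users, attributes, mappings):
    """Return (mapped users, identifiers of users dropped by a Required attribute)."""
    mapped, skipped = [], []
    for idp_user in idp_users:
        variables = pull_attributes(idp_user, attributes)
        if variables is None:
            skipped.append(idp_user.get("sAMAccountName", "<unknown>"))
        else:
            mapped.append(apply_mappings(variables, mappings))
    return mapped, skipped

if __name__ == "__main__":
    mapped, skipped = synchronize(SAMPLE_USERS, ATTRIBUTES, MAPPINGS)
    print("mapped:", mapped)
    print("not mapped (required attribute missing):", skipped)
```

Running a check like this against an export of directory users before turning on Required for an attribute shows which accounts would stop being mapped at the next synchronization.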
Add a new attribute
You can also add custom attributes to the HelloID user schema. For this example, we'll add a field for Extension Attribute 1, the custom attribute we previously pulled out of Active Directory. To do so, select the Add mapping button.
A new field appears at the bottom of the list. Enter the required information. Note that extensionAttribute1 is not auto-completed in the right column. This is because it doesn't exist yet. The attribute will be added to the HelloID user schema during the next synchronization.
When you are finished, select the Close button to close the dialog box. Then select the Save button to commit your changes.
Delete an existing attribute
To delete an attribute, select its X button.
When you are finished, select the Close button to close the dialog box. Then select the Save button to commit your changes.
Set identifier
When mapping attributes from IdPs other than Active Directory, you have the option to manually set the unique identifier. To do so, select the Set Identifier link.
Otherwise, the process is the same as described above.
Edit an application mapping set
Mapping attributes from HelloID to a single sign-on application follows the same general principles used when mapping from an IdP to HelloID, as described above. The actual workflow is slightly different, and works as follows.
The attributes under an application's Change attributes link represent those which are recognized by the external application's identity schema. Thus, they represent attributes which are potentially available to map onto the claim. Applications from the HelloID application catalog come pre-filled with the appropriate attributes, although you may modify them as needed.
After the application's attributes are defined under the Change attributes link, you then use the Change mappings link to specify which of them will actually be included in the claim. In the right-hand column, you select the Display Name (as defined under the Change attributes link) to include that attribute in the claim. Then, in the left-hand column, you specify which attribute from the HelloID user schema will be mapped to it, using double curly brace notation.
When you add single sign-on applications to HelloID, especially those that rely on the Generic SAML connector, you will need to update these mappings to send the required attribute values.