Mappings in OneLogin enable you to automate changes to user attributes, roles, and groups, based on conditions that you define. Mappings are typically used to grant application access based on user attributes stored in third-party directories. For example, you can use mappings to assign a OneLogin role (and access to all of the apps defined by that role) to users whose memberOf attribute from Active Directory contains a specified security group. This article provides an overview of creating and using mappings in OneLogin.
Groups, Roles and Mappings, Oh My!
Take a look at this brief training video to understand how mappings interact with groups and roles in OneLogin.
In your OneLogin admin portal, go to Users > Mappings and select an existing mapping or create a New Mapping.
Use the + icon to configure additional Conditions and Actions, or hover over an existing condition or action to remove it.
Note: Mappings cannot contain these special characters: ( ) * + \
You can set as many attribute conditions as necessary to determine which users the mapping will apply to. In addition to the broad Any/All operator, you can also use a pipe character (|) to fine-tune multiple possible matches.
In this example, the mapping will apply to all users from Acme Corp who have logged in within the past two months and who have either "admin" or "manager" in their title.
When the mapping is saved, it will be automatically applied to all future users who meet the described conditions. It does not automatically apply to existing users.
You can test a saved mapping by entering one or more users in the Check conditions with users field to verify whether the mapping will apply correctly to known-good users.
To update your existing users, click Reapply All Mappings.
Note: Mappings are not applied to disabled users or synced to directories with mapping disabled.
Mappings are applied in the order they are listed in your admin portal, and can be reordered with drag-and-drop. If two conflicting mappings apply to the same users, the higher-numbered mapping will take priority.
However, note that mappings are triggered simultaneously and cannot interact with one another in a single sequence. For example, if one mapping grants a user the role "Example Role," and the next mapping is applied to all users with the role "Example Role," the second mapping will not apply to that user until the next time mappings are reapplied because they did not have that role when the mapping sequence was initially triggered.
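The ordering rules above can be checked with a simplified Python model, added here as an illustration and not OneLogin's own code. The data structures, the action names add_role and set_group, the status field, and the case-insensitive "contains" test are assumptions made for the example.

```python
# Simplified model of the evaluation rules described above (not OneLogin code).
from copy import deepcopy

def matches(user, cond):
    """cond = (attribute, value); '|' in value separates alternative matches."""
    attr, value = cond
    actual = user.get(attr, "")
    items = actual if isinstance(actual, (list, set)) else [actual]
    alternatives = [v.strip().lower() for v in value.split("|")]
    # Assumption: a condition is a case-insensitive "contains" test.
    return any(alt in str(item).lower() for alt in alternatives for item in items)

def applies(user, mapping):
    results = [matches(user, c) for c in mapping["conditions"]]
    return all(results) if mapping["match"] == "all" else any(results)

def apply_mappings(user, mappings):
    """One pass: conditions are tested against a snapshot taken before any action runs."""
    if user.get("status") == "disabled":    # disabled users are skipped
        return user
    snapshot = deepcopy(user)
    result = deepcopy(user)
    for m in mappings:                      # listed order; later actions overwrite earlier
        if not applies(snapshot, m):
            continue
        for action, value in m["actions"]:
            if action == "add_role":
                result["roles"] = sorted(set(result["roles"]) | {value})
            elif action == "set_group":
                result["group"] = value
    return result

# Constructed sample data.
MAPPINGS = [
    {"match": "all", "conditions": [("company", "Acme Corp"), ("title", "admin|manager")],
     "actions": [("add_role", "Example Role"), ("set_group", "Staff")]},
    {"match": "all", "conditions": [("roles", "Example Role")],
     "actions": [("set_group", "Privileged")]},
]
USER = {"company": "Acme Corp", "title": "IT Manager", "roles": [], "group": None,
        "status": "active"}

if __name__ == "__main__":
    first = apply_mappings(USER, MAPPINGS)
    second = apply_mappings(first, MAPPINGS)   # models "Reapply All Mappings"
    print(first["group"], "->", second["group"])
```

In this model the second mapping only takes effect on the second pass, so a role-dependent grant is not in place until mappings are reapplied.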
Important! Mappings always override values that are set manually.
If you find that a user's attributes or configuration keep reverting to a value that you did not set, check whether a mapping may be inadvertently applying to that user.