This article includes the following topics:
Mappings in OneLogin enable you to automate changes to user attributes, roles, and groups, based on conditions that you define. Typically, you use mappings to grant application access based on user attributes stored in third-party directories. For example, you can use mappings to assign a OneLogin role (and access to all of the apps defined by that role) to users whose memberOf attribute contains a specified Active Directory security group.
Important! Mappings always override attribute values that are set manually.
Note. You can't apply mappings to disabled directories.
- If you are using mappings to automate membership in OneLogin roles or groups, you must define those roles and groups first.
If you are using mappings to map user attributes from third-party directories like Active Directory, you must have an active connection to the third-party directory, and you must enable mappings for the directory:
- Log in to OneLogin as an admin.
- Go to Users > Directory and select your directory.
On the Advanced tab, toggle Mappings on.
Creating a mapping
To configure a mapping:
Navigate to Users > Mappings and click New Mapping to open the Mappings page.
- Give the mapping a name.
Set the Conditions that determine what gets mapped.
You can set conditions based on DistinguishedName, MemberOf, Email, and many other fields. You can also set different thresholds for the condition, including equals, contains, does not contain, begins with, and ends with.
Note. If you are setting a DistinguishedName or MemberOf as a condition, it is best practice to use contains rather than equals.
You can add multiple conditions. If you add multiple conditions, you can choose to have users meet all of these conditions or any of these conditions by selecting the option from the Match all / any of the following conditions setting:
All sets the conditions to be processed as if joined by an and. In other words, if you had two conditions, Department > contains > Documentation and Title > contains > writer, the mapping would apply to users who are both in the Documentation department and have a title that includes the word "writer."
- Any sets the conditions to be processed as if joined by an or. In other words, if you set the mapping to apply to users who meet any of the two conditions listed above, the mapping would apply to users who are either in the Documentation department or have a title that includes the word "writer."
You can also create mappings that include no conditions.
Set the Actions that you want to apply to the objects that meet the conditions.
Actions are selectable from the drop-down list. Some actions take predefined values, which are available by drop-down to the right of the Action field. Other actions take editable values, which you can enter in an edit box to the right of the Action field.
You can set multiple actions.
Take care not to set conflicting actions.
- Click Save.
Important! Whenever you create or update a mapping, you must apply the mapping to users by selecting Reapply All Mappings on the main Mappings page (where the mappings are listed) or from the More Actions drop-down on an individual user configuration page (Users > All Users > select user).
Testing a mapping
You can test your mapping by checking whether an individual user who should be mapped is indeed mapped.
- Go to Users > Mappings and select the mapping from the list.
Enter a user name in the Check Conditions with Users (optional) field and click CHECK.
You can enter a character or two and a list of matching names appears.
The mapping results appear immediately below this field, and let you know whether or not the user will be mapped.
Mappings are applied in the order in which they are listed on the Mappings page. In the example pictured below, the mappings run in the following order:
- Business Development Mapping
- Customer Success Management Mapping
- Design Mapping
There are occasions when the order in which mappings are applied can be important. In those cases, you can change the mapping order simply by grabbing a mapping row...
...and dragging it to another row:
Why is a value I'm manually setting for a user being overidden by another value?
If you find that a value you’ve manually set for a user is being been overridden by another value, take a look at your mappings. Mappings always override competing attributes that you manually set for a user record.
For example, let's say that you manually set the Authenticated By value for a user to OneLogin.
When you save the user, you find that the Authenticated By value has changed to Active Directory. You change it back to OneLogin, save the user, and find that the value keeps reverting to Active Directory.
Take a look at your mappings. You may have set up a mapping that will automatically set the authentication directory to Active Directory for a set of users that includes the user you are manually updating.