Add Mapper

Prerequisite

Group Mapper Manager or Identity Provider Manager role

Procedure

1. Call up the Access management > Identity provider menu.
2. Click on an entry in the list of identity providers.

   The details area of the selected identity provider appears.

3. In the header of the details area, add a new mapper with .

   The Add Mapper dialog appears.

   Fields marked with an asterisk (*) are mandatory and must be completed.

   

4. In the Name text field, enter a freely selectable (user-friendly) name for the mapper.
5. In the Synchronization Mode drop-down list, specify how the mapper is to be synchronized:
   • Inherit

     Applies the synchronization mode that has been set for this identity provider.

   • Import

     The user information is synchronized with Nexeed IAS once when the user logs in for the first time.

   • Legacy

     Current settings in Nexeed IAS are retained.

   • Force

     The user information is synchronized upon every login.

6. Select the group assignment from the Type drop-down list.
   • Extended Claim to Groups

     Adds the user to a Multitenant Access Control group and authorizes the user with predefined roles.

     This group assignment can only be made by the Group Mapper Manager.

   • Attribute Import

     Transfers attributes of externally defined users to attributes or properties of the imported Nexeed IAS user.

   • Name Template for Users

     Maps externally defined OIDC claims or SAML attributes with a template to the user name of the imported Keycloak user.

     Depending on the selected Type, different input fields are displayed below.

7. Mapper selection Extended Claim to Groups:
   • Enter Claim Name.

     A claim is an attribute in the user's ID token.

   • Enter Claim Value.

     The claim value must be included in the claim's value list in order to add the user to a Nexeed IAS group.

   • In the Group list, select the Nexeed IAS group to which the new mapper is to be linked.
8. Mapper selection Attribute Import:
   • Enter Claim Name.
   • Enter Name of the User Attribute.

     A user attribute provides information about the user, such as email address, first name or last name. The name of the user attribute is defined by the identity provider and can be different for each identity provider. Only one attribute can be entered.

9. Mapper selection Name Template for User:
   • Enter Template.

     Entering the name template "${ALIAS}.${CLAIM.preferred_username}" results in "idp.johndoe" for the identity provider with the alias "idp" and the preferred_username claim value "johndoe".

     It is possible to convert to lowercase or uppercase letters with "${CLAIM.sub | lowercase}" or "${CLAIM.sub | uppercase}" respectively.

   • Enter the storage location for the user name in the Target input field.

     LOCAL (default) for saving in the local database during user import or BROKER_ID and BROKER_USERNAME for saving in the ID or in the user name used during the federated user lookup.

10. Click Save.

The mapper is added.