User profile schema LDAP attribute mapping

Security Verify Access provides a predefined mapping of SCIM attributes to commonly available LDAP attributes.

This default mapping can be customized on the User Profile tab of the SCIM Configuration page. See User profile.

SCIM attributes that are not mapped to an LDAP attribute are not shown when the user profile schema is queried.

The following table shows the default user schema attribute mapping.

Table 1. User schema attribute mapping
| SCIM attribute | LDAP attribute |
| --- | --- |
| addresses[0].type == home | |
| addresses[0].formatted | homePostalAddress |
| addresses[1].type == work | |
| addresses[1].formatted | postalAddress |
| addresses[1].streetAddress | street |
| addresses[1].postalCode | postalCode |
| addresses[1].locality | l |
| addresses[1].region | st |
| displayName | displayName |
| emails[0].type == work | |
| emails[0].primary == true | |
| emails[0].value | mail |
| id | Base64URLEncoded version of uid |
| name.familyName | sn |
| name.givenName | givenName |
| password | userPassword |
| phoneNumbers[0].type == work | |
| phoneNumbers[0].primary == true | |
| phoneNumbers[0].value | telephoneNumber |
| phoneNumbers[1].type == home | |
| phoneNumbers[1].value | homePhone |
| phoneNumbers[2].type == mobile | |
| phoneNumbers[2].value | mobile |
| phoneNumbers[3].type == pager | |
| phoneNumbers[3].value | pager |
| preferredLanguage | preferredLanguage |
| title | title |
| userName | cn, uid |

Note:
  • The multi-valued SCIM attributes (addresses, emails, and phone numbers) are not order-dependent and are shown here with array indices for illustrative purposes only.
  • id is generated by the server based on the userName attribute when an account is created. If you are connecting the SCIM application to a user registry that is already populated with users, the id field is a Base64URLEncoded version of the uid field.

The following table shows the enterprise extension attribute mapping.

Table 2. Enterprise extension attribute mapping
| SCIM attribute | LDAP attribute |
| --- | --- |
| department | departmentNumber |
| employeeNumber | employeeNumber |
| manager.value | manager |
| organization | o |

The following attributes are not mapped by default:

User schema

active
entitlements
externalId
groups
ims[]
locale
name.formatted
name.middleName
name.honorificPrefix
name.honorificSuffix
nickName
photos
profileUrl
roles
timezone
userType
x509Certificates

Enterprise user schema

costCenter
division

Handling of multi-valued LDAP attributes

If an attribute in the SCIM schema is mapped to a multi-valued LDAP attribute, only the first of the multiple values that are provided by the LDAP server is returned.

Handling of multi-valued SCIM attributes

Some SCIM attributes, such as addresses, emails, and phone numbers, contain multiple complex values. For these attributes, the returned value is an array where each array element is a sub-attribute with a different type string. Because the type strings are mapped to fixed strings, the entire sub-attribute is always returned, regardless of whether other attributes such as value or primary are present.

Consider the following LDAP entry and corresponding SCIM JSON representation of an example user.

LDAP representation

dn: cn=bjensen,dc=scim-users
o: Universal Studios
givenName: Barbara
sn: Jensen
street: 100 Universal City Plaza
userPassword:: cGFzc3dvcmQ=
departmentNumber: Tour Operations
displayName: Bab Jensen
mail: bjensen@example.com
uid: bjensen
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
postalAddress:: MTAwIFVuaXZlcnNhbCBDaXR5IFBsYXphDQpIb2xseXdvb2QsIENBIDkxNjA4IF
 VTQQ==
postalCode: 91608
title: Tour Guide
cn: bjensen
employeeNumber: 701984
l: Hollywood
st: CA
homePostalAddress:: NDU2IEhvbGx5d29vZCBCbHZkCkhvbGx5d29vZCwgQ0EgOTE2MDggVVNB
telephoneNumber: 555-555-5555
mobile: 555-555-4444
homePhone: 555-555-3333
pager: 555-555-2222
preferredLanguage: en-US
manager: cn=jsmith

SCIM JSON representation

{
  "addresses": [
    {
      "formatted": "100 Universal City Plaza\r\nHollywood, CA 91608 USA",
      "locality": "Hollywood",
      "postalCode": "91608",
      "region": "CA",
      "streetAddress": "100 Universal City Plaza",
      "type": "work"
    },
    {
      "formatted": "456 Hollywood Blvd\nHollywood, CA 91608 USA",
      "type": "home"
    }
  ],
  "displayName": "Bab Jensen",
  "emails": [
    {
      "primary": true,
      "type": "work",
      "value": "bjensen@example.com"
    }
  ],
  "id": "YmplbnNlbg",
  "meta": {
    "location": "https://isam-demo.ibm.com/scim/Users/YmplbnNlbg",
    "resourceType": "User"
  },
  "name": {
    "familyName": "Jensen",
    "givenName": "Barbara"
  },
  "phoneNumbers": [
    {
      "primary": true,
      "type": "work",
      "value": "555-555-5555"
    },
    {
      "primary": false,
      "type": "home",
      "value": "555-555-3333"
    },
    {
      "primary": false,
      "type": "mobile",
      "value": "555-555-4444"
    },
    {
      "primary": false,
      "type": "pager",
      "value": "555-555-2222"
    }
  ],
  "preferredLanguage": "en-US",
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
  ],
  "title": "Tour Guide",
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {
    "department": "Tour Operations",
    "employeeNumber": "701984",
    "manager": {
      "value": "cn=jsmith"
    },
    "organization": "Universal Studios"
  },
  "userName": "bjensen"
}
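
The mapping rules above can be checked against the sample entry with a short script. This is an added example, not IBM's code: it applies part of the default mapping to a constructed subset of the LDIF (with a second mail value added to exercise the first-value-only rule), and the function names and the choice of uid as the source of userName are assumptions.

```python
import base64

# Constructed sample: subset of the LDIF above, plus an extra "mail" value.
SAMPLE_LDIF = """\
dn: cn=bjensen,dc=scim-users
uid: bjensen
sn: Jensen
givenName: Barbara
mail: bjensen@example.com
mail: barbara@example.com
postalAddress:: MTAwIFVuaXZlcnNhbCBDaXR5IFBsYXphDQpIb2xseXdvb2QsIENBIDkxNjA4IF
 VTQQ==
"""

def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (folding and '::' base64)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation line: unfold
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")     # "attr:: <base64>" marks an encoded value
        value = base64.b64decode(rest[1:].strip()).decode("utf-8") if is_b64 else rest.strip()
        entry.setdefault(name, []).append(value)
    return entry

def uid_to_scim_id(uid):
    """Base64URL-encode the uid; padding is stripped, as in the sample id."""
    return base64.urlsafe_b64encode(uid.encode("utf-8")).rstrip(b"=").decode("ascii")

def scim_id_to_uid(scim_id):
    """Reverse the encoding: the id is not opaque and reveals the uid."""
    padded = scim_id + "=" * (-len(scim_id) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")

def to_scim(entry):
    """Apply part of the default mapping, keeping only the first LDAP value."""
    first = lambda attr: entry.get(attr, [None])[0]
    return {
        "id": uid_to_scim_id(first("uid")),
        "userName": first("uid"),         # assumption: uid supplies userName
        "name": {"familyName": first("sn"), "givenName": first("givenName")},
        "emails": [{"primary": True, "type": "work", "value": first("mail")}],
        "addresses": [{"type": "work", "formatted": first("postalAddress")}],
    }
```

Because the id is only an encoding of the uid, anyone who sees a SCIM resource URL can recover the LDAP uid from it, so treat the id as an identifier rather than as a secret.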