title: Custom Attribute Mapping
category: Synchronization
tags: sync, attributes, mapping, transform, custom, ldap
priority: Normal
Custom Attribute Mapping
Attribute mapping defines how data flows from your directory sources into IdentityCenter's Objects table. By customizing these mappings, you control exactly which directory attributes are synchronized, how they are transformed, and where they are stored.
What Attribute Mapping Does
When IdentityCenter synchronizes objects from Active Directory or another LDAP source, each object has dozens (or hundreds) of attributes. Attribute mappings tell the sync engine:
- Which source attributes to read from the directory
- Which destination fields to write in the IdentityCenter database
- How to transform the data during the transfer (if needed)
Without mappings, the sync engine would not know which attributes to collect or where to store them.
Default Mappings
IdentityCenter provides default attribute mappings for each of the 24 supported object classes through the AutoAttributeMappingService. When you create a sync project using Auto Sync Projects, these defaults are applied automatically.
Default User Mappings
| Source Attribute (AD) | Destination Field | Description |
|---|---|---|
| displayName | DisplayName | Full display name |
| sAMAccountName | Username | Logon name (pre-Windows 2000) |
| userPrincipalName | UserPrincipalName | UPN (e.g., jsmith@corp.local) |
| | | Primary email address |
| givenName | FirstName | First name |
| sn | LastName | Last name |
| department | Department | Department name |
| title | Title | Job title |
| company | Company | Company name |
| manager | ManagerSourceId | Manager's DN (resolved by Lookup step) |
| telephoneNumber | Phone | Office phone number |
| mobile | MobilePhone | Mobile phone number |
| facsimileTelephoneNumber | Fax | Fax number |
| homePhone | HomePhone | Home phone number |
| physicalDeliveryOfficeName | Office | Office location |
| streetAddress | Street | Street address |
| l | City | City |
| st | State | State or province |
| postalCode | PostalCode | ZIP or postal code |
| co | Country | Country name |
| division | Division | Division name |
| employeeID | EmployeeId | Employee identifier |
| employeeType | EmployeeType | Employee classification |
| middleName | MiddleName | Middle name |
| description | Description | Object description |
| distinguishedName | DN | Full LDAP path |
| cn | CN | Common name |
| objectGUID | SourceUniqueId | Unique identifier from AD |
Default Group Mappings
| Source Attribute (AD) | Destination Field | Description |
|---|---|---|
| displayName | DisplayName | Group display name |
| sAMAccountName | Username | Group logon name |
| | | Group email address |
| description | Description | Group description |
| managedBy | ManagerSourceId | Group owner DN |
| member | Members | Group membership (multi-valued) |
| groupType | GroupType | Security/Distribution, scope |
| cn | CN | Common name |
| distinguishedName | DN | Full LDAP path |
Viewing and Editing Mappings
To view or edit attribute mappings for a sync project:
- Navigate to Synchronization > Sync Projects
- Click the sync project you want to modify
- Open the Attribute Mappings tab
- Each row shows the source attribute, destination field, and mapping type
- Click a mapping to edit it, or click Add Mapping to create a new one
Mapping Types
Direct Mapping
A direct mapping copies the source attribute value to the destination field without modification. This is the most common type.
| Source | Destination | Result |
|---|---|---|
| displayName | DisplayName | "John Smith" -> "John Smith" |
| | | "jsmith@corp.local" -> "jsmith@corp.local" |
Transform Mapping
A transform mapping applies logic to the source value before storing it. Use this when the raw directory value needs formatting or conversion.
Common transforms:
| Transform | Input | Output | Use Case |
|---|---|---|---|
| Uppercase | "jsmith" | "JSMITH" | Normalize case |
| Lowercase | "JSMITH@CORP.LOCAL" | "jsmith@corp.local" | Normalize email |
| Trim | " John Smith " | "John Smith" | Remove whitespace |
| Substring | "CN=jsmith,OU=..." | "jsmith" | Extract from DN |
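Testing transforms against sample data before a full sync catches edge cases such as a CN that contains an escaped comma. The following is an added example, not IdentityCenter code: the transform names follow the table above, while `naive_cn`, `first_rdn_value` and the DN values are hypothetical and assume a Substring transform that cuts at the first comma.

```python
import re

def naive_cn(dn):
    """Cut between 'CN=' and the first comma, as a plain Substring would."""
    return dn[3:dn.index(",")]

def first_rdn_value(dn):
    """Value of the first RDN, decoding RFC 4514 backslash escapes."""
    rest = dn.partition("=")[2]
    out, i = bytearray(), 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):
            pair = rest[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(int(pair, 16))      # hex pair = one UTF-8 byte
                i += 3
            else:
                out += rest[i + 1].encode()    # escaped special character
                i += 2
        elif ch in ",+":                       # unescaped separator ends the value
            break
        else:
            out += ch.encode()
            i += 1
    return out.decode("utf-8")

TRANSFORMS = {"Uppercase": str.upper, "Lowercase": str.lower, "Trim": str.strip,
              "Substring (naive)": naive_cn, "Substring (DN-aware)": first_rdn_value}

# (transform, input, expected). The first three rows come from the table above;
# the DNs are constructed sample data.
ESCAPED = r"CN=Smith\, John,OU=Users,DC=corp,DC=local"
CASES = [
    ("Uppercase", "jsmith", "JSMITH"),
    ("Lowercase", "JSMITH@CORP.LOCAL", "jsmith@corp.local"),
    ("Trim", " John Smith ", "John Smith"),
    ("Substring (naive)", "CN=jsmith,OU=Users,DC=corp,DC=local", "jsmith"),
    ("Substring (naive)", ESCAPED, "Smith, John"),
    ("Substring (DN-aware)", ESCAPED, "Smith, John"),
    ("Substring (DN-aware)", r"CN=Zo\C3\AB,OU=Users,DC=corp,DC=local", "Zo\u00eb"),
]

def failing_cases(cases=CASES):
    """Return (transform, input, expected, actual) for every mismatch."""
    return [(name, value, expected, TRANSFORMS[name](value))
            for name, value, expected in cases
            if TRANSFORMS[name](value) != expected]
```

Only the naive cut on the escaped DN is reported as failing, which is the kind of mismatch that otherwise surfaces as a truncated or wrong identity value after sync.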
Constant Mapping
A constant mapping writes a fixed value regardless of the source data. Use this to tag objects with metadata.
| Destination | Constant Value | Use Case |
|---|---|---|
| Source | "Corporate AD" | Identify which source an object came from |
| Region | "North America" | Tag all objects from a regional OU |
Multi-Valued Attributes
Some AD attributes contain multiple values. IdentityCenter handles these specially:
| Attribute | Type | How Handled |
|---|---|---|
| member | Multi-valued DN | Processed by the Membership sync step |
| memberOf | Multi-valued DN | Processed by the Membership sync step |
| servicePrincipalName | Multi-valued string | Stored as delimited list |
| proxyAddresses | Multi-valued string | Stored as delimited list |
The member and memberOf attributes are not stored through normal attribute mapping. Instead, the Membership sync step processes them separately to build the group membership relationships in IdentityCenter.
AD Timestamp Attributes
Active Directory stores certain timestamps as Windows FILETIME values (the number of 100-nanosecond intervals since January 1, 1601). IdentityCenter converts these automatically during sync:
| AD Attribute | Format | Converted To |
|---|---|---|
| lastLogon | FILETIME (Int64) | DateTime |
| lastLogonTimestamp | FILETIME (Int64) | DateTime |
| pwdLastSet | FILETIME (Int64) | DateTime |
| accountExpires | FILETIME (Int64) | DateTime |
| whenCreated | Generalized Time (string) | DateTime |
| whenChanged | Generalized Time (string) | DateTime |
Note:
lastLogon is not replicated across domain controllers. To get the most accurate value, you would need to query every DC. lastLogonTimestamp is replicated but has a default lag of up to 14 days. IdentityCenter stores whichever value it receives from the DC specified in the connection.
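The conversion described above, written out as an added example (not IdentityCenter's own code) so that converted values can be cross-checked against raw directory data. It assumes the sentinel values 0 and 0x7FFFFFFFFFFFFFFF should become "no date" and that an inactivity check should allow for the 14-day lastLogonTimestamp lag; the function names and the 90-day threshold are hypothetical.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF   # AD sentinel for "never", e.g. accountExpires

def filetime_to_datetime(value):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime, None for sentinels."""
    ticks = int(value)
    if ticks <= 0 or ticks >= NEVER:   # 0 = not set, NEVER = no expiry
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)
    except OverflowError:              # past year 9999: no usable date
        return None

def generalized_time_to_datetime(value):
    """Parse whenCreated/whenChanged strings such as '20230601120000.0Z'."""
    parsed = datetime.strptime(value, "%Y%m%d%H%M%S.0Z")
    return parsed.replace(tzinfo=timezone.utc)

def is_inactive(last_logon_timestamp, now, threshold_days=90, lag_days=14):
    """True if the account looks unused once replication lag is allowed for."""
    seen = filetime_to_datetime(last_logon_timestamp)
    if seen is None:                   # never logged on
        return True
    return now - seen > timedelta(days=threshold_days + lag_days)

# Constructed sample values, not taken from a real directory.
SAMPLE = {
    "lastLogonTimestamp": "133485408000000000",  # 2024-01-01 00:00:00 UTC
    "accountExpires": "9223372036854775807",     # never expires
    "pwdLastSet": "0",                           # must change at next logon
    "whenCreated": "20230601120000.0Z",
}

def convert(record):
    """Convert the timestamp attributes of one directory record."""
    out = {k: filetime_to_datetime(record[k])
           for k in ("lastLogonTimestamp", "accountExpires", "pwdLastSet")}
    out["whenCreated"] = generalized_time_to_datetime(record["whenCreated"])
    return out
```

Treating the sentinels as real dates would make a never-expiring account look as if it expires in the year 30828, or a password that must be changed look as if it was set in 1601, so reports built on these fields should handle "no date" explicitly.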
Custom Attributes
If your organization uses non-standard AD attributes (custom schema extensions or the built-in extensionAttribute fields), you can map them to IdentityCenter's extension fields.
Mapping Extension Attributes
Active Directory provides 15 built-in extension attributes (extensionAttribute1 through extensionAttribute15) commonly used by Exchange and custom applications.
To map a custom attribute:
- Open the sync project's Attribute Mappings tab
- Click Add Mapping
- Set the Source Attribute to the AD attribute name (e.g., extensionAttribute1)
- Set the Destination Field to the appropriate extension field in IdentityCenter
- Save the mapping
Schema Extension Attributes
If your AD schema has been extended with custom attributes (e.g., myCompany-badgeNumber), you can map these the same way. Ensure the attribute name matches exactly as it appears in the AD schema (case-sensitive for some LDAP implementations).
Performance Considerations
Attribute mappings directly affect sync performance. Each mapped attribute:
- Adds to the LDAP query response size (more data transferred per object)
- Increases the database upsert payload (more columns to compare and update)
- Uses memory in the sync engine's working set
Best Practices for Performance
- Map only what you need. Remove mappings for attributes you do not use in policies, reports, or the directory browser.
- Avoid mapping binary attributes (such as thumbnailPhoto or userCertificate) unless you specifically need them. Binary attributes are large and slow down sync.
- Test with a small OU first. When adding new mappings, run a sync against a single OU to verify the mapping works before applying it to the full directory.
- Review mappings periodically. Over time, mappings accumulate. Remove any that are no longer needed.
Troubleshooting Attribute Mapping Issues
| Problem | Cause | Fix |
|---|---|---|
| Attribute value is always empty | AD attribute name is misspelled | Verify the exact AD attribute name in the schema |
| Attribute value is truncated | Destination field has a length limit | Check the database column size |
| Transform produces unexpected output | Transform logic error | Test the transform with sample data |
| Mapped attribute not appearing | Mapping was added after initial sync | Run a full sync to populate the attribute |
| Performance degraded after adding mappings | Too many attributes or binary data | Remove unnecessary mappings |
Next Steps
- Creating a Sync Project -- Set up a project with attribute mappings
- Auto Sync Projects -- Understand default mappings per object class
- Delta & Incremental Sync -- How changes are detected for mapped attributes
- Sync Troubleshooting -- Resolve attribute-related sync failures
- Directory Browser -- View synced attribute values