See also: SSO (Single Sign-On)
The fieldMappings property of "SSO System Preferences" maps identity provider claims to LDP user attributes. This reference describes the syntax. It also lists typical Azure claims.
Syntax
fieldMappings is a single string. The format is:
field=claim,field2=claim2&claim3
Three separators are used:
| Character | Purpose |
|---|---|
| `,` | Separates one mapping from the next |
| `=` | Separates the LDP attribute (left) from the source claim (right) |
| `&` | Connects multiple source claims as a fallback chain |
Each mapping defines a target LDP user attribute on the left side. On the right side, you list one source claim or a fallback chain. The first non-empty claim in the chain wins.
Example:
username=email&preferred_username,displayname=name
This string defines two mappings:
- For username, use the email claim. If email is missing, fall back to preferred_username.
- For displayname, use the name claim.
Common Azure (Entra ID) claims
The Azure ID token and user info endpoint can return these claims:
| Claim | Description |
|---|---|
| `email` | Primary e-mail address |
| `preferred_username` | User principal name (UPN). Typically the user's e-mail |
| `sub` | Subject. Stable opaque user identifier |
| `oid` | Object ID. Globally unique user identifier in Azure AD |
| `name` | Display name |
| `given_name` | First name |
| `family_name` | Last name |
Which claims are returned depends on the Scope in the SSO system preferences. The email claim needs the email scope. The name, given_name, and family_name claims require the profile scope.
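The following Python sketch is an added example, not LDP's own code. It parses a fieldMappings string as described under Syntax, applies the fallback rule to a set of claims, and lists the scopes the mapped claims need according to the paragraph above. Assumptions: whitespace around tokens is ignored, malformed entries are rejected, and only non-empty string values count as present; the function names are hypothetical.

```python
# Added example: illustrative parser, not LDP's implementation.
# Scope requirements exactly as stated on this page.
SCOPE_FOR_CLAIM = {"email": "email", "name": "profile",
                   "given_name": "profile", "family_name": "profile"}


def parse_field_mappings(text):
    """Return {ldp_attribute: [claim, fallback, ...]} from a fieldMappings string."""
    mappings = {}
    for entry in text.split(","):
        if not entry.strip():
            continue  # tolerate a trailing comma or blank line (assumption)
        field, sep, chain = entry.partition("=")
        claims = [c.strip() for c in chain.split("&")]
        # A second "=" usually means a comma was forgotten between two mappings.
        if not sep or "=" in chain or not field.strip() or not all(claims):
            raise ValueError(f"malformed mapping: {entry!r}")
        mappings[field.strip()] = claims
    return mappings


def resolve(mappings, token_claims):
    """Apply the fallback rule: the first non-empty claim in each chain wins."""
    result = {}
    for field, chain in mappings.items():
        for claim in chain:
            value = token_claims.get(claim)
            if isinstance(value, str) and value.strip():
                result[field] = (value, claim)  # record which claim supplied it
                break
        else:
            result[field] = (None, None)  # nothing usable in the whole chain
    return result


def required_scopes(mappings):
    """Scopes the mapped claims need, per the scope rules on this page."""
    return {SCOPE_FOR_CLAIM[c] for chain in mappings.values()
            for c in chain if c in SCOPE_FOR_CLAIM}


if __name__ == "__main__":
    m = parse_field_mappings("username=email&preferred_username,displayname=name")
    # Constructed sample claims: email is absent, so the fallback is used.
    sample = {"preferred_username": "jdoe@example.com", "name": "Jane Doe"}
    print(resolve(m, sample))
    print(sorted(required_scopes(m)))
```

Recording which claim supplied each value makes it visible when a login silently falls back, for example because the email scope was not configured.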
Practical example: typical Azure username mapping
Map the LDP username to the user's e-mail. Use preferred_username as a fallback:
username=email&preferred_username
NOTE The fieldMappings field in the detail view is a single multi-line text field. There is no guided mapping editor. Enter the syntax directly.