Map SCIM attributes to ConnID attributes

Last modified 04 May 2026 13:29 +02:00

In order to properly implement the connector, you need to identify which attributes from the resource you are connecting to should be used for the standard ConnID attributes.

The ConnID framework requires attributes UID and NAME to be defined for each object class.

UID

A single-valued attribute that represents the unique identifier of an object within the namespace of the target resource. If possible, this unique identifier should also be immutable. When an application creates an object on a target resource, the create operation returns the Uid of the created object as its result.

NAME

A single-valued attribute that represents the user-friendly identifier of an object on a target resource. For instance, the name of an Account will most often be its loginName. The value of Name need not be unique within ObjectClass. In LDAP, for example, the Name could be the Common Name (CN). Contrast this with Uid, which is intended to be a unique identifier (and, if possible, immutable).

Mapping Script

The attribute mapping is defined in a Groovy script that uses a builder pattern to describe the mapping between application attributes and ConnID attributes.

objectClass("User") {
    connIdAttribute("UID", "id")
    connIdAttribute("NAME", "name")
}

In this example, we are mapping the id attribute from the application to the built-in UID attribute in ConnID, and the name attribute from the SCIM resource to the NAME attribute in ConnID.

The connIdAttribute method takes two parameters: the first is the name of the built-in ConnID attribute (e.g., UID, NAME), and the second is the name of the corresponding attribute in the target resource (e.g., id, name). The connIdAttribute method accepts only the built-in ConnID attributes as the first parameter.
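
An added example, not part of the connector framework or the original page: a Python check that tests candidate resource attributes against the UID and NAME requirements described above, using two reads of the same objects. The sample users, the userName and emails attributes, and the use of id as the correlation key between reads are constructed assumptions.

```python
# Constructed sample data: the same three SCIM users read at two points in time.
BEFORE = [
    {"id": "2819c223", "userName": "bjensen", "name": "Barbara Jensen",
     "emails": ["bjensen@example.com", "babs@example.com"]},
    {"id": "c75ad752", "userName": "jsmith", "name": "John Smith",
     "emails": ["jsmith@example.com"]},
    {"id": "f1e0a9b4", "userName": "jsmith2", "name": "John Smith",
     "emails": ["john.smith@example.com"]},
]
# Barbara was renamed between the two reads; her id did not change.
AFTER = [dict(BEFORE[0], userName="bmiller", name="Barbara Miller"),
         BEFORE[1], BEFORE[2]]


def single_valued(objects, attr):
    """True if every object carries exactly one scalar value for attr."""
    return all(obj.get(attr) is not None
               and not isinstance(obj[attr], (list, dict))
               for obj in objects)


def uid_problems(before, after, attr, key="id"):
    """Reasons why attr is a poor choice for ConnID UID (empty list = none found)."""
    if not single_valued(before + after, attr):
        return ["not single-valued"]
    problems = set()
    for snapshot in (before, after):
        values = [obj[attr] for obj in snapshot]
        if len(set(values)) != len(values):
            problems.add("not unique")
    # Correlate objects across reads by the assumed stable key and compare values.
    old = {obj[key]: obj[attr] for obj in before}
    if any(obj[key] in old and old[obj[key]] != obj[attr] for obj in after):
        problems.add("mutable")
    return sorted(problems)


def name_problems(objects, attr):
    """NAME only has to be single-valued; duplicate values are acceptable."""
    return [] if single_valued(objects, attr) else ["not single-valued"]


if __name__ == "__main__":
    for candidate in ("id", "userName", "name", "emails"):
        print(candidate, "as UID:", uid_problems(BEFORE, AFTER, candidate) or "ok")
    print("name as NAME:", name_problems(AFTER, "name") or "ok")
```

A UID candidate that changes on rename breaks the link between the resource object and the identity that owns it, which is why the check flags userName here even though it is unique.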

Additional built-in standard attributes

The following attributes are not required by the ConnID framework, but they are commonly used in connectors and can be very helpful for various operations. You should consider mapping these attributes if they are available in your target resource.

Currently these attributes are not supported by the framework, but they are planned for future releases. You should not map these attributes until they are officially supported, as they may not function correctly and could lead to issues in your connector implementation.

ENABLE

Gets/sets the enable status of an object.

ENABLE_DATE

Gets/sets the enable date for an object.

LOCK_OUT

Gets/sets the lock out attribute for an object.

PASSWORD_EXPIRATION_DATE

Gets/sets the password expiration date for an object.

PASSWORD

Normally this is a write-only attribute. Sets the password for an object.

FORCE_PASSWORD_CHANGE

Gets/sets the flag that forces an immediate password change by the user (e.g. during the next logon). This can be used to set a temporary password and then force the user to change it to a permanent password.

SHORT_NAME

Attribute that should hold a reasonable value for an application to display as a label for an object. If SHORT_NAME is not present, then the application should use the value of the NAME attribute as a label.

DESCRIPTION

Attribute that should hold the value of the object’s description, if one is available.

LAST_PASSWORD_CHANGE_DATE

Read-only attribute that shows the last date/time the password was changed.

PASSWORD_CHANGE_INTERVAL

Common password policy attribute where the password must be changed every so often.

LAST_LOGIN_DATE

Last login date for an account. This is usually used to determine inactivity.
