Manage credential mappings in GUI
Since 4.9
This functionality is available since version 4.9.
Manage credentials on your resources in the graphical user interface using the resource wizard for credential mappings.
In midPoint, you can manage various types of credentials, such as passwords, SSH keys, X.509 certificates for TLS, TOTPs for MFA, etc. You can configure credential mappings to transfer credentials between the resource and midPoint, generate new keys that follow your security policies, or run a script to perform any advanced actions on the credentials.
The resource wizard for credential mappings is similar to the wizard used for activation configuration. However, it is generally simpler and does not offer any presets.
You do not need any credential mappings if you do not manage credentials on the resource. That may be the case, for instance, when you handle authentication by SSO using a separate system.
Add credential mappings
To define credential mappings in the GUI:
- In Resources > All resources, go to your resource.
- In Accounts, click Configure > Credentials.
- Select the Inbound or Outbound tab:
  - Inbound: To send credentials to midPoint
  - Outbound: To send credentials to the resource
- Click Add inbound (or Add outbound) to add a new mapping rule.
- Click Settings on the new tile that appears in the selected tab.
Define basic options
At this point, what you do next depends on your goal. Here is an outline of your options:
- Name the mapping descriptively.
  - The requirements are identical to those for other mappings: in general, treat mapping names as you would file names. They need to be unique, and it is best to use hyphens instead of spaces, for example update-user-password.
- Set the strength based on the mapping purpose. See the explanation of the mapping strength options.
- In Expression, define how to handle the credentials:
  - As is provides the simplest option: it passes an existing value from midPoint to the resource or vice versa.
  - Generate tells midPoint to create a new random password. This may be used in a weak outbound mapping to generate initial passwords.
  - Literal inserts a static value.
  - Script lets you define custom behavior, for example conditional logic.
- See the section on source and target options below to decide whether you need to adjust them.
When you are done with the basic setup, click Next: Optional.
Source and target mapping options
In some cases, you may also need to specify the source and target options for the mapping.
As a general rule, rely on the default behavior of the connector and leave the source and target options blank. When you use a resource like LDAP, the connector knows where the credentials belong. Similarly, midPoint knows implicitly where to store credentials. Define source and target in credential mappings only when you cannot rely on the ability of the connector to determine which attributes to use for credentials.
For example, if you exchange passwords with a custom resource or handle accounts with multiple credential types per account, you may need to tell midPoint (and, by extension, the connector) which attribute to use in what situation.
- For inbound mappings:
  - Source specifies an attribute on the resource side from which to take credentials. This is typically defined in the resource schema and does not need to be specified manually here. However, if your resource objects (e.g., users) have multiple authentication tokens, such as a password and a PIN, you would specify the PIN as an additional credential source and map it to its dedicated target attribute in midPoint. For a CSV resource, the source value could be, for instance, $shadow/attributes/ri:someColumnName.
  - Target specifies an attribute in the midPoint resource object type into which you wish to put authentication tokens. You would use this option to specify the destination for PINs from the use case above, or to copy passwords to an additional custom attribute, for example.
  - You do not have to specify both source and target explicitly if it is not required.
- For outbound mappings:
  - You can only define the source, and it is exactly the attribute you would define as the target for inbound mappings above (e.g., a custom object type attribute for a PIN).
  - If you cannot rely on the resource schema definition for the password target mapping because your users have two passwords, for instance, map the secondary password to the appropriate resource attribute using general outbound mapping rules. In other words, handle secondary passwords as you would handle any other attribute, such as surname.
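The PIN use case described above, written out as the resource XML that the wizard produces for you. This is an added example, not code from the original page or from the midPoint project; the resource name, the `ri:pin` column and the `extension/pin` user property are constructed assumptions, and the rest of the resource definition is omitted.

```xml
<!-- Added example, not from the original page. Assumptions: a CSV-style
     resource with a column "pin" (ri:pin), and a custom user extension
     property "pin" declared in your schema extension (extension/pin).
     connectorRef and connectorConfiguration are omitted. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3"
          xmlns:ri="http://midpoint.evolveum.com/xml/ns/public/resource/instance-3">
    <name>example-csv</name>
    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>

            <!-- Outbound direction: a secondary credential is handled like any
                 other attribute, so it lives under <attribute>, not <credentials>.
                 Its source is the same user property the inbound mapping below targets. -->
            <attribute>
                <ref>ri:pin</ref>
                <outbound>
                    <name>outbound-pin</name>
                    <strength>normal</strength>
                    <source>
                        <path>extension/pin</path>
                    </source>
                </outbound>
            </attribute>

            <!-- Inbound direction: the primary password needs no source or target,
                 because the connector and midPoint both know where it belongs.
                 The PIN is the additional token, so it gets an explicit source
                 (resource attribute) and target (user property). -->
            <credentials>
                <password>
                    <inbound>
                        <name>inbound-pin</name>
                        <strength>strong</strength>
                        <source>
                            <path>$shadow/attributes/ri:pin</path>
                        </source>
                        <expression>
                            <asIs/>
                        </expression>
                        <target>
                            <path>extension/pin</path>
                        </target>
                    </inbound>
                </password>
            </credentials>
        </objectType>
    </schemaHandling>
</resource>
```

How the PIN is stored in the midPoint repository depends on the type you declare for `extension/pin` in your schema extension: declaring it as `ProtectedStringType` keeps it encrypted at rest like the primary password, whereas a plain string extension property stores it in clear text.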
Adjust advanced settings
On the screen that follows, define the parameters below as needed. You can safely leave them at their defaults and click Done to save the mapping and exit the wizard.
- Authoritative defines whether the mapping "tolerates" changes made by other means.
  - Refer to Mappings (authoritative) for details.
- Exclusive ensures that only one mapping can target the particular attribute.
  - Refer to Mappings (exclusive) for details.
- Channel restricts the mapping's applicability to the context of certain channels.
  - Refer to Mappings (channel constraints) for details.
When you are done with the setup, click Done.
New credential mappings are in the Active lifecycle state by default. We suggest you change it to Proposed and test your configuration first.
Example configurations
Here are a few example configurations you can use as starting points for your configuration.
Generate initial password
Let us have a target resource to which you provision accounts as they are created in a source resource. Some systems, such as LDAP, do not allow passwordless accounts, meaning you have to create some password, even if users need to reset it, for instance by means of a help desk, before actually using the account.
This is the situation in which to have midPoint generate a random password for new accounts.
- Create a new outbound credential mapping.
- Name it generate-initial-password, for instance.
- Give it weak strength.
- Set the expression option to Generate.
- Save the mapping.
This mapping populates the password attribute with a randomly generated password only if the attribute is empty. Under any other circumstances, the mapping does not change the password because you set it as weak.
Let users change their password from midPoint
To let users change their resource password in midPoint, add an outbound credential mapping that takes the password from the corresponding focus in midPoint and updates it in the resource shadow (and the remote resource, by extension) during reconciliation. Additionally, you may want to prevent midPoint from overwriting the password, should the user change it by other means—e.g., directly on the resource.
- Create a new outbound credential mapping.
- Name it change-password, for instance.
- Give it normal strength.
- Set the expression to As is.
- Save the mapping.
The strength of this mapping dictates that it updates the target value when the source changes, but leaves it alone if the source stays the same while the target value is changed outside midPoint (for example, the user changed it directly on the resource). The As is expression simply copies the password from midPoint to the resource.
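Both example configurations above (generate-initial-password and change-password), together with the optional settings from the Adjust advanced settings section and the Proposed lifecycle state suggested in the tip, as the resource XML the wizard writes. This is an added example, not code from the original page or from the midPoint project; the resource name is a constructed assumption, the element name `lifecycleState` is assumed, and connector configuration and attribute mappings are omitted.

```xml
<!-- Added example, not from the original page. Assumption: an LDAP-style
     target resource named "example-ldap"; connectorRef, connectorConfiguration
     and attribute mappings are omitted. -->
<resource xmlns="http://midpoint.evolveum.com/xml/ns/public/common/common-3">
    <name>example-ldap</name>
    <schemaHandling>
        <objectType>
            <kind>account</kind>
            <intent>default</intent>
            <credentials>
                <password>

                    <!-- "Generate initial password": weak, so it only fills an
                         empty password attribute (typically on account creation)
                         and never overwrites an existing one. -->
                    <outbound>
                        <name>generate-initial-password</name>
                        <strength>weak</strength>
                        <expression>
                            <!-- Random value; add <valuePolicyRef oid="..."/> inside
                                 <generate> to pick a specific value policy. -->
                            <generate/>
                        </expression>
                    </outbound>

                    <!-- "Let users change their password from midPoint": normal, so a
                         changed midPoint password is pushed to the resource, while a
                         password changed directly on the resource is left alone. -->
                    <outbound>
                        <name>change-password</name>
                        <!-- Lifecycle state as suggested in the tip: test in proposed
                             state first, then switch to active. Element name assumed. -->
                        <lifecycleState>proposed</lifecycleState>
                        <!-- Advanced settings, both shown at their default values. -->
                        <authoritative>true</authoritative>
                        <exclusive>false</exclusive>
                        <strength>normal</strength>
                        <!-- Optional channel constraint: apply this mapping only to
                             changes made through the GUI user channel. Remove it to
                             apply the mapping regardless of channel. -->
                        <channel>http://midpoint.evolveum.com/xml/ns/public/common/channels-3#user</channel>
                        <expression>
                            <asIs/>
                        </expression>
                    </outbound>

                </password>
            </credentials>
        </objectType>
    </schemaHandling>
</resource>
```

The two mappings compose as the strength semantics dictate: when an account is created for a user who already has a password in midPoint, change-password supplies it and the weak mapping yields; only users without a midPoint password get the generated value.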
See also
Here are additional resources to explore:
- Object Lifecycle: Gain a deeper understanding of object lifecycle management in midPoint.
- Admin GUI Configuration: See configuration options for certain wizard panels and the GUI in general.