During the Workspace ONE Access directory setup process, you select the user attributes to sync from your enterprise directory to the Workspace ONE Access directory. You manage the list of user attributes from the User Attributes page in the Workspace ONE Access console.
Default Attributes
The User Attributes page lists the default Workspace ONE Access directory attributes that can be mapped to Active Directory or LDAP directory attributes.
You select which attributes are required and which ones are optional. Attributes marked required must be populated for all synced user records. User records that are missing values for the required attributes will not be synced to Workspace ONE Access. Also keep in mind that you can only mark attributes required before any directory is created in the Workspace ONE Access service. After a directory is created, you can no longer change an attribute to be a required attribute.
The following table lists the attributes that have default mappings to Active Directory attributes. You can update the mappings when you create the Workspace ONE Access directory.
| Workspace ONE Access Directory Attribute Name | Default Mapping to Active Directory Attribute |
|---|---|
| userPrincipalName | userPrincipalName |
| domain | canonicalName. Adds the fully qualified domain name of the object. |
| disabled (external user disabled) | userAccountControl, flagged with UF_Account_Disable. When an account is deactivated, users cannot log in to access their applications and resources. The resources assigned to users are not removed from the account, so that when the flag is removed from the account users can log in and access their assigned resources. |
| distinguishedName | distinguishedName |
| employeeID | employeeID |
| First Name | givenName |
| Last Name | sn |
| sourceAnchor | objectGUID |
| Phone | telephoneNumber |
| Username | sAMAccountName |
Custom Attributes
On the User Attributes page, you can also enter additional attributes that you want to sync to the directory. When you add attributes, the attribute name you enter is case-sensitive. For example, address, Address, and ADDRESS are different attributes.
The following attributes cannot be used as custom attribute names because the Workspace ONE Access service uses these attributes internally for user identity management.
active, addresses, displayName, emails, employeeNumber, externalId, externalUserDisabled, groups, id, ims, locale, meta, name, nickName, password, phoneNumbers, photos, preferredLanguage, profileUrl, schemas, timezone, title, userName, userType, x509Certificates
How Attributes Work
Attributes on the User Attributes page apply to all directories in the Workspace ONE Access service. When you make changes to user attributes, consider the effect on all directories. For example, if you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes required except for Username. If an attribute is marked required, user records that do not contain a value for that attribute are not synced to the Workspace ONE Access service.
When you create a directory, the list of attributes from the User Attributes page appears in the Map Attributes section of the wizard, and you can specify the mapping between the Workspace ONE Access attributes and the Active Directory or LDAP directory attributes. After you create the directory, you can view and update the attribute mappings from the directory's Sync Settings tab.
After any directory is created in the Workspace ONE Access service, you can no longer mark attributes required on the User Attributes page. The following changes to user attributes are still allowed:
- Add custom attributes (User Attributes page)
- Delete custom attributes (User Attributes page)
- Change required attributes to optional (User Attributes page)
- Change the mapping of attributes (directory's Sync Settings tab)
Changes that are made and saved in the User Attributes page after a directory is created are applied to the directory with the next sync.
Important Requirements
- If you map any user attribute to the Active Directory attribute objectGUID or mS-DS-ConsistencyGuid, all users must have a non-empty value for the attribute in Active Directory and the value must be exactly 16 bytes in length. Also, you must map the Workspace ONE Access attribute to the correct Active Directory attribute name, using the correct case. If the attribute names do not match, a null value is returned, and directory sync fails. For example, if you use the mS-DS-ConsistencyGuid attribute in Active Directory and you specify ms-DS-ConsistencyGuid in Workspace ONE Access, directory sync cannot succeed.
- The sourceAnchor attribute has the following requirements:
  - The sourceAnchor attribute is case-sensitive.
  - Attribute values cannot be changed after users are synchronized to Workspace ONE Access.
  - Attribute values must be fewer than 60 characters in length. Characters that are not a-z, A-Z, or 0-9 are encoded and counted as 3 characters.
  - Attribute values must not contain a special character: \ ! # $ % & * + / = ? ^ ` { } | ~ < > ( ) ' ; : , [ ] " @ _
  - If you map the sourceAnchor attribute to an attribute that is not of type string, then Base64 encode the attribute values to ensure that no special characters appear and make sure the values match the Microsoft encoding format.
  - If you map the sourceAnchor attribute to a binary attribute, make sure the values adhere to the proper GUID format.
  - See Selecting a good sourceAnchor Attribute in the Microsoft documentation for the full list of requirements for the attribute.
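The following is an added example, not code from the VMware documentation, that checks constructed sourceAnchor candidates against the rules above before a directory sync is attempted: string-typed values against the forbidden-character and encoded-length rules, and binary objectGUID or mS-DS-ConsistencyGuid values against the exactly-16-bytes rule, returning the GUID text form and the Base64 form. The function names and the sample values are my own.

```python
import base64
import uuid

# Characters the page lists as not allowed in a sourceAnchor value.
FORBIDDEN = set("\\!#$%&*+/=?^`{}|~<>()';:,[]\"@_")
MAX_ENCODED_LEN = 60  # values must be fewer than 60 characters once encoded


def encoded_length(value: str) -> int:
    """Length as the page counts it: a-z, A-Z and 0-9 count as 1 character,
    every other character is encoded and counts as 3."""
    return sum(1 if (c.isascii() and c.isalnum()) else 3 for c in value)


def check_string_anchor(value: str) -> list[str]:
    """Return the rule violations for a string-typed sourceAnchor value
    (an empty list means the value is acceptable)."""
    if not value:
        return ["value is empty"]
    problems = []
    bad = sorted(set(value) & FORBIDDEN)
    if bad:
        problems.append("forbidden characters: " + " ".join(bad))
    n = encoded_length(value)
    if n >= MAX_ENCODED_LEN:
        problems.append(f"encoded length {n} is not fewer than {MAX_ENCODED_LEN}")
    return problems


def binary_guid_anchor(raw: bytes) -> tuple[str, str]:
    """For a binary objectGUID / mS-DS-ConsistencyGuid value, enforce the
    exactly-16-bytes rule and return (GUID text form, Base64 form). The Base64
    form is what is stored as the sourceAnchor for a non-string attribute."""
    if len(raw) != 16:
        raise ValueError(f"GUID attribute must be exactly 16 bytes, got {len(raw)}")
    guid = uuid.UUID(bytes_le=raw)  # AD stores GUIDs in little-endian mixed order
    return str(guid), base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed sample values, not real directory data.
    for v in ["jdoe", "j.doe@corp", "x-" * 15]:
        print(v, "->", check_string_anchor(v) or "ok")
    sample_guid = bytes(range(16))  # constructed 16-byte objectGUID
    print(binary_guid_anchor(sample_guid))
    try:
        binary_guid_anchor(b"\x00" * 15)  # wrong length, must be rejected
    except ValueError as e:
        print("rejected:", e)
```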