As part of setting up user provisioning, you specify user attributes to sync from your identity provider to VMware Identity Services. Some of these attributes are required by VMware Identity Services and Workspace ONE services to support basic functionality. Other attributes are optional. VMware Identity Services also supports custom attributes that you can use to sync any user attribute.
Required SCIM Attributes
You must sync the following SCIM attributes from your identity provider to VMware Identity Services to ensure basic Workspace ONE functionality.
In your identity provider, add the attribute listed in the SCIM Attribute column and map it to your identity provider attribute. The Workspace ONE Attribute column displays the name of the attribute as it appears in Workspace ONE services.
SCIM Attribute | Workspace ONE Attribute | Description |
---|---|---|
userName | userName | The unique identifier of the user, often in the format user@domain. userName is typically used by the user to authenticate. All users must have a unique and non-empty userName value. If any user is missing a userName value, provisioning does not succeed. |
externalId | externalId | The unique identifier for users in the Workspace ONE directory. All users must have a unique and non-empty externalId value. If any user is missing an externalId value, provisioning does not succeed. Note: VMware Identity Services does not support updating a user's externalId value after the user is provisioned. To update a user's externalId value, you must delete and reprovision the user from the identity provider. |
emails |  | User’s email address, typically the work email address. All users must have a non-empty value for this attribute. |
name.givenName | firstName | User’s first name. All users must have a non-empty value for this attribute. |
name.familyName | lastName | User’s last name. All users must have a non-empty value for this attribute. |
active | active | The identifier that indicates whether the user is active or deactivated. All users must have a non-empty value for this attribute. |
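Because a single user with a missing userName or externalId causes provisioning to fail, it helps to check an export of the users before enabling sync. The following pre-flight check is an added example, not VMware code. It assumes the users are available as standard SCIM JSON resources, and the uniqueness comparison rules (case-insensitive userName, case-exact externalId) are assumptions taken from RFC 7643 rather than from this page.

```python
from collections import Counter

REQUIRED = ["userName", "externalId", "emails",
            "name.givenName", "name.familyName", "active"]
# Comparison rules are this example's assumption, taken from RFC 7643:
# userName is case-insensitive, externalId is case-exact.
UNIQUE = {"userName": str.casefold, "externalId": str}

def get_path(user, path):
    """Follow a dotted path such as 'name.givenName' through nested dicts."""
    node = user
    for key in path.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def is_empty(value):
    if isinstance(value, bool):   # active=False is a valid, non-empty value
        return False
    if isinstance(value, str):
        return not value.strip()
    if isinstance(value, list):   # emails is multi-valued: need one usable 'value'
        return not any(isinstance(e, dict) and str(e.get("value") or "").strip()
                       for e in value)
    return value is None

def validate_users(users):
    """Return sorted (user_index, attribute, problem) findings for a batch."""
    findings = []
    for i, user in enumerate(users):
        findings += [(i, a, "missing or empty") for a in REQUIRED
                     if is_empty(get_path(user, a))]
    for attr, norm in UNIQUE.items():
        values = [norm(str(get_path(u, attr) or "").strip()) for u in users]
        dupes = {v for v, n in Counter(values).items() if v and n > 1}
        findings += [(i, attr, "duplicate") for i, v in enumerate(values) if v in dupes]
    return sorted(findings)

# Constructed sample batch (not real accounts).
SAMPLE_USERS = [
    {"userName": "alice@example.com", "externalId": "ext-001", "active": False,
     "emails": [{"value": "alice@example.com"}],
     "name": {"givenName": "Alice", "familyName": "Ng"}},
    {"userName": "bob@example.com", "active": True, "emails": [{"value": ""}],
     "name": {"givenName": "Bob", "familyName": "Ruiz"}},
    {"userName": "ALICE@example.com", "externalId": "ext-003", "active": True,
     "emails": [{"value": "a2@example.com"}],
     "name": {"givenName": "Alicia", "familyName": "Ng"}},
]
```
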
Optional SCIM Attributes
In addition to the required attributes, Workspace ONE supports the following optional attributes.
In your identity provider, add the attribute listed in the SCIM Attribute column and map it to your identity provider attribute. The Workspace ONE Attribute column displays the name of the attribute as it appears in Workspace ONE services.
SCIM Attribute | Workspace ONE Attribute |
---|---|
urn:ietf:params:scim:schemas:core:2.0:User:displayName | displayName |
urn:ietf:params:scim:schemas:core:2.0:User:name.familyName | lastName |
urn:ietf:params:scim:schemas:core:2.0:User:name.givenName | firstName |
urn:ietf:params:scim:schemas:core:2.0:User:nickName | nickName |
urn:ietf:params:scim:schemas:core:2.0:User:phoneNumbers | phone |
urn:ietf:params:scim:schemas:core:2.0:User:profileUrl | profileUrl |
urn:ietf:params:scim:schemas:core:2.0:User:title | title |
urn:ietf:params:scim:schemas:core:2.0:User:userName | userName |
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:costCenter | costCenter |
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | department |
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:division | division |
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | employeeID |
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value | managerId |
urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:organization | organization |
urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:adSourceAnchor | sourceAnchor |
urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:distinguishedName | distinguishedName |
urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:domain | domain |
urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:userPrincipalName | userPrincipalName |
Custom SCIM Attributes
In addition to the required and optional attributes, Workspace ONE supports a few custom attributes. You can use these custom attributes to sync any attribute from your identity provider.
In your identity provider, add the attribute listed in the SCIM Attribute column and map it to the identity provider attribute that you want to sync. Make sure that you use the full attribute path, for example, urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute3. The Workspace ONE Attribute column displays the name of the attribute as it appears in Workspace ONE services.
SCIM Attribute | Workspace ONE Attribute |
---|---|
urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute1 | Custom1 |
urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute2 | Custom2 |
urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute3 | Custom3 |
urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute4 | Custom4 |
urn:ietf:params:scim:schemas:extension:ws1b:2.0:User:customAttribute5 | Custom5 |
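When a custom attribute does not arrive in Workspace ONE, a common first check is whether the full attribute path points at a value in the SCIM payload the identity provider sends. The resolver below is an added example, not VMware code. It assumes the payload follows the RFC 7643 JSON layout, where core attributes sit at the top level and extension attributes are nested under a key equal to the schema URN. The sample user and its values are constructed.

```python
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
WS1B = "urn:ietf:params:scim:schemas:extension:ws1b:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

def split_path(path):
    """Split a full attribute path into (schema_urn, [attribute, sub-attribute...])."""
    if not path.startswith("urn:"):
        raise ValueError(f"not a full attribute path: {path!r}")
    # The attribute name is everything after the last colon; the '.' in the
    # schema version (2.0) stays on the schema side of the split.
    schema, _, attr = path.rpartition(":")
    if not attr or not schema.endswith(":User"):
        raise ValueError(f"path has no attribute after the User schema: {path!r}")
    return schema, attr.split(".")

def resolve(user, path):
    """Return the value a full attribute path points to, or None if absent."""
    schema, parts = split_path(path)
    node = user if schema == CORE else user.get(schema)
    for part in parts:
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node

def audit_mapping(user, paths):
    """Map each configured path to its value, or to an error string if malformed."""
    report = {}
    for path in paths:
        try:
            report[path] = resolve(user, path)
        except ValueError as exc:
            report[path] = f"ERROR: {exc}"
    return report

# Constructed sample resource (values are illustrative only).
SAMPLE_USER = {
    "schemas": [CORE, ENTERPRISE, WS1B],
    "userName": "alice@example.com",
    ENTERPRISE: {"department": "Finance", "manager": {"value": "ext-900"}},
    WS1B: {"customAttribute3": "badge-0042"},
}

if __name__ == "__main__":
    paths = [WS1B + ":customAttribute3", ENTERPRISE + ":manager.value",
             WS1B + ":customAttribute1", "customAttribute3"]
    for path, value in audit_mapping(SAMPLE_USER, paths).items():
        print(path, "->", value)
```
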
How to Map Attributes
For specific information about how to map user attributes in your identity provider, see:
- If you are integrating with Azure AD, see Step 3: Map SCIM User Attributes.
- If you are integrating with another identity provider, see Step 3: Map SCIM User Attributes.