Setting multiple possible values for AD/LDAP profile attributes

lihua.zhang · September 1, 2023, 12:33am

Problem statement

We have a requirement to check if a new Active Directory attribute: otherEmail has a value, then use this value to map to the ‘email’ field, otherwise if the new Active Directory attribute: otherEmail is empty (null), then map the ‘email’ field to the value of Active Directory Email attribute.

i.e.
If Active Directory otherEmail = $null
then email = Active Directory Email
else email = Active Directory otherEmail

Solution

In this case, you can do the mappings in the profileMapper so that this mapping logic is completely invisible to Auth0, which will only see an “email” (regardless of how it was calculated), as you can see here:

github.com

auth0/ad-ldap-connector/blob/master/lib/profileMapper.js#L11


      
          module.exports = function (raw_data) {
            var profile = {
              id:          raw_data.objectGUID || raw_data.uid || raw_data.cn,
              displayName: raw_data.displayName,
              name: {
                familyName: raw_data.sn,
                givenName: raw_data.givenName
              },
              nickname: raw_data['sAMAccountName'] || raw_data['cn'] || raw_data['commonName'],
              groups: raw_data['groups'],
              emails: (raw_data.mail ? [{value: raw_data.mail }] : undefined)
            };
          
            profile['dn'] = raw_data['dn'];
            profile['st'] = raw_data['st'];
            profile['description'] = raw_data['description'];
            profile['postalCode'] = raw_data['postalCode'];
            profile['telephoneNumber'] = raw_data['telephoneNumber'];
            profile['distinguishedName'] = raw_data['distinguishedName'];
            profile['co'] = raw_data['co'];
            profile['department'] = raw_data['department'];

You can set this up similar to the following:

emails: raw_data.otherEmail ? [{value: raw_data.otherEmail }] : (raw_data.mail ? [{value: raw_data.mail }] : undefined)