How To
ForgeRock Identity Cloud

How do I map a target user ID generated on creation back to an attribute in Identity Cloud?

Last updated Jan 19, 2023

The purpose of this article is to provide assistance if you want to map a user attribute that is generated by an external system on creation to the user attribute ID (_id) in ForgeRock Identity Cloud, where the external system is the target and Identity Cloud is the source.


Where Identity Cloud is the target and an external system is the source, this is quite simple, because you can just create a mapping from the source ID to an Identity Cloud attribute of your choice.

In this scenario, however, where the external system is the target and the ID is generated upon creation, you need to add some additional logic to the mapping. One way of achieving this is to use the postAction logic described here: Script triggers defined in mappings.


  • You have configured the Remote Connector Server (RCS) and connector to sync identities as described in Sync identities.
  • The attribute corresponding to the target user ID has been defined in the connector for the target system. For example, if you have configured an LDAP connector, you have set the UID Attribute (on the Details tab in the Connector) to an appropriate LDAP attribute (typically entryUUID).

Mapping a target ID generated on create using postAction logic

  1. In the Identity Cloud admin UI, go to Native Consoles > Identity Management > Configure > Mappings and click New Mapping.
  2. Select an Identity Cloud resource as your source and select the external system resource as your target. See Configure a resource mapping for further information.
  3. Within the mapping you just created, select the Behaviors tab and edit the Absent situation.
  4. Select the And On Complete tab and enter a script in the Inline Script field to map the target user ID attribute to the Identity Cloud user attribute. For example, where the target system uses the entryUUID attribute and the attribute being used in Identity Cloud is frUnindexedString1, your script would look similar to this:openidm.patch("managed/alpha_user/" + source._id, null, [{"operation":"add", "field":"frUnindexedString1", "value":target.entryUUID}]);Adjust this script as required according to which attributes you are using and which users you want to patch.

Based on the above script, an alpha user is patched with the frUnindexedString1 attribute, which is set to the value of the entryUUID attribute, when the sync is executed.

Script extensions

You can also extend the script to wrap the logic in an if loop so that it only executes when the source attribute does not equal the target attribute. This extension would stop the script running every time a sync was executed and would prevent loops.

For example:if (source.frUnindexedString1 != target.entryUUID) { openidm.patch("managed/alpha_user/" + source._id, null, [{"operation":"add", "field":"frUnindexedString1", "value":target.entryUUID}]); }

See Also


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.