Specifying cross-service user relationships during IdP configuration
Custom Identity Mappings allow you to define relationships between user identities and groups across different systems integrated with Veza. When your organization's access federation doesn't automatically create these connections in Veza, you can specify patterns to map users between systems (for example, connecting an Okta user [email protected] to a SQL Server login DOMAIN\tshaw).
Use custom identity mappings to:
Connect IdP users (such as Okta users) to local accounts (such as Trino users)
Connect IdP groups to groups in downstream systems (such as Active Directory Group to Okta Group, or Azure AD Group to GitHub Team)
Define custom mapping rules for each integration, or use one mapping rule to link IdP identities or groups across multiple connected systems
Veza automatically creates identity relationships for certain integration pairs without requiring custom configuration. This is called native identity mapping.
The following integration pairs automatically create bidirectional identity relationships:
When do you need custom identity mappings?
You're connecting integrations that don't have native mapping
You need to map users/groups using different attributes than the native logic
You're connecting custom applications or custom identity providers built with OAA
Important: For Active Directory ↔ Azure AD and Okta ↔ Google Workspace, configuring a custom identity mapping will disable native mapping between those integrations. Remove the custom mapping configuration to restore native behavior.
You can configure mappings for one or more target data sources based on entity attributes or use templates to correlate identities and groups across multiple destination data sources.
Active Directory to SQL Server:
Source: AD User email [email protected]
Destination: SQL Login YOURDOMAIN\admin
Azure AD to GitHub:
Source: Azure AD Group Engineering-Team
Destination: GitHub Team Engineering Team
AWS integrations support mapping IAM Roles directly to local users in downstream applications. This is useful when IAM roles represent service accounts or federated identities that correspond to application-level users.
AWS IAM Role to Custom Application User:
Source: AWS IAM Role DataAnalyticsRole
Destination: Custom Application User analytics-service
To configure role to user mapping:
Edit your AWS integration and navigate to Mapping Configuration
Select Roles to Users as the Mapping Mode
Choose a destination data source type (Custom Application, Snowflake, SQL Server, etc.)
The Roles to Users mapping mode is currently only available for AWS integrations.
Before configuring identity mappings:
Ensure both the source and destination systems are successfully integrated with Veza
Verify you have the necessary permissions to modify integration configurations
Identify the common attributes or patterns used to correlate identities across your systems
To enable custom mappings for an Identity or Cloud Provider:
Navigate to the Integrations page
Select a cloud or identity provider from the list and click Edit
Scroll down to the Mapping Configuration tab
If you configure any property matchers, the Use Email By Default setting is ignored. For example, Use Email By Default is enabled along with a property matcher for username → user_id, Veza will only use the username mapping and ignore the email default setting.
Add identity matchers to correlate specific identities that don't meet the conditions of another property matcher:
Click Add Identity Matcher to add a mapping rule
In the leftmost dropdown, choose a specific identity from the source integration
Use the rightmost dropdown to pick the corresponding identity in the destination data source
Note: When you select Template as a Property Matcher option, Veza presents a dropdown menu of pre-configured attribute mappings. You don't write these templates yourself, but select from available patterns. The sections below document the transformation logic Veza uses internally to help you choose the right option.
Template transformations use property values and transformation functions to match identities across systems with different naming conventions. This feature is particularly useful when:
Source and destination systems use different naming conventions
You need to normalize user identifiers across systems
You want to define global mapping rules that work across multiple applications
The following sections document the template patterns and transformation functions that Veza uses internally to match identities. When you select a template from the dropdown menu, Veza applies these patterns automatically. This reference helps you understand which pre-configured template option to choose for your identity matching needs.
Templates use property placeholders with optional transformation functions:
For example, a template pattern that transforms a user's name from "JOHN DOE" to "jdoe" would be written as:
Templates support the user properties:
FirstName: User's first name
LastName: User's last name
FirstInitial: First character of first name (equivalent to {FirstName | SUB_STRING,0,1}
Templates can use transformation functions to map identities based on a partial match or a variation of the source attribute.
SUB_STRING
Extracts a portion of text.
Parameters:
start_index: Starting position (0-based)
length: Number of characters to extract
UPPER
Converts all characters to uppercase.
Example: {FirstName | UPPER} for "John" returns "JOHN"
LOWER
Converts all characters to lowercase.
Example: {FirstName | LOWER} for "John" returns "john"
TRIM
Removes leading and trailing whitespace.
Example: {FirstName | TRIM} for " John " returns "John"
Multiple functions can be chained together, applied left to right:
For a user "John Smith", this produces: "J.smith"
Here are some frequently used template patterns:
First initial + last name:
Example: "John Smith" → "jsmith"
First name + last initial:
Example: "John Smith" → "john.s"
Multiple property matchers can be combined using OR logic. The builder indicates these combinations with "OR" separators. For example:
This configuration would match any of these patterns for a user "John Smith":
john.smith
jsmith
When using templates with multiple property matchers, a match on any single pattern is sufficient to create the identity mapping.
You cannot map an identity provider to itself (for example, between two Okta domains).
Common identity mapping combinations include:
Target Systems:
AWS IAM
AWS Redshift
AWS RDS MySQL
AWS RDS Postgres
Identity Providers:
Active Directory
Azure AD
Google Workspace
Okta
AWS-Specific:
AWS IAM Roles → Local Users in any destination system (Roles to Users mode)
Map IdP users to local users in a custom application (as an alternative to using ids)
Define access-granting relationships for any user or group with the same name, email, or another property in the Veza graph database
Identify local account ownership using consistent naming patterns
Configuration: Map email to unique ID, enable "ignore domain"
Okta to Custom Application:
Source: Okta user email [email protected]
Destination: App username jdoe
Configuration: Map email to custom property username
Azure AD to PingOne:
Source: Azure AD user principal name [email protected]
Destination: PingOne user [email protected]
Configuration: Mapping User Principal Name to Email for cross-service access reviews
Configuration: Map name to name, enable "ignore special characters"
Okta to Snowflake:
Source: Okta Group DataAnalysts
Destination: Snowflake Role DATA_ANALYSTS
Configuration: Map name to name, apply "UPPER" transformation
Azure AD to PingOne:
Source: Azure AD Group Engineering-Team
Destination: PingOne Group Engineering Team
Configuration: Map name to name, enable "ignore special characters"
Okta to Custom Application:
Source: Okta Group Engineering-Team
Destination: Custom Application Group Engineering-Team
Configuration: Map name to name for group-based access visibility in custom OAA applications
Multiple Resource Mapping:
Source: Active Directory Security Group Finance-Staff
Destinations:
Salesforce Group Finance Users
AWS IAM Group finance-users
Box Group Finance Department
Configuration: Single mapping configuration applying to multiple destination systems
Configuration: Map role name to custom property service_account
AWS IAM Role to Snowflake User:
Source: AWS IAM Role DataEngineerRole
Destination: Snowflake User data_engineer
Configuration: Map role name to unique ID
Enable Use Email By Default to automatically create an email-to-email property matcher when no other matchers are configured. Configuring explicit property matchers below will take precedence and this setting will be ignored.
For Mapping Mode, choose:
Users to correlate individual identities across systems
Groups to connect source and destination groups
Roles to Users (AWS only) to map AWS IAM Roles to application local users
For Destination Data Source Type, select the target system for identity mapping
Identity Mapping for Multiple Resources: If you need to configure identity mappings to many target systems, Veza supports using a single identity mapping configuration to connect users in the IdP to any number of destinations. Contact your Veza support representative to enable this feature. When enabled, you can select more than one Destination Data Source Types from the dropdown menu.
Click Add Property Matcher to create a mapping rule
Under Property Matchers, choose the source system attribute:
Email or Unique ID for native integrations like Okta
Template for pattern-based matching (see Template Transformations below)
Select the matching destination system property (Email, Unique ID, Template, or Custom)
Configure optional transformations:
Ignore Special Characters: Match identities that differ only by special characters (_, -, .)
Add additional property matchers as needed (combined with OR logic)
Click Save Configuration
LastInitial: First character of last name (equivalent to {LastName | SUB_STRING,0,1})
{FirstName | SUB_STRING,0,3} for "John" returns "Joh"SQL Server
Trino
Snowflake
GitHub
Salesforce
Box
PingOne
Custom Application (OAA data provider)
Custom IDP (OAA identity provider)
OneLogin
AWS Identity Center
PingOne
Custom IDP (OAA identity provider)
Active Directory ↔ Azure AD
Users and Groups
Azure AD onPremisesUserPrincipalName matches AD User Principal Name (requires onPremisesSyncEnabled flag)
Okta ↔ Google Workspace
Users and Groups
Okta App User email matches Google Workspace user email (requires matching domain)
{PropertyName | FUNCTION1 | FUNCTION2,...}{FirstInitial | LOWER}{LastName | LOWER}{FirstName | TRIM | SUB_STRING,0,1 | UPPER}.{LastName | LOWER}{FirstInitial}{LastName}{FirstName}.{LastInitial}Template: {FirstName}.{LastName} OR
Template: {FirstInitial}{LastName} OR
Property: emailCustom Property for OAA template integrations (enter the , e.g. idp_id)