Map user accounts
On the Account Mapping page, configure how the login information is mapped to the application’s user accounts.
Available options vary depending on your application type.
| Option | Description |
|---|---|
| Directory Service Field | Use this option if the user accounts are based on user attributes. Also see Authentication security options for information on the option to use the password supplied by Active Directory users. |
| All users share one name | Use this option if you want to share access to an account (for example, some people share an application developer account). Check Allow users to view credentials to allow users to view User Identity (User Name and Password) for an application in the User Portal > Application Settings (select the gear icon in the application tile). Users must have the View permission enabled. This can help users who may need offline access to the application. The ability to view the User Identity information in the application only applies to application passwords stored in CyberArk Identity. It does not apply to applications where passwords are stored in the PAM - Self-Hosted Vault. If this option is not checked (default), User Identity information for an application is not shared in the User Portal > Application Settings. Contact CyberArk Support to disable the Allow users to view credentials option. Use the Authentication Key to enable TOTP for admin-added applications. For instructions, see Enable time-based one-time passwords (TOTP) for two-factor authentication. |
| Prompt for user name | Use this option if you want users to supply their own user name and password. This option only applies to some application types such as user password, custom NTLM, and browser extension applications. The first time that users launch the application, they enter their login credentials for that application. The CyberArk Cloud Directory stores the user name and password so that the next time the user launches the application, the CyberArk Cloud Directory logs in the user automatically. |
| Account Mapping Script | You can customize the user account mapping here by supplying custom JavaScript. For example, you could use the following line as a script: The script sets the login user name to the user’s mail attribute value in Active Directory and adds ‘.ad’ at the end. For example, if the user’s mail attribute value is Adele.Darwin@acme.com then the account mapping script sets LoginUser.Username to Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see SAML application scripting. Also see Authentication security options for information on the option to use the password supplied by Active Directory users. |
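
The mapping that the Account Mapping Script row describes, written out as an added example that is not from the original page or from CyberArk. `makeLoginUser` is a hypothetical stand-in for the `LoginUser` object the service provides, `LoginUser.Get` is assumed to be its attribute accessor, and the sample users are constructed. It also shows what the one-line form produces when `mail` is empty, and a checked variant that refuses to map in that case.

```javascript
// Hypothetical stand-in for the LoginUser object supplied to the script at
// run time; only Username and an attribute getter are modelled here.
function makeLoginUser(attrs) {
  return {
    Username: null,
    // Assumed accessor: returns a directory attribute value by name.
    Get: function (name) { return attrs[name]; }
  };
}

// The mapping described in the table: mail attribute value plus '.ad'.
function mapNaive(LoginUser) {
  LoginUser.Username = LoginUser.Get('mail') + '.ad';
  return LoginUser.Username;
}

// Same mapping, but it refuses to produce a login name when the mail
// attribute is absent or is not a single user@domain value.
function mapChecked(LoginUser) {
  var mail = LoginUser.Get('mail');
  if (typeof mail !== 'string' || !/^[^@\s]+@[^@\s]+$/.test(mail.trim())) {
    throw new Error('mail attribute missing or malformed; no account mapped');
  }
  LoginUser.Username = mail.trim() + '.ad';
  return LoginUser.Username;
}

// Constructed sample directory users (not real accounts).
var samples = [
  { name: 'adele', attrs: { mail: 'Adele.Darwin@acme.com' } },
  { name: 'svc-no-mail', attrs: {} },
  { name: 'contractor-no-mail', attrs: {} }
];

samples.forEach(function (s) {
  var naive = mapNaive(makeLoginUser(s.attrs));
  var checked;
  try {
    checked = mapChecked(makeLoginUser(s.attrs));
  } catch (e) {
    checked = 'REJECTED (' + e.message + ')';
  }
  console.log(s.name + ': naive=' + naive + ' checked=' + checked);
});
```

Both users without a `mail` value map to the same login name, `undefined.ad`, under the one-line form, so they would collide on one application account; the checked variant surfaces the missing attribute instead.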