User Attributes

WorkOS can automatically find and normalize most common attributes from directory providers into the Directory User object, which represents an enterprise user. More unique cases can be mapped by your customers; i.e. IT Admins.

{
  "id": "directory_user_01E1X7B89OH8Z3SXFJR4H7RGX7",
  "idp_id": "821991",
  "first_name": "Jane",
  "last_name": "Doe",
  "email": "jane@example.com",
  "state": "active",
  "created_at": "2021-06-25T19:07:33.155Z",
  "updated_at": "2021-06-25T19:07:33.155Z",
  "object": "directory_user",
  "directory_id": "directory_01E1X194NTJ3PXMAY79DYV0F0P",
  "organization_id": "org_01EHWNCE74X7JSDV0X3SZ3PJNY",
  "custom_attributes": {
    "emails": [
      {
        "type": "work",
        "value": "jane@example.com",
        "primary": true
      }
    ],
    "employee_type": "Full Time",
    "employment_start_date": "2021-06-27T12:00:00.000Z",
    "department_name": "Engineering",
    "manager_email": "john@example.com",
    "division_name": "Analytics",
    "cost_center_name": "IT",
    "job_title": "Software Engineer",
    "addresses": [
      {
        "type": "work",
        "street_address": "101 123rd Ave",
        "locality": "Brooklyn",
        "region": "New York",
        "postal_code": "12345",
        "country": "USA",
        "raw_address": "101 123rd Ave, Brooklyn,  New York, 12345, USA",
        "primary": true
      },
      {
        "type": "home",
        "street_address": "102 W 321st St",
        "locality": "Brooklyn",
        "region": "New York",
        "postal_code": "54321",
        "country": "USA",
        "raw_address": "102 W 321st St, Brooklyn,  New York, 54321, USA",
        "primary": false
      }
    ],
    "username": "jane@example.com",
    "my_new_key": "<custom-mapped value>"
  },
  "raw_attributes": {
    "name": {
      "givenName": "Jane",
      "familyName": "Doe"
    },
    "active": true,
    "emails": [
      {
        "type": "work",
        "value": "jane@example.com",
        "primary": true
      }
    ],
    "groups": [],
    "locale": "en_US",
    "schemas": ["urn:directory:schemas:core:1.0"],
    "password": "redacted",
    "userName": "jane@example.com",
    "externalId": "821991",
    "displayName": "Jane Doe"
  }
}

In this guide, we’ll explain how to map data from directory providers to the Directory Users.

Standard attributes

The most common user information, normalized across providers.

Auto-mapped attributes

Detailed user attributes for specific use cases, normalized across providers. You can opt-in to each attribute you want to receive.

Custom-mapped attributes

For unique cases, you can create your own attributes that your customers can map when setting up a directory.

Every Directory User comes with the following standard attributes. These are the core set of attributes that are common across all identity providers. These are structured fields with a guaranteed schema in the top-level Directory User payload.

For more detailed user information, you can opt-in to auto-mapped custom attributes and define your own custom-mapped custom attributes. Custom attributes will appear in the custom_attributes field. These attributes can be configured in the WorkOS Dashboard.

When enabled, the values will be mapped without additional setup. Not every directory provider has data for every field, so they are always optional if enabled. These fields are named and schematized by WorkOS – they cannot be renamed.

Enable or disable an auto-mapped attribute

Auto-mapped attributes can be enabled or disabled in the WorkOS Dashboard under Directory Sync configuration.

The following support table outlines the attribute availability across directory providers.

If your application may require additional fields, this is where custom-mapped fields are useful. You can create attributes that appear as fields in the Admin Portal. Your customers can map these fields to the correct values in their system when setting up Directory Sync with their directory provider.

Nested attributes

Nested attributes are not currently supported. These admin-defined attributes must be defined as top-level flat keys.

For instance, in the following example top_level_attribute can be mapped, but top_level_with_nested.nested_attribute cannot be mapped:

{
  "top_level_attribute": "value",
  "top_level_with_nested": {
    "nested_attribute": "nested_value"
  }
}

Create a custom-mapped attribute

Custom-mapped attributes can be created in the WorkOS Dashboard under Directory Sync configuration. For attributes set as Required, your customers must map the field to a relevant field in their HRIS or SCIM provider. This can be done via the Admin Portal.

These are unfiltered and unstructured attributes that are unique to each directory provider. These attributes are included as fields in the raw_attributes object that is included in the Directory User. The raw_attributes property will be phased out by July 22, 2025. IdP role assignment or custom attributes should be used instead.

Are existing directories required to update the attribute mapping when new required custom attributes are added?

No, when you add a new required custom attribute to your settings, this won’t be retroactively required for directories that have already been set up and configured. However, in the WorkOS dashboard, you will be able to navigate directly to the existing directory and fill in details for those attributes manually.

Can our customers add their own custom attributes outside of what is defined in the WorkOS dashboard?

We do not currently support this functionality, as you have to define any custom attributes in the dashboard first. Please reach out to support if you have a specific use case that you would like to discuss.

What happens if an attribute cannot be mapped from the IdP?

Attributes that cannot be mapped for a particular Directory User will result in a null value for the attribute. dsync.user.updated events are not emitted when an attribute changes from null to undefined or vice versa.