Gluu Server can perform a direct mapping if you have ePSA attribute and value ( or, something similar ) in your backend AD/LDAP. As for example, you have one attribute and value available in your backend: "userGroupCheck = student@school.edu". You can directly pull that attribute and value in your Gluu Server's ePSA with the help of Gluu Server's GUI. But if you do not have any attribute something like above and your groups are only available in "memberOf" of your backend AD, then a Jython script of Gluu Server can map and calculate the ePSA value for you. As for example you have values like: "memberOf: CN=Student,DC=school,DC=edu" and "memberOf: CN=Staff,DC=school,DC=edu". In this case Gluu Server's script will scan "memberOf" values, then will extract "CN=Student" / "CN=Staff" and calculate ePSA values something like "student@school.edu" or "staff@school.edu" inside of your Gluu Server.