Outbound provisioning for IdPs

User provisioning is an important aspect of identity federation. Often when organizations enable SSO for their users, they must ensure that some form of account synchronization is in place. Automated user provisioning features within PingFederate® free administrators from having to devise a manual strategy for this.

For IdP sites, PingFederate provides built-in automated provisioning and user-account management to SCIM-enabled service providers and to selected SaaS providers via their proprietary provisioning APIs.

Outbound provisioning also provides an automated means of account disabling or deprovisioning, which may be of key importance to system auditors.

Tip: Support for provisioning for SaaS applications, including quick-connection templates to expedite the configuration effort, is available separately. Contact sales@pingidentity.com for more information.

When outbound provisioning is enabled, the PingFederate runtime engine (the provisioner) polls the IdP organization's user store periodically. The server uses a separate database to monitor the state of the user store and keeps user data synchronized between the organization and the target service provider, as illustrated in the following diagram:

LDAP user store
PingFederate provides built-in support for PingDirectory (formerly known as UnboundID Data Store), Microsoft Active Directory, and Oracle Directory Server; templates are used to preconfigure many provisioning settings. Although these are the only data stores formally tested and supported, other LDAP data stores will likely work as well.
Internal data store
Tested internal data stores used for synchronization include HyperSQL, Microsoft SQL Server, Oracle Databases, and Oracle MySQL. A demonstration-only, embedded HyperSQL database is installed by default. Again, any relational database may be used; scripts are provided to aid setup.
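
The polling cycle described above (compare the user store with the state recorded in a separate database, then push only the differences, including account disabling) can be sketched as follows. This is an added illustration, not PingFederate code: the `sync_state` table, the function names, the sample users, and the use of SCIM 2.0 request shapes are assumptions, and SQLite stands in for the internal data store.

```python
import hashlib
import json
import sqlite3

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def open_state_db():
    """Stand-in for the separate database that tracks user-store state."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sync_state (user_id TEXT PRIMARY KEY,"
               " digest TEXT NOT NULL, active INTEGER NOT NULL)")
    return db

def digest(attrs):
    """Stable fingerprint of a user's attributes, used to detect changes."""
    return hashlib.sha256(json.dumps(attrs, sort_keys=True).encode()).hexdigest()

def poll_once(db, directory):
    """Diff one user-store snapshot against recorded state; return requests to send."""
    # Assumption: the target's SCIM resource id equals the directory user id.
    known = {u: (d, a) for u, d, a in
             db.execute("SELECT user_id, digest, active FROM sync_state")}
    ops = []
    for uid, attrs in directory.items():
        body = {"userName": uid, "active": True, **attrs}
        fingerprint = digest(attrs)
        if uid not in known:
            ops.append(("POST", "/Users", body))            # new account
        elif known[uid] != (fingerprint, 1):
            ops.append(("PUT", f"/Users/{uid}", body))      # changed or re-enabled
        else:
            continue                                        # already in sync
        db.execute("INSERT OR REPLACE INTO sync_state VALUES (?, ?, 1)",
                   (uid, fingerprint))
    for uid, (_, active) in known.items():
        if uid not in directory and active:                 # removed from the store
            ops.append(("PATCH", f"/Users/{uid}", {"schemas": [PATCH_OP],
                        "Operations": [{"op": "replace", "path": "active", "value": False}]}))
            db.execute("UPDATE sync_state SET active = 0 WHERE user_id = ?", (uid,))
    db.commit()
    return ops

if __name__ == "__main__":
    db = open_state_db()
    # Constructed sample snapshots of the user store on three consecutive polls.
    polls = [{"alice": {"displayName": "Alice"}, "bob": {"displayName": "Bob"}},
             {"alice": {"displayName": "Alice"}, "bob": {"displayName": "Bob"}},
             {"alice": {"displayName": "Alice A."}}]
    for snapshot in polls:
        print([(m, p) for m, p, _ in poll_once(db, snapshot)])
```

Because the disabled state is recorded rather than deleted, an unchanged poll produces no traffic and a user who reappears in the store is re-enabled with a single update.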

Tags: Capability > User Provisioning; Hosting Environment > On-Premises; Product > PingFederate > PingFederate 8.3; Product > PingFederate; Task Type > Configuration