Creating a provisioning connection in PingOne
To enable PingOne to manage users in Code42, create a provisioning connection.
Before you begin
If you don’t want to provision users from an existing PingOne population, you can add a new one. For help, see Adding a population in the PingOne documentation.
Steps
- In PingOne, go to Integrations → Provisioning.
- Click , then click New Connection.
- In the Choose a connection type section, select Identity Store.
- On the SCIM Outbound tile, click Select, and then click Next.
- Enter a name and description for the provisioning connection, then click Next.
  The connection name will appear in your configured connections list after you complete and save the connection.
- In the Configure Authentication section, enter the Code42 details:
  - In the SCIM base URL field, enter the base URL that you noted in Adding PingOne as SCIM provider in Code42.
  - For Users Resource, use the default value of /Users.
  - For SCIM Version, use the default selection, 2.0.
  - In the Authentication Method list, select OAuth 2 Bearer Token.
  - In the OAuth Access Token field, enter the Token that you noted in Adding PingOne as SCIM provider in Code42.
  - For the Auth Type Header, use the default selection, Bearer.
  - Click Test Connection.
  - Resolve any issues that are reported, and then click Next.
- In the Configure Preferences section, enter the provisioning options.
  - Use the following default filter and deprovisioning actions:

    | Setting | Value |
    | --- | --- |
    | User Filter Expression | username Eq "%s" |
    | User Identifier | userName |
    | Remove Action | Disable |

    Code42 doesn’t support user deletion.
  - Optional: Customize the provisioning options in the following table:

    | Setting | Description |
    | --- | --- |
    | Allow users to be created | Determines whether PingOne creates a user in Code42 when the user is created in PingOne. |
    | Allow users to be updated | Determines whether PingOne updates a user’s attributes in Code42 when the user attributes change in PingOne. |
    | Allow users to be disabled | Determines whether PingOne disables a user in Code42 when the user is disabled in PingOne. |

  - Click Save.
- To enable your new provisioning connection, in its details pane, click the toggle.
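
The following is an added example, not part of the original procedure or of PingOne's or Code42's code. It shows how a SCIM 2.0 client can express the settings above as requests: the default filter as a user lookup and the Disable action as a PATCH. The base URL, token, and IDs are constructed placeholders, and the exact requests PingOne sends are an assumption based on RFC 7644.

```python
import json
from urllib.parse import quote, urlsplit

# Placeholders (assumptions): use the base URL and token noted in Code42.
BASE_URL = "https://scim.example.invalid/scim/v2"
USERS_RESOURCE = "/Users"               # default Users Resource
FILTER_TEMPLATE = 'username Eq "%s"'    # default User Filter Expression
SCIM_JSON = "application/scim+json"

def _endpoint(base_url, token):
    """Refuse to attach the bearer token to anything but an HTTPS URL."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("SCIM base URL must use https")
    headers = {"Authorization": "Bearer " + token, "Accept": SCIM_JSON}
    return base_url.rstrip("/") + USERS_RESOURCE, headers

def lookup_request(base_url, token, user_name):
    """GET /Users?filter=... for one userName (the User Identifier)."""
    url, headers = _endpoint(base_url, token)
    # SCIM filter literals follow JSON string escaping (RFC 7644, 3.4.2.2),
    # so a quote in the value cannot terminate the literal early.
    literal = json.dumps(user_name, ensure_ascii=False)[1:-1]
    query = quote(FILTER_TEMPLATE % literal, safe="")
    return "GET", url + "?filter=" + query, headers, None

def disable_request(base_url, token, scim_id):
    """Remove Action = Disable: set active to false instead of DELETE."""
    url, headers = _endpoint(base_url, token)
    headers["Content-Type"] = SCIM_JSON
    body = {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }
    return "PATCH", url + "/" + quote(scim_id, safe=""), headers, json.dumps(body)

def redact(headers):
    """Copy of the headers that is safe to write to a log."""
    return {k: "<redacted>" if k == "Authorization" else v
            for k, v in headers.items()}

if __name__ == "__main__":
    for req in (lookup_request(BASE_URL, "constructed-token", 'j"doe'),
                disable_request(BASE_URL, "constructed-token", "constructed-id-1")):
        method, url, headers, body = req
        print(method, url, redact(headers), body)
```

Log only the output of `redact`, because the OAuth access token in the Authorization header grants write access to the Code42 user store.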
Creating a provisioning rule in PingOne
Before you begin
Complete the Creating a provisioning connection in PingOne procedure.
About this task
Create a provisioning rule and assign the provisioning connection that you created in the previous procedure as the Target connection.
To create a provisioning rule:
Steps
- Go to Integrations → Provisioning.
- Click , then New Rule.
- Enter a name and description for the rule, and then click Create Rule.
  Description is an optional field.
- On the Configuration tab, assign a target connection:
  - Click Target.
  - In the Available Connections section, in the row for the provisioning connection that you created in the previous procedure, click to add it as the target connection.
    You can add a disabled connection to the target, but you must enable the connection before you can enable the associated rule.
    Result: PingOne is automatically selected as the Source connection.
- Click Save.
  Result: The rule’s name appears in the list on the Rules tab.
- To enable the new rule, in its details pane, click the toggle.
Configuring a user filter on the provisioning rule
About this task
Configure a user filter on the provisioning rule that you created in the Creating a provisioning rule in PingOne procedure to specify which PingOne user populations to provision to Code42:
Steps
- On the Configuration tab of the provisioning rule, click User Filter.
- Click the Pencil icon to edit the filter.
- Define the filter that determines which identities to provision to Code42.
  For more information, see adding a user filter and example user filters.
  - Enter the first condition:
    - All: Select All or Any to determine how to evaluate the linked conditions. All functions as the boolean logical operator AND.
    - Any: Select All or Any to determine how to evaluate the linked conditions. Any functions as the boolean logical operator OR.
    - Attribute: The user attribute to filter by. Use the Population Name attribute.
    - Operator: The operator determines the context of the attribute and its value. Equals is the only operator supported at this time.
    - Value: Enter an appropriate value for the specified attribute.
      - For outbound provisioning rules, you must specify either a population or a group to define the users to be provisioned.
      - If you select a group in the filter, then updating or deleting the group can cause the provisioning rule to re-sync.
      - If you select a group in the filter, the filter includes all users with any kind of membership in the group, whether direct, dynamic membership based on a user filter, or inherited from parent groups. For more information, see Groups.
  - Click Add to add more conditions or condition sets until you’ve specified all the PingOne user populations that you want to provision to Code42.
- Click Save.
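
The following added example (not PingOne code) models the All/Any evaluation described above so that you can preview which identities a filter would select before you enable the rule. The user records, the dictionary layout of conditions, and the helper names are constructed for illustration.

```python
# Constructed sample directory; the keys mirror the filter's attribute labels.
USERS = [
    {"Username": "alice", "Population Name": "Engineering"},
    {"Username": "bob", "Population Name": "Contractors"},
    {"Username": "carol", "Population Name": "Finance"},
]

def cond(value, attribute="Population Name", operator="Equals"):
    return {"attribute": attribute, "operator": operator, "value": value}

def cond_set(match, *conditions):
    return {"match": match, "conditions": list(conditions)}

def matches(node, user):
    """Evaluate one condition or a nested condition set against a user."""
    if "conditions" not in node:
        if node["operator"] != "Equals":
            raise ValueError("Equals is the only supported operator")
        return user.get(node["attribute"]) == node["value"]
    if node["match"] not in ("All", "Any"):
        raise ValueError("condition sets are evaluated with All or Any")
    if not node["conditions"]:
        # all([]) is True in Python; fail closed so an empty set
        # never selects the whole directory.
        raise ValueError("empty condition set")
    results = [matches(child, user) for child in node["conditions"]]
    return all(results) if node["match"] == "All" else any(results)

def provisioned(rule, users):
    """Usernames the rule would send to the target identity store."""
    return sorted(u["Username"] for u in users if matches(rule, u))

def out_of_scope(rule, users, approved_populations):
    """Users the rule selects from populations that were not approved."""
    return [u["Username"] for u in users
            if matches(rule, u)
            and u["Population Name"] not in approved_populations]

ANY_RULE = cond_set("Any", cond("Engineering"), cond("Finance"))
ALL_RULE = cond_set("All", cond("Engineering"), cond("Finance"))
WIDE_RULE = cond_set("Any", cond("Engineering"), cond("Contractors"))

if __name__ == "__main__":
    print(provisioned(ANY_RULE, USERS))   # OR of two populations
    print(provisioned(ALL_RULE, USERS))   # AND of two populations
    print(out_of_scope(WIDE_RULE, USERS, {"Engineering"}))
```

With this sample data, linking two Population Name conditions with All selects no one, because each sample user has a single population value, while Any selects the users of both populations.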
Configuring attribute mapping on the provisioning rule
About this task
Configure attribute mapping on the provisioning rule that you created in the Creating a provisioning rule in PingOne procedure to map the PingOne user attributes to the SCIM attributes in the Code42 identity store. For outbound provisioning, the mapping is applied to the attribute coming from the PingOne directory before it is saved to the target identity store.
To configure attribute mapping:
Steps
- On the Configuration tab of the provisioning rule, click Attribute Mapping.
- Click the Pencil icon to edit the mapping and confirm that the following default attributes are within the mapping.

  Default Code42 SCIM attributes

  | Code42 SCIM Attribute | PingOne PingOneUser Attribute |
  | --- | --- |
  | userName | Username |
  | givenName | Given Name |
  | familyName | Family Name |
  | workPhone | Primary Phone |
  | workEmail | Email Address |

  - If any of the default attributes are missing from the attribute mapping, add them. To add an attribute mapping, click Add, then select the source and target attribute.
    You must click Add for each attribute that you need to map.
    Learn more about configuring attribute mapping in Adding attribute mapping for outbound provisioning.
- Map the following Code42 SCIM attributes.

  Remaining Code42 SCIM attributes

  | Code42 SCIM Attribute | PingOne PingOneUser Attribute |
  | --- | --- |
  | externalId | External ID |
  | workCity | Locality |
  | workStreetAddeess | Street Address |
  | workCountry | Country Code |
  | workPostalCode | Postal Code |
  | userType | Type |
  | title | Title |
  | nickName | Nickname |
  | formattedName | Formatted |

- Click Save.