PingID SDK Provisioner

Configure provisioning

About this task

Configure PingFederate to provision users to PingID SDK.

You can follow these steps to create a new SP connection, or you can modify an existing connection.

Steps

  1. In the PingFederate administrator console, configure the data store that PingFederate will use as the source of user data. For instructions, see Datastores in the PingFederate documentation.

    • When targeting users and groups for provisioning, exclude the user account that you will use to administer users in your connection to PingID SDK. This prevents the PingFederate provisioning engine from interfering with the account that provisions users and groups.

  2. Enable provisioning.

    1. On the System → Protocol Settings → Roles & Protocols screen, select Enable Identity Provider (IdP) Role and Support the Following.

    2. Select Outbound Provisioning and SAML 2.0. Click Save.

  3. Create an SP connection with the PingID SDK quick connection template.

    1. On the Identity Provider screen, in the SP Connections area, click Create new.

    2. On the Connection Template screen, select Use a template for this connection.

    3. In the Connection Template list, select PingID SDK Connector. Click Next.

  4. On the Connection Type screen, clear Browser SSO Profiles and select Outbound Provisioning. Click Next.

  5. On the General Info screen, click Next.

  6. On the Outbound Provisioning screen, configure the provisioning target and channel.

    See Configuring outbound provisioning in the PingFederate documentation.

    1. Click Configure Provisioning.

    2. On the Target screen, complete the Application ID field with the value that you noted in Get information from the PingID SDK.

      PingFederate verifies the credentials when you activate the channel and SP connection.

    3. Complete the PingID SDK information by doing one of the following:

      • For PingFederate 9.0 and later: On the PingID SDK Properties line, click Choose File. Select the pingidsdk.properties file that you saved in Get information from the PingID SDK, and then click Open.

      • For PingFederate 8.x: Complete the required fields by copying and pasting the values from the pingidsdk.properties file that you saved in Get information from the PingID SDK.

    4. From the Primary Authentication Method Upon Creation list, select a primary authentication method to set when the connector provisions new users to PingID SDK.

      Users are prompted to authenticate using their primary device. If the user has no mapped attribute value (or an invalid value) for the selected method, the primary device pairing is set to the next valid attribute in this order: email 1, email 2, email 3, SMS 1, SMS 2, SMS 3, voice 1, voice 2, voice 3.

    5. Optional: Under Provisioning Options, enable the provisioning features that you want.

    6. In the Remove User Action list, select the deprovisioning action for users in PingID SDK. This action is triggered when a user in the data store is deleted, disabled, or no longer targeted for provisioning. Click Next.

    7. On the Manage Channels screen, create a channel. Click Done.

      See Managing channels in the PingFederate documentation.

      To set up synchronization, use the SP Connection → Configure Channels → Channel → Attribute Mapping screen to populate the Username attribute with a matching attribute from the data store. See Synchronize existing users.

    8. On the Outbound Provisioning screen, click Next.

  7. On the Activation and Summary screen, above the Summary section, turn on the connection. Click Save.
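
The fallback rule in step 6.4 can be checked against data store records before the channel is activated, so that users who would not be paired with the selected primary method are known in advance. The following Python script is an added example, not Ping Identity code. It assumes the validity patterns shown, the constructed sample records, and that after the selected method fails the walk restarts at the top of the documented order.

```python
import re

# Fallback order quoted from step 6.4 of this page.
FALLBACK_ORDER = ["email 1", "email 2", "email 3",
                  "SMS 1", "SMS 2", "SMS 3",
                  "voice 1", "voice 2", "voice 3"]

# Assumption: stand-in validity rules; the product's own validation is not given on this page.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")  # E.164-style number

def is_valid(method, value):
    if not value:
        return False
    pattern = EMAIL_RE if method.startswith("email") else PHONE_RE
    return bool(pattern.match(value.strip()))

def resolve_primary(selected, attrs):
    """Return the method the primary pairing would land on, or None."""
    if is_valid(selected, attrs.get(selected)):
        return selected
    # Assumption: the walk restarts at the top of the documented order.
    for method in FALLBACK_ORDER:
        if method != selected and is_valid(method, attrs.get(method)):
            return method
    return None

def audit(selected, users):
    """Map username -> (resolved method, finding) for users who miss the selected method."""
    findings = {}
    for name, attrs in users.items():
        resolved = resolve_primary(selected, attrs)
        if resolved is None:
            findings[name] = (None, "no valid attribute for any method")
        elif resolved != selected:
            findings[name] = (resolved, "falls back from " + selected)
    return findings

# Constructed sample records, keyed by the method names used on this page.
SAMPLE_USERS = {
    "alice": {"SMS 1": "+14155550100", "email 1": "alice@example.com"},
    "bob": {"SMS 1": "555-0100", "email 2": "bob@example.com"},
    "carol": {"SMS 1": "", "voice 2": "+442071838750"},
    "dave": {"email 1": "not-an-address"},
}

if __name__ == "__main__":
    for user, (method, note) in audit("SMS 1", SAMPLE_USERS).items():
        print(user, method, note)
```

Users reported with no valid attribute for any method are the ones to correct in the data store before turning on the connection.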