PingOne

Provisioning options reference

The PingOne Integration Kit allows you to enable actions independently and customize other provisioning options.

Field Name Description

Region

Determines the PingOne API that the provisioning engine communicates with.

Select the region that appears on Settings > Environment > Properties in PingOne.

User Create
Selected (default)

PingFederate creates users in PingOne.

Cleared

PingFederate doesn’t create users in PingOne.

User Update
Selected (default)

PingFederate updates existing users in PingOne.

Cleared

PingFederate does not update existing users in PingOne.

User Disable / Delete
Selected (default)

PingFederate disables or deletes users in PingOne.

PingFederate can only re-enable a user if User Update is selected.
Cleared

PingFederate does not disable or delete users in PingOne.

Provision Disabled Users

This option applies when the User Create option is selected, and the provisioning engine targets a user in the datastore that has a "disabled" status.

Selected (default)

PingFederate creates the user in PingOne with a "disabled" status.

Cleared

PingFederate does not create the user in PingOne.

If any of the above options are cleared, PingFederate logs a warning in the user workflow section of the provisioner.log when the related action fails.

Remove User Action

This option applies when User Disable / Delete is selected, and either:

  • A previously provisioned user no longer meets the condition set on the Source Location screen.

  • A user has been disabled or deleted from the datastore.

Disable (default)

PingFederate disables the user in PingOne.

Delete

PingFederate deletes the user from PingOne.

MFA User Device Management

If you are using the PingOne MFA service, this setting controls how PingFederate manages user devices:

Merge with devices in PingOne (default)

When a device is added in the datastore, PingFederate adds it to the user’s existing devices in PingOne. PingFederate does not remove any devices added in PingOne by other sources.

When an email or SMS device is updated in the datastore, and the value does not exist in PingOne, PingFederate adds it as a new device.

PingOne accepts a maximum of five authentication methods per user by default. This maximum can be adjusted in the PingOne settings. If adding a new device hits this limit, PingFederate logs the "User Device Limit Exceeded" error. It does not try to add the device again until the user is updated.
Overwrite devices in PingOne

When a device is added or removed in the datastore, PingFederate overwrites the user’s devices in PingOne with those from the datastore.

If a device in PingOne does not exist in the datastore, PingFederate removes it from PingOne.

If a device in the datastore does not exist in PingOne, PingFederate adds it in PingOne.

Default Authentication Method for New Users

Select a default authentication method to set when the connector provisions new users to PingOne:

Users are prompted to authenticate using their default device. If the user has no mapped attribute value (or an invalid value) for the selected method, the primary device pairing is set to the next valid attribute in this order: Email 1, Email 2, Email 3, SMS 1, SMS 2, SMS 3, Voice 1, Voice 2, Voice 3.

PingFederate attempts to provision all the user’s valid MFA devices, which might result in the user not having the selected method as their default device.