PingOne

User and group management

The PingOne Integration Kit synchronizes users and groups from your datastore to PingOne. The behavior of each provisioning capability is described below.

You can configure these capabilities in the Creating a provisioning connection step of the setup process.

Synchronizing existing users

PingFederate synchronizes users based on the Username attribute in PingOne. If a user already exists in your datastore and PingOne, mapping this attribute correctly links the two records together.

For example:

  • In PingOne, Janet’s Username is jsmith.

  • In your datastore, Janet’s sAMAccountName is jsmith.

  • On the Attribute Mapping tab of your provisioning connection configuration, you map the Username attribute to sAMAccountName.

  • When the provisioning connector runs, the datastore user is provisioned with a Username of jsmith. That matches Janet’s existing Username in PingOne, so her information in the datastore is synchronized to her PingOne account.

You can map the matching data store attribute when you configure your channel in Creating a provisioning connection.

User provisioning

PingFederate provisions users when one of the following happens:

  • A user is added to the datastore group or filter that is targeted by the provisioning connector.

  • A user with "disabled" status is added to the datastore group or filter that is targeted by the provisioning connector, and the Provision disabled users provisioning option is enabled.

The Source Location tab of your provisioning connection configuration defines which users PingFederate targets for provisioning.

User updates

PingFederate updates users when a user attribute changes in your datastore.

The Attribute Mapping tab of your provisioning connection configuration defines which attributes PingFederate monitors for changes.

User deprovisioning (disabling)

PingFederate deprovisions users when one of the following happens:

  • A user is deleted from the user store.

  • A user is disabled in the user store.

  • A user is removed from the datastore group or filter that is targeted by the provisioning connector.

Synchronizing existing groups

PingFederate synchronizes groups from the datastore to the target service based on the group name.

For example:

  • In PingOne, there is a group is named Accounting.

  • In your datastore, there is a group with a CN of Accounting.

  • When the provisioning connector runs, the two groups are synchronized.

Group provisioning

PingFederate provisions groups when a group is added to the datastore filter that is targeted by the provisioning connector.

The Source Location tab in your provisioning connection configuration defines which groups PingFederate targets for provisioning and monitors for changes.

Group name updates

PingFederate renames groups when they are renamed in the datastore.

Group membership updates

PingFederate updates group memberships when memberships change in the datastore, whether the change is in the group’s properties or a user’s properties.

Group memberships in the datastore overwrite the group memberships in PingOne.

Group deletion

PingFederate deletes groups when any of the following happen:

  • The group is deleted in the datastore.

  • The group is removed from the datastore group or filter that is targeted by the provisioning connector.

Group deletions are permanent and cannot be undone.