PingFederate Server

Provisioning for SPs

User provisioning is an important aspect of identity federation. When organizations enable SSO for their users, they must ensure that some form of account synchronization is in place. The automated user provisioning features in PingFederate free administrators from having to devise a manual strategy for this.

When configured as an SP, PingFederate offers two provisioning options: inbound provisioning or just-in-time (JIT) provisioning.

Inbound provisioning

SCIM inbound provisioning provides support for incoming SCIM messages containing requests to create, read, update, delete, or deactivate user and group records in Microsoft Active Directory datastores or, through the identity store provisioners, in custom user stores. PingFederate supports SCIM attributes in the core schema and custom attributes through a schema extension. This feature can be configured by itself or in conjunction with SSO or other connection types.

In effect, inbound provisioning gives an organization a dedicated SCIM service provider, which routes user-management requests to the organization’s centralized user store. The requests usually originate from trusted applications within the organization, such as a human-resources onboarding software as a service (SaaS) product, or from a trusted partner.

Learn more about configuration in Configuring SCIM inbound provisioning.

Learn more about integrating inbound provisioning with custom user stores in Configuring Identity Store Provisioners.

Learn more about application development using PingFederate endpoints for SCIM provisioning in SCIM inbound provisioning endpoints.
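The inbound flow described above is easiest to see with a concrete SCIM User resource. The following added example (not PingFederate code) validates a constructed SCIM 2.0 create request that uses the core User schema plus the standard enterprise extension, and maps it to the Active Directory attributes a provisioner would write; the SCIM-to-AD attribute mapping is a hypothetical one chosen for this example, and a deactivate request (active: false) is reflected in userAccountControl.

```python
import json

SCIM_USER_CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_USER_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Hypothetical SCIM-to-AD attribute mapping for this example (not PingFederate's built-in mapping).
# Each key is the path of a SCIM attribute; extension attributes are nested under their schema URN.
AD_ATTRIBUTE_MAP = {
    ("userName",): "sAMAccountName",
    ("name", "givenName"): "givenName",
    ("name", "familyName"): "sn",
    ("displayName",): "displayName",
    (SCIM_USER_ENTERPRISE, "department"): "department",
}

def validate_scim_user(payload: dict) -> list:
    """Return the list of problems found in an incoming SCIM User resource (empty means OK)."""
    problems = []
    schemas = payload.get("schemas", [])
    if SCIM_USER_CORE not in schemas:
        problems.append("schemas must include the core User schema")
    if not payload.get("userName"):
        problems.append("userName is required")
    # Every extension used as a top-level key must be declared in 'schemas'
    for key in payload:
        if key.startswith("urn:") and key not in schemas:
            problems.append("undeclared schema extension: " + key)
    return problems

def to_ad_record(payload: dict) -> dict:
    """Translate a validated SCIM User into the AD attributes a provisioner would write."""
    record = {}
    for path, ad_attr in AD_ATTRIBUTE_MAP.items():
        value = payload
        for part in path:
            value = value.get(part) if isinstance(value, dict) else None
        if value is not None:
            record[ad_attr] = value
    # SCIM 'active: false' is how a deactivate request arrives; AD expresses it through
    # userAccountControl (512 = normal enabled account, 514 = normal account + disabled flag).
    record["userAccountControl"] = 512 if payload.get("active", True) else 514
    return record

# Constructed sample request body, as an HR system might POST to the SCIM /Users endpoint
SAMPLE_CREATE = json.loads("""{
  "schemas": ["%s", "%s"],
  "userName": "jsmith",
  "name": {"givenName": "Jane", "familyName": "Smith"},
  "displayName": "Jane Smith",
  "active": true,
  "%s": {"department": "Finance"}
}""" % (SCIM_USER_CORE, SCIM_USER_ENTERPRISE, SCIM_USER_ENTERPRISE))

if __name__ == "__main__":
    print(validate_scim_user(SAMPLE_CREATE))
    print(to_ad_record(SAMPLE_CREATE))
```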

Just-in-time provisioning

At an SP site, PingFederate creates and updates local user accounts in an external LDAP directory or Microsoft SQL Server as part of SSO processing; this is called just-in-time (JIT) provisioning (formerly express provisioning). When local accounts are required, this feature lets SPs maintain accounts for users who authenticate through IdP partners without having to provision those accounts manually.

When configured, the PingFederate SP server writes user information to the local user store using attributes from the incoming SAML assertion. For SAML 2.0 partner connections, the assertion attributes can be supplemented with user attributes returned from an attribute query.

PingFederate can also update existing user accounts based on assertions. With this option enabled, PingFederate adds or overwrites attributes of the local user account each time it processes SSO for that user.

Learn more about enabling JIT provisioning in Choosing IdP connection options.

Learn more about configuration in Configuring just-in-time provisioning.