Provisioning for SPs

include::partial$pf_rc_sciminboundprovisioning_intro.adoc[tags=pf_p_scimInboundProvisioning_intro]In effect, inbound provisioning provides an organization with a dedicated SCIM service provider, which routes user-managment requests to an organization’s centralized user store. The requests usually originate from trusted applications within an organization, such as a human-resources on-boarding software as a service (SaaS) product, or from trusted partner identity providers (IdPs).

For setup information, see Configuring SCIM inbound provisioning. To integrate inbound provisioning with custom user stores, see Configuring Identity Store Provisioners. For application-development information about using PingFederate endpoints for SCIM provisioning, see SCIM inbound provisioning endpoints.

At an SP site, PingFederate creates and updates local user accounts in an external LDAP directory or Microsoft SQL Server as part of SSO processing, called Just-in-time (JIT) provisioning or, formerly, Express Provisioning. When provisioning requires local accounts, this feature allows SPs to maintain accounts for users who authenticate through IdP partners without having to provision accounts manually.

When configured, the PingFederate SP server writes user information to the local user store using attributes from the incoming SAML assertion. For SAML 2.0 partner connections, supplement assertion attributes with user attributes returned from an Attribute Query.

PingFederate also updates existing user accounts based on assertions. Using this option, PingFederate adds or overwrites attributes for a local user account each time PingFederate processes SSO for a user.

For information about enabling JIT Provisioning, see Choosing IdP connection options. For configuration information, see Configuring just-in-time provisioning.