--- title: Specifying a source location description: On the Source Location tab, you can specify where PingFederate should look for user records in the datastore. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_specifying_source_location canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_specifying_source_location.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: May 12, 2026 page_aliases: ["help_saaschanneltasklet_saassourcelocationstate.adoc"] section_ids: about-this-task: About this task steps: Steps --- # Specifying a source location On the **Source Location** tab, you can specify where PingFederate should look for user records in the datastore. ## About this task You can also use this location to retrieve user and group distinguished names (DNs) *(tooltip: \
\

A name uniquely identifying an object within the hierarchy of a directory tree.\

\
)* for maintaining corresponding groups at the service provider (SP) *(tooltip: \
\

In SAML, an entity that receives and accepts an authentication assertion issued by an IdP, typically for the purpose of allowing access to a protected resource.\

\
)*. ![Screen capture illustrating the Source Location tab in the administrative console.](_images/lyu1564003445267.jpg) After you specify the required base DN, you can provision users and groups when applicable, based on group membership information or Lightweight Directory Access Protocol (LDAP) *(tooltip: \
\

An open, cross platform protocol used for interacting with directory services.\

\
)* search results. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Group provisioning is supported for System for Cross-domain Identity Management (SCIM) *(tooltip: \
\

An application-level, HTTP-based protocol for provisioning and managing user identity information. SCIM supplies a common schema for representing users and groups and provides a REST API.\

\
)* and the Google Apps Connector (version 2.0 and higher) but might not be supported for other software as a service (SaaS) connectors. If not supported, the associated fields under **Groups** on the **Source Location** tab are inactive. Support for the feature might become available in future SaaS Connector releases. See the documentation in your add-on distribution package. | ## Steps 1. Go to **Applications > Integration > SP Connections > Configure Channels > Channel**. In the **Base DN** field, enter the base DN where user records are stored. PingFederate looks only at this node level, or below it, for user accounts and groups (when applicable) that need to be provisioned based on the conditions set in the next step. 2. Specify group membership information or an LDAP filter to search for users and groups (when applicable) to provision. The following table describes the available fields: | Object | Field description | | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Users** | **Group DN**The DN of a group in the user repository whose member users should be provisioned.Optionally, select the **Nested Search** checkbox to include users that are members of the specified group through nested group membership. Nested group membership is preserved for SCIM provisioning, and SaaS provisioning if the vendor and the SaaS connectors support hierarchical structure in groups. The Nested Search feature is available when PingDirectory, Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server is selected as the source user repository. For more information, refer to Identifying the source datastore.**Filter**An LDAP search filter that returns user objects representing the users to be provisioned.Learn more about LDAP filters in your LDAP documentation. You might need to escape any special characters. The Group DN field is ignored when a Filter value is configured.If you are using Active Directory, the filter must include `objectClass=user` for the provisioner to retrieve users. | | **Groups** (when applicable) | **Group DN**The DN of the group in the user repository to be provisioned.Optionally, select the **Nested Search** checkbox to include groups that are members of the specified group through nested group membership. Nested group membership is preserved for SCIM provisioning, and SaaS provisioning if the vendor and the SaaS connectors support hierarchical structure in groups. The Nested Search feature is available when PingDirectory, Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server is selected as the source user repository. You can find more information in Identifying the source datastore.**Filter**An LDAP search filter that returns group objects representing the groups to be provisioned.Learn more about LDAP filters in your LDAP documentation. You might need to escape any special characters. The Group DN field is ignored when a Filter value is configured. If both the Group DN field and the Filter field are blank, no groups are provisioned. | 3. Click **Next**.