---
title: Provisioning for SPs
description: User provisioning is an important aspect of identity federation. When organizations enable single sign-on (SSO) for their users, they must ensure that some form of account synchronization is in place. Automated user provisioning features within PingFederate free administrators from having to devise a manual strategy for this.
component: pingfederate
version: 13.1
page_id: pingfederate:introduction_to_pingfederate:pf_provis_for_sp
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/introduction_to_pingfederate/pf_provis_for_sp.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: April 23, 2025
section_ids:
  inbound-provisioning: Inbound provisioning
  just-in-time-provisioning: Just-in-time provisioning
---

# Provisioning for SPs

User provisioning is an important aspect of identity federation. When organizations enable single sign-on (SSO) for their users, they must ensure that some form of account synchronization is in place. Automated user provisioning features within PingFederate free administrators from having to devise a manual strategy for this.

When configured as a service provider (SP), PingFederate offers two provisioning options: inbound provisioning or just-in-time (JIT) provisioning.

## Inbound provisioning

System for Cross-domain Identity Management (SCIM) inbound provisioning provides support for incoming SCIM messages containing requests to create, read, update, delete, or deactivate user and group records in Microsoft Active Directory datastores or custom user stores through the identity store provisioners. PingFederate supports SCIM attributes in the core schema and custom attributes through a schema extension. You can configure this provisioning feature by itself or in conjunction with SSO or other connection types.

In effect, inbound provisioning provides an organization with a dedicated SCIM service provider, which routes user-management requests to an organization's centralized user store. The requests usually originate from trusted applications within an organization, such as a human-resources onboarding software as a service (SaaS) product, or from a trusted partner identity provider (IdP).

Learn more about configuration in [Configuring SCIM inbound provisioning](../administrators_reference_guide/help_idpconnectionconfigtasklet_inboundprovisioningstate.html).

Learn more about integrating inbound provisioning with custom user stores in [Configuring Identity Store Provisioners](../administrators_reference_guide/help_identitystoreprovisionermanagementtasklet_identitystoreprovisionermanagementstate.html).

Learn more about application development using PingFederate endpoints for SCIM provisioning in [SCIM 1.1 inbound provisioning endpoints](../developers_reference_guide/pf_scim_11_inbound_provisioning_endpoints.html).

## Just-in-time provisioning

At an SP site, PingFederate creates and updates local user accounts in an external LDAP directory or Microsoft SQL Server as part of SSO processing. This is called just-in-time (JIT) provisioning or, formerly, express provisioning. When provisioning requires local accounts, this feature allows SPs to maintain accounts for users who authenticate through IdP partners without having to provision accounts manually.

When configured, the PingFederate SP server writes user information to the local user store using attributes from the incoming SAML assertion. For SAML 2.0 partner connections, supplement assertion attributes with user attributes returned from an attribute query.

PingFederate also updates existing user accounts based on assertions. Using this option, PingFederate adds or overwrites attributes for a local user account each time PingFederate processes SSO for a user.
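The create-then-overwrite behavior described above can be modeled in a few lines. This is an added example, not PingFederate code or configuration: the attribute names, the `ATTRIBUTE_MAP` mapping, the in-memory `store`, and the function names are all assumptions, and the assertion is taken to have passed signature and condition checks already.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: subject and attributes of an already-validated SAML 2.0 assertion.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jdoe@partner.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@partner.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping: assertion attribute -> local account field.
# Anything the IdP asserts that is not listed here is never written locally.
ATTRIBUTE_MAP = {"mail": "email", "department": "dept"}

def assertion_attributes(xml_text):
    """Return (subject, {attribute name: first value}) from the assertion."""
    root = ET.fromstring(xml_text)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        if value is not None:
            attrs[attr.get("Name")] = value
    return subject, attrs

def jit_provision(store, xml_text, update_existing=True):
    """Create the account on first SSO; on later SSO overwrite mapped fields."""
    subject, attrs = assertion_attributes(xml_text)
    if not subject:
        raise ValueError("assertion has no subject")
    mapped = {ATTRIBUTE_MAP[k]: v for k, v in attrs.items() if k in ATTRIBUTE_MAP}
    if subject not in store:
        store[subject] = mapped
        return "created"
    if not update_existing:
        return "unchanged"
    store[subject].update(mapped)  # mapped fields are overwritten, others kept
    return "updated"

if __name__ == "__main__":
    users = {}
    print(jit_provision(users, SAMPLE_ASSERTION), users)
```

With updates enabled, a locally edited `dept` value is replaced on the next SSO, while the unmapped `role` attribute never reaches the store. This is why the attribute mapping deserves review whenever local fields drive authorization.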

Learn more about enabling JIT Provisioning in [Choosing IdP connection options](../administrators_reference_guide/help_idpconnectionconfigtasklet_connectionoptionsstate.html).

Learn more about configuration in [Configuring just-in-time provisioning](../administrators_reference_guide/help_idpconnectionconfigtasklet_userprovisioningstate.html).
