PingOne

Just-in-time provisioning of external groups

PingOne can provision group membership from an external source, such as an identity provider (IdP) or Lightweight Directory Access Protocol (LDAP) gateway. Just-in-time (JIT) group provisioning occurs as part of the authentication process.

External IdPs

If the IdP includes group membership information in its Security Assertion Markup Language (SAML) assertions, ID tokens, or UserInfo responses, you can map this information into PingOne. You can populate the information one time or every time the user signs on.

LDAP gateway

When defining a user type, you can map group membership information into PingOne. By default, PingOne populates this information one time. When you enable the Update PingOne user attributes as users sign on option, user attributes update each time a user signs on successfully through the LDAP gateway client.

Because Kerberos authentication is a cloud-only operation, users who authenticate with the Kerberos protocol do not trigger an update of their user records.

Learn more about updating group membership through LDAP gateways during sign on in Adding a user type.

Limitations

The following are known limitations to JIT group provisioning:

  • (LDAP gateway only) When a group is nested inside another group, and a user is a member of the nested group but not the parent group, PingOne provisions only the nested group based on direct group membership.

    For example, there are two groups: group A (the parent group) and group B (the nested group). If a user is a member of group B (Group A → Group B → User), provisioning only occurs for group B (the nested group), not group A (the parent group).

  • You can’t change the Group Display Name in PingOne.

  • If a group name is changed, PingOne considers it a new group. The user is removed from the old group and added to the new group.

  • If a user was provisioned to a group in PingOne, you can manually remove the user from the group in PingOne. However, the JIT provisioning feature might add them back to the group later if they were not also removed at the external source.

  • Users cannot be added to an external group directly from PingOne.
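The following simulation, added here and not part of PingOne or its documentation, models the rules above so an administrator can see which parent groups will never reach PingOne and what one sign-on with attribute updates enabled does to a manually edited or renamed group. It assumes a simplified model in which nesting and direct memberships at the external source are plain dicts; the group and user names are constructed.

```python
"""Simulation of the JIT group-provisioning rules listed above.

Added example, not PingOne code. Assumption: one successful sign-on with
attribute updates enabled replaces the user's PingOne group set with the
source's direct groups (renamed groups counting as new groups).
"""

# Constructed sample data: Group A (parent) contains Group B (nested).
NESTING = {"Group A": {"Group B"}}                   # parent -> child groups
DIRECT = {"alice": {"Group B"}, "bob": {"Group A"}}  # user -> groups assigned directly


def effective_groups(user, direct=DIRECT, nesting=NESTING):
    """Membership as the source sees it: direct groups plus every enclosing parent."""
    groups = set(direct.get(user, ()))
    changed = True
    while changed:  # keep climbing until no new parent is reached
        changed = False
        for parent, children in nesting.items():
            if parent not in groups and children & groups:
                groups.add(parent)
                changed = True
    return groups


def jit_provisioned_groups(user, direct=DIRECT):
    """What JIT provisioning writes into PingOne: direct membership only."""
    return set(direct.get(user, ()))


def provisioning_gap(user):
    """Parent groups that PingOne policies cannot rely on for this user."""
    return effective_groups(user) - jit_provisioned_groups(user)


def next_sign_on(pingone_groups, source_direct_groups, renamed=None):
    """One successful sign-on with attribute updates enabled.

    renamed maps old -> new group names at the source; a renamed group is a
    new group, so the user leaves the old one and joins the new one.
    Returns (groups after sign-on, groups added, groups removed).
    """
    renamed = renamed or {}
    after = {renamed.get(g, g) for g in source_direct_groups}
    added = after - set(pingone_groups)     # manual removals in PingOne are undone
    removed = set(pingone_groups) - after   # old names of renamed groups drop off
    return after, added, removed
```

Running `provisioning_gap("alice")` reports Group A, the parent that direct-membership provisioning skips, and `next_sign_on(set(), {"Group B"})` shows a manually removed group returning on the next sign-on unless the membership was also removed at the source.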