---
title: Just-in-time provisioning of external groups
description: You can use just-in-time provisioning of external groups in PingOne.
component: pingone
page_id: pingone:directory:p1_provision_external_groups
canonical_url: https://docs.pingidentity.com/pingone/directory/p1_provision_external_groups.html
revdate: July 12, 2024
section_ids:
  external-idps: External IdPs
  ldap-gateway: LDAP gateway
  limitations: Limitations
  related-information: Related information
---

# Just-in-time provisioning of external groups

PingOne can provision group membership from an external source, such as an identity provider (IdP) or Lightweight Directory Access Protocol (LDAP) gateway. Just-in-time (JIT) group provisioning occurs as part of the authentication process.

These groups are labeled with a **Just-in-time** badge on the **Groups** page.

> **Note:** JIT group provisioning that occurs during the authentication process is not the same thing as provisioning that's configured in the **Provisioning** page of the PingOne admin console. Learn more in [Provisioning](../integrations/p1_provisioning.html).

## External IdPs

If the IdP includes group membership information in its Security Assertion Markup Language (SAML) assertions, ID tokens, or `UserInfo` responses, you can map this information into PingOne. You can populate the information one time or every time the user signs on.

Groups created through an external IdP are labeled with both the **Just-in-time** badge and an **External IdP** badge.

## LDAP gateway

When defining a user type, you can map group membership information into PingOne. By default, PingOne populates this information one time. When you enable the **Update PingOne user attributes as users sign on** option, user attributes update each time a user signs on successfully through the LDAP gateway client.

Groups created through an LDAP gateway are labeled with both the **Just-in-time** badge and an **LDAP Gateway** badge.

> **Note:** Because Kerberos authentication is a cloud-only operation, users authenticating with the Kerberos protocol will not trigger an update in their user records.

Learn more about updating group membership through LDAP gateways during sign on in [Adding a user type](../integrations/p1_add_a_user_type.html).

## Limitations

The following are known limitations to JIT group provisioning:

* (LDAP gateway only) When a group is nested inside another group, and a user is a member of the nested group but not the parent group, PingOne provisions only the nested group based on direct group membership.

  For example, there are two groups: group A (the parent group) and group B (the nested group). If a user is a member of group B (Group A → Group B → User), provisioning only occurs for group B (the nested group), not group A (the parent group).

* You can't change the **Group Display Name** in PingOne.

* If a group name is changed, PingOne considers it a new group. The user is removed from the old group and added to the new group.

* If a user was provisioned to a group in PingOne, you can manually remove the user from the group in PingOne. However, the JIT provisioning feature might add them back to the group later if they were not also removed at the external source.

* Users cannot be added to an external group directly from PingOne.
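The following is an added example, not PingOne's own code: a small Python model of the behaviours described in the External IdPs, LDAP gateway and Limitations sections (one-time versus every-sign-on population, direct-membership-only provisioning, a renamed group treated as a new group, and a manually removed membership returning on the next sign-on). The `JitUser`, `reconcile_jit_groups`, `manual_remove` and `demo` names and the group names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class JitUser:
    """Constructed model of one PingOne user's JIT-provisioned group set."""
    username: str
    jit_groups: set[str] = field(default_factory=set)
    provisioned_once: bool = False

def reconcile_jit_groups(user: JitUser, external_groups: list[str],
                         update_on_signon: bool) -> dict[str, list[str]]:
    """Apply the group list carried by one sign-on (SAML assertion, ID token,
    UserInfo response, or LDAP gateway lookup) to the user.

    Rules modelled from the page (hypothetical implementation):
    - groups are mapped one time unless update-on-sign-on is enabled;
    - only directly listed groups count (a parent of a nested group is not inferred);
    - a renamed group is a new group: old name removed, new name added;
    - a membership removed by hand in PingOne comes back if the source still lists it.
    Returns the changes so an operator can log or alert on them.
    """
    if user.provisioned_once and not update_on_signon:
        return {"added": [], "removed": []}
    incoming = set(external_groups)
    added = sorted(incoming - user.jit_groups)
    removed = sorted(user.jit_groups - incoming)
    user.jit_groups = incoming
    user.provisioned_once = True
    return {"added": added, "removed": removed}

def manual_remove(user: JitUser, group: str) -> None:
    """An admin removing the user from a JIT group in the PingOne console."""
    user.jit_groups.discard(group)

def demo() -> list[dict[str, list[str]]]:
    """Walk through the page's scenarios; returns the per-sign-on change records."""
    u = JitUser("alice")  # constructed sample user
    log = []
    # First sign-on: alice is a direct member of group B only (Group A -> Group B -> alice),
    # so only Group B is provisioned, never the parent Group A.
    log.append(reconcile_jit_groups(u, ["Group B"], update_on_signon=True))
    # An admin manually removes alice from Group B, but the source still lists it:
    # the next sign-on adds it back.
    manual_remove(u, "Group B")
    log.append(reconcile_jit_groups(u, ["Group B"], update_on_signon=True))
    # Group B is renamed at the source: treated as a new group (old removed, new added).
    log.append(reconcile_jit_groups(u, ["Group B-renamed"], update_on_signon=True))
    # With one-time population, later sign-ons change nothing.
    log.append(reconcile_jit_groups(u, ["Group C"], update_on_signon=False))
    return log
```

The returned change records are the events worth forwarding to a SIEM, since a membership that silently returns after a manual removal is the case the last limitation warns about.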

## Related information

Learn more in:

* [Mapping the group attribute from an LDAP gateway](../integrations/p1_map_group_attribute_gateway.html)

* [Mapping the group attribute from an external identity provider](../integrations/p1_map_group_attribute_external_idp.html)

* [Including external groups in an application](../applications/p1_include_external_groups_in_applications.html)

* [Managing administrator roles using external groups](../getting_started_with_pingone/p1_manage_admin_roles.html#p1-manage-roles-external-groups)
