PingOne

Creating an outbound provisioning rule (early access)

Create an outbound rule to define which users are provisioned and how attributes are mapped between PingOne and the external identity store.

If you are creating an outbound rule for a connection through an LDAP gateway, refer to Creating an outbound provisioning rule for a connection through an LDAP gateway (early access).

Before you begin

Make sure you have created a connection.

Not all provisioning connection types support inbound provisioning. Learn more in Provisioning.

You can add disabled connection to a source or target of a rule, but it must be enabled. Learn more in Connections.

Steps

  1. In the PingOne admin console, go to Integrations > Provisioning.

  2. Click and then click New Rule.

  3. For Sync Direction, select PingOne as Source.

  4. For Available Connections, click next to the appropriate connection to set it as the target and then click Continue.

  5. In the Rule Details panel, enter a Name and Description for the rule and then click Next.

  6. In the Directory Configuration panel:

    • For User Filter, click Add Condition and define which users to include in provisioning based on population or user attributes. Learn more in Example user filters.

      • Enter the first condition:

        • Select All or Any to determine how the linked conditions will be evaluated: Boolean logical AND or OR.

        • Attribute: The user attribute to filter on.

        • Operator: Equals is the only operator supported at this time.

        • Value: Enter the appropriate value.

          If you select a group in the filter, updating or deleting the group can cause the provisioning rule to resync.

          If you select a group in the filter, the filter will include all users with any kind of membership in the group. Learn more in Groups.

      • (Optional) Click Add + to add another condition or condition set.

      • To delete a condition, click the Delete icon.

    • For Groups, click Add Groups to select an existing group in outbound sync.

      • To search groups, enter a group name in the Search Group Name field.

      • To add groups, select a group in All Groups.

      • To remove a group, clear the checkbox for the group in All Groups.

      • To view provisioned groups, click Selected Groups.

      • To accept a merge or overwrite memberships when a group with the same name exists on the target, select the checkbox next to I understand and want to continue in the Merge Group Memberships or Overwrite Group Memberships modal.

        Merging or overwriting memberships applies only to SCIM, Slack, and GitHub EMU provisioning connections. Learn more in Creating a Slack connection, Creating a SCIM connection, and Creating a GitHub EMU connection.

  7. Click Next.

  8. In the Attribute Mapping panel, map attributes between the source and PingOne to ensure users are provisioned correctly.

    The default attributes are based on the directory type of the gateway used. For outbound provisioning, the RDN attribute defaults to cn for Active Directory.

    • To add an attribute mapping, click Add and enter the source and target attributes.

    • To use the expression builder, click the Gear icon. Learn more in Using the expression builder. You can also use list values in the expression builder to create advanced expressions, such as conditional statements.

      • Select values from the Expression list. Some attributes have metadata that define potential values.

        For example, for Salesforce attribute mapping, you can see a list of values from Salesforce in the form of an Expression list. In the expression builder, enter a single quote to see potential values.

        You can use a switch statement or an if-else statement to evaluate an expression based on a pattern match.

        For example, to match an accountId attribute, enter the following in the expression builder:

        #core.switchExpr(#root.accountId, '0000EXAMPLEID', 'Valid' , 'Invalid')

        For a switch statement with multiple cases and a match, enter the following in the expression builder:

        #core.switchExpr(#root.accountId, '0000EXAMPLEID1', 'Full Access', '0000EXAMPLEID2', 'Restricted Access' , '0000EXAMPLEID3', 'Read-only Access', 'No Access')

    • (Optional) For Salesforce, Salesforce Communities, and Salesforce Leads and Contacts, select the Update checkbox to include the attribute mapping in updates.

      The email attribute mapping is selected by default and included in updates.

    • To delete a mapping, click the Delete icon.

  9. Click Save.

  10. To enable the rule, click the toggle at the top of the details panel to the right (blue).

    You can disable the rule by clicking the toggle to the left (gray).

Result

The Sync Status appears and the rule is listed under Rules. Learn more about Sync status.

Example user filters early access

This section shows some example user filters to define users for provisioning.

Example 1

A filter that includes users from the USA and Canada. Include users that match the following:

Country Code Equals US

OR

Country Code Equals CA

A screen capture of a user filter that matches users from the US and Canada

Example 2

A filter that includes users from the following populations:

Population Name Equals Marketing

OR

Population Name Equals HR

A screen capture of a user filter that matches users from the Marketing and HR populations

Example 3

A filter that includes enabled users from the following populations:

Population Name Equals Marketing

OR

Population Name Equals HR

AND

Enabled Equals true

A screen capture of a user filter that matches enabled users from the Marketing and HR populations

Example 4

A filter that includes users from the Engineering and Marketing groups. Include users that match the following:

Group Names Contains Engineering

OR

Group Names Contains Marketing

A screen capture of a user filter that matches users from the Engineering and Marketing groups