Provisioning the PingOne connection with PingOne environments (early access)
The PingOne provisioning connection links two environments, either within the same organization or across different organizations. By integrating the PingOne connection with PingOne, you can automate the lifecycle of user identities and groups, ensuring that access between your source and target environments is synchronized.
Provisioning capabilities
| Resource | Capability | Description | Inbound | Outbound | ||
|---|---|---|---|---|---|---|
User |
Create |
Generates a new user record in the destination. |
Yes |
Yes |
||
Read |
Retrieves or polls user attributes for synchronization. |
Yes |
Yes |
|||
Update |
Modifies existing attributes, such as |
Yes |
Yes |
|||
Delete |
Deletes a user or temporarily suspends an account. |
Yes |
Yes |
|||
Group |
Create |
Provisions a new group in the target application.
|
No |
Yes |
||
Rename |
Updates the display name or identifier of an existing group. |
No |
Yes |
|||
Delete |
Removes a group from the target application. |
No |
Yes |
|||
Membership |
Add and remove |
Handles additions and removals of users within groups. |
No |
Yes |
Before you begin
Make sure that you have:
-
Administrator access to both the source and target PingOne environments in the same or cross organization.
-
The necessary API access and administrator approvals to test and confirm the connection works.
-
Created a worker application for OAuth authentication in the target PingOne environment and assign the following roles:
-
Environment Admin
-
Identity Data Admin
-
Identity Data Read Only
-
Organization Admin
-
-
The following PingOne configuration values required for OAuth or Token authentication:
-
Service URI
-
Environment ID
-
Authentication Method
-
Client ID
-
Client Secret
-
Token Endpoint
-
Grant Type
-
Authentication Token
-
-
Users assigned to a specific population or group in PingOne designated for provisioning. Learn more in Adding a user in PingOne and Managing groups.
Steps
-
Create a PingOne connection:
-
In the PingOne admin console, go to Integrations > Provisioning.
-
Click the Plus icon (+) and then click New Connection.
-
Click Select for Identity Store.
-
Click Select for the PingOne connection, and click Next.
-
In the Configure Authentication section, enter the following configurations that apply to your PingOne account:
-
Authentication Method: Select one of the following:
-
OAUTH: Enter the following:
Configuration Example Service URI
https://api.test-one-pingone.com/v1Environment ID
11111111-2222-3333-4444-555555555555Client ID
aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeeeClient Secret
example-client-secretToken Endpoint
https://auth.test-one-pingone.com/env_id/as/tokenGrant Type
client_credentials -
Token: Enter the Authentication Token, such as
example-authentication-token.
-
-
-
Click Test Connection to verify that PingOne can establish a connection.
Result:
If there are any issues with the connection, a Test Connection Failed modal opens. Click Next to resume the setup with an invalid connection.
You can’t use the connection for provisioning until you’ve established a valid connection. If the connection fails, click Cancel in the Test Connection Failed modal, verify that you have entered the configuration details in step e correctly, and try again.
-
Click Next.
-
In the User Actions section, select the following as needed:
Field Description Enable users creation
Creates a user in the target identity store when the user is created in the source identity store.
Enable users updation
Updates user attributes in the target identity store when the user is updated in the source identity store.
If Enable users updation is selected, you can choose to select Enable users disable, which disables a user in the target identity store when the user is disabled in the source identity store.
Enable users deprovision
Deprovisions a user in the target identity store when the user is deprovisioned in the source identity store. If Enable users deprovision is selected, the following options appear:
-
Remove Action: Removes or disables a user in the target identity store when the user is deleted in the source identity store. Select Delete or Disable.
Remove Action is only available if you select Enable users disable.
-
Deprovision on rule deletion: Deprovisions users if the associated provisioning rule is deleted.
-
-
Click Save.
-
To enable the connection, click the toggle at the top of the details panel to the right (blue).
You can disable the connection by clicking the toggle to the left (gray).
-
-
Create an inbound or outbound rule and select the existing PingOne connection as the target or source. You can optionally add attribute mappings.
Validation
Confirm users and groups are successfully provisioned to PingOne. View the sync status to review synchronization results and any errors. You can find examples in Outbound provisioning sync summary examples.
PingOne directory attributes
The following table lists common PingOne attributes that can be mapped for user provisioning:
| Attribute | Description |
|---|---|
|
The username value used for the target account. |
|
The email address mapped from PingOne Directory. |
|
Indicates whether the target user account is enabled. |
|
The user’s first name. |
|
The user’s last name. |
|
The unique identifier of the target population where users are provisioned. |