PingOne

Provisioning the PingOne connection with PingOne environments (early access)

The PingOne provisioning connection links two environments, either within the same organization or across different organizations. By integrating the PingOne connection with PingOne, you can automate the lifecycle of user identities and groups, ensuring that access between your source and target environments is synchronized.

Provisioning capabilities

Resource Capability Description Inbound Outbound

User

Create

Generates a new user record in the destination.

Yes

Yes

Read

Retrieves or polls user attributes for synchronization.

Yes

Yes

Update

Modifies existing attributes, such as job title.

Yes

Yes

Delete

Deletes a user or temporarily suspends an account.

Yes

Yes

Group

Create

Provisions a new group in the target application.

Only internal and native PingOne groups are supported for group provisioning.

No

Yes

Rename

Updates the display name or identifier of an existing group.

No

Yes

Delete

Removes a group from the target application.

No

Yes

Membership

Add and remove

Handles additions and removals of users within groups.

No

Yes

Before you begin

Make sure that you have:

  • Administrator access to both the source and target PingOne environments in the same or cross organization.

  • The necessary API access and administrator approvals to test and confirm the connection works.

  • Created a worker application for OAuth authentication in the target PingOne environment and assign the following roles:

    • Environment Admin

    • Identity Data Admin

    • Identity Data Read Only

    • Organization Admin

  • The following PingOne configuration values required for OAuth or Token authentication:

    • Service URI

    • Environment ID

    • Authentication Method

    • Client ID

    • Client Secret

    • Token Endpoint

    • Grant Type

    • Authentication Token

  • Users assigned to a specific population or group in PingOne designated for provisioning. Learn more in Adding a user in PingOne and Managing groups.

Steps

  1. Create a PingOne connection:

    1. In the PingOne admin console, go to Integrations > Provisioning.

    2. Click the Plus icon (+) and then click New Connection.

    3. Click Select for Identity Store.

    4. Click Select for the PingOne connection, and click Next.

    5. In the Configure Authentication section, enter the following configurations that apply to your PingOne account:

      • Authentication Method: Select one of the following:

        • OAUTH: Enter the following:

          Configuration Example

          Service URI

          https://api.test-one-pingone.com/v1

          Environment ID

          11111111-2222-3333-4444-555555555555

          Client ID

          aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee

          Client Secret

          example-client-secret

          Token Endpoint

          https://auth.test-one-pingone.com/env_id/as/token

          Grant Type

          client_credentials

        • Token: Enter the Authentication Token, such as example-authentication-token.

    6. Click Test Connection to verify that PingOne can establish a connection.

      Result:

      If there are any issues with the connection, a Test Connection Failed modal opens. Click Next to resume the setup with an invalid connection.

      You can’t use the connection for provisioning until you’ve established a valid connection. If the connection fails, click Cancel in the Test Connection Failed modal, verify that you have entered the configuration details in step e correctly, and try again.

    7. Click Next.

    8. In the User Actions section, select the following as needed:

      Field Description

      Enable users creation

      Creates a user in the target identity store when the user is created in the source identity store.

      Enable users updation

      Updates user attributes in the target identity store when the user is updated in the source identity store.

      If Enable users updation is selected, you can choose to select Enable users disable, which disables a user in the target identity store when the user is disabled in the source identity store.

      Enable users deprovision

      Deprovisions a user in the target identity store when the user is deprovisioned in the source identity store. If Enable users deprovision is selected, the following options appear:

      • Remove Action: Removes or disables a user in the target identity store when the user is deleted in the source identity store. Select Delete or Disable.

        Remove Action is only available if you select Enable users disable.

      • Deprovision on rule deletion: Deprovisions users if the associated provisioning rule is deleted.

    9. Click Save.

    10. To enable the connection, click the toggle at the top of the details panel to the right (blue).

      You can disable the connection by clicking the toggle to the left (gray).

  2. Create an inbound or outbound rule and select the existing PingOne connection as the target or source. You can optionally add attribute mappings.

Validation

Confirm users and groups are successfully provisioned to PingOne. View the sync status to review synchronization results and any errors. You can find examples in Outbound provisioning sync summary examples.

PingOne directory attributes

The following table lists common PingOne attributes that can be mapped for user provisioning:

Attribute Description

Username

The username value used for the target account.

Email

The email address mapped from PingOne Directory.

Enabled

Indicates whether the target user account is enabled.

Given Name

The user’s first name.

Family Name

The user’s last name.

Population ID

The unique identifier of the target population where users are provisioned.