---
title: Provisioning the PingOne connection with PingOne environments (early access)
description: The PingOne provisioning connection links two environments, either within the same organization or across different organizations.
component: pingone
page_id: pingone:early-access-features:ea_p1_provisioning_connection_pingone
canonical_url: https://docs.pingidentity.com/pingone/early-access-features/ea_p1_provisioning_connection_pingone.html
llms_txt: https://docs.pingidentity.com/pingone/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: April 10, 2026
section_ids:
  provisioning-capabilities: Provisioning capabilities
  before-you-begin: Before you begin
  steps: Steps
  result: Result:
  validation: Validation
  pingone-directory-attributes: PingOne directory attributes
---

# Provisioning the PingOne connection with PingOne environments (early access)

The PingOne provisioning connection links two environments, either within the same organization or across different organizations. By integrating the PingOne connection with PingOne, you can automate the lifecycle of user identities and groups, ensuring that access between your source and target environments is synchronized.

## Provisioning capabilities

| Resource   | Capability     | Description                                                                                                                              | Inbound | Outbound |
| ---------- | -------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------- | -------- |
| User       | Create         | Generates a new user record in the destination.                                                                                          | Yes     | Yes      |
|            | Read           | Retrieves or polls user attributes for synchronization.                                                                                  | Yes     | Yes      |
|            | Update         | Modifies existing attributes, such as `job title`.                                                                                       | Yes     | Yes      |
|            | Delete         | Deletes a user or temporarily suspends an account.                                                                                       | Yes     | Yes      |
| Group      | Create         | Provisions a new group in the target application.&#xA;&#xA;Only internal and native PingOne groups are supported for group provisioning. | No      | Yes      |
|            | Rename         | Updates the display name or identifier of an existing group.                                                                             | No      | Yes      |
|            | Delete         | Removes a group from the target application.                                                                                             | No      | Yes      |
| Membership | Add and remove | Handles additions and removals of users within groups.                                                                                   | No      | Yes      |

## Before you begin

Make sure that you have:

* Administrator access to both the source and target PingOne environments in the same or cross organization.

* The necessary API access and administrator approvals to test and confirm the connection works.

* Created a worker application for OAuth authentication in the target PingOne environment and assign the following roles:

  * **Environment Admin**

  * **Identity Data Admin**

  * **Identity Data Read Only**

  * **Organization Admin**

* The following PingOne configuration values required for OAuth or Token authentication:

  * **Service URI**

  * **Environment ID**

  * **Authentication Method**

  * **Client ID**

  * **Client Secret**

  * **Token Endpoint**

  * **Grant Type**

  * **Authentication Token**

* Users assigned to a specific population or group in PingOne designated for provisioning. Learn more in [Adding a user in PingOne](../directory/p1_adduser.html) and [Managing groups](../directory/p1_managing_groups.html).

## Steps

1. Create a PingOne connection:

   1. In the PingOne admin console, go to **Integrations > Provisioning**.

   2. Click the **Plus** icon (+) and then click **New Connection**.

   3. Click **Select** for **Identity Store**.

   4. Click **Select** for the **PingOne** connection, and click **Next**.

   5. []()In the **Configure Authentication** section, enter the following configurations that apply to your PingOne account:

      * **Authentication Method**: Select one of the following:

        * **OAUTH**: Enter the following:

          | Configuration      | Example                                             |
          | ------------------ | --------------------------------------------------- |
          | **Service URI**    | `https://api.test-one-pingone.com/v1`               |
          | **Environment ID** | `11111111-2222-3333-4444-555555555555`              |
          | **Client ID**      | `aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee`              |
          | **Client Secret**  | `example-client-secret`                             |
          | **Token Endpoint** | `https://auth.test-one-pingone.com/env_id/as/token` |
          | **Grant Type**     | `client_credentials`                                |

        * **Token**: Enter the **Authentication Token**, such as `example-authentication-token`.

   6. Click **Test Connection** to verify that PingOne can establish a connection.

      ### Result:

      If there are any issues with the connection, a **Test Connection Failed** modal opens. Click **Next** to resume the setup with an invalid connection.

      |   |                                                                                                                                                                                                                                                                                                               |
      | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
      |   | You can't use the connection for provisioning until you've established a valid connection. If the connection fails, click **Cancel** in the **Test Connection Failed** modal, verify that you have entered the configuration details in [step e](#p1_configure_authentication_step) correctly, and try again. |

   7. Click **Next**.

   8. In the **User Actions** section, select the following as needed:

      | Field                        | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
      | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
      | **Enable users creation**    | Creates a user in the target identity store when the user is created in the source identity store.                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
      | **Enable users updation**    | Updates user attributes in the target identity store when the user is updated in the source identity store.If **Enable users updation** is selected, you can choose to select **Enable users disable**, which disables a user in the target identity store when the user is disabled in the source identity store.                                                                                                                                                                                                                                     |
      | **Enable users deprovision** | Deprovisions a user in the target identity store when the user is deprovisioned in the source identity store. If **Enable users deprovision** is selected, the following options appear:- **Remove Action**: Removes or disables a user in the target identity store when the user is deleted in the source identity store. Select **Delete** or **Disable**.

        &#xA;&#xA;Remove Action is only available if you select Enable users disable.

      - **Deprovision on rule deletion**: Deprovisions users if the associated provisioning rule is deleted. |

   9. Click **Save**.

   10. To enable the connection, click the toggle at the top of the details panel to the right (blue).

       |   |                                                                           |
       | - | ------------------------------------------------------------------------- |
       |   | You can disable the connection by clicking the toggle to the left (gray). |

2. Create an [inbound](../integrations/p1_create_provisioning_rule_inbound.html) or [outbound](../integrations/p1_create_provisioning_rule_outbound.html) rule and select the existing PingOne connection as the target or source. You can optionally add [attribute mappings](#pingone-directory-attributes).

## Validation

Confirm users and groups are successfully provisioned to PingOne. View the [sync status](../integrations/p1_view_sync_status.html) to review synchronization results and any errors. You can find examples in [Outbound provisioning sync summary examples](../integrations/p1_outbound_group_provisioning_sync_summary_examples.html).

## PingOne directory attributes

The following table lists common PingOne attributes that can be mapped for user provisioning:

| Attribute       | Description                                                                 |
| --------------- | --------------------------------------------------------------------------- |
| `Username`      | The username value used for the target account.                             |
| `Email`         | The email address mapped from PingOne Directory.                            |
| `Enabled`       | Indicates whether the target user account is enabled.                       |
| `Given Name`    | The user's first name.                                                      |
| `Family Name`   | The user's last name.                                                       |
| `Population ID` | The unique identifier of the target population where users are provisioned. |
