PingOne

Adding attribute mapping for inbound provisioning

For inbound provisioning, you can specify additional options for onboarding new users.

The mapping is applied to the attribute coming from the source identity store before it’s saved to the PingOne directory.

Steps

  1. In the PingOne admin console, go to Integrations > Provisioning.

  2. On the Rules tab, find the appropriate rule and click it to open the details panel.

  3. Click the Configuration tab.

  4. Click Attribute Mapping.

    You must have a source and target connection configured before you can set up attribute mapping.

  5. Click the Pencil icon to edit the attribute mapping.

  6. Review the attribute mappings for the configured identity store.

    The source attribute mappings for a particular identity store are provided. Learn more in Mapping attributes.

    Option Description

    Add an attribute mapping

    Click Add. Enter the source and target attributes.

    Add a new source attribute

    Enter the attribute name. In the list, select the ADD:<attribute-name> attribute. Map the added attribute to a target attribute.

    Use the expression builder

    Click the Gear icon. Learn more in Using the expression builder.

    Delete a mapping

    Click the Delete icon.

    Custom attributes created and mapped with the same name as an existing user sub attribute override the existing user sub attribute.

    For example, if you create a custom attribute called country and the user sub attribute country already exists, the custom attribute overrides it even if you configure the attribute with a different letter case.

  7. Click Next.

    For inbound provisioning, you can specify additional options for onboarding new users. The mapping is applied to the attribute coming from the source identity store before it is saved to the PingOne directory.

  8. Enter the following as part of PingOne user onboarding:

    Option Description

    Population

    Select a population in the list. When users are synced to PingOne, they’re added to the specified population.

    Authenticate via AD/LDAP

    Specify whether to authenticate the user through the Active Directory (AD) or LDAP gateway user directory.

    If you select Yes, PingOne is automatically set as the authoritative identity provider (IdP), and you must specify a gateway user type.

    If you select Yes, the link between PingOne and the LDAP directory is maintained. Once a user has been imported into PingOne, selecting No doesn’t remove the link to the LDAP gateway.

    If you select No, specify an authoritative IdP.

    Authoritative Identity Provider

    If you selected No for Authenticate via AD/LDAP, select the IdP that will have authority over user records and credentials.

    PingOne is the default, but if you’ve configured another IdP you can select it here. Learn more in Authoritative identity providers.

    If you select PingOne as the Authoritative Identity Provider, specify the following options:

    • Set Password (checkbox): Determine whether to specify a default password for new users.

    • Set Password (field): Specify the default password in PingOne for users synced in from an external identity store as a source. Click Set password, then enter a literal value. You can also create a complex password using the functions in the expression builder. Learn more in Using the expression builder.

      You should use strong passwords, even for temporary passwords.

    • Reset their password on first login: Force users to reset their password the first time they authenticate through PingOne.

    Gateway User Type

    If you selected Yes for Authenticate via AD/LDAP, select a gateway user type. The user type identifies users in the external directory. You must define a user type to use external authentication.

    MFA Device Management

    If your users have MFA devices that are managed by a PingOne service (for example, PingOne MFA and PingID), this setting controls how the inbound provisioner can affect those devices. Select one of the following options.

    • Merge with devices in PingOne (default): Select this option to add devices from the identity store to the user’s existing devices in PingOne.

    • Overwrite devices in PingOne: Select this option to replace the user’s configured devices in PingOne with those from the identity store. Only new devices mapped under attribute mappings are added.

    • Do not manage: Select this option to disable device management. This option is recommended when PingID is used in the same environment, to avoid unexpected device unpairing caused by nickname conflicts: inbound provisioning and PingID use the same device nicknames, which can cause device unpairing.

  9. Click Save.

Authentication method management for inbound provisioning

Inbound provisioning manages all mapped email, voice, and SMS MFA attributes.

Nicknames

PingOne assigns nicknames to authentication methods (also called "devices"). The nicknames are used to identify authentication methods on user-facing pages, such as the Device Selection page.

Inbound provisioning uses nicknames when provisioning and synchronizing a user’s authentication methods. The following are the managed nicknames used by inbound provisioning:

  • SMS 1

  • SMS 2

  • SMS 3

  • Email 1

  • Email 2

  • Email 3

  • Voice 1

  • Voice 2

  • Voice 3

The inbound provisioner might unpair existing MFA devices if an existing device has a name that matches a managed nickname, because such devices are assumed to be devices that the inbound provisioner should manage. If the managed nicknames are already in use, whether by PingID or entered manually, the recommended solution is to use the Do not manage option described in Adding attribute mapping for inbound provisioning. As a workaround, you can also give your MFA device a different nickname.

Mapping attributes to nicknames

Each device nickname is associated with one attribute on the Attribute Mapping tab of the provisioning rule. For example, the Email 3 nickname holds the value of the MFA Device Email 3 attribute.

You can map these attributes on the Attribute Mapping tab of the provisioning rule.

Synchronization

When synchronizing a user’s authentication methods, inbound provisioning behaves as described in the following scenarios.

Synchronization scenarios
Scenario Action

A device exists with a managed nickname, but the value does not match the value in the identity store.

The provisioner deletes and re-creates the device with the value from the identity store.

A value matches between PingOne and the identity store, but the device uses an unmanaged nickname.

The provisioner deletes and re-creates the device with the appropriate managed nickname.

A device exists with an unmanaged nickname and the value does not match the value in the identity store.

The provisioner does not make any changes.
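The following Python model, added here as an illustration and not PingOne product code, applies the synchronization scenarios above to one user's devices and adds the pre-flight check a practitioner would want before enabling provisioning: which existing devices already carry a managed nickname and are therefore at risk of unpairing (see Nicknames). The device records and identity-store values are constructed; treating a managed-nickname device with no mapped value as unpaired, and an unmatched mapped value as a newly created device, are assumptions drawn from the Nicknames and MFA Device Management text rather than behaviour the table states explicitly.

```python
# Added illustration, not PingOne product code: models the synchronization
# table above for one user and adds a pre-flight check for the managed-nickname
# collisions described under "Nicknames". All device data is constructed.

MANAGED_NICKNAMES = {f"{k} {n}" for k in ("SMS", "Email", "Voice") for n in (1, 2, 3)}

# Constructed export of one user's PingOne devices and mapped store values.
SAMPLE_DEVICES = [
    {"nickname": "Email 1", "value": "alice@example.com"},    # already in sync
    {"nickname": "SMS 1", "value": "+15550100"},              # paired via PingID, not mapped
    {"nickname": "Personal phone", "value": "+15550199"},     # value mapped as SMS 2
    {"nickname": "Old email", "value": "alice@old.example"},  # unmanaged, no match
]
SAMPLE_STORE = {"Email 1": "alice@example.com", "SMS 2": "+15550199",
                "Voice 1": "+15550177"}

def managed_nickname_collisions(devices):
    """Existing devices the provisioner will assume it owns because their nickname
    is a managed one; if PingID or a user created them, they risk being unpaired."""
    return [d for d in devices if d["nickname"] in MANAGED_NICKNAMES]

def plan_sync(devices, store, manage=True):
    """Return (action, nickname, value) tuples the provisioner would apply.
    store maps managed nickname -> identity-store value; manage=False models
    the "Do not manage" option."""
    if not manage:
        return []
    actions, satisfied = [], set()
    for d in devices:
        nick, value = d["nickname"], d["value"]
        if nick in MANAGED_NICKNAMES:
            if store.get(nick) == value:
                satisfied.add(nick)                        # nothing to do
            elif nick in store:                            # scenario 1
                actions.append(("recreate", nick, store[nick]))
                satisfied.add(nick)
            else:                                          # managed name, no mapped value:
                actions.append(("unpair", nick, value))    # assumed removed (see Nicknames)
        else:
            match = next((n for n, v in store.items() if v == value), None)
            if match is not None:                          # scenario 2
                actions.append(("recreate", match, value))
                satisfied.add(match)
            # scenario 3: unmanaged nickname and no matching value -> left untouched
    for nick, value in store.items():                      # assumed: unmatched mapped
        if nick not in satisfied:                          # values become new devices
            actions.append(("create", nick, value))
    return actions
```

Running plan_sync(SAMPLE_DEVICES, SAMPLE_STORE) yields an unpair of the PingID-paired "SMS 1" device, a re-create of the "Personal phone" number under "SMS 2", and a new "Voice 1" device, while plan_sync(..., manage=False) yields no changes; managed_nickname_collisions(SAMPLE_DEVICES) flags "Email 1" and "SMS 1" as the devices to review before enabling the rule.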

Maximum number of authentication methods

Although inbound provisioning supports up to three SMS attributes, three email attributes, and three voice attributes, PingOne accepts a maximum of five authentication methods per user by default. You can adjust this limit. Learn more in Configuring MFA settings.