Adding attribute mapping for inbound provisioning
For inbound provisioning, you can specify additional options for onboarding new users.
About this task
For inbound provisioning, the mapping is applied to the attribute coming from the source identity store before it is saved to the PingOne directory.
Steps
- Go to Integrations → Provisioning.
- On the Rules tab, find the appropriate rule and click it to open the details panel.
- Click the Configuration tab.
- Click Attribute mapping.
  You must have a source and target connection configured before you can set up attribute mapping.
- Click the Pencil icon to edit the attribute mapping.
- Review the attribute mappings for the configured identity store.
  The source attribute mappings for a particular identity store are provided. For more information, see Mapping attributes.

  Option | Description
  ---|---
  Add an attribute mapping | Click Add. Enter the source and target attributes.
  Add a new source attribute | Enter the attribute name. In the list, select the ADD:<attribute-name> attribute. Map the added attribute to a target attribute.
  Use the expression builder | Click the Gear icon. Learn more in Using the expression builder.
  Delete a mapping | Click the Delete icon.

- Click Next.
- Enter the following as part of PingOne user onboarding:
  - Population: Select a population from the list. When users are synced to PingOne, they will be added to the specified population.
  - Authenticate via AD/LDAP: Specify whether to authenticate the user through the Active Directory or LDAP gateway user directory.
    If you select Yes, PingOne is automatically set as the Authoritative identity provider and you must specify a Gateway user type. If you select No, specify an Authoritative identity provider.
  - Authoritative identity provider: If you selected No for Authenticate via AD/LDAP, select the identity provider that will have authority over user records and credentials.
    PingOne is the default, but if you’ve configured another IdP you can select it here. Learn more in Authoritative identity providers.
    If you select PingOne as the Authoritative identity provider, specify the following options:
    - Set Password (check box): Determine whether to specify a default password for new users.
    - Set Password (field): Specify the default password in PingOne for users synced in from an external identity store as a source. Click Set password and then enter a literal value. You can also create a complex password using the functions in the expression builder. Learn more in Using the expression builder.
      You should use strong passwords, even for temporary passwords.
    - Reset their password on first login: Force users to reset their password the first time they authenticate through PingOne.
  - Gateway user type: If you selected Yes for Authenticate via AD/LDAP, select a gateway user type. The user type identifies users in the external directory. You must define a user type to use external authentication.
  - MFA Device Management: If your users have MFA devices that are managed by a PingOne service (for example, PingOne MFA or PingID), this setting controls how the inbound provisioner can affect those devices. Select one of the following options.
    - Merge with devices in PingOne (default): Select this option to add devices from the identity store to the user’s existing devices in PingOne.
    - Overwrite devices in PingOne: Select this option to replace the user’s configured devices in PingOne with those from the identity store. Only new devices mapped under attribute mappings are added.
    - Do not manage: Select this option to disable device management. This option is recommended when users in the same environment also use PingID, to avoid unexpected device unpairing caused by nickname conflicts: inbound provisioning and PingID use the same device nicknames, which causes device unpairing.
    Learn more about MFA device management in Authentication method management for inbound provisioning.
- Click Finish.
Authentication method management for inbound provisioning
Inbound provisioning manages all mapped email, voice, and SMS MFA attributes.
Nicknames
PingOne assigns nicknames to authentication methods (also called "devices"). The nicknames are used to identify authentication methods on user-facing pages, such as the Device Selection page.
Inbound provisioning uses nicknames when provisioning and synchronizing a user’s authentication methods. The following are the managed nicknames used by inbound provisioning:
- SMS 1
- SMS 2
- SMS 3
- Email 1
- Email 2
- Email 3
- Voice 1
- Voice 2
- Voice 3
The inbound provisioner might unpair existing MFA devices if an existing device has a nickname that matches a managed nickname, because such devices are assumed to be devices that the inbound provisioner should manage. If the managed nicknames are used by PingID or were entered manually, the recommended solution is the Do not manage option described in Adding attribute mapping for inbound provisioning. As a workaround, you can also give your MFA device a different nickname.
Mapping attributes to nicknames
Each device nickname is associated with one attribute on the Attribute Mapping tab of the provisioning rule. For example, the Email 3 nickname holds the value of the MFA Device Email 3 attribute.
You can map these attributes on the Attribute Mapping tab of the provisioning rule.
Synchronization
When synchronizing a user’s authentication methods, inbound provisioning behaves as described in the following scenarios.
Scenario | Action
---|---
A device exists with a managed nickname, but the value does not match the value in the identity store. | The provisioner deletes and re-creates the device with the value from the identity store.
A value matches between PingOne and the identity store, but the device uses an unmanaged nickname. | The provisioner deletes and re-creates the device with the appropriate managed nickname.
A device exists with an unmanaged nickname and the value does not match the value in the identity store. | The provisioner does not make any changes.
Maximum number of authentication methods
Although inbound provisioning supports up to three SMS attributes, three email attributes, and three voice attributes, PingOne accepts a maximum of five authentication methods per user by default. You can adjust this in the PingOne settings.
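To make the synchronization rules concrete, here is an added Python model (not PingOne code) of the three scenarios in the table above, the Do not manage option, and the default five-method limit. The Device class, the function names and every device record and identity-store value are constructed for this illustration; the model shows why a PingID device that happens to carry a managed nickname such as SMS 1 is deleted and re-created (unpaired) on the next sync unless device management is turned off.

```python
# Added example modelling the synchronization rules and nickname handling described above.
# Not PingOne code: the names and all device records / identity-store values are constructed.
from dataclasses import dataclass

MANAGED_NICKNAMES = {f"{kind} {n}" for kind in ("SMS", "Email", "Voice")
                     for n in (1, 2, 3)}
DEFAULT_MAX_METHODS = 5  # PingOne default limit on authentication methods per user

@dataclass(frozen=True)
class Device:
    nickname: str
    value: str  # phone number or email address

def plan_sync(existing, mapped, manage=True):
    """Actions the provisioner would take, as (action, nickname, value) tuples.

    existing: devices currently paired to the PingOne user.
    mapped:   {managed nickname: value from the identity store}.
    manage:   False models the 'Do not manage' option (no device changes at all).
    """
    if not manage:
        return []
    by_nick = {d.nickname: d for d in existing}
    by_value = {d.value: d for d in existing}
    actions = []
    for nick, value in mapped.items():
        current, same_value = by_nick.get(nick), by_value.get(value)
        if current is not None and current.value != value:
            # Managed nickname exists but the value differs: delete and re-create.
            actions += [("delete", nick, current.value), ("create", nick, value)]
        elif current is None and same_value is not None \
                and same_value.nickname not in MANAGED_NICKNAMES:
            # Value matches but under an unmanaged nickname: re-create as managed.
            actions += [("delete", same_value.nickname, value), ("create", nick, value)]
        elif current is None:
            actions.append(("create", nick, value))
        # Otherwise already in sync; unmanaged devices with non-matching values are untouched.
    return actions

def takeover_risk(existing):
    """Devices whose nickname collides with a managed one (for example, set by PingID).
    They are assumed provisioner-owned and can be unpaired on the next sync."""
    return [d for d in existing if d.nickname in MANAGED_NICKNAMES]

def exceeds_limit(existing, actions, limit=DEFAULT_MAX_METHODS):
    """True if applying the actions leaves more methods than PingOne allows by default."""
    net = sum(1 if a[0] == "create" else -1 for a in actions)
    return len(existing) + net > limit
```

Running takeover_risk over a user's current devices before enabling a rule is the check that tells you whether Merge would unpair devices that PingID or an administrator created.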