---
title: Creating an inbound rule
description: Create a rule to define which users are provisioned to PingOne.
component: pingone
page_id: pingone:integrations:p1_create_provisioning_rule_inbound
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_create_provisioning_rule_inbound.html
revdate: June 4, 2025
page_aliases: ["p1_adding_attribute_mapping_inbound_provisioning.adoc"]
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  result: Result
  p1_example_user_filters: Example user filters
  example-1: Example 1
  example-2: Example 2
  example-3: Example 3
  example-4: Example 4
  authentication-method-management-for-inbound-provisioning: Authentication method management for inbound provisioning
  nicknames: Nicknames
  mapping-attributes-to-nicknames: Mapping attributes to nicknames
  synchronization: Synchronization
  maximum-number-of-authentication-methods: Maximum number of authentication methods
---

# Creating an inbound rule

Create an inbound rule to define which users are provisioned to PingOne and how attributes are mapped between the external identity store and PingOne.

If you're creating an inbound rule for a connection through an LDAP gateway, refer to [Creating an inbound rule for a connection through an LDAP gateway](p1_create_inbound_provisioning_rule_gateway.html).

## Before you begin

Make sure you've created a connection.

|   |                                                                                                                                                                                                                                                                               |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | Not all provisioning connection types support this provisioning. Learn more in [Provisioning](p1_provisioning.html). You can add a disabled connection to a source or target of a rule, but it must be enabled. Learn more in [Connections](p1_connections_provisioning.html). |

## Steps

1. In the PingOne admin console, go to **Integrations > Provisioning**.

2. Click **[icon: plus, set=fa]** and then click **New Rule**.

3. For **Sync Direction**, select **PingOne as Target**.

4. For **Available Connections**, click **[icon: plus, set=fa]** next to the appropriate connection to set it as the source and then click **Continue**.

5. In the **Rule Details** panel, enter a **Name** and **Description** for the rule and then click **Next**.

6. In the **Directory Configuration** panel:

   * For **User Filter**, click **Add Condition** and define which users to include in provisioning based on population or user attributes. Learn more in [Example user filters](#p1_example_user_filters).

     * Enter the first condition:

       * Select **All** or **Any** to determine how the linked conditions will be evaluated: Boolean logical AND or OR.

       * **Attribute**: The user attribute on which to filter.

       * **Operator**: Supports the operators `sw` (starts with), `ew` (ends with), `co` (contains), and `eq` (equals). Matching is case-sensitive for software as a service (SaaS) provisioners.

       * **Value**: Enter the appropriate value.

         |   |                                                                                                                                                                                                                                                      |
         | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
         |   | If you select a group in the filter, updating or deleting the group can cause the provisioning rule to resync. The filter will also include all users with any kind of membership in the group. Learn more in [Groups](../directory/p1_groups.html). |

     * (Optional) Click **Add [icon: plus, set=fa]** to add another condition or condition set.

     * To delete a condition, click the **Delete** icon ([icon: trash, set=fa]).

7. Click **Next**.

8. In the **Attribute Mapping** panel, map attributes between the source and PingOne to ensure users are provisioned correctly.

   * To add an attribute mapping, click **[icon: plus, set=fa] Add** and enter the source and target attributes.

   * To add a new source attribute, enter the attribute name. In the list, select the **ADD:ADD:\<attribute-name>** attribute. Map the added attribute to a target attribute.

   * To use the expression builder, click the **Gear** icon ([icon: gear, set=fa]). Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html).

   * To delete a mapping, click the **Delete** icon ([icon: trash, set=fa]).

     |   |                                                                                                                                                                                                                                                                                                                                                                  |
     | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | Custom attributes created and mapped with the same name as an existing user `sub` attribute override the existing user `sub` attribute. For example, if you create a custom attribute called `country` and the user `sub` attribute `country` already exists, the custom attribute overrides it even if you configure the attribute with a different letter case. |

9. In the **Onboarding Settings** panel, define how users are matched, linked, and managed when onboarding into PingOne:

   1. In the **Populations** list, select the population into which you want to sync users.

   2. For **Authoritative Identity Provider**, PingOne is automatically set as the authoritative identity provider (IdP).

   3. Select the **Set default password for new users** checkbox to specify the default password in PingOne for users synced in from an external identity store as a source.

   4. Click **Define Password Logic** to create a complex password using the functions in the expression builder. Learn more in [Using the expression builder](../pingone_expression_language/p1_use_expression_builder.html).

   5. Select the **Force password reset on first sign on** checkbox to force users to reset their password the first time they authenticate through PingOne.

   6. In the **MFA Device Management** list, select one of the following to control how the provisioner can impact MFA devices that are managed by a PingOne service, such as PingOne MFA and PingID:

      * **Merge with devices in PingOne** (default): Select this option to add a device from the identity store to a user's existing devices in PingOne.

      * **Overwrite devices in PingOne**: Select this option to replace configured user devices in PingOne with those from the identity store. Only new devices mapped using attribute mappings are added.

      * **Do not manage devices**: Select this option to disable device management. This option is recommended if you're using PingID in the same environment. Inbound provisioning and PingID use the same device nicknames, which causes device unpairing. This option helps avoid that.

10. Click **Save**.

11. To enable the rule, click the toggle at the top of the details panel to the right (blue).

    |   |                                                                     |
    | - | ------------------------------------------------------------------- |
    |   | You can disable the rule by clicking the toggle to the left (gray). |

## Result

The **Sync Status** appears and the rule is listed under **Rules**. Learn more in [Sync status](p1_provisioning_sync_status.html).

## Example user filters

This section shows some example user filters to define users for provisioning.

### Example 1

A filter that includes users from the USA and Canada. Include users that match the following:

Country Code Equals **US**

OR

Country Code Equals **CA**

![A screen capture of a user filter that matches users from the US and Canada](_images/eif1676044320679.png)

### Example 2

A filter that includes users from the following populations:

Population Name Equals **Marketing**

OR

Population Name Equals **HR**

![A screen capture of a user filter that matches users from the Marketing and HR populations](_images/cbk1676044354415.png)

### Example 3

A filter that includes enabled users from the following populations:

Population Name Equals **Marketing**

OR

Population Name Equals **HR**

AND

Enabled Equals **true**

![A screen capture of a user filter that matches enabled users from the Marketing and HR populations](_images/xxn1676044395316.png)

### Example 4

A filter that includes users from the Engineering and Marketing groups. Include users that match the following:

Group Names Contains **Engineering**

OR

Group Names Contains **Marketing**

![A screen capture of a user filter that matches users from the Engineering and Marketing groups](_images/fdg1676044441287.png)
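To check who a filter selects before enabling a rule, you can dry-run it against a few sample users. The following is an added illustration, not PingOne code: it models the **All**/**Any** condition sets and the four operators from the steps above, and evaluates Example 1 and Example 3. The tuple layout, the user records, and the rule that a missing attribute never matches are assumptions of this sketch.

```python
# Operators the User Filter supports, compared case-sensitively as the page
# states for SaaS provisioners.
OPS = {
    "eq": lambda have, want: have == want,
    "sw": lambda have, want: have.startswith(want),
    "ew": lambda have, want: have.endswith(want),
    "co": lambda have, want: want in have,
}

def matches(user, node):
    """Evaluate one node: a condition (attribute, operator, value) or a
    condition set ("All" | "Any", [child nodes])."""
    if node[0] in ("All", "Any"):
        if not node[1]:
            # all([]) is True, so an empty All set would select every user.
            raise ValueError("empty condition set")
        combine = all if node[0] == "All" else any
        return combine(matches(user, child) for child in node[1])
    attribute, operator, value = node
    have = user.get(attribute)
    # Assumption of this sketch: a user without the attribute never matches.
    return have is not None and OPS[operator](have, value)

def in_scope(users, rule):
    """Names of the users the rule would include in provisioning."""
    return [u["name"] for u in users if matches(u, rule)]

# Example 1: Country Code equals US OR CA.
EXAMPLE_1 = ("Any", [("Country Code", "eq", "US"), ("Country Code", "eq", "CA")])
# Example 3: (Population Name equals Marketing OR HR) AND Enabled equals true.
EXAMPLE_3 = ("All", [
    ("Any", [("Population Name", "eq", "Marketing"), ("Population Name", "eq", "HR")]),
    ("Enabled", "eq", "true"),
])

# Constructed sample users; all attribute values are strings.
USERS = [
    {"name": "ana", "Country Code": "US", "Population Name": "Marketing", "Enabled": "true"},
    {"name": "ben", "Country Code": "CA", "Population Name": "HR", "Enabled": "false"},
    {"name": "cy", "Country Code": "us", "Population Name": "marketing", "Enabled": "true"},
    {"name": "dee", "Country Code": "DE", "Population Name": "Sales", "Enabled": "true"},
]

if __name__ == "__main__":
    print("Example 1:", in_scope(USERS, EXAMPLE_1))
    print("Example 3:", in_scope(USERS, EXAMPLE_3))
```

The user `cy` falls outside both filters only because of letter case, which is the kind of mismatch worth catching before the first sync.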

## Authentication method management for inbound provisioning

Inbound provisioning manages all mapped email, voice, and SMS MFA attributes.

### Nicknames

PingOne assigns nicknames to authentication methods (also called devices). The nicknames are used to identify authentication methods on user-facing pages, such as the **Device Selection** page.

Inbound provisioning uses nicknames when provisioning and synchronizing a user's authentication methods. The following are the managed nicknames used by inbound provisioning:

* `SMS 1`

* `SMS 2`

* `SMS 3`

* `Email 1`

* `Email 2`

* `Email 3`

* `Voice 1`

* `Voice 2`

* `Voice 3`

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                     |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The inbound provisioner might unpair existing MFA devices if an existing device has a name that matches a managed nickname, because such devices are assumed to be ones that the inbound provisioner should manage. In this case, where the managed nicknames are used by PingID or were entered manually, the recommended solution is to use the **Do not manage devices** option. You can also give your MFA device a different nickname as a workaround. |

### Mapping attributes to nicknames

Each device nickname is associated with one attribute on the **Attribute Mapping** tab of the provisioning rule. For example, the `Email 3` nickname holds the value of the `MFA Device Email 3` attribute.

You can map these attributes on the **Attribute Mapping** tab of the provisioning rule.

### Synchronization

When synchronizing a user's authentication methods, inbound provisioning behaves as described in the following scenarios.

**Synchronization scenarios**

| Scenario                                                                                                 | Action                                                                                   |
| -------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- |
| A device exists with a managed nickname, but the value does not match the value in the identity store.   | The provisioner deletes and recreates the device with the value from the identity store. |
| A value matches between PingOne and the identity store, but the device uses an unmanaged nickname.       | The provisioner deletes and recreates the device with the appropriate managed nickname.  |
| A device exists with an unmanaged nickname and the value does not match the value in the identity store. | The provisioner does not make any changes.                                               |
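Before turning on device management for a rule, it helps to predict which existing devices the scenarios above would touch. The following is an added illustration, not PingOne code: it classifies a user's existing devices against the mapped identity store values using the three table rows and the managed-nickname note. The device record layout, the action labels, and matching values per device type are assumptions of this sketch.

```python
# Managed nicknames listed on this page: SMS 1-3, Email 1-3, Voice 1-3.
MANAGED = {f"{kind} {n}" for kind in ("SMS", "Email", "Voice") for n in (1, 2, 3)}

def plan_sync(devices, store):
    """Predict what inbound provisioning does to each existing device.

    devices: list of dicts with "nickname", "type" and "value" (PingOne side).
    store:   {managed nickname: value} from the mapped MFA Device attributes.
    Returns a list of (nickname, action, detail) tuples.
    """
    unknown = set(store) - MANAGED
    if unknown:
        raise ValueError(f"not managed nicknames: {sorted(unknown)}")
    # Assumption: values are compared per device type (SMS, Email, Voice).
    by_value = {(nick.rsplit(" ", 1)[0], val): nick for nick, val in store.items()}
    plan = []
    for dev in devices:
        nick, key = dev["nickname"], (dev["type"], dev["value"])
        if nick in MANAGED:
            if nick not in store:
                # Name collides with a managed nickname but nothing is mapped:
                # the device is assumed to be managed and might be unpaired.
                plan.append((nick, "unpair-risk", "rename or use Do not manage devices"))
            elif store[nick] == dev["value"]:
                plan.append((nick, "in-sync", ""))
            else:
                plan.append((nick, "recreate-value", store[nick]))   # table row 1
        elif key in by_value:
            plan.append((nick, "recreate-nickname", by_value[key]))  # table row 2
        else:
            plan.append((nick, "no-change", ""))                     # table row 3
    return plan

# Constructed sample data (not real users, numbers or addresses).
DEVICES = [
    {"nickname": "SMS 1", "type": "SMS", "value": "+15550100"},
    {"nickname": "Work mail", "type": "Email", "value": "ana@example.com"},
    {"nickname": "Personal", "type": "Email", "value": "ana@home.example"},
    {"nickname": "Voice 1", "type": "Voice", "value": "+15550123"},
]
STORE = {"SMS 1": "+15550199", "Email 1": "ana@example.com"}

if __name__ == "__main__":
    for row in plan_sync(DEVICES, STORE):
        print(row)
```

Devices reported as `unpair-risk` are the ones that were named with a managed nickname by PingID or by hand, which the note in the Nicknames section describes.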

### Maximum number of authentication methods

Although inbound provisioning supports up to three SMS attributes, three email attributes, and three voice attributes, PingOne accepts a maximum of five authentication methods per user by default. You can adjust this limit as described in [Configuring MFA settings](../authentication/p1_configure_mfa_settings.html).
