PingOne

Sync users between two environments

Learn how to set up a SCIM connection from one PingOne environment to another. You’ll use the SCIM protocol to synchronize users between the two environments.

Create two environments and a worker app

Create two environments that PingOne will synchronize, and a Worker application that will handle the synchronization.

Steps

  1. Create the following two environments in PingOne:

    • P1-User-Source

    • P1-User-Destination

    Learn more in Adding an environment.

  2. Go to the P1-User-Destination environment.

  3. Go to Applications > Applications and create a new Worker Application with the following configuration:

    • Grant type: Client Credentials

    • Token Endpoint Authentication Method: Client Secret Basic

    Learn more in Adding an application.

  4. Use the toggle to enable the new Worker application.

  5. In the application details panel, click the Roles tab and add the Identity Data Admin role to your worker app

    Learn more in Configuring roles for a worker application.

  6. In the application details panel, click the Configuration tab. Copy the following values to a secure location to use when making a provisioning connection:

    • Token Endpoint

    • Client ID

    • Client Secret

    • Environment ID

Create users and a group

Create several users to be provisioned, and a group to identify them.

Steps

  1. In the PingOne admin console, go to the P1-User-Source environment.

  2. Go to Directory > Users.

  3. Create several users for provisioning.

  4. Populate the following attributes for each user:

    • Email Address

    • Given Name

    • Family Name

  5. Go to Directory > Groups.

  6. Create a group called Provisioning Users and add any two users to that group.

    Learn more in Managing group membership.

Create a provisioning connection

You can set up provisioning to or from a System for Cross-domain Identity Management (SCIM) identity store. You can also use the PingOne API to set up inbound SCIM for user provisioning. Learn more about SCIM in the PingOne API documentation.

Before you begin

Locate the values that you copied in Create two environment and a worker app.

Steps

  1. In the PingOne admin console, go to the P1-User-Source environment.

  2. Go to Integrations > Provisioning.

  3. Click and then click New Connection.

  4. Select the Identity Store.

  5. Select SCIM Outbound and click Next.

  6. Enter a name and description for this provisioning connection.

    Result:

    The connection name appears in the Provisioning list after you save the connection.

  7. Click Next.

  8. In the Configure Authentication step, enter the values for the following fields:

    • SCIM Base URL: https://scim-api.pingone.<region>/environments/<envID>/v2

      Replace <region> with the appropriate value for your geographic region, such as .com, .ca, or .eu. Learn more in IP address and domain reference. Replace <envID> with the value you copied when you created the worker app.

    • Users Resource: /Users

    • SCIM Version: 2.0

    • Groups Resource: /Groups

    • Authentication Method: OAuth 2 Client Credentials

    • OAuth Token Request: Paste the Token Endpoint value that you copied from Create two environments and a worker app.

    • OAuth Client ID: Paste the Client ID value that you copied from Create two environments and a worker app.

    • OAuth Client Secret: Paste the Client Secret value that you copied from Create two environments and a worker app.

    • Auth Type Header: Select OAuth Client Credentials.

  9. Click Test Connection to verify that PingOne can establish a connection to the SCIM resource.

    Result:

    If there are any issues with the connection, a Test Connection Failed dialog box opens. Click Continue to resume the setup with an invalid connection.

    You can’t use the connection for provisioning until you have established a valid connection to SCIM. To retry, click Cancel in the Test Connection Failed dialog box and repeat step 8.

    Troubleshooting:

    Learn more about troubleshooting your connection in Troubleshooting test connection failure.

  10. In the Configure Preferences step, enter the user filter and the action to take when deprovisioning users.

    The filtering parameters are optional.

    Option Description

    User Filter Expression

    Determines how the connection uses the specified User Identifier to match existing users in the target identity store to the users being provisioned from the source identity store. Learn more in SCIM filter expression.

    User Identifier

    The identifier for the user filter expression.

    Custom Attribute Schema URNs (optional)

    A comma-delimited list of schema URNs to define a location for custom attributes. Use this option if the SCIM provider doesn’t follow the standard naming convention for schema extensions in which custom attributes are defined. URNs of the form urn:ietf:params:scim:schemas:extension:<Organization Name>:2.0:User.

    Allow Users to be Created

    Determines whether to create a user in the target identity store when the user is created in the source identity store.

    Allow Users to be Updated

    Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.

    Allow Users to be Disabled

    Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.

    Allow Users to be Deprovisioned

    Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.

    Remove Action

    The action to take when removing a user from the target identity store.

    Deprovision on Rule Deletion

    Determines whether to deprovision users if the associated provisioning rule is deleted.

  11. Click Save.

  12. To enable the connection, click the toggle at the top of the details panel to the right (blue).

    You can’t enable the new connection until you add the Identity Data Admin role to your worker app. Learn more in Configuring roles for a worker application.

Create a provisioning rule

Create a provisioning rule to identify which identities will be provisioned.

Steps

  1. Go to the P1-User-Source environment.

  2. Go to Integrations > Provisioning.

  3. Click the button and then click New Rule.

  4. Enter a name for the rule.

  5. On the Configuration tab, click the Target button, then select the SCIM connection you created in Create a provisioning connection.

  6. Click Save.

  7. On the Configuration tab, click the User Filter button, then click the pencil icon.

  8. Set the filter to Group Names- Contains- Provisioning Users.

  9. Click Save.

  10. On the Configuration tab, click the Attribute Mapping button.

  11. Verify the default attribute mappings.

  12. On the rule overview page, use the toggle to enable the rule, which will initiate the provisioning process.

Verify the sync operation

After you have set up a connection and a rule, you can use the Sync summary and the Audit page to confirm that the sync is working.

Steps

  • Do one of the following:

    • To use the Sync summary, click the rule entry to open the rule details panel.

    • To use the Audit page, go to Monitoring > Audit.

    For more information, see Viewing sync status.

Result

In the P1-User-Source environment, any users in the Provisioning Users group will be provisioned to the P1-User-Destination environment. You can add or remove users from the group to see the changes synchronized between the two PingOne environments.

Next steps

You can add or remove users from the group to see the changes synchronized between the two PingOne environments.