--- title: Sync users between two environments description: Set up a SCIM connection from one PingOne environment to another. component: pingone page_id: pingone:pingone_tutorials:p1_sync_users_between_two_environments canonical_url: https://docs.pingidentity.com/pingone/pingone_tutorials/p1_sync_users_between_two_environments.html revdate: May 3, 2023 section_ids: p1_create_environment_and_worker_app: Create two environments and a worker app steps: Steps create-users-and-a-group: Create users and a group steps-2: Steps p1_tutorial_provisioning_connection: Create a provisioning connection before-you-begin: Before you begin steps-3: Steps result: Result: result-2: Result: troubleshooting: Troubleshooting: create-a-provisioning-rule: Create a provisioning rule steps-4: Steps verify-the-sync-operation: Verify the sync operation steps-5: Steps result-3: Result next-steps: Next steps --- # Sync users between two environments Learn how to set up a SCIM connection from one PingOne environment to another. You'll use the SCIM protocol to synchronize users between the two environments. ## Create two environments and a worker app Create two environments that PingOne will synchronize, and a Worker application that will handle the synchronization. ### Steps 1. Create the following two environments in PingOne: * P1-User-Source * P1-User-Destination Learn more in [Adding an environment](../settings/p1_addenvironment.html). 2. Go to the **P1-User-Destination** environment. 3. Go to **Applications > Applications** and create a new Worker Application with the following configuration: * **Grant type**: Client Credentials * **Token Endpoint Authentication Method**: Client Secret Basic Learn more in [Adding an application](../applications/p1_applications_add_applications.html). 4. Use the toggle to enable the new Worker application. 5. In the application details panel, click the **Roles** tab and add the **Identity Data Admin** role to your worker app. Learn more in [Configuring roles for a worker application](../applications/p1_configurerolesforworkerapplication.html). 6. In the application details panel, click the **Configuration** tab. Copy the following values to a secure location to use when making a provisioning connection: * **Token Endpoint** * **Client ID** * **Client Secret** * **Environment ID** ## Create users and a group Learn how to create several users to be provisioned, and then create a group to identify them. ### Steps 1. In the PingOne admin console, go to the **P1-User-Source** environment. 2. Go to **Directory > Users**. 3. Create several users for provisioning. 4. Populate the following attributes for each user: * **Email Address** * **Given Name** * **Family Name** 5. Go to **Directory > Groups**. 6. Create a group called **Provisioning Users** and add any two users to that group. Learn more in [Managing group membership](../directory/p1_add_members_to_group.html). ## Create a provisioning connection You can set up provisioning to or from a System for Cross-domain Identity Management (SCIM) *(tooltip: \
\

An application-level, HTTP-based protocol for provisioning and managing user identity information. SCIM supplies a common schema for representing users and groups and provides a REST API.\

\
)* identity store. You can also use the PingOne API to set up inbound SCIM for user provisioning. Learn more about [SCIM](https://developer.pingidentity.com/pingone-api/platform/scim.html) in the PingOne API documentation. ### Before you begin Locate the values that you copied in [Create two environment and a worker app](#p1_create_environment_and_worker_app). ### Steps 1. In the PingOne admin console, go to the **P1-User-Source** environment. 2. Go to **Integrations > Provisioning**. 3. Click **[icon: plus, set=fa]**and then click **New Connection**. 4. Select the **Identity Store**. 5. Select **SCIM Outbound** and click **Next**. 6. Enter a name and description for this provisioning connection. #### Result: The connection name appears in the **Provisioning** list after you save the connection. 7. Click **Next**. 8. In the **Configure Authentication** step, enter the values for the following fields: * **SCIM Base URL**: https\://scim-api.pingone.\/environments/\/v2 Replace \ with the appropriate value for your geographic region, such as .com, .ca, or .eu. Learn more in [IP address and domain reference](../developer_tools/p1_ip_address_domain_reference.html). Replace \ with the value you copied when you created the worker app. * **Users Resource**: /Users * **SCIM Version**: 2.0 * **Groups Resource**: /Groups * **Authentication Method**: OAuth 2 Client Credentials * **OAuth Token Request**: Paste the **Token Endpoint** value that you copied from [Create two environments and a worker app](#p1_create_environment_and_worker_app). * **OAuth Client ID**: Paste the **Client ID** value that you copied from [Create two environments and a worker app](#p1_create_environment_and_worker_app). * **OAuth Client Secret**: Paste the **Client Secret** value that you copied from [Create two environments and a worker app](#p1_create_environment_and_worker_app). * **Auth Type Header**: Select **OAuth Client Credentials**. 9. Click **Test Connection** to verify that PingOne can establish a connection to the SCIM resource. #### Result: If there are any issues with the connection, a **Test Connection Failed** dialog box opens. Click **Continue** to resume the setup with an invalid connection. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can't use the connection for provisioning until you have established a valid connection to SCIM. To retry, click **Cancel** in the **Test Connection Failed** dialog box and repeat step 8. | #### Troubleshooting: Learn more about troubleshooting your connection in [Troubleshooting test connection failure](../integrations/p1_provisioning_troubleshooting_test_connection_failure.html). 10. In the **Configure Preferences** step, enter the user filter and the action to take when deprovisioning users. The filtering parameters are optional. | Option | Description | | ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **User Filter Expression** | Determines how the connection uses the specified **User Identifier** to match existing users in the target identity store to the users being provisioned from the source identity store. Learn more in [SCIM filter expression](../integrations/p1_create_scim_connection.html#p1_scim_filter_expression). | | **User Identifier** | The identifier for the user filter expression. | | **Custom Attribute Schema URNs** (optional) | A comma-delimited list of schema URNs to define a location for custom attributes. Use this option if the SCIM provider doesn't follow the standard naming convention for schema extensions in which custom attributes are defined. URNs of the form `urn:ietf:params:scim:schemas:extension::2.0:User`. | | **Allow Users to be Created** | Determines whether to create a user in the target identity store when the user is created in the source identity store. | | **Allow Users to be Updated** | Determines whether to update user attributes in the target identity store when the user is updated in the source identity store. | | **Allow Users to be Disabled** | Determines whether to disable a user in the target identity store when the user is disabled in the source identity store. | | **Allow Users to be Deprovisioned** | Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store. | | **Remove Action** | The action to take when removing a user from the target identity store. | | **Deprovision on Rule Deletion** | Determines whether to deprovision users if the associated provisioning rule is deleted. | 11. Click **Save**. 12. To enable the connection, click the toggle at the top of the details panel to the right (blue). | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can't enable the new connection until you add the Identity Data Admin role to your worker app. Learn more in [Configuring roles for a worker application](../applications/p1_configurerolesforworkerapplication.html). | ## Create a provisioning rule Create a provisioning rule to identify which identities will be provisioned. ### Steps 1. Go to the **P1-User-Source** environment. 2. Go to **Integrations > Provisioning**. 3. Click the **[icon: plus, set=fa]**button and then click **New Rule**. 4. Enter a name for the rule. 5. On the **Configuration** tab, click the **Target** button, then select the SCIM connection you created in [Create a provisioning connection](#p1_tutorial_provisioning_connection). 6. Click **Save**. 7. On the **Configuration** tab, click the **User Filter** button, then click the pencil icon. 8. Set the filter to **Group Names**- **Contains**- **Provisioning Users**. 9. Click **Save**. 10. On the **Configuration** tab, click the **Attribute Mapping** button. 11. Verify the default attribute mappings. 12. On the rule overview page, use the toggle to enable the rule, which will initiate the provisioning process. ## Verify the sync operation After you have set up a connection and a rule, you can use the Sync summary and the Audit page to confirm that the sync is working. ### Steps * Do one of the following: * To use the **Sync summary**, click the rule entry to open the rule details panel. * To use the **Audit** page, go to **Monitoring > Audit**. For more information, see [Viewing sync status](../integrations/p1_view_sync_status.html). ### Result In the **P1-User-Source** environment, any users in the **Provisioning Users** group will be provisioned to the **P1-User-Destination** environment. You can add or remove users from the group to see the changes synchronized between the two PingOne environments. ### Next steps You can add or remove users from the group to see the changes synchronized between the two PingOne environments.