Create a provisioning connection
Create a provisioning connection to define the source and target for provisioning.
Before you begin
Locate the values that you copied in Create two environments and a Worker app.
Steps
-
Go to the P1-User-Source environment.
-
Go to Integrations > Provisioning.
-
Click the button and then click New Connection.
-
For connection type, select Identity Store.
-
Locate the SCIM tile and then click Select.
-
Click Next.
-
Enter a name and description. Click Next.
-
On the Authentication step, enter the following values:
-
SCIM Base URL: https://scim-api.pingone.<region>/environments/<envID>/v2
Replace <region> with the appropriate value for your geographic region, such as .com, .ca, or .eu. For more information, see IP address and domain reference. Replace <envID> with the value you copied when you created the Worker app.
-
Users Resource: /Users
-
SCIM Version: 2.0
-
Groups Resource: /Groups
-
Authentication Method: OAuth 2 Client Credentials
-
OAuth Token Request: Paste the Token Endpoint value that you copied from Create two environments and a Worker app.
-
OAuth Client ID: Paste the Client ID value that you copied from Create two environments and a Worker app.
-
OAuth Client Secret: Paste the Client Secret value that you copied from Create two environments and a Worker app.
-
Auth Type Header: Select OAuth Client Credentials
-
-
Click Test connection to verify that PingOne can establish a connection to the SCIM resource.
Result:
If there are any issues with the connection, a Test Connection Failed dialog box opens. Click Continue to resume the setup with an invalid connection.
You cannot use the connection for provisioning until you have established a valid connection to SCIM. To retry, click Cancel in the Test Connection Faileddialog box and repeat step 8.
Troubleshooting:
Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.
-
On the Configure preferences page, enter the user filter and the action to take when deprovisioning users.
The filtering parameters are optional.
Option Description User filter expression
Determines how the connection uses the specified User Identifier to match existing users in the target identity store to the users being provisioned from the source identity store. Learn more in SCIM filter expressions.
User identifier
The identifier for the user filter expression.
Custom Attribute Schema URNs (optional)
A comma-delimited list of schema URNs to define a location for custom attributes. Use this option if the SCIM provider does not follow the standard naming convention for schema extensions in which custom attributes are defined. That is, URNs of the form
urn:ietf:params:scim:schemas:extension:<Organization Name>:2.0:User
.Allow users to be created
Determines whether to create a user in the target identity store when the user is created in the source identity store.
Allow users to be updated
Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.
Allow users to be disabled
Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.
Allow users to be deprovisioned
Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.
Remove action
The action to take when removing a user from the target identity store.
Deprovision on rule deletion
Determines whether to deprovision users if the associated provisioning rule is deleted.
-
Click Save.
-
Use the toggle to enable the new connection.
You cannot enable the new connection until you add the Identity Data Admin role to your worker app. Learn more in Configuring roles for a worker application.