User provisioning in PingOne for Enterprise
PingOne for Enterprise supports user provisioning for certain identity providers (IdPs) and applications.
User provisioning allows you to manage your users' status and permissions in your IdP and your applications from the PingOne for Enterprise admin console. Provisioning saves your admins time and improves security by ensuring consistency across your user experience.
How provisioning works
Your IdP must be configured to provision both users and groups to PingOne for Enterprise. PingOne for Enterprise Directory and AD Connect are automatically configured to do this. You must manually configure PingFederate.
For more information, refer to Configuring outbound provisioning in the PingFederate documentation.
PingOne for Enterprise will provision users to a target application when:
- The IdP sends a group update with a membership change that references a user that already exists in PingOne for Enterprise.
- The IdP sends a user update for a user that already exists in PingOne for Enterprise and is already a member of a tracked group.
Creating a new user and adding them to a provisioning group will result in outbound provisioning. The IdP provisions the user and PingOne for Enterprise takes no action. Then the IdP updates the group to include the new user and PingOne for Enterprise creates the user in the target application.
Editing a user that already exists in a provisioning group will result in outbound provisioning. The IdP provisions the user update and PingOne for Enterprise updates the user in the target application.
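The two trigger rules above, replayed over a constructed event stream. This is an added illustration, not Ping Identity code: the function name, event tuples, and group names are hypothetical, and it models membership additions only.

```python
# Added illustration: a simplified model of the two trigger rules above.
# Not Ping Identity code; all names and sample events are constructed.

def replay(events, tracked_groups):
    """Replay IdP events in order; return the outbound requests they trigger."""
    users = set()        # users that exist in PingOne for Enterprise
    members = {}         # group name -> set of member user names
    in_target = set()    # users already created in the target application
    outbound = []

    def push(user):
        outbound.append(("update" if user in in_target else "create", user))
        in_target.add(user)

    for kind, name, *rest in events:
        if kind == "user":                   # IdP provisions a user create/update
            existed = name in users
            users.add(name)
            tracked = any(name in members.get(g, ()) for g in tracked_groups)
            if existed and tracked:          # rule 2: existing user in a tracked group
                push(name)
        elif kind == "group":                # IdP sends a group update
            new = set(rest[0])
            added = new - members.get(name, set())
            members[name] = new
            if name in tracked_groups:
                for user in sorted(added):
                    if user in users:        # rule 1: referenced user already exists
                        push(user)
    return outbound

# Constructed event stream: (kind, name[, members])
EVENTS = [
    ("user", "alice"),                 # new user: PingOne takes no action
    ("group", "sales", ["alice"]),     # added to a tracked group: create
    ("user", "alice"),                 # edit of a tracked member: update
    ("user", "bob"),                   # new user
    ("group", "interns", ["bob"]),     # group is not tracked: nothing
    ("user", "bob"),                   # edit without tracked membership: nothing
]

if __name__ == "__main__":
    for action in replay(EVENTS, {"sales"}):
        print(action)
```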
Group provisioning
PingOne for Enterprise doesn’t support outbound group provisioning. To provision groups, you must configure provisioning in PingFederate.
For more information, see User provisioning in the PingFederate documentation.
Identity providers
PingOne for Enterprise supports user provisioning using the following IdPs:
- PingOne for Enterprise Directory
- PingFederate. For more information, see Configuring Provisioning for PingFederate Bridge.
- AD Connect
Provisioning applications
The following Application Catalog applications support provisioning:
- AWS Single Sign-On
- Atlassian Cloud
- Code42
- Contentful SCIM
- Google Gmail
- Jive - Production
- Jive - UAT
- Ping IDaaS Directory Provisioner
- PingOne Provisioner
- Ping SCIM SaaS Provisioner
- Ping SCIM SaaS Provisioner 2
- Ping SCIM SaaS Provisioner 3
- Salesforce Communities
- Salesforce Communities Sandbox
- Zscaler Internet Access
- Zscaler Private Access 2.0
Provisioning setup
For general directions about configuring an Application Catalog application, see Add an application from the Application Catalog. For application-specific instructions, find the application in the PingOne for Enterprise Application Catalog documentation.
While configuring your application, keep the following in mind:
After you finish configuring the application, ensure that your user groups have provisioning enabled. Go to Users → User Groups. Click Edit, and select the SSO and Provisioning check boxes for each application you want to enable for that group.
Provisioning troubleshooting
If you encounter provisioning problems, go to Dashboard → Reporting → Run New Report → Provisioning and run a provisioning activity report.
- If you don’t see any outbound requests for an application, check that the group mapped to that application is actually being updated by the IdP.
- If you do see requests, but they result in errors, the error messages will usually indicate whether the issue is with the target application, the attribute mapping, or something else.
- If you see group updates but no user updates, or user updates but no group updates, check the IdP configuration to ensure that the IdP is configured to provision both users and groups.