PingOne can provision group membership from an external source, such as an identity provider or LDAP Gateway.
Just-in-time (JIT) group provisioning occurs as part of the authentication process. For external identity providers, the group associated with the user is provisioned to PingOne each time the user signs on to PingOne. For LDAP Gateways, the group associated with the user is provisioned to PingOne only on the initial user migration.
If a user’s group membership changes in the external identity provider, PingOne will update the group membership the next time the user signs on.
Limitations
Nested groups are not supported.
You can’t change the Group Display Name in PingOne.
In Active Directory user stores, if a group name is changed, PingOne considers it a new group. The user is removed from the old group and added to the new group.
If a user was provisioned to a group in PingOne, you can manually remove the user from the group in PingOne. However, the JIT-provisioning feature might re-add them to the group later, unless they were also removed at the external source.
Users cannot be added to an external group directly from PingOne.
Related information
For more information, see: