Implement the IdentityStoreProvisionerWithFiltering interface to provision and deprovision users, and optionally groups, to an external user store with list/query and filtering support.

Note:

If you do not need to support list/query and filtering, you can implement the IdentityStoreProvisioner interface instead.

The following Java packages are needed, at a minimum, for implementing this interface:

  • com.pingidentity.sdk.provision
  • com.pingidentity.sdk.provision.exception
  • com.pingidentity.sdk.provision.users.request
  • com.pingidentity.sdk.provision.users.response
  • com.pingidentity.sdk.provision.groups.response
  • com.pingidentity.sdk.provision.groups.request

Note:

Group support is optional (see Check for group provisioning support).

For each Identity Store Provisioner implementation, in addition to the methods described under Shared interfaces, you must implement the following:

  • Create user
  • Read user
  • Read users (not applicable to the IdentityStoreProvisioner interface)
  • Update user
  • Delete user
  • Check for group provisioning support
  • Create group
  • Read group
  • Read groups (not applicable to the IdentityStoreProvisioner interface)
  • Update group
  • Delete group

Create user

UserResponseContext createUser(CreateUserRequestContext createRequestCtx) 
throws IdentityStoreException

PingFederate invokes the createUser() method of your Identity Store Provisioner in response to create-user requests made to PingFederate services, for example inbound provisioning. This method is responsible for creating the user in the user store managed by the Identity Store Provisioner.

The CreateUserRequestContext will contain all information needed to fulfill the request (for example, user attributes). If the user was successfully provisioned, a UserResponseContext should be returned and contain the user attributes used to provision the user. An IdentityStoreException should be thrown if an error occurred during the creation process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.

Read user

UserResponseContext readUser(ReadUserRequestContext readRequestCtx)  
throws IdentityStoreException

PingFederate invokes the readUser() method of your Identity Store Provisioner in response to get-user requests made to PingFederate services, for example inbound provisioning. This method is responsible for retrieving user data from the user store managed by the Identity Store Provisioner.

The ReadUserRequestContext will contain all information needed to fulfill the request (for example, a user ID). If the user data was successfully retrieved, a UserResponseContext should be returned and contain the user attributes for the user. An IdentityStoreException should be thrown if an error occurred during the retrieval process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.

Read users

UsersResponseContext readUsers(ReadUsersRequestContext readRequestCtx) 
throws IdentityStoreException

PingFederate invokes the readUsers() method of your Identity Store Provisioner in response to list/query requests for user attributes made to PingFederate services, for example inbound provisioning. This method is responsible for retrieving user data from the user store managed by the Identity Store Provisioner.

Note:

The readUsers method is applicable only to the IdentityStoreProvisionerWithFiltering interface; it does not apply to the IdentityStoreProvisioner interface.

The ReadUsersRequestContext will contain all information needed to fulfill the request (for example, a filter). If the user data was successfully retrieved, a UsersResponseContext should be returned and contain the user attributes satisfying the filter. An IdentityStoreException should be thrown if an error occurred during the retrieval process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.

Update user

UserResponseContext updateUser(UpdateUserRequestContext updateRequestCtx)
throws IdentityStoreException

PingFederate invokes the updateUser() method of your Identity Store Provisioner in response to update-user requests made to PingFederate services, for example inbound provisioning. This method is responsible for updating the user in the user store managed by the Identity Store Provisioner.

The UpdateUserRequestContext will contain all information needed to fulfill the request (for example, user attributes). If the user data was successfully updated, a UserResponseContext should be returned containing the user's updated attributes. An IdentityStoreException should be thrown if an error occurred during the update process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.

Delete user

void deleteUser(DeleteUserRequestContext deleteRequestCtx)
throws IdentityStoreException

PingFederate invokes the deleteUser() method of your Identity Store Provisioner in response to delete-user requests made to PingFederate services, such as inbound provisioning. This method is responsible for deprovisioning the user in the user store managed by the Identity Store Provisioner.

The DeleteUserRequestContext will contain all information needed to fulfill the request (for example, a user ID). An IdentityStoreException should be thrown if an error occurred during the deprovision process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.

Note:

The plugin implementation for delete MAY choose not to permanently delete the resource, but MUST throw a NotFoundException for all readUser(), updateUser(), and deleteUser() operations associated with the previously deleted ID. In addition, the plugin MUST NOT consider the deleted user in conflict calculation. For example, a createUser() request for a user with a previously deleted ID should NOT throw a ConflictException.

Check for group provisioning support

boolean isGroupProvisioningSupported() 
throws IdentityStoreException

Implement the isGroupProvisioningSupported() method to return true if group provisioning is supported by your Identity Store Provisioner or false otherwise. An IdentityStoreException should be thrown if an error occurred during the query process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.

Create group

GroupResponseContext createGroup(CreateGroupRequestContext createRequestCtx) 
throws IdentityStoreException

PingFederate invokes the createGroup() method of your Identity Store Provisioner in response to create-group requests made to PingFederate services, for example inbound provisioning. This method is responsible for creating the group in the user store managed by the Identity Store Provisioner if isGroupProvisioningSupported() returns true; otherwise, it should throw NotImplementedException.

The CreateGroupRequestContext will contain all information needed to fulfill the request (for example, group attributes). If the group was successfully provisioned, a GroupResponseContext should be returned and contain the group attributes used to provision the group. An IdentityStoreException should be thrown if an error occurred during the creation process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.

Read group

GroupResponseContext readGroup(ReadGroupRequestContext readRequestCtx) 
throws IdentityStoreException

PingFederate invokes the readGroup() method of your Identity Store Provisioner in response to get-group requests made to PingFederate services, for example inbound provisioning. This method is responsible for retrieving group data from the user store managed by the Identity Store Provisioner if isGroupProvisioningSupported() returns true; otherwise, it should throw NotImplementedException.

The ReadGroupRequestContext will contain all information needed to fulfill the request (for example, group ID). If the group data was successfully retrieved, a GroupResponseContext should be returned and contain the group attributes for the group. An IdentityStoreException should be thrown if an error occurred during the retrieval process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.

Read groups

GroupsResponseContext readGroups(ReadGroupsRequestContext readRequestCtx) 
throws IdentityStoreException

PingFederate invokes the readGroups() method of your Identity Store Provisioner in response to list/query requests for group attributes made to PingFederate services, for example inbound provisioning. This method is responsible for retrieving group data from the user store managed by the Identity Store Provisioner if isGroupProvisioningSupported() returns true; otherwise, it should throw NotImplementedException.

Note:

The readGroups method is applicable only to the IdentityStoreProvisionerWithFiltering interface; it does not apply to the IdentityStoreProvisioner interface.

The ReadGroupsRequestContext will contain all information needed to fulfill the request (for example, a filter). If the group data was successfully retrieved, a GroupsResponseContext should be returned and contain the group attributes for the groups. An IdentityStoreException should be thrown if an error occurred during the retrieval process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.

Update group

GroupResponseContext updateGroup(UpdateGroupRequestContext updateRequestCtx) 
throws IdentityStoreException

PingFederate invokes the updateGroup() method of your Identity Store Provisioner in response to update-group requests made to PingFederate services, for example inbound provisioning. This method is responsible for updating the group in the user store managed by the Identity Store Provisioner if isGroupProvisioningSupported() returns true; otherwise, it should throw NotImplementedException.

The UpdateGroupRequestContext will contain all information needed to fulfill the request (for example, group attributes). If the group data was successfully updated, a GroupResponseContext should be returned containing the group's updated attributes. An IdentityStoreException should be thrown if an error occurred during the update process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.

Delete group

void deleteGroup(DeleteGroupRequestContext deleteRequestCtx) 
throws IdentityStoreException

PingFederate invokes the deleteGroup() method of your Identity Store Provisioner in response to delete-group requests made to PingFederate services, such as inbound provisioning. This method is responsible for deprovisioning the group in the user store managed by the Identity Store Provisioner if isGroupProvisioningSupported() returns true; otherwise, it should throw NotImplementedException.

The DeleteGroupRequestContext will contain all information needed to fulfill the request (for example, a group ID). An IdentityStoreException should be thrown if an error occurred during the deprovision process. See com.pingidentity.sdk.provision.exception package for different exceptions that can be thrown.