User provisioning is an important aspect of identity federation. Often when organizations enable SSO for their users, they must ensure that some form of account synchronization is in place. Automated user provisioning features within PingFederate free administrators from having to devise a manual strategy for this.
For IdP sites, PingFederate provides built-in automated provisioning and user-account management to SCIM-enabled service providers and to selected SaaS providers, via their proprietary provisioning APIs.
Outbound provisioning also provides an automated means of account disabling or deprovisioning, which may be of key importance to system auditors.
Support for provisioning for SaaS applications, including quick-connection templates to expedite the configuration effort, is available separately. Contact firstname.lastname@example.org for more information.
When outbound provisioning is enabled, the PingFederate runtime engine (the provisioner) polls the IdP organization's user store periodically. The server uses a separate database to monitor the state of the user store and keeps user data synchronized between the organization and the target service provider, as illustrated in the following diagram:
- LDAP user store: PingFederate provides built-in support for PingDirectory, Microsoft Active Directory, Oracle Unified Directory, and Oracle Directory Server; templates are used to pre-configure many provisioning settings. Although these are the only datastores formally tested and supported, other LDAP datastores will likely work as well.
- Internal datastore: PingFederate is tested with Amazon Aurora (MySQL and PostgreSQL), Microsoft SQL Server, Oracle Database, Oracle MySQL, and PostgreSQL as internal provisioning datastores. A demonstration-only, embedded HSQLDB database is installed by default. Scripts to aid setup are in the directory <pf_install>/pingfederate/server/default/conf/provisioner/sql-scripts.
Use the built-in HSQLDB only for trial or training environments. For testing and production environments, always use a secured external storage solution for proper functioning in a clustered environment.
Testing with HSQLDB is not a valid test. In both testing and production it might cause various problems because of its limitations, and cases involving HSQLDB are not supported by Ping Identity.
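The polling and state-tracking cycle described above can be illustrated with a small reconciliation loop. The following is an added example, not PingFederate code: it models one provisioner pass that reads a snapshot of the user store (a constructed list standing in for an LDAP search result), compares it with a state table (an in-memory SQLite database standing in for the internal provisioning datastore), and emits SCIM 2.0 create, update and deactivate requests for the target service provider. Disappeared users are deactivated (active set to false) rather than deleted, which is the account-disabling option the text mentions; the `make_scim_id` callback is an assumption standing in for the id the real SCIM server returns on create.

```python
"""Illustrative outbound-provisioning reconciliation (added example, not PingFederate code)."""
import sqlite3
from dataclasses import dataclass

# Constructed snapshots of the IdP user store, as two successive polls might see it.
POLL_1 = [
    {"uid": "alice", "mail": "alice@example.com"},
    {"uid": "bob", "mail": "bob@example.com"},
]
POLL_2 = [
    {"uid": "alice", "mail": "alice.w@example.com"},  # attribute change
    {"uid": "carol", "mail": "carol@example.com"},    # new user; bob is gone
]

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


@dataclass(frozen=True)
class ScimOp:
    method: str  # "POST" (create) or "PATCH" (update / deactivate)
    path: str
    body: dict


def open_state_db():
    """State table that mirrors what the provisioner last pushed to the target."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE state (uid TEXT PRIMARY KEY, scim_id TEXT, mail TEXT, active INTEGER)"
    )
    return conn


def _patch(scim_id, value):
    return ScimOp("PATCH", f"/Users/{scim_id}",
                  {"schemas": [PATCH_SCHEMA],
                   "Operations": [{"op": "replace", "value": value}]})


def reconcile(conn, polled_users, make_scim_id):
    """One provisioner pass: diff the poll against the state table.

    Returns the list of SCIM operations that would be sent, in order, and
    records the new state so that an identical next poll yields no operations.
    """
    ops = []
    polled = {u["uid"]: u for u in polled_users}
    known = {r[0]: r for r in conn.execute("SELECT uid, scim_id, mail, active FROM state")}

    for uid, user in polled.items():
        if uid not in known:
            # New in the user store: create on the target and remember its id.
            scim_id = make_scim_id(uid)  # assumption: stands in for the id the target returns
            ops.append(ScimOp("POST", "/Users",
                              {"schemas": [USER_SCHEMA], "userName": uid,
                               "emails": [{"value": user["mail"]}], "active": True}))
            conn.execute("INSERT INTO state VALUES (?, ?, ?, 1)", (uid, scim_id, user["mail"]))
        else:
            _, scim_id, mail, active = known[uid]
            if mail != user["mail"] or not active:
                # Changed attribute, or a previously disabled account that reappeared.
                ops.append(_patch(scim_id, {"emails": [{"value": user["mail"]}], "active": True}))
                conn.execute("UPDATE state SET mail = ?, active = 1 WHERE uid = ?", (user["mail"], uid))

    # Anything the target knows but the poll no longer returns is deprovisioned by disabling.
    for uid, (_, scim_id, _, active) in known.items():
        if uid not in polled and active:
            ops.append(_patch(scim_id, {"active": False}))
            conn.execute("UPDATE state SET active = 0 WHERE uid = ?", (uid,))

    conn.commit()
    return ops


if __name__ == "__main__":
    db = open_state_db()
    for n, poll in enumerate((POLL_1, POLL_2, POLL_2), start=1):
        for op in reconcile(db, poll, lambda uid: "id-" + uid):
            print(f"poll {n}: {op.method} {op.path} {op.body}")
```

Running the three polls in sequence shows the behaviour auditors care about: the first pass creates both accounts, the second updates alice, creates carol and disables bob, and the third (unchanged) pass sends nothing, because the state table already matches the target.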