Indicate on the Source Location screen where PingFederate should look for user records in the datastore. The same location may be used to retrieve user-group DNs for maintaining corresponding groups at the service provider.

Source Location

After specifying the required base DN, you have the options to provision users (and groups when applicable) based on group membership information or LDAP search results.

Note:

Groups provisioning is supported for SCIM and the Google Apps Connector (version 2.0 and higher) but may not be supported for other SaaS Connectors. If not, the associated fields under Groups on the Source Location screen are inactive. Support for the feature may become available in future SaaS Connector releases; please refer to documentation in your add-on distribution package.

  1. Enter the base DN where user records are stored in the Base DN.

    PingFederate looks only at this node level or below it for user accounts (and groups when applicable) that need to be provisioned, based on the conditions set in the next step.

  2. Specify group membership information or an LDAP filter to search for users (and groups when applicable) to be provisioned, as described in the following table:
    Object Field description
    Users Group DN

    The distinguished name (DN) of a group in the user repository whose member groups should be provisioned.

    (Optional) Select the Nested Search check box to include users that are members of the specified group through nested group membership. Nested group membership is preserved for SCIM provisioning (and SaaS provisioning if the vendor and the SaaS Connectors support hierarchical structure in groups).
    Note:

    The Nested Search feature is available when Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server is selected as the source user repository (see Identifying the source datastore).

    Filter

    An LDAP search filter that returns user objects representing the users that should be provisioned.

    For information about LDAP filters, refer to your LDAP documentation. Note that you may need to escape any special characters.

    Important:

    The Group DN field is ignored when a Filter field value is configured.

    Groups (when applicable) Group DN

    The distinguished name (DN) of the group in the user repository that should be provisioned.

    (Optional) Select the Nested Search check box to include groups that are members of the specified group through nested group membership. Nested group membership is preserved for SCIM provisioning (and SaaS provisioning if the vendor and the SaaS Connectors support hierarchical structure in groups).
    Note:

    The Nested Search feature is available when Microsoft Active Directory, Oracle Unified Directory, or Oracle Directory Server is selected as the source user repository (see Identifying the source datastore).

    Filter

    An LDAP search filter that returns group objects representing the groups that should be provisioned.

    For information about LDAP filters, refer to your LDAP documentation. Note that you may need to escape any special characters.

    Important:

    The Group DN field is ignored when a Filter field value is configured.

    If both the Group DN field and the Filter field are blank, no groups will be provisioned.

  3. Click Next.