Information on the Target screen indicates the provider's Web-service endpoint for provisioning users and, if required, credentials that PingFederate uses for authentication to the provisioning API for the service provider.


The target configuration settings vary among SCIM outbound provisioning and various SaaS provisioning.

For SCIM provisioning to PingOne® for Enterprise, sign on to the PingOne admin portal and review the target information on the Setup > Identity Repository tab.

For any SaaS Connector target, please refer to documentation in the add-on distribution package.

The following steps describe the fields required for the bundled PingFederate provisioning plugin for SCIM partners.

  1. Enter the endpoint for managing users in the Users Resource URL field; for example,
    This field is always required for SCIM outbound provisioning.
  2. Configure the rest of the outbound provisioning settings.
    Refer to the following table for detailed information about each field.
    Field Description
    Groups Resource URL The partner's group management endpoint; for example,

    Required if the partner supports this notion and groups should be provisioned.

    Authentication Method The authentication scheme that the partner's endpoints support.
    Available options:
    • None
    • Basic Authentication (Default)
    • OAuth 2.0 Bearer Token
    User, and


    Valid credentials to access the partner's endpoint.

    Required if Basic Authentication is the selected authentication method.

    Client ID, Client Secret, and

    Token Endpoint URL

    Valid OAuth client credentials and token endpoint to access the partner's endpoint.

    Required if OAuth 2.0 Bearer Token is the selected authentication method.

    SCIM SP Supports Patch Updates Clear this check box if the partner does not support PATCH updates.

    SCIM specification (

    This check box is selected by default.

    Provision Groups with Distinguished Name Select this check box to provision groups by supplying complete LDAP DNs, rather than only common names (CNs), to identify groups.

    Some SCIM partners, including For information about PATCH, see the PingOne for Enterprise, allow administrators to parse full DNs when necessary (for example, in the case of duplicate CNs) to determine group access mapping to specific applications based on other DN elements. Consult the partner for its requirement.

    This check box is selected by default.

    Deprovision Method Deprovisioning is triggered when previously provisioned users no longer meet the condition set in the Manage Channels > Channel > Source Location screen.
    Available options:
    • Disable User (Default)

      This option deactivates the user accounts.

    • Delete User

      For information about PATCH,This option removes the user accounts.


      For SaaS provisioning, the provisioner does not necessarily remove deprovisioned users from target data stores in accordance with common practice. Rather their status is changed to indicate that the accounts are no longer active.

    Rate Limit Error Code The expected error code returned by the partner based on its rate-limiting threshold.

    The default value is 429.

  3. Click Next.

    For some provisioning plugins (including the built-in SCIM outbound provisioner),when you first enter or change credentials and click Next, PingFederate immediately tests connectivity to the target.