For identity provider (IdP) sites, PingFederate provides built-in automated provisioning and user-account management to system for cross-domain identity management (SCIM)-enabled services providers and to selected software as a service (SaaS) providers through their proprietary provisioning APIs.
User provisioning is an important aspect of identity federation. When organizations enable SSO for their users, they must ensure that some form of account synchronization is in place. Automated user provisioning features within PingFederate free administrators from having to devise a manual strategy for this.
Outbound provisioning also provides an automated means of account disabling or deprovisioning, which might be of key importance to system auditors.
Support for provisioning for SaaS applications, including quick-connection templates to expedite the configuration effort, is available separately. Contact firstname.lastname@example.org for more information.
With outbound provisioning enabled, the PingFederate runtime engine, the provisioner, polls the IdP organization's user store periodically. The server uses a separate database to monitor the state of the user store and keeps user data synchronized between the organization and the target service provider, as illustrated in the following diagram.
- LDAP user store
- PingFederate provides built-in support for PingDirectory, Microsoft Active Directory, Oracle Unified Directory, and Oracle Directory Server; pre-configuration of many provisioning settings uses templates. Although Ping Identity has only formally tested these datastores for support, other LDAP datastores will likely work as well.
- Internal datastore
- PingFederate is tested with Amazon Aurora (MySQL and PostgreSQL), Microsoft SQL Server, Oracle Database, Oracle MySQL, and PostgreSQL as internal provisioning datastores. A demonstration-only, embedded HSQLDB database is installed by default. Scripts to aid setup are in the directory <pf_install>/pingfederate/server/default/conf/provisioner/sql-scripts.
Use the built-in HSQLDB only for trial or training environments. For testing and production environments, always use a secured external storage solution for proper functioning in a clustered environment.
Testing involving HSQLDB is not a valid test. In both testing and production, it might cause various problems due to its limitations and HSQLDB involved cases are not supported by PingIdentity.