User provisioning is an important aspect of identity federation. When organizations enable SSO for their users, they must ensure that some form of account synchronization is in place. Automated user provisioning features within PingFederate free administrators from having to devise a manual strategy for this.

Outbound provisioning also provides an automated means of account disabling or deprovisioning, which might be of key importance to system auditors.


Support for provisioning for SaaS applications, including quick-connection templates to expedite the configuration effort, is available separately. Contact for more information.

With outbound provisioning enabled, the PingFederate runtime engine, the provisioner, polls the IdP organization's user store periodically. The server uses a separate database to monitor the state of the user store and keeps user data synchronized between the organization and the target service provider, as illustrated in the following diagram.

Diagram depicting the outbound provisioning processing that occurs between PingFederate and the service provider.
LDAP user store
PingFederate provides built-in support for PingDirectory, Microsoft Active Directory, Oracle Unified Directory, and Oracle Directory Server; pre-configuration of many provisioning settings uses templates. Although Ping Identity has only formally tested these datastores for support, other LDAP datastores will likely work as well.
Internal datastore
PingFederate is tested with Amazon Aurora (MySQL and PostgreSQL), Microsoft SQL Server, Oracle Database, Oracle MySQL, and PostgreSQL as internal provisioning datastores. A demonstration-only, embedded HSQLDB database is installed by default. Scripts to aid setup are in the directory <pf_install>/pingfederate/server/default/conf/provisioner/sql-scripts.

Use the built-in HSQLDB only for trial or training environments. For testing and production environments, always use a secured external storage solution for proper functioning in a clustered environment.

Testing involving HSQLDB is not a valid test. In both testing and production, it might cause various problems due to its limitations and HSQLDB involved cases are not supported by PingIdentity.