User provisioning is an important aspect of identity federation. When organizations enable SSO for their users, they must ensure that some form of account synchronization is in place. Automated user provisioning features within PingFederate free administrators from having to devise a manual strategy for this.

When configured as an SP, PingFederate offers two provisioning options:

Inbound provisioning

SCIM inbound provisioning provides support for incoming SCIM messages containing requests to create, read, update, delete, or deactivate user and group records in Microsoft Active Directory datastores or custom user stores through the Identity Store Provisioners. PingFederate supports SCIM attributes in the core schema and custom attributes through a schema extension. Configuring this provisioning feature has two options: by itself or in conjunction with SSO or other connection types.

In effect, inbound provisioning provides an organization with a dedicated SCIM service provider, which routes user-managment requests to an organization's centralized user store. The requests usually originate from trusted applications within an organization, such as a human-resources on-boarding software as a service (SaaS) product, or from trusted partner identity providers (IdPs).

For setup information, see Configuring SCIM inbound provisioning. To integrate inbound provisioning with custom user stores, see Configuring Identity Store Provisioners. For application-development information about using PingFederate endpoints for SCIM provisioning, see SCIM inbound provisioning endpoints.

Just-in-time provisioning

At an SP site, PingFederate creates and updates local user accounts in an external LDAP directory or Microsoft SQL Server as part of SSO processing, called Just-in-time (JIT) provisioning or, formerly, Express Provisioning. When provisioning requires local accounts, this feature allows SPs to maintain accounts for users who authenticate through IdP partners without having to provision accounts manually.

When configured, the PingFederate SP server writes user information to the local user store using attributes from the incoming SAML assertion. For SAML 2.0 partner connections, supplement assertion attributes with user attributes returned from an Attribute Query.

PingFederate also updates existing user accounts based on assertions. Using this option, PingFederate adds or overwrites attributes for a local user account each time PingFederate processes SSO for a user.

For information about enabling JIT Provisioning, see Choosing IdP connection options. For configuration information, see Configuring just-in-time provisioning.