Typically, the identity provider (IdP) repository maintains user accounts in an identity federation. However, a service provider (SP) often has its own set of user accounts, which might not always correspond to IdP users.
The SP might need to establish and maintain parallel accounts for remote single sign-on (SSO) users to enforce authorization policy, customize user experience, comply with regulations, or a combination of such purposes.
PingFederate provides two kinds of user provisioning for browser-based SSO to facilitate cross-domain account management, one designed for an IdP, and one for an SP:
- At an IdP site, an administrator automatically provisions and maintains user accounts for partner SPs that have implemented the System for Cross-domain Identity Management (SCIM) or, when using optional plugin software as a service (SaaS) connectors, for selected hosted-software providers.
- At an SP site, an administrator provisions accounts within the organization automatically from SCIM-enabled IdPs or uses information from SAML assertions received during SSO events.
For more information, see User provisioning.