Your external datastore acts as the source of data for provisioning. PingFederate also uses an internal datastore to store the state of synchronization between the source datastore and the target datastore.

For more information, see Datastores in the PingFederate documentation.

  1. Configure the datastore for PingFederate to use as the source of user data.

    For instructions, see Datastores in the PingFederate documentation.


    When targeting users and groups for provisioning, exclude the user account that you will use to administer users in your connection to PingOne for Enterprise. This prevents the PingFederate provisioning engine from interfering with the account that provisions users and groups.

  2. Do one of the following:
    • For PingFederate 10.1 or later: Go to System > Server > Protocol Settings.
    • For PingFederate 10.0 or earlier: Enable the identity provider (IdP) and outbound provisioning roles:
      1. Go to System > Protocol Settings > Roles & Protocols.
      2. Select Enable Identity Provider (IdP) Role and Support the Following.
      3. Select Outbound Provisioning. Click Next.
  3. On the Outbound Provisioning tab, select the PingFederate internal datastore. Click Save.

    For help, see Configuring outbound provisioning settings in the PingFederate documentation.