Known issues

  • Avoid naming department and location objects with the same format as ServiceNow system IDs, such as 972456281bcc3010dbb0dd7ebd4bcbcc. This might cause users to be provisioned with an incorrect department or location.

Known limitations

  • Attributes
    • Due to limitations in PingFederate, user attributes cannot be cleared after they are set.
    • Due to a limitation with PingFederate 9.0 and 9.0.1, the manager attribute cannot be mapped and used. There is no impact to other functionality.
    • When using the manager attribute, if the user's manager is not managed by the provisioner, the user is created but an exception is thrown, and PingFederate continues to retry the user indefinitely.
    • User role values must contain only URL-safe characters.
    • Due to a limitation in the ServiceNow API, the ServiceNow Connector requires additional security permissions to be able to remove roles from users. If you try to remove a role from a user without granting these permissions, your data store will become out of sync with ServiceNow, and an error will appear in provisioner.log. You can grant the permissions as shown in Adding the Ping Identity provisioning role in ServiceNow.
  • Provisioning
    • PingFederate uses the Username attribute to synchronize users between the data store and ServiceNow, as described in User management. When attempting to provision a user that does not have a Username, PingFederate logs an error in provisioner.log and keeps trying until the Username is present.
    • When provisioning users, the username attribute must contain only URL-safe characters.
    • If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information from the create operation.
    • For department objects that contain the ^ character in the name, the ServiceNow API causes the creation of multiple departments with the same name.
    • For the department and location objects, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments or locations in ServiceNow (such as Accounting and accounting), PingFederate provisions the user with an empty department or location attribute and logs an error in provisioner.log.
  • Deprovisioning
    • When an LDAP user is deleted in a targeted group distinguished name (DN), the provisioning connector does not propagate the deletion until a new user is added to the group. This limitation is compounded when the User Create provisioning option is disabled. For solutions, see SaaS provisioner does not remove the user in the Knowledge Base.
  • Performance
    • When synchronizing user roles, PingFederate performs multiple calls to the ServiceNow API. This can impact provisioning performance.
    • When using the default mapping for the manager attribute, the process for adding a manager involves an Active Directory search, followed by a database lookup to get the ServiceNow manager ID. This can impact provisioning performance. To improve performance, you can use a custom attribute mapping to link the manager attribute to a manager's email.
  • Configuration
    • When using multiple channels, the same Username mapping is required to coordinate manager assignments across different channels.
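
Several of the data constraints above can be checked in the source data before a channel is enabled: names with the same format as a system ID, ^ in department names, names that differ only by capitalization, and missing or non-URL-safe usernames and role values. The following is an added example, not part of the connector or its documentation; the record layout, the function names and the reading of "URL-safe" as the RFC 3986 unreserved characters are assumptions.

```python
import re
from collections import defaultdict

# Assumption: "URL-safe" is taken to mean the RFC 3986 unreserved set;
# the page does not define the exact character set.
URL_SAFE = re.compile(r"[A-Za-z0-9._~-]+")
# Shape of the system ID shown under Known issues: 32 hexadecimal characters.
SYS_ID = re.compile(r"[0-9a-fA-F]{32}")

def check_names(kind, names):
    """Findings for department or location names (kind is a label)."""
    findings, folded = [], defaultdict(set)
    for name in names:
        folded[name.casefold()].add(name)
        if SYS_ID.fullmatch(name):
            findings.append(f"{kind} {name!r}: same format as a system ID")
        if kind == "department" and "^" in name:
            findings.append(f"{kind} {name!r}: contains '^'")
    for variants in folded.values():
        if len(variants) > 1:  # the ServiceNow API ignores capitalization
            findings.append(f"{kind} {sorted(variants)}: differ only by case")
    return findings

def check_users(users):
    """Findings for missing or non-URL-safe usernames and role values."""
    findings = []
    for user in users:
        name = user.get("username")
        label = name or user.get("dn", "<unknown>")
        if not name:
            findings.append(f"user {label!r}: no Username")
        elif not URL_SAFE.fullmatch(name):
            findings.append(f"user {label!r}: Username is not URL-safe")
        for role in user.get("roles", []):
            if not URL_SAFE.fullmatch(role):
                findings.append(f"user {label!r}: role {role!r} is not URL-safe")
    return findings

# Constructed sample data, not taken from a real directory.
USERS = [
    {"username": "jdoe", "roles": ["itil"]},
    {"username": "a b", "roles": ["itil"]},
    {"dn": "cn=nouser,ou=people", "roles": ["catalog admin"]},
]
DEPARTMENTS = ["Accounting", "accounting", "R^D", "972456281bcc3010dbb0dd7ebd4bcbcc"]

if __name__ == "__main__":
    for finding in check_users(USERS) + check_names("department", DEPARTMENTS):
        print(finding)
```

Run the same name check with kind set to "location" for location objects; the ^ test applies only to departments, as in the limitation above.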