1. Go to Integrations > Provisioning.
  2. Click + and then click New connection.
  3. On the Identity Store row, click Select.
  4. Click SCIM Outbound, click Select, and then click Next.
  5. Enter a name and description for this provisioning connection.
    The connection name appears in the provisioning list after you've saved the connection.
  6. Click Next.
  7. On the Configure authentication panel, enter the following:
    • SCIM base URL: The fully qualified URL to use for the SCIM resources, such as https://scim-example.com/v2/.
    • Users resource: The endpoint for the SCIM User resource.
    • SCIM version: The SCIM version to use for the connection.
    • Authentication method: The SCIM authentication method to use for the connection.
    You can choose to use no authentication (None). For all other methods, additional entry fields are displayed, depending on the selected authentication method.
    Note:

    Basic Authentication provides limited security:

    • The identity store configuration contains the Basic Auth credentials that you provide.
    • The authentication scope is exactly that of the Basic Auth user, rather than some subset of the user data.

    If possible, you should use the OAuth 2 Bearer Token or OAuth 2 Client Credentials authentication methods.

    • Basic Authentication
      • Basic Auth User: Enter the Basic Auth user for the identity store.
      • Basic Auth Password: Enter the Basic Auth user password for the identity store.
      • Auth Type Header: Select Basic, Bearer, OAuth Client Credentials, or Custom (to supply your own header configuration).
        If you select Custom, the Custom Header entry field is displayed. Enter the custom header configuration.
        Note:

        Custom headers added here will be added only as authorization headers in the request.

    • OAuth 2 Bearer Token
      • OAuth Access Token: Enter the OAuth access token value supplied by the authorization server for the identity store.
      • Auth Type Header: Select Basic, Bearer, OAuth Client Credentials, or Custom (to supply your own header configuration).
        If you select Custom, the Custom Header entry field is displayed. Enter the custom header configuration.
        Note:

        Custom headers added here will be added only as authorization headers in the request.

    • OAuth 2 Client Credentials
      • OAuth Token Request: Enter the endpoint URL used to obtain an access token, such as https://scim-example.com/as/token.oauth2.
      • OAuth Client ID: Enter the client ID registered with the OAuth server for the provisioning identity store.
      • OAuth Client Secret: Enter the client secret value associated with the OAuth client ID.
      • Auth Type Header: Select Basic, Bearer, OAuth Client Credentials, or Custom (to supply your own header configuration).
        If you select Custom, the Custom Header entry field is displayed. Enter the custom header configuration.
        Note:

        Custom headers added here will be added only as authorization headers in the request.

  8. Click Test connection to verify that PingOne can establish a connection to the SCIM resource.

    If there are any issues with the connection, a Test Connection Failed dialog box opens. Click Continue to resume the setup with an invalid connection.

    Important:

    You cannot use the connection for provisioning until you have established a valid connection to SCIM. Click Cancel in the Test Connection Failed dialog box and repeat step 7 to try again.

    Learn more about troubleshooting your connection in Troubleshooting Test Connections Failure.
  9. On the Configure preferences page, enter the user filter and the action to take when deprovisioning users.

    The filtering parameters are optional.

    • User filter expression: Determines how the connection uses the specified User Identifier to match existing users in the target identity store to the users being provisioned from the source identity store. For more information, see SCIM filter expressions.
    • User identifier: The identifier for the user filter expression.
    • Custom Attribute Schema URNs (optional): A comma-delimited list of schema URNs to define a location for custom attributes. Use this option if the SCIM provider does not follow the standard naming convention for schema extensions in which custom attributes are defined. That is, URNs of the form urn:ietf:params:scim:schemas:extension:<Organization Name>:2.0:User.
    • Allow users to be created: Determines whether to create a user in the target identity store when the user is created in the source identity store.
    • Allow users to be updated: Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.
    • Allow users to be disabled: Determines whether to disable a user in the target identity store when the user is disabled in the source identity store.
    • Allow users to be deprovisioned: Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.
    • Remove action: The action to take when removing a user from the target identity store.
    • Deprovision on rule deletion: Determines whether to deprovision users if the associated provisioning rule is deleted.
  10. Click Finish.

The SCIM provisioning profile is complete and is added to the list of provisioning profiles on the Provisioning page.

To sync group members out of PingOne into a software as a service (SaaS) application, follow the instructions in Configuring outbound group provisioning.
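
The following is an added example, not part of the PingOne documentation or product: a pre-flight review of the values entered in steps 7 and 9, run before they are typed into the console. The dictionary key names and the sample values are assumptions made for the example; the authentication method names mirror the labels in step 7.

```python
import re
from urllib.parse import urlsplit

# Standard extension URN form quoted in step 9 of the procedure.
STANDARD_EXT = re.compile(r"^urn:ietf:params:scim:schemas:extension:[^:\s]+:2\.0:User$")

def https_findings(label, url):
    """Flag a URL that is not fully qualified or is not https."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.hostname:
        return [f"{label}: not a fully qualified URL"]
    if parts.scheme.lower() != "https":
        return [f"{label}: {parts.scheme} is not https, credentials and tokens are exposed in transit"]
    return []

def review_connection(cfg):
    """Review step 7 and step 9 values; cfg key names are hypothetical."""
    findings = https_findings("SCIM base URL", cfg.get("scim_base_url"))
    method = cfg.get("auth_method", "None")
    if method == "None":
        findings.append("Authentication method: None, requests carry no credentials")
    elif method == "Basic Authentication":
        findings.append("Authentication method: Basic, a stored password with "
                        "the full scope of the Basic Auth user")
    elif method == "OAuth 2 Client Credentials":
        findings += https_findings("OAuth Token Request", cfg.get("oauth_token_request"))
    elif method != "OAuth 2 Bearer Token":
        findings.append(f"Authentication method: unknown value {method!r}")
    # Custom Attribute Schema URNs is a comma-delimited list.
    for urn in (u.strip() for u in cfg.get("custom_schema_urns", "").split(",")):
        if not urn:
            continue
        if not urn.lower().startswith("urn:"):
            findings.append(f"Custom schema URN {urn!r}: not a URN")
        elif STANDARD_EXT.match(urn):
            findings.append(f"Custom schema URN {urn!r}: already in the standard "
                            "form, the option is for providers that do not use it")
    return findings

# Constructed sample settings, not taken from a real tenant.
WEAK = {"scim_base_url": "http://scim-example.com/v2/",
        "auth_method": "Basic Authentication",
        "custom_schema_urns": "urn:ietf:params:scim:schemas:extension:acme:2.0:User, acme-custom"}
HARDENED = {"scim_base_url": "https://scim-example.com/v2/",
            "auth_method": "OAuth 2 Client Credentials",
            "oauth_token_request": "https://scim-example.com/as/token.oauth2",
            "custom_schema_urns": "urn:acme:scim:custom:User"}

if __name__ == "__main__":
    print(review_connection(WEAK), review_connection(HARDENED))
```

The weak settings produce four findings (cleartext base URL, Basic Authentication, and two problems in the URN list); the hardened settings produce none.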