For inbound provisioning, the mapping is applied to the attribute coming from the source identity store before it is saved to the PingOne directory.
  1. Go to Integrations > Provisioning.
  2. On the Rules tab, find the appropriate rule and click it to open the details panel.
  3. Click the Configuration tab.
  4. Click Attribute mapping.

    You must have a source and target connection configured before you can set up attribute mapping.

  5. Click the Pencil icon to edit the attribute mapping.

    For inbound provisioning rules, the display names of some attributes have changed. For more information, see Updates to inbound provisioning attributes.

  6. Review the attribute mappings for the configured identity store.

    The source attribute mappings for a particular identity store are provided. For more information, see Mapping attributes.

    Add an attribute mapping Click + Add. Enter the source and target attributes.
    Add a new source attribute Enter the attribute name. In the list, select the ADD:<attribute-name> attribute. Map the added attribute to a target attribute.
    Use the expression builder Click the Gear icon. Learn more in Using the expression builder.
    Delete a mapping Click the Delete icon.
  7. Click Next.
    For inbound provisioning, you can specify additional options for onboarding new users. For inbound provisioning, the mapping is applied to the attribute coming from the source identity store before it is saved to the PingOne directory.
  8. Enter the following as part of PingOne user onboarding:
    Option Description


    Select a population from the list. When users are synced to PingOne, they will be added to the specified population.

    Authenticate via AD/LDAP

    Specify whether to authenticate the user through the Active Directory or LDAP gateway user directory.

    If you select Yes, PingOne will be automatically set as the Authoritative identity provider. If you select Yes, specify a Gateway user type. If you select No, specify an Authoritative identity provider.

    Authoritative identity provider

    If you selected No for Authenticate via AD/LDAP, select the identity provider that will have authority over user records and credentials.

    PingOne is the default, but if you've configured another IdP you can select it here. Learn more in Authoritative identity providers.

    If you select PingOne as the Authoritative identity provider, specify the following options:
    • Set Password (check box): Determine whether to specify a default password for new users.
    • Set Password (field): Specify the default password in PingOne for users synced in from an external identity store as a source. Click Set password and then enter a literal value. You can also create a complex password using the functions in the expression builder. Learn more in Using the expression builder.

      You should use strong passwords, even for temporary passwords.

    • Reset their password on first login: Force users to reset their password the first time they authenticate through PingOne.

    Gateway user type

    If you selected Yes for Authenticate via AD/LDAP, select a gateway user type. The user type identifies users in the external directory. You must define a user type to use external authentication.

    MFA Device Management

    If your users have MFA devices that are managed by a PingOne service (e.g. PingOne MFA, PingID), this setting controls how the inbound provisioner can impact those devices. Select from the following options.

    • Merge with devices in PingOne (default): Select this option to add a device from the identity store into a user’s existing device in PingOne.
    • Overwrite devices in PingOne: Select this option to replace configured user devices in PingOne from the identity store. Only new devices mapped under attribute mappings are added.
    • Do not manage: Select this option to disable device management . This option is recommended for users who are using PingID in the same environment and to avoid unexpected device unpairing from nickname conflicts. Inbound provisioning and PingID use the same device nicknames and causes device unpairing.

    Learn more about MFA device management in Authentication method management for inbound provisioning.

  9. Click Finish.