If the external identity provider includes group information in its security tokens (ID tokens from an OIDC identity provider or assertions from a SAML identity provider), you can add a mapping between the External Group Names attribute in PingOne and the inbound attribute name from the external identity provider.
- Go to .
- Locate the appropriate identity provider.
- Click the Details icon to expand the identity provider, and then click the pencil icon.
- Click the Attributes tab.
- Click + Add Attribute.
- For PingOne user profile attribute, select External Group Names.
- For the external identity provider attribute, enter the inbound attribute name from the external identity provider.
For Update condition, select one of the following:
- Always. Update the group information in PingOne every time the user authenticates from the external identity provider.
- Empty only. Update the group information in PingOne only if there is no value for the attribute in PingOne.
For more information, see Just-in-time provisioning of external groups.