User provisioning allows you to manage your users' status and permissions in your IdP and your applications from the PingOne for Enterprise admin console. Provisioning saves your admins time and improves security by ensuring consistency across your user experience.

How provisioning works

Your IdP must be configured to provision both users and groups to PingOne for Enterprise. PingOne for Enterprise Directory and AD Connect are automatically configured to do this. You must manually configure PingFederate.

For more information, see Configuring outbound provisioning in the PingFederate documentation.

PingOne for Enterprise will provision users to a target application when:

  • The IdP sends a group update with a membership change that references a user that already exists in PingOne for Enterprise.
  • The IdP sends a user update for a user that already exists in PingOne for Enterprise and is already a member of a tracked group.

Creating a new user and adding them to a provisioning group will result in outbound provisioning. The IdP provisions the user and PingOne for Enterprise takes no action. Then the IdP updates the group to include the new user and PingOne for Enterprise creates the user in the target application.

Editing a user that already exists in a provisioning group will result in outbound provisioning. The IdP provisions the user update and PingOne for Enterprise updates the user in the target application.
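
The two trigger rules and the new-user sequence above, replayed in a small Python model. This is an added example, not PingOne for Enterprise code: the class, function, group and user names are hypothetical, the events are constructed samples, and the model covers only the two rules as stated on this page.

```python
class ProvisioningModel:
    """Toy model of the two trigger rules above; not PingOne for Enterprise code."""

    def __init__(self, tracked_groups):
        self.tracked = set(tracked_groups)  # groups with provisioning enabled
        self.users = set()                  # users already known to PingOne
        self.members = {}                   # group name -> set of member names

    def user_update(self, user):
        """IdP pushes a user create or update."""
        existed = user in self.users
        self.users.add(user)
        tracked_member = any(user in self.members.get(g, ()) for g in self.tracked)
        # Rule 2: the user must already exist and already be in a tracked group.
        return [("update", user)] if existed and tracked_member else []

    def group_update(self, group, members):
        """IdP pushes a group's membership list."""
        added = set(members) - self.members.get(group, set())
        self.members[group] = set(members)
        if group not in self.tracked:
            return []
        # Rule 1: only added members that already exist are provisioned.
        # Removals are not modelled; the page does not describe them.
        return [("create", u) for u in sorted(added) if u in self.users]


def replay(events, tracked_groups=("sales",)):
    """Replay constructed IdP events; return the outbound actions per event."""
    model = ProvisioningModel(tracked_groups)
    out = []
    for kind, *args in events:
        handler = model.user_update if kind == "user" else model.group_update
        out.append(handler(*args))
    return out


# Constructed sample: the new-user flow, then an edit of that user.
NORMAL = [("user", "alice"), ("group", "sales", ["alice"]), ("user", "alice")]
# Constructed sample: the IdP sends user updates but never group updates.
USERS_ONLY = [("user", "bob"), ("user", "bob")]

if __name__ == "__main__":
    print(replay(NORMAL))
    print(replay(USERS_ONLY))
```

In the model, the first event for a new user produces no outbound action, and a stream with only user updates or only group updates never produces one.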

Group provisioning

PingOne for Enterprise doesn't support outbound group provisioning. To provision groups, you must configure provisioning in PingFederate.

For more information, see User provisioning in the PingFederate documentation.

Identity providers

PingOne for Enterprise supports user provisioning using the following IdPs:

Provisioning applications

The following Application Catalog applications support provisioning:

Provisioning setup

For general directions about configuring an Application Catalog application, see Add an application from the Application Catalog. For application-specific instructions, find the application in the PingOne for Enterprise Application Catalog documentation.

Note:

While configuring your application, keep the following in mind:

  • On the Connection Configuration tab, select the Set Up Provisioning check box.
  • On the Attribute Mapping tab, attributes marked as (provisioning) are used only for provisioning. Attributes marked as (sso) are used only for single sign-on (SSO).

After you finish configuring the application, ensure that your user groups have provisioning enabled. Go to Users > User Groups. Click Edit, and select the SSO and Provisioning check boxes for each application you want to enable for that group.

Provisioning troubleshooting

If you encounter provisioning problems, go to Dashboard > Reporting > Run New Report > Provisioning and run a provisioning activity report.

  • If you don't see any outbound requests for an application, check that the group mapped to that application is actually being updated by the IdP.
  • If you do see requests, but they result in errors, the error messages will usually indicate whether the issue is with the target application, the attribute mapping, or something else.
  • If you see group updates but no user updates, or user updates but no group updates, check the IdP configuration to ensure that the IdP is configured to provision both users and groups.