PingOne

Editing an inbound provisioning rule (early access)

You can edit an existing inbound rule to change the custom filter and attribute mapping.

You can’t change the source or target connection after a rule is created.

Steps

  1. In the PingOne admin console, go to Integrations > Provisioning

  2. On the Rules tab, click the appropriate rule to open the details panel to edit the following:

    • On Overview tab, click the Pencil icon () to edit the Name or Description.

    • On the Directory tab, click next to Users to enter or edit the following:

      • Click Add + to add another condition or condition set.

        • Select All or Any to determine how the linked conditions will be evaluated: Boolean logical AND or OR.

        • Attribute: The user attribute to filter on.

        • Operator: Equals is the only operator supported at this time.

        • Value: Enter the appropriate value.

          If you select a group in the filter, updating or deleting the group can cause the provisioning rule to resync.

          If you select a group in the filter, the filter will include all users with any kind of membership in the group. Learn more in Groups.

      • To delete a condition, click the the Delete icon ().

    • On the Attribute Mapping tab, click and enter or edit the following:

      • To add an attribute mapping, click Add and enter the source and target attributes.

      • To add a new source attribute, enter the attribute name. In the list, select the ADD:ADD:<attribute-name> attribute. Map the added attribute to a target attribute.

      • To use the expression builder, click the Gear icon (). Learn more in Using the expression builder.

      • To delete a mapping, click the Delete icon.

    • On the Onboarding Settings tab, click and enter or edit the following:

      • In the Populations list, select a population. When users are synced to PingOne, they’re added to the specified population.

      • In Authoritative Identity Provider, PingOne is automatically set as the authoritative identity provider (IdP).

      • Select the Set default password for new users checkbox to specify the default password in PingOne for users synced in from an external identity store as a source.

      • Click Define Password Logic, to create a complex password using the functions in the expression builder. Learn more in Using the expression builder.

      • Select the Force password reset on first sign on checkbox to force users to reset their password the first time they authenticate through PingOne.

      • In the MFA Device Management list, select one of the following to control how the provisioner can impact MFA devices that are managed by a PingOne service (for example, PingOne MFA and PingID):

        • Merge with devices in PingOne (default): Select this option to add a device from the identity store into a user’s existing device in PingOne.

        • Overwrite devices in PingOne: Select this option to replace configured user devices in PingOne from the identity store. Only new devices mapped under attribute mappings are added.

        • Do not manage devices: Select this option to disable device management. This option is recommended for users using PingID in the same environment and to avoid unexpected device unpairing from nickname conflicts. Inbound provisioning and PingID use the same device nicknames and cause device unpairing.

  3. Click Save.