Mapping the group attribute from an external identity provider
If the external identity provider (IdP) includes group information in its security tokens (ID tokens from an OpenID Connect (OIDC) identity provider or assertions from a Security Assertion Markup Language (SAML) IdP), you can add a mapping between the External Group Names attribute in PingOne and the inbound attribute name from the external IdP.
Steps
- In the PingOne admin console, go to Integrations > External IdPs and browse or search for the appropriate IdP.
- Click the IdP to open the details panel.
- On the Attributes tab, click the Pencil icon.
- Click Add.
- For PingOne user profile attribute, select External Group Names.
- For the external IdP attribute, enter the inbound attribute name from the external IdP.
- For Update condition, select one of the following:
  - Always: Update the group information in PingOne every time the user authenticates from the external IdP.
  - Empty only: Update the group information in PingOne only if there is no value for the attribute in PingOne.
- Click Save.
Learn more in Just-in-time provisioning of external groups.
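
The following is an added example, not PingOne code: a small model of the two Update condition options as the steps above describe them, replayed over two constructed, unsigned OIDC ID tokens from successive sign-ons. The claim name `groups`, the token contents, and all function names are assumptions made for the illustration.

```python
import base64
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped token for this demo only."""
    header = _b64url(json.dumps({"alg": "none"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def read_claims(id_token: str) -> dict:
    """Decode the payload for inspection; no signature check happens here."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def inbound_groups(claims: dict, attribute_name: str) -> list:
    """Return the group names under the inbound attribute (string or list)."""
    value = claims.get(attribute_name, [])
    return [value] if isinstance(value, str) else [str(v) for v in value]

def apply_update(stored: list, inbound: list, condition: str) -> list:
    """Model of the Update condition options as the steps describe them."""
    if condition == "Always":
        return list(inbound)  # overwritten on every sign-on
    if condition == "Empty only":
        return list(stored) if stored else list(inbound)
    raise ValueError(f"unknown update condition: {condition}")

def simulate(tokens: list, attribute_name: str, condition: str) -> list:
    """Replay successive sign-ons and return the groups stored at the end."""
    stored = []
    for token in tokens:
        groups = inbound_groups(read_claims(token), attribute_name)
        stored = apply_update(stored, groups, condition)
    return stored

# Constructed sample: the IdP drops "admins" between two sign-ons.
FIRST = make_unsigned_token({"sub": "user-1", "groups": ["finance", "admins"]})
SECOND = make_unsigned_token({"sub": "user-1", "groups": ["finance"]})

if __name__ == "__main__":
    for condition in ("Always", "Empty only"):
        print(condition, "->", simulate([FIRST, SECOND], "groups", condition))
    # A mistyped inbound attribute name maps nothing.
    print("memberOf ->", simulate([FIRST, SECOND], "memberOf", "Always"))
```

In this model, Empty only keeps the group that the IdP removed between the two sign-ons, which is the case to weigh when group names feed access decisions.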