Mapping the group attribute from an external identity provider
If the external identity provider includes group information in its security tokens (ID tokens from an OIDC identity provider or assertions from a SAML identity provider), you can add a mapping between the External Group Names attribute in PingOne and the inbound attribute name from the external identity provider.
Steps
-
Go to Integrations → External IdPs.
-
Locate the appropriate identity provider.
-
Click the Details icon to expand the identity provider, and then click the pencil icon.
-
Click the Attributes tab.
-
Click Add Attribute.
-
For PingOne user profile attribute, select External Group Names.
-
For the external identity provider attribute, enter the inbound attribute name from the external identity provider.
-
For Update condition, select one of the following:
-
Always. Update the group information in PingOne every time the user authenticates from the external identity provider.
-
Empty only. Update the group information in PingOne only if there is no value for the attribute in PingOne.
-
-
Click Save.
For more information, see Just-in-time provisioning of external groups.