Provisioning

Create a connection that defines the source or target identity store for identities. You can then set up rules to define which identities from the source identity store are provisioned. Rules define which users are provisioned and how attributes are mapped between the source identity store and the target identity store.

Rules include:

You can use some connection types for outbound provisioning, some for inbound provisioning, and some for both.

For outbound provisioning, identities flow from PingOne to an external identity store. PingOne is the source and the external identity store is the target. For outbound provisioning, changes are near real-time. When there is a change to a user in PingOne, the target identity store is updated immediately.

For inbound provisioning, identities flow from an external identity store to PingOne. The external identity store is the source and PingOne is the target.

For inbound provisioning with the Workday provisioner, a polling mechanism checks the source identity store every 15 minutes. When there is a circuit breaker due to polling failure, reset is 12 hours. After 12 hours, the polling mechanism will attempt to run a full re-sync for the associated provisioning rule. For LDAP inbound poll failure, the reset is 30 minutes. Learn more about sync status in Sync Status and Viewing sync status.

We recommend that you use the SCIM provisioning connection for outbound provisioning only. For importing identities into PingOne, use the SCIM Users API. Learn more in Using the SCIM API to import users.

The following table shows the connection type: