Ping Identity SCIM Integration
Swimlane Turbine supports SCIM 2.0 integration with Ping Identity. This integration enables administrators to automatically provision and de-provision users and groups from Ping to Swimlane Turbine using the SCIM standard. SCIM helps customers manage onboarding and offboarding of users centrally in Ping without logging in to Swimlane Turbine for manual user management.

How to Configure Ping Identity SCIM

Use this section to configure a SCIM outbound provisioning connection and provisioning rules in Ping Identity.

1. Sign in to the Ping Identity (PingOne) administrative console.
2. In the left navigation menu, under Integrations, click Provisioning.
3. On the Provisioning page, click the plus (+) icon.
4. Click New Connection.
5. Under Choose a connection type, click Select next to Identity Store.
6. From the available options, select Provisioning Identity Store SCIM Outbound.
7. Click Next.
8. Customize the connection details:
   - Name (required)
   - Description
   - Icon (optional)
9. Click Next.

Configure Authentication Settings

Under Authentication Configuration, enter the following values.

To obtain the PAT in Swimlane Turbine:

1. Go to Edit Profile.
2. Click Personal Access Token.
3. Copy the token value.

Configure Preferences

Ensure the username attribute is mapped to the email field in the attribute mapping before configuring preferences. The username value must be in email format.

Under Configure Preferences, configure the following fields.

Under User Actions, enable the following options:

- Enable users creation
- Enable users updation
- Enable users disable
- Enable users deprovision

Under Remove Action, select Delete.

(Optional) Click Test Connection to validate the configuration.

Click Save.

The SCIM connection is now created.

For detailed configuration steps, refer to https://docs.pingidentity.com/pingone/integrations/p1_create_scim_connection.html

Creating a Provisioning Rule

After creating the SCIM connection, you must create a provisioning rule to define how users and groups are synced.

1. On the Provisioning page, click the plus (+) icon.
2. Click New Rule.
3. From the list of available connections, locate the SCIM connection you just created.
4. Click the plus (+) icon next to the connection.
5. Click Continue.
6. Enter the rule details:
   - Name (required)
7. Click Next.

Configure Directory Settings

The directory configuration includes User Filter and Groups.

Configure User Filter

1. Under User Filter, click Add Condition.
2. Configure the filter as follows:
   - Attribute: Population Name
   - Operator: Equals
   - Value: Default (or a custom population you created)
3. Click Save.

Population Name is a mandatory condition and determines which users are provisioned.

Configure Groups

1. Under Groups, click Add Groups.
2. Select the Ping Identity groups to include in provisioning.
3. Click Next.

Field Mapping Requirements

Ping Identity requires the SCIM userName attribute as the primary identifier. For Swimlane integration, the Ping Email field must be mapped to the SCIM userName attribute. Swimlane uses this value as the user's email and unique identifier.

Swimlane Turbine requires additional attributes, including display name, first name, and last name. If Ping sends empty or missing values, Swimlane automatically populates them to ensure successful provisioning.

Configure attribute mappings as shown in the following screenshot and table.

Verify that required attributes are mapped correctly.

The provisioning rule is now active.

Use Cases

User Provisioning

Users are provisioned to Swimlane based on the population name defined in the provisioning rule in Ping Identity.

User provisioning in Ping Identity is controlled by population-based rules:

- Every user in Ping Identity is assigned to a population.
- A provisioning rule defines which population(s) are eligible for user provisioning.
- Only users that match the population criteria defined in the rule are synced to Swimlane Turbine.

User Sync Behavior

- Users are provisioned to Swimlane only if they match the population rule.
- Users outside the defined population are not provisioned, even if they belong to a synced group.

Take the following steps to create a new user in Ping Identity:

1. In the left navigation menu, click Directory.
2. Click Users.
3. Click the plus (+) icon.
4. Click Create New User.
5. Enter the required user details:
   - Given Name
   - Family Name
   - Username
   - Email
   - Population (defaults to Default)
   - Authoritative Identity Provider: PingOne
6. Click Save.

The user is provisioned to Swimlane Turbine based on the configured rule and group mappings.

Group Provisioning

Group provisioning in Ping Identity is controlled through provisioning rules and is evaluated independently from user population rules.

Group Sync Behavior

- Groups selected in the provisioning rule are synced to Swimlane Turbine.
- If a group already exists in Swimlane:
  - The group is updated to reflect new users.
  - Existing users, roles, and permissions remain unchanged.
- Group names are treated as case-insensitive.

Interaction Between Groups and User Population Rules

Group synchronization and user synchronization are evaluated independently.

Behavior

- If a group is included in the provisioning rule but users do not match the population criteria:
  - The group is synced to Swimlane.
  - Users within the group are not provisioned.
- If a user matches the population rule but the group is not included:
  - The user is provisioned.
  - No group association is created in Swimlane.

Group Deprovisioning

Removing Groups from a Provisioning Rule

When a group is removed from a provisioning rule in Ping Identity:

- The group is removed from Swimlane Turbine.
- All user-group associations for that group are removed.
- Users continue to be provisioned as long as they still match the user population rule.
- Users are not deleted or disabled as a result of removing a group from the rule.

Notes

- SCIM cannot provision superadmin or account admin users. Attempts are rejected and logged as high-severity security events.
- SCIM does not support role creation. Required roles must already exist in Swimlane and be associated with groups.
- SCIM sync is one-way: Ping Identity → Swimlane Turbine. Changes in Swimlane are not pushed back.
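
The user and group sync rules described above can be checked against a directory export before a provisioning rule is enabled. The following dry-run planner is an added example, not Swimlane or Ping Identity code: `PingUser`, `plan_sync`, the email pattern and the sample directory are all hypothetical, and skipping users whose username is not in email format is an assumption of the example.

```python
import re
from dataclasses import dataclass, field

# Loose email-shape check: an assumption of this example, not Swimlane's validator.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

@dataclass
class PingUser:  # hypothetical record shape for an exported directory entry
    email: str   # Ping Email field, mapped to SCIM userName
    population: str
    groups: set = field(default_factory=set)

def plan_sync(users, rule_populations, rule_groups):
    """Predict what a provisioning rule would create in Swimlane Turbine."""
    # Group names are case-insensitive, so fold them before comparing.
    # Groups in the rule sync even when none of their members is eligible.
    synced = {g.casefold() for g in rule_groups}
    plan = {"users": [], "groups": sorted(synced),
            "memberships": [], "invalid_username": []}
    for u in users:
        if u.population not in rule_populations:
            continue  # outside the population: skipped even if in a synced group
        if not EMAIL_RE.match(u.email):
            plan["invalid_username"].append(u.email)  # fix mapping before sync
            continue
        plan["users"].append(u.email)
        for g in sorted(name.casefold() for name in u.groups):
            if g in synced:  # groups outside the rule create no association
                plan["memberships"].append((u.email, g))
    return plan

# Constructed sample directory (not real accounts).
DIRECTORY = [
    PingUser("ana@example.com", "Default", {"SOC-Analysts"}),
    PingUser("bo@example.com", "Contractors", {"SOC-Analysts"}),
    PingUser("cy@example.com", "Default", {"Finance"}),
    PingUser("dee", "Default", {"soc-analysts"}),
]

def demo():
    return plan_sync(DIRECTORY, {"Default"}, {"soc-analysts"})

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Comparing the planned user list with the intended access list shows accounts that would be provisioned without any group association, and group members that the population filter leaves out.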