SCIM Integration with Ping Identity (new)

Here is a quick demo of how it works with Ping Identity.

1. Overview

We consider the case when PingOne provisioning propagates user identity information from the PingOne directory to a target identity store (Jira/Confluence/Bitbucket).

We’ll create a Connection that defines the target identity store for identities. We can then set up Rules to define which identities from the source identity store are provisioned. Rules define which users are provisioned and how attributes are mapped between the source identity store (Ping) and the target identity store (Jira/Confluence/Bitbucket).

Rules include:

  • Source. The connection to the source identity store.

  • Target. The connection to the target identity store.

  • Filter. Determine which identities are provisioned, based on factors such as population or user attributes.

  • Attribute mapping. Map attributes from one identity store to another.

2. Create a SCIM connection

2.1. Select Connections > Provisioning from the left-hand menu.

2.2. Click + and then click New connection.

2.3. For Identity Store, click the Select button:

2.4. Under SCIM, click Select and then click Next:

2.5. Enter a name and description for this provisioning connection. The connection name will appear in the list when you've completed and saved the connection. Click Next.

2.6. Before proceeding, we need to get parameter values from the target store. Please get SCIM API URL and Bearer token on the Jira/Confluence/Bitbucket side, for example:

2.7. On the Configure authentication screen, fill in the fields SCIM base URL, Users resource, SCIM version, Authentication method:

Click Test Connection. After that, you may see an error message:

This may be due to an incompatible filter expression. Click Continue, we will make corrections on the next step.

2.8. Finalise connection preferences:

Please change User Filter Expression value to lower case.

2.8. Enable configured Connection

Now, if we go to Jira/Confluence/Bitbucket and open the plugin's Audit Log, we can see the requests received from Ping:

So, the SCIM provisioning profile is complete and is added to the list of provisioning profiles on the Provisioning page.

3. Create a Rule

Rule define which users are provisioned and how attributes are mapped between PingOne and the external identity store (Jira/Confluence/Bitbacket).

  1. Go to Connections > Provisioning.

  2. Click + and then click New rule.

  3. Enter a name and description for the rule.

  4. Click Create rule.

5. On the Configuration tab, assign a source and target connection for the rule. Click the Target icon. Under Available connections, click + to add a connection as a target:

6. Click Save.

4. Add attribute mapping

We need to adjust map PingOne user attributes to attributes in an external identity store (Jira/Confluence/Bitbacket). The mapping is applied to the attribute coming from the PingOne directory before it is saved to the target identity store.

  1. Go to Connections > Provisioning.

  2. Click the Rules tab.

  3. Find the appropriate rule and click it to show the details panel.

  4. Click the Configuration tab.

  5. Click Attribute mapping. Delete mappings for unavailable fields in Jira/Confluence/Bitbucket.

  6. Click Save.

4. Add a user filter

Add a user filter to specify which identities are provisioned, based on factors such as population, group, or other user attributes.

  1. Go to Connections > Provisioning.

  2. Click the Rules tab.

  3. Find the appropriate rule and click it to show the rule details.

  4. Click the Configuration tab.

  5. Click User filter.

6. Click the pencil icon to edit the filter. Define the filter that determines which identities are provisioned.

7. If needed, click Add + to add another condition or condition set.

8. Click Save.

5. Test your configuration

5.1. Now we ready to activate Rule

5.2. Check the Jira (Confluence/Bitbucket) info

Â