Ping solutions include numerous out-of-the-box integrations that allow you to automatically provision, update and deprovision users to a wide range of applications. Provisioning from cloud and on-premises HR application sources helps you maintain accurate, up-to-date user profile information, with full CRUD (create, read, update and delete) capabilities for user or group provisioning, so you can eliminate manual processes and profile synchronization challenges.
In keeping with Ping’s standards-based approach to IAM, our user provisioning is based on the System for Cross-domain Identity Management (SCIM) standard. SCIM was developed nearly a decade ago using protocols like REST and JSON in order to reduce complexity and provide a more straightforward approach to user management, and it enables easier, more powerful and standardized communication between identity data stores.
Ping’s provisioning capabilities fall into two main categories: inbound HR provisioning and outbound application provisioning.
Inbound HR Provisioning
Inbound HR provisioners automatically provision, update and deprovision users from your HR system into your identity solution, making for more efficient communication between HR and IT about employee onboarding and offboarding. It takes user information from HR datastores to create users, place them in groups and then determine the HR hierarchy. It can also write back to the HR source (for example, creating an email address and sending it back to the HR information system). By having your HR system as the source of truth, your IAM platform will always have accurate user accounts and updated group memberships. A new employee is created automatically, a promotion is reflected in group memberships, and ex-employees are automatically deprovisioned.
Our partnership with Aquera has enabled us to greatly expand our inbound provisioning capabilities. Ping now offers inbound provisioning from 27 different HR systems, including Workday, Ultimate Software’s UltiPro, Oracle HCM, ADP Workforce Now, ADP Vantage HCM and Ceridian Dayforce HCM.
Let’s take a look at the Workday integration. Workday acts as the user system of record and The Workday Onboarding Bridge provides the integration required to import users and their attributes on an ongoing basis. Aquera built and maintained this bridge, and the Aquera platform is a SOC 2 Type II audited service running in Amazon Web Services:
Outbound Provisioning
If HR inbound provisioning is the first step in user provisioning, outbound provisioning covers the last mile: creating user accounts in cloud or on-premises apps. It features “just in time” access so that you aren’t creating an account until a user tries to access a specific app, saving your company time and lessening security risks. Easy to administer and configure, it offers real-time updates and is integrated with PingFederate and PingOne.
Ping offers outbound provisioning to 308 SaaS applications, including Snowflake, Kronos, Salesforce, HubSpot and Concur. For example, Snowflake user provisioning lets you automatically provision, update and deprovision users to Snowflake Business: