How does Ping Implement Internet user account management?

While many organizations have struggled to deploy a workable enterprise provisioning solution, Cloud computing has created a new provisioning challenge: additional user directories often beyond the reach and control of their enterprise solution. These additional directories must be populated and managed before users can access those external applications.

To meet this challenge, PingFederate and PingConnect now offers two different types of Internet user account management:

• Express Provisioning is a Service Provider-side solution that uses the attributes in incoming SAML assertions to create and update user accounts.
• SaaS Provisioning is an Identity Provider-side solution that integrates a corporate directory with a SaaS provider’s provisioning API to automatically create, update and delete user accounts in the Service Provider’s directory for a selected set of users.
  

PingFederate connects to the SaaS Provider's Provisioning API to duplicate changes made to your corporate directory in the user directory hosted by the SaaS Provider. PingConnect has a similar capability.

Two kinds of provisioning

Express Provisioning uses information passed via Internet SSO inside the SAML assertion to automatically and dynamically create or update user accounts in the destination application directory. This enables the application provider to create user accounts "on-the-fly," adding convenience for users and reducing staff overhead by automating Internet user account management.

Express Provisioning works for both LDAP and JDBC user stores at the Service Provider. It is useful for “arms length” use cases where the user’s identity does not need to be known in advance by the Service Provider such as supply chain portals, collaborative projects and many SaaS applications.

SaaS Provisioning allows SaaS applications to automatically create and remove users by replicating user account information from the SaaS customers' enterprise directories. It works by integrating with the IdP’s existing corporate directory and the SaaS provider’s user account management API to provide near real-time provisioning and de-provisioning.

To use SaaS Provisioning, an administrator creates a group or filter in the SaaS customer's enterprise directory containing all of the users that are authorized to use the SaaS application. When administrators add, remove or update users in the enterprise directory, PingFederate and PingConnect automatically "replicate" those changes to the SaaS application's remote directory.

SaaS Provisioning eliminates the need to manually maintain SaaS user directories. It also eliminates zombie accounts by quickly and automatically disabling accounts when users are removed from the corporate directory. This reduces the risk of data loss and compliance audit failures.

Provisioning standards

Service Provisioning Markup Language (SPML) is a provisioning standard that shows promise as a future way to handle provisioning and de-provisioning requests without requiring proprietary APIs. SPML is an OASIS standard, which is the same organization that manages the SAML standard. While SPML has been publicly available for a number of years, to date it has very little market acceptance. Ping Identity closely monitors the provisioning market and plans to add SPML support to our products once it begins achieving customer acceptance. If you have a need for SPML-based user account provisioning, please contact us. We are always interested in speaking with customers and prospective customers about their requirements.