Ping Identity > Resource Center > Automated Cloud User Provisioning 

Automated Cloud User Provisioning


While many organizations struggle to deploy a workable enterprise provisioning solution, cloud computing has created a new challenge: additional user directories often beyond the reach and control of their enterprise solution. However, integration and automation allow for centralized user account management, providing users access to external applications, but keeping track of accounts in one active directory.

How it Works

PingFederate®  now offers two different types of user account management: 

  • Just-in-time (JIT) Provisioning (sometimes called Express Provisioning) is a service provider-side solution, which uses the attributes in incoming SAML assertions to create and update user accounts. 
  • SaaS Provisioning is an identity provider-side solution, which integrates a corporate directory with a Sofware-as-a-Service (SaaS) provider’s provisioning API to automatically create, update and delete user accounts in the service provider’s directory for a selected set of users.

PingFederate connects to the SaaS Provider's Provisioning API to duplicate changes made to your corporate directory in the user directory hosted by the SaaS Provider. PingConnect has a similar capability.

PingFederate connects to the SaaS Provider's Provisioning API to duplicate changes made to your corporate directory in the user directory hosted by the SaaS Provider.

JIT Provisioning uses information passed via Internet Single Sign-On (SSO) inside the SAML assertion to dynamically create or update user accounts “on-the-fly” in the destination application directory and works for both LDAP and JDBC user stores at the service provider. It is useful for “arm's length” use cases where the user’s identity does not need to be known in advance by the service provider such as supply chain portals, collaborative projects and many SaaS applications.

SaaS Provisioning allows SaaS applications to automatically create and remove users by replicating user account information from the SaaS customers' enterprise directories. It works by integrating with the IdP’s existing corporate directory and the SaaS provider’s user account management API to provide near real-time provisioning and de-provisioning. To use SaaS Provisioning, an administrator creates an authorized user group or filter in the SaaS customer's enterprise directory. When administrators add, remove or update users in the enterprise directory, PingFederate  automatically "replicates" those changes to the SaaS application's remote directory.

Service Provisioning Markup Language (SPML) is a provisioning standard that shows promise as a future way to handle provisioning and de-provisioning requests without requiring proprietary APIs. SPML is an OASIS standard, which is the same organization that manages the SAML standard.


Through user account automation, JIT Provisioning increases user convenience and reduces staff overhead and administrative burden. SaaS Provisioning automation also eliminates zombie accounts by quickly and automatically disabling accounts when users are removed from the corporate directory, mitigating the risk of data loss and compliance audit failures.

For more information on Cloud Identity Basics, download the "Learn More" resources in the right column.

<Previous: The 4 A's of Cloud Identity  |  Next: SAML >