Aquera Provisioner

User and group management

The Aquera Provisioner synchronizes users and groups from your datastore to the target service. The behavior of each provisioning capability is described below.

Learn more about configuring these capabilities in the Creating a provisioning connection step of the setup process.

Synchronizing existing users

PingFederate synchronizes users based on the userName attribute in the target service. If a user already exists in your datastore and the target service, mapping this attribute correctly links the two records together.

For example:

  • In the target service, Janet’s userName is jsmith.

  • In your datastore, Janet’s sAMAccountName is jsmith.

  • On the Attribute Mapping tab of your provisioning connection configuration, you map the userName attribute to sAMAccountName.

  • When the provisioning connector runs, the datastore user is provisioned with a userName of jsmith. That matches Janet’s existing userName in the target service, so her information in the datastore is synchronized to her target service account.

User provisioning

PingFederate provisions users when one of the following happens:

  • A user is added to the datastore group or filter that is targeted by the provisioning connector.

  • A user with "disabled" status is added to the datastore group or filter that is targeted by the provisioning connector, and the Provision disabled users provisioning option is enabled.

The Source Location tab of your provisioning connection configuration defines which users PingFederate targets for provisioning.

User updates

PingFederate updates users when a user attribute changes in your datastore.

The Attribute Mapping tab of your provisioning connection configuration defines which attributes PingFederate monitors for changes.

User deprovisioning

PingFederate deprovisions users when one of the following happens:

  • A user is deleted from the user store.

  • A user is disabled in the user store.

  • A user is removed from the datastore group or filter that is targeted by the provisioning connector.

The Remove User Action setting in your provisioning connection configuration defines whether PingFederate disables or deletes the user.

Some Aquera apps also include a deleteOnDeactivation setting on the Aquera console.

Synchronizing existing groups

PingFederate synchronizes groups from the datastore to the target service based on the group name.

For example:

  • In the target service, there is a group named Accounting.

  • In your datastore, there is a group with a CN of Accounting.

  • When the provisioning connector runs, the two groups are synchronized.

Group provisioning

PingFederate provisions groups when a group is added to the datastore filter that is targeted by the provisioning connector.

The Source Location tab in your provisioning connection configuration defines which groups PingFederate targets for provisioning and monitors for changes.

Some Aquera apps do not support group creation. In this case, create groups manually in the target service. The connector will then be able to update the groups.

Group name updates

PingFederate renames groups when they are renamed in the datastore.

Group membership updates

PingFederate updates group memberships when memberships change in the datastore, whether the change is in the group’s properties or a user’s properties.

Group memberships in the datastore overwrite the group memberships in the target service.
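The user lifecycle rules above (linking by userName, the Provision disabled users option, the Remove User Action setting) and the membership-overwrite rule in this section, simulated as an added Python example; this is not PingFederate or Aquera code, and the record layouts, the active flag used to represent disabled status, and the sample accounts are constructed assumptions.

```python
def reconcile_users(source, target, managed, attr_map,
                    provision_disabled=False, remove_user_action="disable"):
    """One connector run. source: datastore users in the targeted group/filter, keyed by
    sAMAccountName; target: service accounts keyed by userName; managed: userNames the
    connector provisioned on earlier runs. Returns (target, managed, change log)."""
    new_target = {u: dict(r) for u, r in target.items()}
    log, in_scope = [], set()
    for rec in source.values():
        if rec.get("disabled") and not provision_disabled:
            continue                                  # disabled in the user store: out of scope
        mapped = {t: rec[s] for t, s in attr_map.items()}
        mapped["active"] = not rec.get("disabled", False)   # assumed mapping of disabled status
        uname = mapped["userName"]
        in_scope.add(uname)
        if uname in new_target:                       # existing account linked by userName
            changed = {k: v for k, v in mapped.items() if new_target[uname].get(k) != v}
            if changed:
                new_target[uname].update(changed)
                log.append(("update", uname, sorted(changed)))
        else:
            new_target[uname] = mapped
            log.append(("create", uname))
    for uname in sorted(managed - in_scope):          # deleted, disabled or removed from group
        if remove_user_action == "delete":
            new_target.pop(uname, None)
            log.append(("delete", uname))
        elif uname in new_target:
            new_target[uname]["active"] = False
            log.append(("disable", uname))
    return new_target, in_scope, log

def reconcile_group_members(source_members, target_members):
    """Datastore membership overwrites the target list: members added by hand in the
    target and absent from the datastore are removed on the next run."""
    added = sorted(set(source_members) - set(target_members))
    removed = sorted(set(target_members) - set(source_members))
    return sorted(source_members), added, removed

# Constructed sample data: jsmith exists in both systems; tlee is disabled; admin is unmanaged.
ATTR_MAP = {"userName": "sAMAccountName", "displayName": "displayName"}
SOURCE = {"jsmith": {"sAMAccountName": "jsmith", "displayName": "Janet Smith"},
          "bjones": {"sAMAccountName": "bjones", "displayName": "Bob Jones"},
          "tlee": {"sAMAccountName": "tlee", "displayName": "Tina Lee", "disabled": True}}
TARGET = {"jsmith": {"userName": "jsmith", "displayName": "J. Smith", "active": True},
          "tlee": {"userName": "tlee", "displayName": "Tina Lee", "active": True},
          "admin": {"userName": "admin", "displayName": "Local admin", "active": True}}
MANAGED = {"jsmith", "tlee"}
```

Calling reconcile_users(SOURCE, TARGET, MANAGED, ATTR_MAP) updates jsmith, creates bjones, disables tlee and leaves the unmanaged admin account alone; passing remove_user_action="delete" removes tlee instead.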

Group deletion

PingFederate deletes groups when any of the following happen:

  • The group is deleted in the datastore.

  • The group is removed from the datastore group or filter that is targeted by the provisioning connector.

Group deletions are permanent and cannot be undone.

Some Aquera apps do not support group deletion. In this case, delete groups manually in the target service.