Adding user groups
PingOne for Enterprise user groups authorize user access to applications based on a user’s group membership.
About this task
You’ll need to add the relevant groups to PingOne for Enterprise from the identity repository associated with your identity bridge.
You can create user groups in the following ways:
- PingOne for Enterprise creates groups automatically based on a user’s group membership during single sign-on (SSO). For example, PingOne for Enterprise will create a group based on the user’s memberOf attribute in the Security Assertion Markup Language (SAML) response.
- If you’re using an identity provider (IdP) that supports provisioning, you can also create groups through provisioning. AD Connect and PingOne for Enterprise Directory do this automatically. Learn more in PingOne for Enterprise identity repositories.
  PingFederate requires you to configure group provisioning on the PingFederate side. Learn more in Creating a provisioning connection in the PingFederate SCIM Provisioner documentation.
- Follow the steps below to create groups manually.
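To see which group names an SSO would introduce from a SAML response, the following added example (not Ping Identity code) extracts the memberOf attribute values from a SAML 2.0 assertion and compares them against the names already listed under Users > User Groups. The assertion and the existing group list are constructed sample data; the function names are this example's own.

```python
# Added example (not Ping Identity code): pull the memberOf values out of a SAML 2.0
# assertion, the attribute PingOne for Enterprise uses to create groups during SSO,
# and report which of them are not yet in the tenant's group listing.
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not captured from a real system). In practice the
# response's signature must be verified before any attribute value is trusted.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject><saml2:NameID>jdoe@example.com</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="memberOf">
      <saml2:AttributeValue>Finance</saml2:AttributeValue>
      <saml2:AttributeValue>VPN Users</saml2:AttributeValue>
      <saml2:AttributeValue>Finance</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="mail">
      <saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def member_of_values(assertion_xml: str, attr_name: str = "memberOf") -> list[str]:
    """Return the distinct, non-empty values of the named attribute, in document order."""
    root = ET.fromstring(assertion_xml)
    seen: list[str] = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", SAML_NS):
        if attr.get("Name") != attr_name:
            continue
        for value in attr.iterfind("saml2:AttributeValue", SAML_NS):
            text = (value.text or "").strip()
            if text and text not in seen:
                seen.append(text)
    return seen


def groups_sso_would_create(assertion_xml: str, existing_groups: set[str]) -> list[str]:
    """memberOf values in the assertion that are not yet listed under Users > User Groups."""
    return [g for g in member_of_values(assertion_xml) if g not in existing_groups]


if __name__ == "__main__":
    # Constructed tenant listing: only "Finance" exists so far.
    print(member_of_values(SAMPLE_ASSERTION))
    print(groups_sso_would_create(SAMPLE_ASSERTION, {"Finance"}))
```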
Provisioned groups appear automatically at Users > User Groups. Groups are removed when they’re deprovisioned.
If you don’t use provisioning, groups will appear when you create groups manually or after a user SSOs into the group.
You can remove old groups manually. Learn more in Delete groups.
If you’re using Microsoft Entra ID (formerly known as Azure AD) as your IdP, PingOne for Enterprise has a Sync Groups button on the User Groups page that fetches groups from Azure. This adds new groups to PingOne for Enterprise and removes old groups that no longer exist in Azure. You can also create groups manually or have a user SSO to create a group. Learn more in Connect to Azure.
If you haven’t added any applications for SSO, no applications will be listed when you add a group, but you can assign the groups to applications when you add SAML, OpenID Connect (OIDC), or Application Catalog apps.
For all other applications and general use, follow the steps in Authorize group access to applications. The applications you’ve added will then be displayed.
Unless you specify group authorization for an application when you add the application, all members of all groups are given access to the application by default.
Steps
- Go to Users > User Groups.
- Do one of the following, depending on whether or not you’re using an Azure identity bridge with group synchronization:
  Choose from:
  - For an Azure identity bridge configured for group synchronization, the initial group synchronization has already occurred as part of the Azure identity bridge setup. To resynchronize the PingOne for Enterprise groups when additions or changes have occurred on your Azure provider, click Synchronize Groups.
  - For all other identity bridges as well as for Azure identity bridges without group synchronization, click Add New Groups and enter the name of one of your groups in the entry field.
- Click Save. The new group is added to PingOne for Enterprise and will appear in the groups listing on the User Groups page.
- Repeat these steps for each of the groups to add to PingOne for Enterprise.