How to provision users to Code42 from PingOne

Overview

This article explains how to provision users from PingOne to Code42. Once configured, Code42 automatically adds, updates, and removes users when PingOne syncs to Code42.

This article assumes you are familiar with the concept of provisioning. To learn more, see our Introduction to SCIM provisioning.

The Code42 application in Ping is intended for single sign-on (SSO) as well as provisioning. This article describes only how to set up provisioning. To learn how to set up SSO, see Configure PingOne for SSO in your Code42 cloud environment.

Considerations

  • To use this functionality, you must be assigned the Identity Management Administrator role. 

  • Before you begin, configure your private network, Internet, and VPN settings to allow client devices to communicate with PingOne on port 443. Test client connectivity to PingOne before you proceed.

  • To provision existing users to Code42, don't add existing users to a provisioning group until after you have assigned the group in the Group Access page during configuration.

  • Local users in Code42 cannot be created, updated, or deleted from PingOne. These users can only be managed in the Code42 console.

Deactivate users

Deactivation delay

When PingOne sends an update to deactivate a user, Code42 waits 15 minutes before deactivating that user. This delay applies only when you use provisioning to deactivate users. When you manually deactivate users in the Code42 console, there is no delay.

Backup agent only: The deactivation delay helps protect against moving users' backup archives into cold storage if users are accidentally deactivated in PingOne. Although Code42 waits before deactivating users, Code42 immediately blocks users once it receives a deactivation update for them from PingOne. Blocked users can no longer sign in to the Code42 agent, but their devices continue to back up.

To learn more about user deactivation, see Deactivate and reactivate users and devices.

Users on legal hold cannot be deactivated

Backup agent only

If you place users on legal hold, PingOne can't deactivate them. Their data is retained for the legal hold process. Users are blocked instead of deactivated. Once you release users from legal hold, they are automatically deactivated.

Supported products, attributes, and features

Supported PingOne products

The Code42 application for PingOne supports PingOne Directory and PingOne AD Connect.

If you're not sure whether you use PingOne Directory or PingOne AD Connect, in the PingOne cloud dashboard, check Settings > Identity Repository.

Supported attributes

The following PingOne attributes are automatically updated in Code42:

PingOne Directory

  • Email
  • First name
  • Last name
  • Job title

PingOne AD Connect

  • Email
  • First name
  • Last name
  • Job title
  • Division
  • Department
  • Employee type
  • City, state, and country code

Supported user provisioning features

Supported 

The following user provisioning features are available in the Code42 PingOne application:

  • Create users: New users created in PingOne are also created in Code42.
  • Deactivate users: Deactivating a user in PingOne deactivates the user in Code42.
  • Update user attributes: PingOne updates users' attributes. These updates overwrite any changes made in Code42.

Not supported 

  • Import users from Code42 to PingOne
  • Password sync
  • Role mapping
  • SCIM groups

Because the Code42 application for PingOne does not support group provisioning, you must manage roles and organizations for provisioned users manually in Code42.

Step 1: Create Code42 organizations

Create the Code42 organization where users from PingOne are added during provisioning. (You will set the organization that receives provisioned users in Step 3 below.) If you want to move users to other Code42 organizations after they've been provisioned to Code42, create those organizations, too.

Step 2: Add a provisioning provider in the Code42 console

Create the provisioning provider configuration that PingOne uses to connect to Code42.

  1. In the Code42 console, navigate to Administration > Integrations > Identity Management.
  2. Select the Provisioning tab.
  3. Click Add Provisioning Provider > Add SCIM Provider.
  4. Enter a display name and select the Authentication Credential Type:
    • API credentials (default): Generates a password.
    • OAuth token: Generates a token for use with SCIM providers who accept OAuth tokens for credentials.
  5. Click Next.
  6. The SCIM Provider Created message appears. Leave this message open. You'll need this information for Step 5 in the provisioning provider setup.
    After you have used the information here for provisioning provider setup, click Done.


Step 3: Edit the provisioning provider settings

  1. In the Code42 console, view the provisioning provider details.
  2. (Optional) Edit the Deactivation Delay to adjust how long Code42 waits to deactivate a user after syncing with the provisioning provider. 
  3. Edit Organization Mapping to select the organization in Code42 to which new users are provisioned from PingOne.
    1. Click the Edit icon next to Organization Mapping.
      The Edit Organization Mapping Method dialog appears.
    2. Select Create new users in the organization below.
      Do not select the other options. PingOne does not support them. 
    3. Under Select an organization, choose the organization where users from PingOne are provisioned. 
      After users are added to this organization by PingOne provisioning, you can move these users to different organizations in Code42.
    4. Click Save.
  4. Edit Role Mapping to specify that role assignment is done manually in Code42.
    1. Click the Edit icon next to Role Mapping.
      The Edit Role Mapping dialog appears.
    2. Choose Manually.  
      Do not select the other option. PingOne does not send group membership information to Code42.
    3. Click Save.

Step 4: Add the PingOne application for Code42

  1. Sign in to the PingOne cloud dashboard.
  2. Navigate to Applications > Application Catalog.
  3. Search for Code42.
  4. Select the Code42 application whose Type is SAML with Provisioning (API).
    Do not select the Code42 application whose Type is simply SAML. This is an older application that does not support provisioning. 

Step 5: Configure PingOne provisioning 

Use the PingOne console to configure provisioning for the Code42 application. For more information, see the PingOne documentation.

  1. In the PingOne cloud dashboard, navigate to Applications > My Applications.
  2. Select the Code42 application whose Type is SAML with Provisioning (API).
  3. Click Setup.
    The configuration screen appears. 
  4. Click Edit at the bottom of the configuration screen.
    Use the default configuration values unless otherwise specified below.
  5. In SSO Instructions, click Continue to Next Step.
  6. In Connection Configuration, perform the following steps:
    1. In the provided connection fields, replace ${yourserver} with your Code42 cloud domain.
      For example: 
      • ACS URL: https://console.us.code42.com/api/SsoAuthLoginResponse
      • Entity ID: https://console.us.code42.com
      • Target Resource: https://console.us.code42.com 
    2. Ensure that the Set Up Provisioning box is checked.
      Leave the rest of the settings on the page unchanged. 
    3. Click Continue to Next Step.
  7. In Provisioning Instructions, review the directions and click Continue to Next Step.
  8. In Application Configuration, perform the following steps using the information from the SCIM Provider Created dialog in Code42 in Step 2.
    1. In SCIM_URL, enter the Base URL.
    2. In AUTHENTICATION METHOD, select whether the method is basic authentication (the default) or an OAuth 2.0 bearer token.
    3. In BASIC_AUTH_USER, enter the Username.
    4. If you used basic authentication, enter the password in BASIC_AUTH_PASSWORD.
      If you used a token, enter it in OAUTH_ACCESS_TOKEN.
    5. Click Continue to Next Step.
  9. In Attribute Mapping, map attributes from PingOne to Code42. Click Continue to Next Step when you finish.
    Following are suggested values. Change the mapping as needed for your situation.
    | Application Attribute | Identity Bridge Attribute or Literal Value | Notes |
    |---|---|---|
    | uid | Email, mail, or userPrincipalName (when using PingOne Directory); SAML_SUBJECT (when using PingOne AD Connect) | SSO |
    | mail | Email, mail, or userPrincipalName | SSO |
    | givenName | First Name | SSO |
    | sn | Last Name | SSO |
    | userName | Username | Provisioning (PingOne Directory or AD Connect) |
    | givenName | First Name | Provisioning (PingOne Directory or AD Connect) |
    | familyName | Last Name | Provisioning (PingOne Directory or AD Connect) |
    | workEmail | Email (Work) | Provisioning (PingOne Directory or AD Connect) |
    | title | Job Title | Provisioning (PingOne Directory or AD Connect) |
    | externalId | externalId | Provisioning (AD Connect only) |
    | userType | User Type | Provisioning (AD Connect only) |
    | roles | | Leave the value empty. You cannot map roles to Code42 using PingOne. |
    | workCity | Locality (Work) | Provisioning (AD Connect only) |
    | workState | Region (Work) | Provisioning (AD Connect only) |
    | workCountry | Country (Work) | Provisioning (AD Connect only) |
    | division | Division | Provisioning (AD Connect only) |
    | department | Department | Provisioning (AD Connect only) |
    | manager | | Leave the value empty. The manager attribute is not currently supported for mapping from PingOne to Code42. |
  10. In PingOne App Customization, customize your app display and click Continue to Next Step.
  11. In Group Access, select the groups that have access to the Code42 application.
    Users added to these groups are provisioned to Code42. Users removed from these groups are deactivated in Code42. First add a group with no members and add a test user to that group as described in Step 6. After verifying that the test user is successfully provisioned, edit the configuration to add additional groups. 
    1. Click Add by the groups to have access. 
    2. Click Continue to Next Step.
  12. In Review Setup, ensure the settings are correct.
    1. If you need to change any settings, click Back at the bottom of the page.
    2. When you're sure the settings are correct, click Finish.
      After configuration is complete, the Code42 application appears on the My Applications tab with its status shown as Active.

Step 6: Add users to groups in PingOne

Once you add users to the groups you enabled in the Group Access panel, PingOne syncs and provisions the users to Code42. Users removed from the groups are automatically deactivated in Code42.

Create a test user in PingOne and add that user to a group before adding all users to groups. Once you've verified that the user is automatically provisioned into the expected organization in Code42 (as set in Step 3 above), add the rest of the users to groups. 

For more information on adding users to groups, see PingOne's documentation.

Syncing

  • To view information about provisioning changes and logs, see the Sync Log in the Code42 console. It contains details of all of the users that have been created, updated, or deleted due to provisioning. 
  • Once provisioning is configured in Code42, make all user changes in Ping. Code42 does not sync changes back to Ping, so any changes you make to user values on the Code42 side cause the two apps to become out of sync.
  • Updating the Code42 console does not start a sync between PingOne and Code42. Only adding or removing a user from a group in PingOne starts a sync. 
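
Because a sync starts only when group membership changes in PingOne, a periodic comparison of both sides catches accounts that stayed active after they should have been deactivated. The following is an added example, not Code42 or PingOne code: it applies this article's rules (local users are excluded, users on legal hold are blocked instead of deactivated, other users are blocked immediately and deactivated after the delay). The record fields, the helper names, and the sample data are hypothetical, and the blocked and legal hold checks assume the backup agent behavior described above.

```python
from datetime import datetime, timedelta, timezone

DELAY = timedelta(minutes=15)  # default deactivation delay; editable in Step 3

def audit_drift(members, users, now, delay=DELAY):
    """Return (username, finding) pairs where Code42 state disagrees with PingOne.

    members: usernames in the PingOne groups assigned under Group Access.
    users:   Code42 user records; every key is a hypothetical export field.
    """
    members = {m.lower() for m in members}
    findings, seen = [], set()
    for u in users:
        name = u["username"].lower()
        seen.add(name)
        if u["local"]:
            continue  # local users are managed only in the Code42 console
        if name in members:
            if not u["active"] or u["blocked"]:
                findings.append((name, "in group but blocked or inactive"))
        elif not u["active"]:
            continue  # removed from the groups and already deactivated
        elif u["legal_hold"]:
            if not u["blocked"]:  # legal hold: blocked instead of deactivated
                findings.append((name, "on legal hold but not blocked"))
        elif u["deactivation_sent"] is None:
            findings.append((name, "active with no deactivation update"))
        elif not u["blocked"]:
            findings.append((name, "deactivation update received but not blocked"))
        elif now - u["deactivation_sent"] > delay:
            findings.append((name, "still active after deactivation delay"))
    findings += [(m, "in group but missing from Code42") for m in sorted(members - seen)]
    return findings

def user(name, active=True, blocked=False, local=False, legal_hold=False, sent=None):
    """Build one constructed Code42 user record."""
    return dict(username=name, active=active, blocked=blocked, local=local,
                legal_hold=legal_hold, deactivation_sent=sent)

# Constructed sample data, not real exports.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
MEMBERS = {"alice@example.com", "frank@example.com"}
USERS = [
    user("alice@example.com"),
    user("bob@example.com", blocked=True, sent=NOW - timedelta(minutes=5)),
    user("carol@example.com", blocked=True, sent=NOW - timedelta(minutes=40)),
    user("dave@example.com", blocked=True, legal_hold=True),
    user("erin@example.com"),
    user("admin@example.com", local=True),
]

if __name__ == "__main__":
    for name, finding in audit_drift(MEMBERS, USERS, NOW):
        print(f"{name}: {finding}")
```

Pass the delay configured in Step 3 as `delay` if you changed it from the default, and cross-check each finding against the Sync Log before acting on it.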

Troubleshooting

  • To troubleshoot why users or attributes aren't being sent to Code42, run a "Provisioning" report in PingOne to review provisioning errors. 
  • If everything is configured properly but users aren't being provisioned, assign an empty group to the Code42 application in Ping, then add users to that group. This initiates new provisioning calls for those users.

External resources