Ping Identity user provisioning integration with SCIM

If your organization uses Ping Identity to manage your employees’ access to tools and services, you can take advantage of the “Provisioning” feature to automatically grant access to Contentful to your users, and even optionally synchronize membership in select Ping Identity Groups with Contentful Teams.

The integration between Ping Identity and Contentful that enables this provisioning to occur is built around an industry-standard protocol known as SCIM (System for Cross-domain Identity Management). To learn more about how Ping Identity works with SCIM, please see this article.

Please read the text below to learn how to configure both Contentful and Ping Identity to get provisioning up and running for your organization.

Features

Currently Contentful supports the following provisioning features:

  • Create Users - Users in Ping Identity that are assigned to the Contentful application in Ping Identity are automatically added as members to your organization in Contentful.

  • Remove Users - Users in Contentful are removed when they do not need access anymore.

  • Provision Users into Teams - Import Groups from Ping Identity to provision users into Teams. Teams can be used within Contentful to assign Space access and permissions for groups of users within your organization.

The following Ping Identity provisioning features are not currently supported by Contentful, but might be supported in the future:

  • Update user attributes.

  • Disable (Deactivate) / Enable (reactivate) users.
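
Because disable/deactivate events are not provisioned, a periodic access review can compare both sides. The Python script below is an added example, not Contentful or Ping Identity code; the export shapes, field names and sample addresses are constructed, and it assumes that a user disabled in Ping Identity stays an organization member in Contentful until the user is removed.

```python
# Added example: access-review reconciliation over two constructed exports.
# IdpUser, its fields and the sample data are hypothetical, not a vendor API.
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpUser:
    email: str
    active: bool    # False = disabled in the identity provider
    assigned: bool  # True = assigned to the Contentful application


def reconcile(idp_users, contentful_members, allowlist=()):
    """Return sorted e-mail lists of org members that need review.

    disabled_but_member   - disabled in the IdP, still an org member
    unassigned_but_member - no longer assigned to the app, still a member
    unknown_to_idp        - org member with no IdP record (for example a
                            local account not listed in `allowlist`)
    """
    by_email = {u.email.lower(): u for u in idp_users}
    allowed = {a.lower() for a in allowlist}
    findings = {"disabled_but_member": [], "unassigned_but_member": [],
                "unknown_to_idp": []}
    for raw in contentful_members:
        email = raw.strip().lower()  # compare addresses case-insensitively
        user = by_email.get(email)
        if user is None:
            if email not in allowed:
                findings["unknown_to_idp"].append(email)
        elif not user.active:
            findings["disabled_but_member"].append(email)
        elif not user.assigned:
            findings["unassigned_but_member"].append(email)
    return {name: sorted(emails) for name, emails in findings.items()}


# Constructed sample data
IDP_EXPORT = [
    IdpUser("alice@example.com", active=True, assigned=True),
    IdpUser("bob@example.com", active=False, assigned=True),
    IdpUser("carol@example.com", active=True, assigned=False),
]
CONTENTFUL_MEMBERS = ["Alice@example.com", "bob@example.com",
                      "carol@example.com", "scim-service@example.com"]

if __name__ == "__main__":
    for category, emails in reconcile(IDP_EXPORT, CONTENTFUL_MEMBERS).items():
        print(category, emails)
```
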

Requirements

SCIM-based user provisioning is available to Premium/Enterprise customers on High Availability and Scale platform plans.

Configure provisioning

Please follow the instructions below to configure your Provisioning settings for Contentful.

Enable provisioning functionality

In Contentful

  1. If you have not already done so, create a “Service User” account in Contentful to use with Ping Identity provisioning. All provisioning permissions for Ping Identity will be provided through this account. Contentful recommends that you choose “Owner” as the organization role for this account when you add it to your organization.

  2. Log out of Contentful with your normal user account and log in as the Service User you created in Step 1.

  3. Under Organization settings & subscriptions, click the Access Tools tab and select User provisioning from the drop-down menu. The User Provisioning page is displayed.

    NOTE: On the User Provisioning page, you will find the configuration details to be used in Ping Identity.

  4. Click Generate personal access token to create an authentication token to be used for the provisioning tool in Ping Identity. A new window will open. 

  5. In the Token name field, enter a meaningful name for your Personal Access Token and click Generate. This name is used to distinguish your Personal Access Token in the list of tokens on your Account settings page.

  6. The configuration details required by Ping Identity will now be available for copying to Ping Identity.

  7. Leave the browser window open, and log in to your Ping Identity instance to complete the configuration on the Ping Identity side.

In Ping Identity

Configure provisioning on the Ping Identity side by following the steps described in the Ping Identity tutorial.

Provision users

After enabling provisioning functionality, it is necessary to provision Ping Identity users to Contentful. For more information, see User provisioning.

Provision users into Contentful teams

As an option, Ping Identity Groups and their members can be pushed to Contentful as teams and team members. For more information about managing groups, see User and group management.

Troubleshooting

If you have questions or difficulties with your Contentful/Ping Identity integration, please contact Contentful support via support@contentful.com.