What is a one sentence summary of your feature request?
Introduce auto-provisioning and automatic account updates for external users accessing PingCastle through AzureAD, establishing “no permissions” by default and leveraging the Claims Feature for permission assignments.
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
Currently, external accounts accessing PingCastle via AzureAD do not have corresponding accounts created or updated within PingCastle, leading to significant management challenges.
Without an automated process, IT administrators must manually create and maintain these accounts, which increases the likelihood of errors and requires considerable time and resources. The proposed solution of auto-provisioning would not only streamline account creation but also ensure that any updates to AzureAD configurations are reflected in PingCastle accounts automatically.
A preferred setting of “no permissions” by default enhances security by preventing unintended access. The existing Claims Feature can be utilized to assign appropriate permissions based on AzureAD roles or attributes, ensuring that users have the necessary access when appropriate while maintaining a high security posture.
How do you currently solve the challenges you have by not having this feature?
Currently, the absence of this feature necessitates a cumbersome manual process for managing external accounts.
Administrators have to create accounts and ensure that permissions are appropriately assigned.
This process is inefficient, increases administrative overhead, and opens up the potential for security risks if accounts are not properly managed.
By implementing the auto-provisioning and updating feature, these challenges would be significantly alleviated, allowing IT teams to focus on more strategic initiatives rather than repetitive account management tasks.
Great stuff here Philipp. This is one that was on my internal list of stuff to get done, as I thought it would be causing the issues you mentioned here, but I would love to hear your feedback on the potential implementation here.
Current Implementation
PingCastle implements automatic provisioning on the Windows Authentication provider via successful authentication. There is no automatic provisioning for SAML/OpenIDConnect/Entra.
Potential Implementations
Automatic Provisioning via successful authentication
When a user successfully authenticates via a configured SAML/OpenIDConnect provider we could provision an account with no access.
Pros
Simplified setup
Access just works when claims are assigned.
Cons
No automatic de-provisioning, manual account management tasks would still be needed.
All users can technically login to the product.
Automatic Provisioning and De-provisioning via SCIM
This would require further development and setup, but it is a more robust solution for account lifecycle management as it supports both provisioning and de-provisioning of accounts.
PingCastle would need to be made SCIM aware and then it would be possible to use Entra ID/Okta etc to support provisioning via SCIM endpoints.
In Entra ID this would use the provisioning feature and an on-premises provisioning agent.
Here are some documentation links on SCIM
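An added illustration of the two approaches discussed in the comment above (example code, not PingCastle's implementation and not part of this thread): authentication-triggered provisioning that creates a deny-by-default account and recomputes permissions from claims on every login, beside a minimal SCIM-style deactivation hook showing the de-provisioning step that login-triggered provisioning alone cannot offer. The claim values, the group-to-permission map and the class names are assumptions.

```python
"""Illustrative JIT provisioning with deny-by-default plus a SCIM-style
deactivation hook. Example code, not PingCastle's own implementation."""
from dataclasses import dataclass, field

# Assumed mapping from an IdP group claim to a product permission.
CLAIM_ROLE_MAP = {"pingcastle-admin": {"admin"}, "pingcastle-reader": {"read"}}


@dataclass
class Account:
    subject: str                 # stable IdP identifier (OIDC 'sub'), not email
    display_name: str
    permissions: set = field(default_factory=set)   # empty = no access
    active: bool = True


class AccountStore:
    def __init__(self):
        self.accounts = {}       # keyed by subject

    def provision_on_login(self, claims: dict) -> Account:
        """Call only after the IdP token has been validated. A new account
        starts with no permissions; access comes solely from claims."""
        sub = claims["sub"]
        acct = self.accounts.get(sub)
        if acct is None:
            acct = Account(subject=sub, display_name=claims.get("name", sub))
            self.accounts[sub] = acct
        if not acct.active:
            # Deactivated out-of-band (SCIM); a fresh login must not revive it.
            raise PermissionError("account deactivated")
        # Recompute from claims on every login so IdP changes propagate
        # (the 'automatic account update' part of the request).
        acct.display_name = claims.get("name", acct.display_name)
        acct.permissions = set()
        for group in claims.get("groups", []):
            acct.permissions |= CLAIM_ROLE_MAP.get(group, set())
        return acct

    def scim_set_active(self, sub: str, active: bool) -> bool:
        """Stand-in for a SCIM PATCH on the 'active' attribute. Returns False
        for unknown subjects; deactivation also strips all permissions."""
        acct = self.accounts.get(sub)
        if acct is None:
            return False
        acct.active = active
        if not active:
            acct.permissions = set()
        return True
```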
I believe supporting both SCIM and automatic account creation is a smart and flexible approach. Here’s why:
Flexibility & Convenience:
By allowing automatic account creation through successful authentication, the product provides a straightforward option for customers with simpler needs.
It acts as a convenient fallback for setups that don’t require full lifecycle control.
Enhanced Lifecycle Management with SCIM:
Integrating SCIM is ideal when comprehensive account management is required. SCIM handles both provisioning and de-provisioning, which is essential for enterprise environments using identity platforms like Entra ID or Okta.
Offering both options makes the product versatile, catering to a wide range of customer requirements without adding unnecessary complexity for those who don’t need the full SCIM integration.
For quick setups or less critical systems, the simpler, authentication-triggered provisioning works well.
For robust security and lifecycle management, SCIM is the preferred route.
Thanks for the insights. I have spent the last couple of hours scoping this out and added this to the backlog to do as part of further enterprise enhancements to PingCastle Pro and Enterprise.
I think aiming to support both with options to have both options or a single option active makes sense to accommodate all different sizes and maturity of customers.