The identity propagation API provides for configurable and audit-capable propagation of identities and their attributes between identity stores owned or managed by a customer.
An identity propagation configuration consists of:
Configuration revision instances, which are snapshots of the state of the plan, store, rule, and mapping entities of a configuration taken at a point in time. For more information, see Propagation revisions.
A collection of unidirectional provisioning relationships between pairs of identity stores. For more information, see Propagation plans.
A connection to an identity store owned by a customer. For more information, see Propagation stores.
The configuration properties for the store type. For more information, see Propagation store metadata.
A unidirectional provisioning relationship between a subset of identities on a source identity store and a target identity store. For more information, see Propagation rules.
The attribute mappings associated with identity propagation rules. For more information, see Propagation mappings.
Identity propagation configuration revision instances are snapshots of the state of the plan, store, rule, and mapping entities of a configuration taken at a point in time. A new configuration revision can be created at any time, capturing the current state of those resources.
The API supports the configuration of one or more identity propagation plans on behalf of a customer environment. After configuration, the identity propagation plans are executed in response to changes on watched identity stores. Over time, identities become consistent across all watched (source) and unwatched (target) identity stores defined in an identity propagation plan. Identities are created, updated, and deleted as specified by each plan.
Creating, modifying, or deleting an identity propagation plan can occur at any time with no effect on the contents of the source identity store, which is the PingOne directory. All actions taken by the can be audited after-the-fact. The contents of identity stores can be modified at any time by external parties, such as administrators or other automated systems. The identity propagation system detects and logs any modifications.
The system monitors the availability of identity stores identified in the plans. If an identity store becomes unavailable, plan execution is paused until the store becomes available again.
Identities from managed identity stores are never duplicated or stored in full by the identity propagation system or its component services. Change summaries and change orders containing some attributes of identities are stored briefly during the provisioning process and can be present in audit logs.