PingOne

Creating an inbound rule for a connection through an LDAP gateway (early access)

You can configure an LDAP filter in an inbound rule that specifies which users to provision.

Before you begin

Make sure you:

  • Create an LDAP gateway connection.

    The connection must be enabled before you can use it in a rule. Learn more in Connections.

    Not all provisioning connection types support inbound provisioning. Learn more in Provisioning.

  • Have the directory path, that is, the LDAP base distinguished name (DN). This specifies the location in the LDAP directory from which users and groups are synced into PingOne.
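It also helps to decide on the LDAP filter for the rule up front and to check it against a known set of entries before pasting it into Add Condition. The script below is an added example, not PingOne code or part of its documentation: it evaluates a subset of RFC 4515 filter syntax (and, or, not, equality, presence, and the Active Directory bitwise-AND matching rule 1.2.840.113556.1.4.803) against a constructed sample directory. The user entries, the `OU=Users` and `OU=Service Accounts` containers, the `PingOne-Users` group DN and the `example.com` domain are all constructed for illustration; the `userAccountControl` value 2 (ACCOUNTDISABLE) and the matching-rule OID are real Active Directory definitions.

```python
"""Preview which entries an inbound-rule LDAP filter would select.

Added example, not part of PingOne. Supports and/or/not, equality,
presence and the AD bitwise-AND matching rule; no escape sequences
(\\2a etc.), substring or range matching.
"""
import re

AD_BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x0002                  # userAccountControl flag


def _user(cn, ou, uac, mail=None, groups=()):
    """Build a constructed AD-style user entry (sample data only)."""
    entry = {"dn": f"CN={cn},OU={ou},DC=example,DC=com",
             "objectClass": ["top", "person", "user"], "sAMAccountName": cn,
             "userAccountControl": uac, "memberOf": list(groups)}
    if mail:
        entry["mail"] = mail
    return entry


# Constructed sample directory; group DN and OUs are illustrative only.
GROUP = "CN=PingOne-Users,OU=Groups,DC=example,DC=com"
SAMPLE_ENTRIES = [
    _user("alice", "Users", 512, "alice@example.com", [GROUP]),
    _user("bob", "Users", 514, "bob@example.com", [GROUP]),         # disabled
    _user("carol", "Users", 512, "carol@example.com"),               # not in group
    _user("svc-backup", "Service Accounts", 66048, groups=[GROUP]),  # no mail
]

# Candidate filter: enabled users with a mail address in a dedicated group.
PROVISION_FILTER = (
    "(&(objectClass=user)(mail=*)"
    f"(memberOf={GROUP})"
    f"(!(userAccountControl:{AD_BIT_AND}:={ACCOUNTDISABLE})))"
)

_ITEM = re.compile(r"([\w.;-]+)(?::([\d.]+):)?=(.*)", re.S)


def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', children) / ('item', attr, rule, value) nodes."""
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one sub-filter")
            node = (op, children)
        else:
            end = text.index(")", pos)
            m = _ITEM.fullmatch(text[pos:end])
            if not m:
                raise ValueError(f"unsupported filter item: {text[pos:end]}")
            attr, rule, value = m.groups()
            node = ("item", attr.lower(), rule, value)
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _values(entry, attr):
    """Attribute values of an entry as a list, keyed case-insensitively."""
    for key, val in entry.items():
        if key.lower() == attr:
            return val if isinstance(val, list) else [val]
    return []


def matches(node, entry):
    """Return True if the entry satisfies the parsed filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    vals = _values(entry, attr)
    if rule == AD_BIT_AND:
        # True when every bit of the requested mask is set in the attribute.
        mask = int(value)
        return any((int(v) & mask) == mask for v in vals)
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":                      # presence test
        return bool(vals)
    return any(str(v).lower() == value.lower() for v in vals)


def select_users(filter_text, entries=SAMPLE_ENTRIES):
    """DNs of the entries the filter would hand to the inbound rule."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for dn in select_users(PROVISION_FILTER):
        print("would provision:", dn)
```

Against the sample data the candidate filter selects only `alice`: `bob` is excluded by the disabled-account bit, `carol` by group membership, and the service account by the `(mail=*)` presence test. Against the real directory, the same check is an `ldapsearch -b "<base DN>" "<filter>" dn` run with the gateway's bind account, which also confirms that the account can read the attributes the filter references.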

Steps

  1. In the PingOne admin console, go to Integrations > Provisioning.

  2. Click and then click New Rule.

  3. For Sync Direction, select PingOne as Target.

  4. For Available Connections, click the Plus icon next to the appropriate LDAP gateway connection to set it as the source and then click Continue.

  5. In the Rule Details panel, enter a Name and Description for the rule and then click Next.

  6. In the Directory Configuration panel, set directory settings for users and groups:

    • In the Directory Path (LDAP Base DN) field, enter the LDAP base DN that specifies the location in the LDAP directory from which users and groups are synced into PingOne. Learn more in Distinguished Names in the Microsoft LDAP documentation.

    • For Users, in the User Organizational Units (OUs) field, enter the OUs from which to sync users.

      Click Add Condition to enter an LDAP filter that defines which users to provision to PingOne. Learn more about LDAP filters in the LDAP documentation.

    • For Groups, in the Groups Organizational Units (OUs) field, enter the OUs from which to sync groups.

  7. Click Next.

  8. In the Attribute Mapping panel, map attributes between the source and PingOne to ensure users are provisioned correctly.

    • On the Users tab:

      • To add an attribute mapping, click Add and enter the source and target attributes.

      • To add a new source attribute, enter the attribute name. In the list, select the ADD:ADD:<attribute-name> attribute. Map the added attribute to a target attribute.

      • To use the expression builder, click the Gear icon. Learn more in Using the expression builder.

      • To delete a mapping, click the Delete icon.

    • On the Groups tab, the group attribute mappings can’t be edited.

  9. Click Next.

  10. In the Onboarding Settings panel, define how users are matched, linked, and managed when onboarding into PingOne:

    • In the Populations list, select a population. When users are synced to PingOne, they’re added to the specified population.

    • For Authoritative Identity Provider, PingOne is automatically set as the authoritative identity provider (IdP).

    • Select the Set default password for new users checkbox to specify the default password in PingOne for users synced in from an external identity store as a source. A default password is a credential that every synced account starts with, so pair it with Force password reset on first sign on so that the shared value is never a long-lived credential.

    • Click Define Password Logic to create a complex password using the functions in the expression builder. Learn more in Using the expression builder.

    • Select the Force password reset on first sign on checkbox to force users to reset their password the first time they authenticate through PingOne.

    • In the MFA Device Management list, select one of the following to control how the provisioner affects multi-factor authentication (MFA) devices that are managed by a PingOne service such as PingOne MFA and PingID:

      • Merge with devices in PingOne (default): Select this option to add devices from the identity store to the user’s existing devices in PingOne.

      • Overwrite devices in PingOne: Select this option to replace the user’s configured devices in PingOne with those from the identity store. Only new devices mapped under attribute mappings are added.

      • Do not manage devices: Select this option to disable device management. This option is recommended when PingID is used in the same environment: inbound provisioning and PingID use the same device nicknames, which can cause devices to be unpaired, and this option avoids that.

  11. To enable the rule, click the toggle at the top of the details panel to the right (blue).

    You can disable the rule by clicking the toggle to the left (gray).

Result

The Sync Status appears and the rule is listed under Rules. Learn more in Sync status.