Creating an authentication policy that uses the gateway
You can create or edit the authentication policy that end users use to sign on to PingOne, and have that policy use an LDAP gateway to authenticate user identities stored in an external directory.
When using a Lightweight Directory Access Protocol (LDAP) gateway as part of an authentication policy, the LDAP gateway performs just-in-time (JIT) provisioning, and the link between the LDAP store and PingOne is maintained.
You can use an LDAP gateway to authenticate and authorize user identities stored in an external directory. After setting up an LDAP gateway, you then create an authentication policy that uses it to migrate new users the first time they sign on.
Before you begin
- Set up an LDAP gateway with a user type configured.
  You can provide a seamless single sign-on (SSO) experience by enabling Kerberos in your LDAP gateway and adding that gateway to your authentication policy. If Kerberos authentication fails, PingOne falls back to a standard sign-on form.
- Enable migration of new users in your gateway’s user type. Learn more in Adding a user type.
Steps
- In the PingOne admin console, go to Authentication > Authentication and search for an existing authentication policy or create a new one.
- Click the Details icon to expand the policy, and then click the Pencil icon.
- On a Login policy step, in the Migrate Gateway Users Upon First Authentication section, click Add gateway user type.
- Enter the following:
  - Gateway: Select the gateway that connects to the external directory.
  - User type: Select the user type, authenticated through the external gateway, under which PingOne finds the user to complete the authentication process.
  You can add multiple gateway and user-type configurations. PingOne validates user credentials against them sequentially, in the order listed.
  You should add a multi-factor authentication (MFA) step to increase security. Learn more in Adding a multi-factor authentication or PingID step.
  You can only add user types if you select Enable migration of new users upon first authentication. After saving the authentication policy, don’t remove the migration option from the selected user types, because the policy configuration becomes uneditable until the migration option is re-enabled in those user types.
- Click Save.
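The behaviour the procedure configures, sequential validation of credentials against an ordered list of gateway user types, JIT provisioning of the PingOne user on the first successful sign-on, and the rule that only user types with migration enabled can be added, is modelled below as an added Python example. It is not PingOne's or Ping Identity's code: the gateway names, user types, usernames, passwords and DNs are constructed, and the in-memory dictionaries stand in for the LDAP binds a real gateway performs.

```python
"""Model of a PingOne Login step that checks credentials against an ordered
list of gateway user types and JIT-provisions the user on first success.
Constructed illustration; not PingOne's or Ping Identity's code."""
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Stand-in for the directory behind an LDAP gateway: username -> (password, DN).
# A real gateway performs an LDAP bind instead of comparing stored strings.
Directory = Dict[str, Tuple[str, str]]


@dataclass
class UserType:
    name: str
    migrate_new_users: bool  # "Enable migration of new users upon first authentication"


@dataclass
class GatewayUserType:
    gateway: str
    user_type: UserType
    directory: Directory  # constructed stand-in for the external directory


@dataclass
class PingOneUser:
    username: str
    gateway: str
    user_type: str
    external_dn: str  # link to the LDAP entry, kept after migration


@dataclass
class LoginStep:
    configs: List[GatewayUserType] = field(default_factory=list)
    users: Dict[str, PingOneUser] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def add_gateway_user_type(self, cfg: GatewayUserType) -> None:
        # Mirrors the console rule: only user types with migration enabled can be added.
        if not cfg.user_type.migrate_new_users:
            raise ValueError(
                f"user type {cfg.user_type.name!r} does not enable migration of new users")
        self.configs.append(cfg)

    def authenticate(self, username: str, password: str) -> Optional[PingOneUser]:
        # Configurations are tried in the order they were added; the first match wins.
        for cfg in self.configs:
            label = f"{cfg.gateway}/{cfg.user_type.name}"
            entry = cfg.directory.get(username)
            if entry is None:
                self.audit.append(f"{label}: {username} not found")
                continue
            secret, dn = entry
            if not hmac.compare_digest(secret, password):
                self.audit.append(f"{label}: invalid credentials for {username}")
                continue
            return self._link_or_provision(username, cfg, dn)
        self.audit.append(f"{username}: rejected by every gateway user type")
        return None

    def _link_or_provision(self, username: str, cfg: GatewayUserType, dn: str) -> PingOneUser:
        existing = self.users.get(username)
        if existing is not None:
            # Already migrated: reuse the PingOne user; the link to the LDAP entry is maintained.
            self.audit.append(f"{username}: existing user, linked to {existing.external_dn}")
            return existing
        user = PingOneUser(username, cfg.gateway, cfg.user_type.name, dn)
        self.users[username] = user
        self.audit.append(f"{username}: JIT-provisioned via {cfg.gateway} from {dn}")
        return user


def build_demo_step() -> LoginStep:
    """Two constructed gateways, evaluated in order; all names and DNs are made up."""
    step = LoginStep()
    step.add_gateway_user_type(GatewayUserType(
        "gateway-hq", UserType("HQ Staff", True),
        {"alice": ("alice-secret", "uid=alice,ou=people,dc=hq,dc=example")}))
    step.add_gateway_user_type(GatewayUserType(
        "gateway-branch", UserType("Branch Staff", True),
        {"bob": ("bob-secret", "uid=bob,ou=people,dc=branch,dc=example")}))
    return step


if __name__ == "__main__":
    step = build_demo_step()
    for name, pw in [("bob", "bob-secret"), ("bob", "bob-secret"), ("alice", "wrong")]:
        result = step.authenticate(name, pw)
        print(name, "->", result.external_dn if result else "denied")
    print("\n".join(step.audit))
```

Running the block shows bob being rejected by the first gateway, accepted and provisioned by the second, then reused on his second sign-on without a new user being created; the audit list is the place to look when checking which configuration in the sequence actually accepted a credential.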