---
title: Creating an authentication policy that uses the gateway
description: You can create or edit an authentication policy that end users use to sign on.
component: pingone
page_id: pingone:integrations:p1_create_auth_policy_using_the_gateway
canonical_url: https://docs.pingidentity.com/pingone/integrations/p1_create_auth_policy_using_the_gateway.html
revdate: March 11, 2025
section_ids:
  before-you-begin: Before you begin
  steps: Steps
  next-steps: Next steps
---

# Creating an authentication policy that uses the gateway

You can create or edit an authentication policy for end-user sign-on to PingOne that uses an LDAP gateway to authenticate user identities stored in an external directory.

|   |     |
| - | --- |
|   | When using a Lightweight Directory Access Protocol (LDAP) gateway as part of an authentication policy, the LDAP gateway performs just-in-time (JIT) provisioning, and the link between the LDAP store and PingOne is maintained. |

You can use an LDAP gateway to authenticate and authorize user identities stored in an external directory. After setting up an LDAP gateway, you then create an authentication policy that uses it to migrate new users the first time they sign on.

## Before you begin

* Set up an LDAP gateway with a user type configured.

  |   |     |
  | - | --- |
  |   | You can provide a seamless single sign-on (SSO) experience by enabling [Kerberos](p1_kerberos_authentication.html) in your LDAP gateway and adding that gateway to your authentication policy. If Kerberos authentication fails, PingOne falls back to a standard sign-on form. |

* Enable migration of new users in your gateway's user type. Learn more in [Adding a user type](p1_add_a_user_type.html).

## Steps

1. In the PingOne admin console, go to **Authentication > Authentication** and search for an existing authentication policy or create a new one.

2. Click the **Details** icon to expand the policy, and then click the **Pencil** icon.

3. On a **Login** policy step, in the **Migrate Gateway Users Upon First Authentication** section, click **Add gateway user type**.

4. Enter the following:

   * **Gateway**: Select the gateway that connects to the external directory.

   * **User type**: Select the user type that authenticates with the external gateway through which PingOne finds the user to complete the authentication process.

     |   |     |
     | - | --- |
     |   | You can add multiple gateway and user-type configurations. PingOne validates user credentials against them sequentially. You should add a multi-factor authentication (MFA) step to increase security. Learn more in [Adding a multi-factor authentication or PingID step](../authentication/p1_add_mfa_step.html). |

     |   |     |
     | - | --- |
     |   | You can only add user types if you select **Enable migration of new users upon first authentication**. After saving the authentication policy, don't remove the migration option from the selected user types, as this policy configuration becomes uneditable until the migration option is re-enabled in those user types. |

5. Click **Save**.

## Next steps

[Adding the authentication policy to an application](p1_add_the_auth_policy_to_an_application.html)
