PingOne

Creating an LDAP gateway provisioning connection

Use a gateway connection to set up provisioning to (outbound) or from (inbound) an Active Directory (AD) or PingDirectory user store through a new or existing gateway configuration. A provisioning rule then references the connection: an inbound rule brings users from the LDAP directory into PingOne, and an outbound rule pushes users from PingOne to the directory.

Before you begin

Make sure you have:

  • An existing gateway that’s enabled and has a healthy connection. Learn more in Gateways. For provisioning through an LDAP gateway, PingOne supports only AD or PingDirectory user stores.

    For LDAP gateways, you can configure inbound or outbound provisioning. RADIUS gateways don’t support provisioning.

  • A gateway that isn’t configured for just-in-time (JIT) provisioning. If you want to use the gateway for outbound or inbound sync, don’t enable the Enable migration of new users upon first authentication option on its user type. Learn more in Adding a user type.

  • For inbound provisioning, ensure that the LDAP gateway is version 2.3.3 or later. Previous versions of the LDAP gateway don’t support inbound provisioning.

  • For inbound provisioning, a service account that can read every user under the specified Base DN and, for AD, the tombstones in the Deleted Objects container (cn=Deleted Objects). PingOne learns that a user was deleted in AD only by reading its tombstone, so if the service account can’t read deleted objects, deletions in AD are never reflected in PingOne.

  • A gateway host that can establish outbound secure websocket (wss) connections to the PingOne websocket endpoints, and outbound HTTPS connections to auth.pingone.com and api.pingone.com (or the equivalent URLs for your region). Learn more in Before configuring an LDAP gateway and PingOne URLs by geographic region.
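The two prerequisites that most often fail in practice are the outbound TLS path and the service account’s right to read AD tombstones. The following pre-flight script is an added example, not PingOne or gateway code. It assumes the gateway host reaches PingOne over plain TLS on port 443, that the AD service account authenticates with a simple bind over LDAPS (636), that regional PingOne domains follow the same auth./api. host pattern, and that the third-party ldap3 package is installed for the deleted-objects check; the function names are this example’s.

```python
"""Pre-flight checks for an LDAP gateway host (added example, not PingOne code).

Assumptions: outbound HTTPS/wss to PingOne is plain TLS on 443, the AD service
account binds with a simple bind over LDAPS (636), and the third-party ldap3
package is available for the deleted-objects check.
"""
import socket
import ssl

# LDAP_SERVER_SHOW_DELETED_OID: without this control AD hides tombstones and
# the Deleted Objects container itself.
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"


def pingone_endpoints(base_domain: str = "pingone.com") -> list[str]:
    """Hosts the gateway must reach over TLS. base_domain is the regional
    PingOne domain; the auth./api. prefixes follow the page."""
    return [f"auth.{base_domain}", f"api.{base_domain}"]


def check_tls(host: str, port: int = 443, timeout: float = 5.0) -> tuple[bool, str]:
    """Open a verified TLS session to host:port and report the result.

    A TLS-intercepting proxy or a missing corporate root CA shows up here as a
    certificate verification error, which would also break the gateway's
    websocket connection to the same endpoint.
    """
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return True, f"{host}:{port} {tls.version()} cert CN={subject.get('commonName')}"
    except OSError as exc:  # ssl.SSLError and socket.timeout are both OSError subclasses
        return False, f"{host}:{port} {exc}"


def deleted_objects_dn(base_dn: str) -> str:
    """AD keeps tombstones under CN=Deleted Objects at the domain root."""
    return f"CN=Deleted Objects,{base_dn}"


def check_deleted_objects(host: str, bind_dn: str, password: str, base_dn: str) -> tuple[bool, str]:
    """Confirm the service account can read AD tombstones.

    Searches CN=Deleted Objects with the show-deleted control. If the account
    lacks rights, AD answers noSuchObject (the container is invisible to it) or
    insufficientAccessRights; either means deletions will never reach PingOne.
    """
    from ldap3 import SUBTREE, Connection, Server  # third-party, imported lazily

    conn = Connection(Server(host, port=636, use_ssl=True),
                      user=bind_dn, password=password, auto_bind=True)
    ok = conn.search(
        search_base=deleted_objects_dn(base_dn),
        search_filter="(isDeleted=TRUE)",
        search_scope=SUBTREE,
        attributes=["sAMAccountName", "objectGUID", "whenChanged"],
        size_limit=5,  # we only need proof of access, not every tombstone
        controls=[(SHOW_DELETED_OID, True, None)],
    )
    desc = conn.result["description"]
    conn.unbind()
    if ok or desc == "sizeLimitExceeded":
        return True, f"read tombstones under {deleted_objects_dn(base_dn)} ({desc})"
    return False, f"cannot read tombstones: {desc}"


if __name__ == "__main__":
    import sys
    for host in pingone_endpoints("pingone.com"):
        ok, msg = check_tls(host)
        print(("OK   " if ok else "FAIL ") + msg)
    if len(sys.argv) == 5:  # host bind_dn password base_dn
        ok, msg = check_deleted_objects(*sys.argv[1:])
        print(("OK   " if ok else "FAIL ") + msg)
```

Run it on the gateway host itself, not from an administrator workstation: the point is to exercise the same network path and trust store the gateway process will use. A successful search that returns no entries still means the account can see the container; a noSuchObject result means it cannot.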

Steps

  1. In the PingOne admin console, go to Integrations > Provisioning.

  2. Click the icon and then click New Connection.

  3. In the Create a New Connection modal, select Gateway.

  4. Select an existing gateway or click New Gateway to set up a new gateway.

    The gateway must be active and have a valid connection to an LDAP directory. Learn more about creating a gateway in Gateways.

  5. Click Next.

  6. In the Actions section, enter the provisioning options:

    The following options apply only if the gateway provisioning connection is used in an outbound provisioning rule:

    Field Description

    Allow Users to be Created

    Determines whether to create a user in the LDAP user directory when the user is created in the PingOne identity store. By default, this option is not selected.

    Allow Users to be Updated

    Determines whether to update user attributes in the LDAP user directory when the user is updated in the PingOne identity store.

    Allow Users to be Disabled

    Determines whether to disable a user in the LDAP user directory when the user is disabled in the PingOne identity store.

    Allow Users to be Deprovisioned

    Determines whether to deprovision a user in the LDAP user directory when the user is deprovisioned in the PingOne identity store. By default, this option is not selected.

    Remove Action

    Select Delete or Disable.

    Determines whether to delete the user’s entry in the target directory or only disable it when the user is deleted in the PingOne identity store.

    Deprovision on Rule Deletion

    Determines whether to deprovision users if the associated provisioning rule is deleted.

  7. Click Save.

  8. To enable the connection, click the toggle at the top of the details panel to the right (blue).

    You can disable the connection by clicking the toggle to the left (gray).
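The Actions settings in step 6 gate which LDAP operation, if any, a PingOne user lifecycle event produces in the target directory. The planner below is an added example, not PingOne’s implementation, and it targets AD. It assumes that Disable means setting the ACCOUNTDISABLE bit (0x2) of userAccountControl, that a deprovisioned user receives the same Remove Action as a deleted one, and that the event names, the OutboundActions field names and the dict shape of the emitted operations are this example’s own.

```python
"""Outbound action planner for an AD target (added example, not PingOne code)."""
from dataclasses import dataclass

ACCOUNTDISABLE = 0x2    # userAccountControl flag: account is disabled
NORMAL_ACCOUNT = 0x200  # userAccountControl flag: ordinary user account


@dataclass(frozen=True)
class OutboundActions:
    """The Actions settings from step 6. Field names are this example's."""
    allow_create: bool
    allow_update: bool
    allow_disable: bool
    allow_deprovision: bool
    remove_action: str                 # "delete" or "disable"
    deprovision_on_rule_deletion: bool


def disable_op(user_dn: str, uac: int) -> dict:
    """Disable by setting ACCOUNTDISABLE and leaving the other UAC flags intact
    (e.g. DONT_EXPIRE_PASSWD survives; replacing UAC with a constant would not)."""
    return {"op": "modify", "dn": user_dn,
            "changes": {"userAccountControl": str(uac | ACCOUNTDISABLE)}}


def remove_op(user_dn: str, uac: int, actions: OutboundActions) -> dict:
    """Apply the Remove Action: delete the entry or only disable it."""
    if actions.remove_action == "delete":
        return {"op": "delete", "dn": user_dn}
    if actions.remove_action == "disable":
        return disable_op(user_dn, uac)
    raise ValueError(f"unknown remove_action {actions.remove_action!r}")


def plan_ldap_ops(event: str, user_dn: str, desired: dict, current: dict,
                  uac: int, actions: OutboundActions) -> list[dict]:
    """Translate one PingOne user lifecycle event into LDAP operations.

    event:   "created" | "updated" | "disabled" | "deprovisioned" | "deleted"
             (names are this example's, not PingOne's)
    desired: attribute values the outbound mapping produces for the user
    current: values already on the LDAP entry ({} for a new entry)
    uac:     the entry's current userAccountControl
    Returns [] when the matching Action is not allowed or nothing changed.
    """
    if event == "created":
        if not actions.allow_create:
            return []
        # AD accepts 512 on add only if unicodePwd is set in the same operation
        # over TLS; otherwise create as 514 (disabled) and enable after the
        # password is set.
        return [{"op": "add", "dn": user_dn,
                 "attrs": {**desired, "userAccountControl": str(NORMAL_ACCOUNT)}}]
    if event == "updated":
        if not actions.allow_update:
            return []
        changes = {k: v for k, v in desired.items() if current.get(k) != v}
        return [{"op": "modify", "dn": user_dn, "changes": changes}] if changes else []
    if event == "disabled":
        return [disable_op(user_dn, uac)] if actions.allow_disable else []
    if event == "deprovisioned":
        # Assumption: a deprovisioned user gets the same Remove Action as a deleted one.
        return [remove_op(user_dn, uac, actions)] if actions.allow_deprovision else []
    if event == "deleted":
        return [remove_op(user_dn, uac, actions)]
    raise ValueError(f"unknown event {event!r}")


def plan_rule_deletion(managed: list[tuple[str, int]], actions: OutboundActions) -> list[dict]:
    """Deprovision on Rule Deletion: what happens to every (dn, uac) the rule managed."""
    if not actions.deprovision_on_rule_deletion:
        return []
    return [remove_op(dn, uac, actions) for dn, uac in managed]
```

The detail worth copying is in disable_op: disabling by OR-ing the flag keeps whatever else is set in userAccountControl, whereas writing a fixed 514 silently clears flags such as DONT_EXPIRE_PASSWD. Deciding Remove Action is a policy call: Delete frees the sAMAccountName for reuse, Disable keeps the SID, group memberships and audit trail.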

Next steps

Active Directory attributes

The following table lists common Active Directory attributes that can be mapped for user provisioning.

Attribute Description

cn (Required)

The common name for the user account.

sAMAccountName (Required)

The user name for the user account.

Given Name

The first name of the user.

sn

The last name (surname) of the user.

Display Name

The name as it will appear in the PingOne identity store.

Mail

The email address for the user.

Mobile Number

The mobile telephone number for the user.

Telephone Number

The telephone number for the user.

Title

The user’s title, such as Manager or CEO.

    Active

    The status of the user account (enabled or disabled). This isn’t a stored LDAP attribute; in AD it reflects the ACCOUNTDISABLE flag of userAccountControl.

Password

The password for the user.

ResetPassword

Determines whether a user must reset their password the next time they sign on. The default value is false, but it can be mapped to an attribute.

Street Address

The physical address for the user.

Postal Code

The ZIP code or postal code for the user.

    l

    The locality (city) of the user.

Country Abbreviation

The country code for the user.

    st

    The state or province of the user.

PingDirectory attributes

The following table lists common PingDirectory attributes that can be mapped for user provisioning.

Attribute Description

uid (Required)

The user name for the user account. Typically mapped to Username.

sn (Required)

The last name (surname) of the user. Typically mapped to Family Name.

cn (Required)

The common name for the user account. Typically mapped to Username.

Given Name

The first name of the user.

Mail

The email address for the user.

Mobile Phone

The mobile telephone number for the user.

Telephone Number

The telephone number for the user.

Title

The user’s title, such as Manager or CEO.

Active

The status of the user account.

Password

The password for the user.

Street Address

The physical address for the user.

Postal Code

The ZIP code or postal code for the user.

    l

    The locality (city) of the user.

    st

    The state or province of the user.

Preferred Language

The primary language for the user.

Default attribute mapping for inbound provisioning through an LDAP gateway

The following tables list the default Active Directory and PingDirectory attributes that are mapped to PingOne user attributes for inbound provisioning.

Active Directory default attributes

Attribute Description

sAMAccountName

The user’s username.

sn

The user’s last name (surname).

Given Name

The user’s first (given) name.

Mail

The user’s email address.

Active

The status of the user account in Active Directory.

PingDirectory default attributes

Attribute Description

uid

The user’s username.

Given Name

The user’s first (given) name.

sn

The user’s last name (surname).

Mail

The user’s email address.

Active

The status of the user account in PingDirectory.
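The Active Directory default mapping above, applied to a small directory snapshot, as an added example (not the gateway’s code). The LDIF is constructed sample data (the GUID in the tombstone DN is made up). The PingOne-side field names (username, name.given, name.family, email, enabled) follow the PingOne user schema as assumed here; deriving Active from the ACCOUNTDISABLE bit (0x2) of userAccountControl and treating an isDeleted tombstone as a deprovision signal are this example’s assumptions about how the gateway computes them.

```python
"""Inbound mapping of AD entries to PingOne users (added example, not gateway code)."""

ACCOUNTDISABLE = 0x2  # userAccountControl flag set on disabled AD accounts

# Default inbound mapping from the page's Active Directory table. The PingOne
# side uses the user schema names assumed here (username, name.given,
# name.family, email); "Active" is derived below from userAccountControl.
AD_DEFAULT_MAPPING = {
    "sAMAccountName": "username",
    "givenName": "name.given",
    "sn": "name.family",
    "mail": "email",
}

# Constructed sample data: an active user, a disabled user, and a tombstone
# under CN=Deleted Objects (the GUID in the tombstone DN is made up).
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=corp,DC=example,DC=com
sAMAccountName: jdoe
givenName: Jane
sn: Doe
mail: jane.doe@example.com
userAccountControl: 512

dn: CN=Lee Ver,OU=Staff,DC=corp,DC=example,DC=com
sAMAccountName: lver
givenName: Lee
sn: Ver
mail: lee.ver@example.com
userAccountControl: 66050

dn: CN=Gone\\0ADEL:11111111-2222-3333-4444-555555555555,CN=Deleted Objects,DC=corp,DC=example,DC=com
sAMAccountName: gone
isDeleted: TRUE
userAccountControl: 514
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    multi-valued attributes kept as lists. Base64 (::) values are not handled."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def to_pingone_user(entry: dict, mapping: dict = AD_DEFAULT_MAPPING):
    """Return ("deprovision", info) for a tombstone, else ("upsert", user).

    Assumptions: an entry with isDeleted=TRUE is a deletion the inbound rule
    should act on, and Active is False when ACCOUNTDISABLE is set.
    """
    dn = entry["dn"][0]
    if "sAMAccountName" not in entry:
        raise ValueError(f"{dn}: sAMAccountName is required for inbound mapping")
    username = entry["sAMAccountName"][0]
    if entry.get("isDeleted", ["FALSE"])[0].upper() == "TRUE":
        return "deprovision", {"dn": dn, "username": username}
    user = {}
    for ldap_attr, target in mapping.items():
        values = entry.get(ldap_attr)
        if not values:
            continue  # an optional attribute that is absent is left unset
        parent, _, child = target.partition(".")  # "name.given" -> nested dict
        if child:
            user.setdefault(parent, {})[child] = values[0]
        else:
            user[parent] = values[0]
    uac = int(entry.get("userAccountControl", ["0"])[0])
    user["enabled"] = not (uac & ACCOUNTDISABLE)
    return "upsert", user


def sync_batch(ldif_text: str):
    """Split a directory snapshot into PingOne upserts and deprovisions."""
    upserts, deprovisions = [], []
    for entry in parse_ldif(ldif_text):
        kind, payload = to_pingone_user(entry)
        (upserts if kind == "upsert" else deprovisions).append(payload)
    return upserts, deprovisions
```

The tombstone branch is the reason the service account needs read access to cn=Deleted Objects: without it the third entry never appears in a search, the deprovision list stays empty, and the PingOne user lingers with whatever access it had.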

Known issues for provisioning through an LDAP gateway

The following are known issues or limitations with provisioning through an LDAP gateway.

  • PingOne does not support concurrency for LDAP inbound provisioning using the same gateway connection, even with different User Base DNs.

  • For bi-directional LDAP sync, ensure that the attribute mappings on both rules are identical.

    Outbound provisioning doesn’t reproduce the directory hierarchy (OU placement) that the inbound side read the users from.

  • In the expression builder, you can use only LDAP attributes that are part of the default attribute list. As a workaround, you can use the ADD feature to map the needed attribute and use it in the expression.

  • The LDAP filter currently compares numeric values lexicographically (as strings), not numerically, so a filter such as (employeeNumber>=100) also matches 99 and 50. If you need numeric ordering, store the values zero-padded to a fixed width.

  • In Active Directory, deleting an OU that contains users might not deprovision users in PingOne.

  • PingOne does not support moddn (modify DN) operations, so renaming or moving an entry in the directory isn’t synced.

  • PingOne does not support updating the uid attribute value.
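To see the filter comparison issue concretely, here is an added example (not PingOne’s filter code) that evaluates a one-term LDAP filter over constructed entries in both string order and numeric order, and shows the zero-padding workaround. The entries and their employeeNumber values are constructed, and the evaluator supports only a single (attr=v), (attr>=v) or (attr<=v) term.

```python
"""Lexicographic vs numeric LDAP filter comparison (added example, not PingOne's code)."""
import re

# One comparison term: (attr=v), (attr>=v) or (attr<=v). Compound filters are out of scope.
_TERM = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)(?P<op>>=|<=|=)(?P<val>[^()]*)\)$")


def matches(filter_expr: str, entry: dict, numeric: bool = False) -> bool:
    """Evaluate one filter term against an entry (attr -> string value).

    numeric=False compares the strings, which is what the page says the
    provisioning filter does; numeric=True compares as integers, which is what
    an integer-syntax attribute gets on the directory server itself.
    """
    m = _TERM.match(filter_expr)
    if not m:
        raise ValueError(f"unsupported filter: {filter_expr}")
    attr, op, want = m.group("attr", "op", "val")
    have = entry.get(attr)
    if have is None:
        return False
    if numeric:
        have, want = int(have), int(want)
    return {"=": have == want, ">=": have >= want, "<=": have <= want}[op]


def select(filter_expr: str, entries: list, numeric: bool = False) -> list:
    """Usernames of the entries the filter would pull into the rule."""
    return [e["sAMAccountName"] for e in entries if matches(filter_expr, e, numeric)]


def zero_padded(entries: list, attr: str, width: int) -> list:
    """Workaround: store the numeric attribute at a fixed width (e.g. 0099) so
    that string order equals numeric order for every value up to that width."""
    out = []
    for e in entries:
        e = dict(e)
        if attr in e:
            e[attr] = str(int(e[attr])).zfill(width)
        out.append(e)
    return out


# Constructed entries; the employeeNumber values are chosen to expose the issue.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "anna", "employeeNumber": "50"},
    {"sAMAccountName": "bo", "employeeNumber": "100"},
    {"sAMAccountName": "cy", "employeeNumber": "99"},
    {"sAMAccountName": "dee", "employeeNumber": "1000"},
]
```

With string comparison, (employeeNumber>=100) pulls in all four sample users because "5" and "9" sort after "1"; the numeric reading selects only bo and dee. Padding the stored values to four digits and filtering on (employeeNumber>=0100) gives the numeric result while still using the string comparison the filter performs. Check this on the directory side as well: once you zero-pad, any other consumer of that attribute must accept the padded form.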