Creating an LDAP gateway provisioning connection
Use a gateway connection to set up provisioning to or from an Active Directory (AD) or PingDirectory user store through a new or existing gateway configuration. An LDAP gateway provisioning connection can sync users from the LDAP directory into PingOne (inbound) or from PingOne into the LDAP directory (outbound).
Before you begin
Make sure:
- You have an existing LDAP gateway that’s enabled and has a healthy connection. Learn more in Gateways. For provisioning through an LDAP gateway, PingOne supports only AD or PingDirectory user stores. For LDAP gateways, you can configure inbound or outbound provisioning. RADIUS gateways don’t support provisioning.
- You have an LDAP gateway that isn’t configured for just-in-time (JIT) provisioning. You can’t enable the Enable migration of new users upon first authentication option if you want to use the gateway for outbound or inbound sync. Learn more in Adding a user type.
- You have an LDAP gateway version 2.3.3 or later for inbound provisioning. Previous versions of the LDAP gateway don’t support inbound provisioning.
- The LDAP gateway version is 4.0 or later to use group membership provisioning.
- For inbound provisioning from AD, the service account can read deleted entries (the CN=Deleted Objects container) so that PingOne stays in sync when objects are deleted in AD. If the service account can’t read deleted objects, such as a user that has been deleted, it can’t detect that change, and the deletion is never propagated to PingOne.
- The service account can access all users in the specified base distinguished name (DN).
- You have an LDAP gateway that makes outbound WebSocket connections to specific WebSocket endpoints. Learn more in Before configuring an LDAP gateway.
- You have an LDAP gateway that’s able to establish an outbound connection to auth.pingone.com and api.pingone.com or the equivalent URLs for your region. Learn more in PingOne URLs by geographic region.
- You’ve established secure WebSocket connections on those relevant endpoints.
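Before you create the connection, it is worth confirming the two service-account prerequisites above from outside the gateway. The following Python script is an added example, not Ping Identity's code: it assumes the ldap3 package is installed, that a domain controller is reachable over LDAPS, and that the operator supplies credentials through the AD_* environment variables (all three are assumptions of this example). The Show Deleted control OID, 1.2.840.113556.1.4.417, is the one Active Directory defines for listing tombstones.

```python
"""Added example (not PingOne's or Ping Identity's code): verify that the
gateway's AD service account can (1) read the users under the base DN and
(2) read tombstones in CN=Deleted Objects, which inbound provisioning needs
in order to notice deletions.

Assumptions: the ldap3 package is installed, the AD server is reachable over
LDAPS from where this runs, and the AD_* environment variables are set by
the operator. The control OID below is AD's documented Show Deleted control."""

import os
import sys

SHOW_DELETED_OID = "1.2.840.113556.1.4.417"  # AD "Show Deleted Objects" control


def deleted_objects_dn(domain_dn):
    """Return the tombstone container DN for a domain naming context."""
    return "CN=Deleted Objects," + domain_dn


def tombstone_search(domain_dn):
    """Search parameters mirroring what the inbound sync needs: a search of the
    Deleted Objects container, filtered to tombstones, with the Show Deleted
    control marked critical so a server that cannot honour it returns an error
    instead of silently hiding the entries."""
    return {
        "search_base": deleted_objects_dn(domain_dn),
        "search_filter": "(isDeleted=TRUE)",
        "attributes": ["objectGUID", "lastKnownParent", "whenChanged"],
        "controls": [(SHOW_DELETED_OID, True, None)],
    }


def evaluate(user_count, tombstone_result):
    """Turn raw search outcomes into a list of problems (empty means OK).
    `tombstone_result` is the LDAP result description string, e.g. 'success',
    'noSuchObject' or 'insufficientAccessRights'."""
    problems = []
    if user_count == 0:
        problems.append("no user objects readable under the base DN")
    if tombstone_result != "success":
        problems.append("Deleted Objects search failed: %s" % tombstone_result)
    return problems


def check(host, bind_dn, password, base_dn, domain_dn):
    """Bind as the service account and run both checks. Returns the problems list."""
    import ldap3  # imported here so the pure helpers above work without it

    server = ldap3.Server(host, use_ssl=True, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=bind_dn, password=password, auto_bind=True)

    # Check 1: can the account enumerate the users it is supposed to sync?
    conn.search(base_dn, "(&(objectClass=user)(objectCategory=person))",
                search_scope=ldap3.SUBTREE, attributes=["sAMAccountName"])
    user_count = len(conn.entries)

    # Check 2: can the account see tombstones? With raise_exceptions left at its
    # default, a failed search leaves the reason in conn.result["description"].
    conn.search(**tombstone_search(domain_dn), search_scope=ldap3.SUBTREE)
    return evaluate(user_count, conn.result["description"])


if __name__ == "__main__":
    problems = check(
        host=os.environ["AD_HOST"],
        bind_dn=os.environ["AD_BIND_DN"],
        password=os.environ["AD_BIND_PASSWORD"],
        base_dn=os.environ["AD_BASE_DN"],
        domain_dn=os.environ["AD_DOMAIN_DN"],
    )
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it with the gateway's service-account credentials, not an administrator's, or the result says nothing about the gateway. A noSuchObject or insufficientAccessRights result on the tombstone search means the account can't see CN=Deleted Objects; by default AD lets only Administrators list that container, so a least-privilege service account needs that permission granted explicitly. A user count of zero means the base DN is wrong or the account lacks read access to the users beneath it.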
Steps
1. In the PingOne admin console, go to Integrations > Provisioning.
2. Click the icon and then click New Connection.
3. In the Create a New Connection modal, select Gateway.
4. Select an existing gateway or click New Gateway to set up a new gateway.
   The gateway must be active and have a valid connection to an LDAP directory. Learn more about creating a gateway in Gateways.
5. Click Next.
6. In the Configure Preferences and Users Actions sections, configure the following:

| Field | Description |
|---|---|
| Enable users creation | Determines whether to create a user in the target identity store when the user is created in the source identity store. |
| Enable users updation | Determines whether to update user attributes in the target identity store when the user is updated in the source identity store. If Enable users updation is selected, you can also select Enable users disable, which determines whether to disable a user in the target identity store when the user is disabled in the source identity store. |
| Enable users deprovision | Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store. |

   If Enable users deprovision is selected, the following options appear:
   - Remove Action: Determines whether to remove or disable a user in the target identity store when the user is deleted in the source identity store. Select Delete or Disable. Remove Action is only available if you select Enable users disable.
   - Deprovision on rule deletion: Determines whether to deprovision users if the associated provisioning rule is deleted.
7. Click Save.
8. To enable the connection, click the toggle at the top of the details panel to the right (blue). You can disable the connection by clicking the toggle to the left (gray).
Result
When you configure inbound provisioning, a PingOne Directory connection is added automatically and the following Groups Actions (LDAP only) and Memberships Actions (LDAP only) settings become available:

| Field | Description |
|---|---|
| Enable groups creation | Creates groups in PingOne when they’re created in the LDAP directory behind the gateway. |
| Enable groups rename | Updates group names in PingOne when they’re changed in the LDAP directory. |
| Enable groups deletion | Removes groups from PingOne when they’re deleted from the LDAP directory. If you enable groups deletion, you can also select Delete groups on rule deletion, which deletes provisioned groups in PingOne when the rule is deleted. |
| Enable memberships sync | Controls adding and removing memberships to groups in PingOne. |

Group membership updates aren’t immediately synced to PingOne. To sync group membership, you must either modify an additional user attribute or initiate a manual synchronization through the PingOne admin console. Learn more in Creating an inbound rule for a connection through an LDAP gateway.
Next steps
- Define which users are provisioned from PingOne to the LDAP gateway and how attributes are mapped between PingOne and the LDAP directory. Learn more in Creating an outbound rule for a connection through an LDAP gateway.
- Configure an LDAP gateway filter that specifies which users or groups to provision from LDAP to PingOne. Learn more in Creating an inbound rule for a connection through an LDAP gateway.
Active Directory attributes
The following table lists common Active Directory attributes that can be mapped for user provisioning.
| Attribute | Description |
|---|---|
| cn (Required) | The common name for the user account. |
| sAMAccountName (Required) | The user name (logon name) for the user account. |
| Given Name | The first name of the user. |
| sn | The last name (surname) of the user. |
| Display Name | The name as it will appear in the PingOne identity store. |
|  | The email address for the user. |
| Mobile Number | The mobile telephone number for the user. |
| Telephone Number | The telephone number for the user. |
| Title | The user’s title, such as Manager or CEO. |
| Active | The status of the user account. |
| Password | The password for the user. |
| ResetPassword | Determines whether a user must reset their password the next time they sign on. The default value is false, but it can be mapped to an attribute. |
| Street Address | The physical address for the user. |
| Postal Code | The ZIP code or postal code for the user. |
| l | The locality (city) of the user. In LDAP, l is localityName, not a locale setting. |
| Country Abbreviation | The country code for the user. |
| st | The state or province (region) of the user. |
PingDirectory attributes
The following table lists common PingDirectory attributes that can be mapped for user provisioning.
| Attribute | Description |
|---|---|
| uid (Required) | The user name for the user account. Typically mapped to |
| sn (Required) | The last name (surname) of the user. Typically mapped to |
| cn (Required) | The common name for the user account. Typically mapped to |
| Given Name | The first name of the user. |
|  | The email address for the user. |
| Mobile Phone | The mobile telephone number for the user. |
| Telephone Number | The telephone number for the user. |
| Title | The user’s title, such as Manager or CEO. |
| Active | The status of the user account. |
| Password | The password for the user. |
| Street Address | The physical address for the user. |
| Postal Code | The ZIP code or postal code for the user. |
| l | The locality (city) of the user. In LDAP, l is localityName, not a locale setting. |
| st | The state or province (region) of the user. |
| Preferred Language | The primary language for the user. |
Default attribute mapping for inbound provisioning through an LDAP gateway
The following table lists the default attributes for Active Directory and PingDirectory that can be mapped to PingOne user attributes for user provisioning.
Known issues for provisioning through an LDAP gateway
The following are known issues or limitations with provisioning through an LDAP gateway.
- PingOne does not support concurrency for LDAP inbound provisioning using the same gateway connection, even with different User Base DNs.
- For bi-directional LDAP sync, ensure that the attribute mappings on both rules are identical.
- PingOne does not maintain the same directory hierarchy on outbound provisioning as on inbound.
- In the expression builder, you can use only LDAP attributes that are part of the default attribute list. As a workaround, use the ADD feature to map the needed attribute and then use it in the expression.
- The LDAP filter currently compares numeric values lexicographically (as strings) rather than numerically, so for example the value 1000 sorts before 500 and 60 sorts after it. Range filters on unpadded numeric attributes therefore select the wrong entries.
- In Active Directory, deleting an OU that contains users might not deprovision those users in PingOne.
- PingOne does not support modDN operations (renaming or moving entries).
- PingOne does not support updating the uid attribute value.
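To see what the lexicographic comparison in the list above does to a range filter, here is an added Python example, not the gateway's or PingOne's code: a small evaluator for a subset of RFC 4515 filter syntax run over constructed sample entries (the DNs and employeeNumber values are made up), with the ordering switchable between string and integer comparison, and the zero-padding that makes the two orderings agree.

```python
"""Added example (not PingOne's code): why an LDAP gateway filter such as
(employeeNumber>=500) misbehaves when the gateway compares numeric values as
strings, and why fixed-width zero-padded values avoid it. The evaluator is a
deliberately small re-implementation of a subset of RFC 4515 filter semantics
for illustration; it is not the gateway's filter engine."""

import re

# Constructed sample entries (not real directory data).
ENTRIES = {
    "CN=alice,OU=Staff,DC=example,DC=com": {"employeeNumber": "60"},
    "CN=bob,OU=Staff,DC=example,DC=com": {"employeeNumber": "500"},
    "CN=carol,OU=Staff,DC=example,DC=com": {"employeeNumber": "1000"},
}

# One simple item: (attr=value), (attr>=value), (attr<=value) or (attr=*).
_SIMPLE = re.compile(r"^\(([A-Za-z][\w;-]*)(>=|<=|=)([^()]*)\)$")


def parse_filter(text):
    """Parse (&...), (|...), (!...) and the simple items above into a tree."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    inner = text[1:-1]
    if inner[:1] in "&|!":
        return (inner[0], [parse_filter(c) for c in _split_children(inner[1:])])
    m = _SIMPLE.match(text)
    if not m:
        raise ValueError("unsupported filter item: %r" % text)
    attr, op, value = m.groups()
    return (op, attr, value)


def _split_children(s):
    """Split '(a=1)(b=2)' into its top-level parenthesised children."""
    children, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                children.append(s[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced parentheses in %r" % s)
    return children


def matches(node, entry, compare=str):
    """Evaluate a parsed filter against one entry's attribute dict.

    `compare` converts values before an ordering comparison: `str` reproduces
    the lexicographic behaviour the known issue describes, `int` is what an
    administrator writing a numeric range usually expects."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry, compare) for c in node[1])
    if kind == "|":
        return any(matches(c, entry, compare) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry, compare)
    op, attr, value = node
    actual = entry.get(attr)
    if actual is None:
        return False
    if op == "=":
        return value == "*" or actual == value
    if op == ">=":
        return compare(actual) >= compare(value)
    return compare(actual) <= compare(value)


def select(filter_text, entries, compare=str):
    """Return the sorted DNs that the filter selects from `entries`."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items() if matches(node, attrs, compare))


def zero_pad(entries, attr, width):
    """Copy entries with `attr` left-padded to a fixed width, so that string
    order and numeric order agree for values that fit in `width` digits."""
    return {dn: {**a, attr: a[attr].zfill(width)} for dn, a in entries.items()}


if __name__ == "__main__":
    f = "(employeeNumber>=500)"
    print("numeric:      ", select(f, ENTRIES, int))   # bob, carol (intended)
    print("lexicographic:", select(f, ENTRIES))        # alice, bob (what a string compare gives)
    padded = zero_pad(ENTRIES, "employeeNumber", 4)
    print("padded:       ", select("(employeeNumber>=0500)", padded))  # bob, carol again
```

The practical consequence: until the comparison is numeric, either keep numeric attributes you filter on at a fixed width (with a matching fixed-width literal in the filter, as in the padded case), or select on attributes whose values are not compared by magnitude and apply the numeric condition elsewhere.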