Creating an LDAP gateway provisioning connection
Use a gateway connection to set up provisioning to or from an Active Directory (AD) or PingDirectory user store through a new or existing gateway configuration. An LDAP gateway provisioning connection lets you migrate users from the LDAP directory into PingOne (inbound provisioning) or push PingOne users out to the directory (outbound provisioning).
Before you begin
Make sure you have:
-
An existing gateway that’s enabled and has a healthy connection. Learn more in Gateways. For provisioning through an LDAP gateway, PingOne supports only AD or PingDirectory user stores.
For LDAP gateways, you can configure inbound or outbound provisioning. RADIUS gateways don’t support provisioning.
-
A gateway that isn’t configured for just-in-time (JIT) provisioning. You can’t enable the Enable migration of new users upon first authentication option if you want to use the gateway for outbound or inbound sync. Learn more in Adding a user type.
-
For inbound provisioning, ensure that the LDAP gateway is version 2.3.3 or later. Previous versions of the LDAP gateway don’t support inbound provisioning.
-
For inbound provisioning, ensure that the service account can read deleted entries (the cn=Deleted Objects container) so that PingOne stays in sync when objects are deleted in AD. If the service account can’t read deleted objects, it can’t detect that a user has been deleted, and the deletion is not propagated to PingOne.
-
The service account can read all users in the specified Base DN. A user the service account can’t see is never synced.
-
A gateway that can make outbound secure websocket connections to the required websocket endpoints. Learn more in Before configuring an LDAP gateway.
-
A gateway that can establish an outbound connection to auth.pingone.com and api.pingone.com (or the equivalent URLs for your region). Learn more in PingOne URLs by geographic region.
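The two service-account requirements above (read access to every user under the Base DN, and read access to cn=Deleted Objects) are easy to get wrong, because a restricted account in AD simply sees fewer objects rather than getting an error. The following PowerShell script is an added example and is not part of the PingOne documentation or the gateway software: it runs the same queries once as the administrator and once as the service account and compares the results. The domain controller, Base DN, and account name are hypothetical values for illustration; the dsacls lines it prints are the standard Microsoft procedure for exposing the Deleted Objects container to a non-administrator.

```powershell
# Added example (not PingOne documentation): verify that the LDAP gateway's AD
# service account can see every user under the Base DN and can read tombstones in
# CN=Deleted Objects before you enable inbound provisioning.
# Assumed (hypothetical) values: domain controller dc01.example.com, Base DN
# OU=Users,DC=example,DC=com, service account EXAMPLE\svc-pingone-gw.
# Run from a domain-joined host with the RSAT ActiveDirectory module, as an admin.

param(
    [string]$Server  = 'dc01.example.com',
    [string]$BaseDn  = 'OU=Users,DC=example,DC=com',
    [string]$Account = 'EXAMPLE\svc-pingone-gw'
)

Import-Module ActiveDirectory

# Queries that pass -Credential run with the service account's rights; the
# others run as the current (admin) session and serve as the baseline.
$cred      = Get-Credential -UserName $Account -Message 'Gateway service account password'
$domainDn  = (Get-ADDomain -Server $Server).DistinguishedName
$deletedDn = "CN=Deleted Objects,$domainDn"

# Check 1: every user under the Base DN is visible to the service account.
# AD hides objects the caller cannot read instead of returning an error, so the
# only reliable test is a comparison against the admin baseline.
$asAdmin = @(Get-ADUser -Server $Server -SearchBase $BaseDn -Filter * |
             Select-Object -ExpandProperty DistinguishedName)
$asSvc   = @(Get-ADUser -Server $Server -SearchBase $BaseDn -Filter * -Credential $cred |
             Select-Object -ExpandProperty DistinguishedName)
$hidden  = @($asAdmin | Where-Object { $asSvc -notcontains $_ })

if ($hidden.Count -gt 0) {
    Write-Warning ("Service account sees {0} of {1} users under {2}. Hidden:`n  {3}" -f `
        $asSvc.Count, $asAdmin.Count, $BaseDn, ($hidden -join "`n  "))
} else {
    Write-Host "OK: service account can read all $($asAdmin.Count) users under $BaseDn"
}

# Check 2: the service account can read tombstones. -IncludeDeletedObjects adds
# the Show Deleted Objects LDAP control, but the caller still needs List Contents
# and Read Property on the Deleted Objects container, which non-admins lack by default.
$tombFilter = 'isDeleted -eq $true -and objectClass -eq "user"'
$tombAdmin  = @(Get-ADObject -Server $Server -SearchBase $deletedDn -IncludeDeletedObjects -Filter $tombFilter)
try {
    $tombSvc = @(Get-ADObject -Server $Server -SearchBase $deletedDn -IncludeDeletedObjects `
                 -Credential $cred -Filter $tombFilter)
} catch {
    # A container the account cannot read at all usually surfaces as "not found".
    $tombSvc = @()
    Write-Warning "Service account cannot query ${deletedDn}: $($_.Exception.Message)"
}

if ($tombSvc.Count -lt $tombAdmin.Count) {
    Write-Warning ("Service account sees {0} of {1} deleted users; deletions in AD will not be detected." -f `
        $tombSvc.Count, $tombAdmin.Count)
    Write-Host 'Grant read access once as a Domain Admin (ownership of the container must be taken first):'
    Write-Host "  dsacls `"$deletedDn`" /takeownership"
    Write-Host "  dsacls `"$deletedDn`" /G `"${Account}:LCRP`""
} elseif ($tombAdmin.Count -eq 0) {
    Write-Host "Inconclusive: no deleted users currently in $deletedDn; delete a test user and rerun."
} else {
    Write-Host "OK: service account can read all $($tombAdmin.Count) deleted users under $deletedDn"
}
```

The gateway talks plain LDAP to the directory rather than going through the AD PowerShell module, but the ACL evaluation is the same, so an account that passes both checks here will also see the users and tombstones from the gateway. LCRP grants only List Contents and Read Property on the container, which is all the inbound sync needs; do not grant broader rights on Deleted Objects to the service account.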
Steps
-
In the PingOne admin console, go to Integrations > Provisioning.
-
Click the icon and then click New Connection.
-
In the Create a New Connection modal, select Gateway.
-
Select an existing gateway or click New Gateway to set up a new gateway.
The gateway must be active and have a valid connection to an LDAP directory. Learn more about creating a gateway in Gateways.
-
Click Next.
-
In the Actions section, enter the provisioning options. The following options apply only if the gateway provisioning connection is used in an outbound provisioning rule:
Field | Description |
---|---|
Allow Users to be Created | Determines whether to create a user in the LDAP user directory when the user is created in the PingOne identity store. Not selected by default. |
Allow Users to be Updated | Determines whether to update user attributes in the LDAP user directory when the user is updated in the PingOne identity store. |
Allow Users to be Disabled | Determines whether to disable a user in the LDAP user directory when the user is disabled in the PingOne identity store. |
Allow Users to be Deprovisioned | Determines whether to deprovision a user in the LDAP user directory when the user is deprovisioned in the PingOne identity store. Not selected by default. |
Remove Action | Select Delete or Disable. Determines whether to delete or disable the user in the target identity store when the user is deleted in the PingOne identity store. Disable is reversible; Delete removes the directory entry, so a deletion in PingOne caused by a mistaken rule change is propagated to the directory. |
Deprovision on Rule Deletion | Determines whether to deprovision users if the associated provisioning rule is deleted. |
-
Click Save.
-
To enable the connection, switch the toggle at the top of the details panel to the right (it turns blue).
To disable the connection, switch the toggle to the left (it turns gray).
Next steps
-
Define which users are provisioned from PingOne to the LDAP directory through the gateway and how attributes are mapped between PingOne and the LDAP directory. Learn more in Creating an outbound rule for a connection through an LDAP gateway.
-
Configure an LDAP gateway filter that specifies which users to provision from LDAP to PingOne. Learn more in Creating an inbound rule for a connection through an LDAP gateway.
Active Directory attributes
The following table lists common Active Directory attributes that can be mapped for user provisioning.
Attribute | Description |
---|---|
cn (Required) | The common name for the user account. |
sAMAccountName (Required) | The user name for the user account. |
Given Name | The first name of the user. |
sn | The last name (surname) of the user. |
Display Name | The name as it will appear in the PingOne identity store. |
| | The email address for the user. |
Mobile Number | The mobile telephone number for the user. |
Telephone Number | The telephone number for the user. |
Title | The user’s title, such as Manager or CEO. |
Active | The status of the user account. |
Password | The password for the user. |
ResetPassword | Determines whether a user must reset their password the next time they sign on. The default value is false, but it can be mapped to an attribute. |
Street Address | The physical address for the user. |
Postal Code | The ZIP code or postal code for the user. |
l | The locality (city) of the user. In LDAP, l is the localityName attribute; it is not a locale or language setting. |
Country Abbreviation | The country code for the user. |
st | The state or province for the user. |
PingDirectory attributes
The following table lists common PingDirectory attributes that can be mapped for user provisioning.
Attribute | Description |
---|---|
uid (Required) | The user name for the user account. Typically mapped to |
sn (Required) | The last name (surname) of the user. Typically mapped to |
cn (Required) | The common name for the user account. Typically mapped to |
Given Name | The first name of the user. |
| | The email address for the user. |
Mobile Phone | The mobile telephone number for the user. |
Telephone Number | The telephone number for the user. |
Title | The user’s title, such as Manager or CEO. |
Active | The status of the user account. |
Password | The password for the user. |
Street Address | The physical address for the user. |
Postal Code | The ZIP code or postal code for the user. |
l | The locality (city) of the user. In LDAP, l is the localityName attribute; it is not a locale or language setting. |
st | The state or province for the user. |
Preferred Language | The primary language for the user. |
Default attribute mapping for inbound provisioning through an LDAP gateway
The following table lists the default attributes for Active Directory and PingDirectory that can be mapped to PingOne user attributes for inbound user provisioning.
Known issues for provisioning through an LDAP gateway
The following are known issues or limitations with provisioning through an LDAP gateway.
-
PingOne does not support running more than one LDAP inbound provisioning sync concurrently on the same gateway connection, even if the syncs use different user Base DNs.
-
For bi-directional LDAP sync, ensure that the attribute mappings on the inbound and outbound rules are identical.
-
On outbound provisioning, PingOne does not preserve the directory hierarchy (container structure) that users were read from on inbound provisioning.
-
In the expression builder, you can use only LDAP attributes that are in the default attribute list. As a workaround, use the ADD feature to map the attribute you need, then use it in the expression.
-
The LDAP filter compares numeric attribute values lexicographically (as strings) rather than numerically. For example, a filter such as (employeeNumber>=2000) matches the value 999 (because "9" sorts after "2") but not 10000 (because "1" sorts before "2"). If you need numeric range filters, store the values zero-padded to a fixed width (for example, 00999 and 10000) so that string order matches numeric order.
-
In Active Directory, deleting an OU that contains users might not deprovision those users in PingOne.
-
PingOne does not support moddn operations (renaming or moving an entry to a new DN).
-
PingOne does not support updating the uid attribute value.