Before configuring an LDAP gateway

Before you set up an Lightweight Directory Access Protocol (LDAP) gateway, ensure that you have the following information.

Details about the directory

You’ll need the following information about the LDAP directory:

The host name and port for all server instances.
A service account from the directory server that the PingOne gateway will use to access the directory (bind DN and bind password).

Learn more about configuring the service account and granting the required permissions in Best practices for configuring Active Directory for LDAP gateways.

The service account must be able to search for users in the directory by username.
Whether the directory instances support TLS and StartTLS. If the TLS certificates for the servers were signed by a non-default certificate authority (CA), you must have the CA’s signing certificates available to upload to PingOne. Learn more in Importing an LDAP certificate to PingOne.
A method for correlating a directory user with a PingOne user, including the base DN for issuing searches against the directory and the attribute that corresponds to the PingOne username attribute.

Docker

You can run the gateway in a Docker container or as a standalone Java or Windows application. If you plan to run the gateway in a Docker container, you must have Docker installed on the computer that will run the gateway.

System requirements

The computer, virtual machine, or Docker environment that will run the gateway should have the following resources dedicated to the gateway:

Resource	Requirement
Processor	Two CPUs or virtual CPUs
RAM	1 GB
Storage	1 GB

Resource

Requirement

Processor

Two CPUs or virtual CPUs

RAM

1 GB

Storage

1 GB

Java

Verify the Java version on the computer that will run the gateway. Ensure that you have one of the following versions:

17.0.8 or later
21 LTS or later

Gateway access

The gateway requires access to the LDAP directory server over the network as well as the ability to initiate outbound requests over the internet to establish a WebSocket Secure connection to PingOne.

The WebSocket Secure address varies depending on your region. Ensure that the gateway can access the WebSocket Secure address for your region, as listed in the following table.

If provisioning will be used, the gateway must be able to establish an outbound connection to the API endpoints for your region, as listed in the following table. Learn more in Creating an LDAP gateway provisioning connection.

Region	Address	API Endpoints
North America (US)	wss://gateways.pingone.com/ wss://gateways-us-east-2.pingone.com/ wss://gateways-us-west-2.pingone.com/	auth.pingone.com api.pingone.com
North America (Canada)	wss://gateways.pingone.ca/ wss://gateways-ca-central-1a.pingone.ca/ wss://gateways-ca-central-1b.pingone.ca/	auth.pingone.ca api.pingone.ca
Europe	wss://gateways.pingone.eu/ wss://gateways-eu-central-1.pingone.eu/ wss://gateways-eu-west-1.pingone.eu/	auth.pingone.eu api.pingone.eu
Australia	wss://gateways.pingone.com.au/ wss://gateways-ap-southeast-2.pingone.com.au/	auth.pingone.com.au api.pingone.com.au
Asia Pacific	wss://gateways.pingone.asia/ wss://gateways-ap-southeast-2.pingone.asia/	auth.pingone.asia auth.pingone.asia

Region

Address

API Endpoints

North America (US)

wss://gateways.pingone.com/

wss://gateways-us-east-2.pingone.com/

wss://gateways-us-west-2.pingone.com/

auth.pingone.com

api.pingone.com

North America (Canada)

wss://gateways.pingone.ca/

wss://gateways-ca-central-1a.pingone.ca/

wss://gateways-ca-central-1b.pingone.ca/

auth.pingone.ca

api.pingone.ca

Europe

wss://gateways.pingone.eu/

wss://gateways-eu-central-1.pingone.eu/

wss://gateways-eu-west-1.pingone.eu/

auth.pingone.eu

api.pingone.eu

Australia

wss://gateways.pingone.com.au/

wss://gateways-ap-southeast-2.pingone.com.au/

auth.pingone.com.au

api.pingone.com.au

Asia Pacific

wss://gateways.pingone.asia/

wss://gateways-ap-southeast-2.pingone.asia/

auth.pingone.asia

PingOne user privileges

The administrator setting up the gateway must have the Environment admin role. To confirm, open the PingOne console, locate the administrator identity, and confirm its roles.

Forward web proxy server

You can configure the client application to use a forward web proxy server to handle WebSocket traffic between the gateway client and PingOne. You’ll need to provide:

The IP address and the port of the web proxy
Access credentials if the web proxy requires authentication. An LDAP gateway client version of 3.3.0 or higher is required.

The web proxy server must support the WebSocket protocol.
Digest authentication does not support international characters.
Basic authentication requires configuration in the proxy server to support international characters.

Learn more about configuring a web proxy in Starting a gateway instance.

Kerberos

If you are using Kerberos for authentication with Active Directory, you’ll need:

Service Account User Principal Name
Service Account Password
Service Principal Name

Learn more about configuring service principal names in Creating SPNs.

The Service Account must be configured with AES 128 bit or 256 bit encryption. To configure encryption in Kerberos:

Start Active Directory Users and Computers.
View the properties of the Service Account that you created for the gateway.
Click the Account tab.
In the Account Options section, select one or both of the following:
- Kerberos AES 128 bit encryption
- Kerberos AES 256 bit encryption

Learn more in Kerberos authentication.