PingOne

LDAP gateways

PingOne can use an LDAP gateway to authenticate and authorize user identities that are stored in an external directory.

Use an LDAP gateway to:

  • Authenticate users in PingOne when their credentials are stored in an external directory.

  • Migrate identities to the PingOne directory when users initially sign on through the LDAP gateway client.

  • Make authorization decisions using identity data stored in an external directory. For more information, see Connecting an LDAP Gateway service.

When a user signs on to PingOne, if PingOne finds the user in the PingOne directory, then the sign-on flow continues.

If PingOne doesn’t find the user in the PingOne directory, and a gateway is configured, then PingOne checks the external user directory. If PingOne finds an identity matching the username and password, then it authenticates the user and can create the identity in the PingOne directory. Each user that is authenticated using a gateway can have their identities added to the PingOne directory.

The following diagram shows a high-level overview of how LDAP gateways work in PingOne. Beginning with the LDAP Gateway client application 3.2.0, you can optionally configure a forward web proxy server to handle WebSocket traffic between the gateway client and PingOne.

A diagram of how LDAP gateways work in PingOne with the customer infrastructure, including the LDAP gateway client, the LDAP directory, and an optional forward web proxy server, communicating with PingOne through WebSocket secure addresses.

Supported directories

PingOne LDAP gateways support the following directories.

  • PingDirectory

  • Microsoft Active Directory, with or without Kerberos authentication

    Learn more in Kerberos authentication.

  • Oracle Directory Server Enterprise Edition

  • Oracle Unified Directory

  • CA Directory

  • IBM (Tivoli) Security Directory Server

  • Any LDAP v3-compliant directory server