PingOne

LDAP gateways

PingOne can use an LDAP gateway to authenticate and authorize user identities that are stored in an external directory.

Use an LDAP gateway to:

In the example of migrating identities as users authenticate through the LDAP gateway:

  • When a user signs on to PingOne, if PingOne finds the user in the PingOne directory, then the sign-on flow continues.

  • If PingOne doesn’t find the user in the PingOne directory, and a gateway is configured, then PingOne checks the external user directory. If PingOne finds an identity matching the username and password, it authenticates the user and can create the identity in the PingOne directory. Each user that’s authenticated using a gateway can have their identities added to the PingOne directory.

The following diagram shows a high-level overview of how LDAP gateways work in PingOne. Beginning with the LDAP gateway client application 3.2.0, you can optionally configure a forward web proxy server to handle WebSocket traffic between the gateway client and PingOne.

A diagram of how LDAP gateways work in PingOne with the customer infrastructure, including the LDAP gateway client, the LDAP directory, and an optional forward web proxy server, communicating with PingOne through WebSocket secure addresses.

Supported directories

PingOne LDAP gateways support the following directories:

  • PingDirectory

  • Microsoft AD with or without Kerberos authentication

    Learn more in Kerberos authentication.

  • Oracle Directory Server Enterprise Edition

  • Oracle Unified Directory

  • CA Directory

  • IBM (Tivoli) Security Directory Server

  • Any LDAP v3-compliant directory server