PingOne

Provisioning Radiant Logic with PingOne

Radiant Logic is a commercial federated identity service, often called a virtual directory server (VDS), that sits on top of existing databases and directories and makes them work together. You can use an LDAPv3-compliant directory connection in PingOne to provision users to your Radiant Logic account.

Provisioning capabilities

| Resource | Capability | Description | Inbound | Outbound |
|---|---|---|---|---|
| User | Create | Generates a new user record in the destination. | Yes | Yes |
| User | Read | Retrieves or polls user attributes for synchronization. | Yes | Yes |
| User | Update | Modifies existing attributes such as department. | Yes | Yes |
| User | Delete | Deletes a user, or temporarily suspends an account. | Yes | Yes |
| Group | Create | Provisions a new group in the target application. | Yes | No |
| Group | Rename | Updates the display name or identifier of an existing group. | Yes | No |
| Group | Delete | Removes a group from the target application. | Yes | No |
| Membership | Add and remove | Handles additions and removals of users within groups. | Yes | No |

Best practices

  • Add Linked Attributes to allow relationships between objects, such as member and memberOf.

  • Add Referential Integrity to help automatically maintain relationships among entities, such as between users and groups.

Provisioning Radiant Logic

Configure Radiant Logic provisioning to synchronize users and groups between your LDAP directory and PingOne.

Before you begin

Make sure that you have:

Steps

  1. In the PingOne admin console, add an LDAP gateway and enter the following configurations that apply to your Radiant Logic account:

    • LDAP Directory Type: Select LDAPv3-compliant Directory Server.

    • LDAP Host Name: Enter the IP address or host name for the external directory server.

    • Port: Enter 2389.

    • Connection Security: Select StartTLS and click Allow TLS connections with untrusted certificates.

    • Default Bind DN: Select cn=directory manager.

    • Bind Password: Enter the password for the selected Bind DN.

  2. Create an LDAP provisioning connection for Radiant Logic and select the Radiant Logic gateway you created.

  3. Create an inbound rule for a connection through an LDAP gateway or an outbound rule for a connection through an LDAP gateway and select the existing Radiant Logic connection as the target or source. This is also when you can add a user filter and attribute mapping.

    For an outbound rule, Active Directory attributes aren’t supported.

    The relative distinguished name (RDN) uid or cn used for synchronization must be unique across the entire distinguished name (DN). Users or groups with duplicate RDNs won’t be provisioned.

  4. Confirm users and groups are successfully provisioned to Radiant Logic. View the sync status to review synchronization results and any errors. You can find examples in Outbound provisioning sync summary examples.
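Step 3 notes that entries with duplicate uid or cn RDNs won't be provisioned. The following pre-flight check is an added example, not part of the PingOne or Radiant Logic documentation: it scans an LDIF export for uid/cn RDN values that occur more than once anywhere in the tree. It assumes uniqueness is directory-wide and compared case-insensitively; the function names and the sample data are hypothetical.

```python
import base64
import re
from collections import defaultdict

# Constructed sample (not real data): folded DN line, escaped comma, base64 "dn::".
B64_DN = base64.b64encode(b"cn=Admins,ou=Apps,dc=example,dc=com").decode()
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe

dn: uid=JDoe,ou=Contractors,dc=example,dc=com
uid: JDoe

dn: cn=Smith\\, Ann,ou=People,dc=example,dc=com
cn: Smith, Ann

dn: cn=admins,ou=Groups,
 dc=example,dc=com
cn: admins

""" + f"dn:: {B64_DN}\ncn: Admins\n"

def entry_dns(ldif_text):
    """Return every entry DN, unfolding continuation lines and decoding 'dn::'."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # RFC 2849 line folding
    found = re.findall(r"(?im)^dn(::?)[ \t]*(.*)$", unfolded)
    return [base64.b64decode(v).decode("utf-8") if sep == "::" else v.strip()
            for sep, v in found]

def leading_rdn(dn):
    """Return the first RDN as (type, value), lower-cased for comparison."""
    # Multi-valued RDNs and hex-pair escapes are left as written.
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]  # first unescaped comma
    rdn_type, _, value = first.partition("=")
    value = re.sub(r'\\([,+"\\<>;=# ])', r"\1", value)  # drop escaping backslashes
    return rdn_type.strip().lower(), value.strip().lower()

def duplicate_rdns(ldif_text, rdn_types=("uid", "cn")):
    """Map (type, value) -> list of DNs for uid/cn RDN values seen more than once."""
    seen = defaultdict(list)
    for dn in entry_dns(ldif_text):
        key = leading_rdn(dn)
        if key[0] in rdn_types:
            seen[key].append(dn)
    return {key: dns for key, dns in seen.items() if len(dns) > 1}

if __name__ == "__main__":
    for (rdn_type, value), dns in duplicate_rdns(SAMPLE_LDIF).items():
        print(f"duplicate {rdn_type}={value}: " + " | ".join(dns))
```

Entries reported here share an RDN value with another entry elsewhere in the tree, so resolve them before enabling the rule rather than finding them later in the sync status errors.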

LDAPv3 directory attributes

The following table lists common LDAPv3 attributes that can be mapped for user provisioning.

| Attribute | Description |
|---|---|
| uid (required) | The user name for the user account. Typically mapped to Username. |
| sn | The last name (surname) of the user. Typically mapped to Family Name. |
| cn | The common name for the user account. Typically mapped to Username. |
| Given Name | The first name of the user. |
| Mail | The email address for the user. |
| Mobile Phone | The mobile telephone number for the user. |
| Telephone Number | The telephone number for the user. |
| Title | The user’s title, such as Manager or CEO. |
| Active | The status of the user account. |
| Password | The password for the user. |
| Street Address | The physical address for the user. |
| Postal Code | The ZIP code or postal code for the user. |
| l | The user’s default location for purposes of localizing things such as currency, date and time format, or numerical representations. |
| st | The region for the user. |
| Preferred Language | The primary language for the user. |

Default attribute mapping for LDAP inbound provisioning

LDAPv3 default user attributes

The following table lists the default attributes for LDAPv3 that can be mapped to PingOne user attributes for user provisioning.

| Attribute | Description |
|---|---|
| uid | The user’s username. |
| Given Name | The user’s first (given) name. |
| sn | The user’s last name (surname). |
| Mail | The user’s email address. |
| Active | The status of the user account in PingDirectory. |

LDAPv3 default group attributes

The following table lists the default attributes for LDAPv3 that can be mapped to PingOne user attributes for user provisioning.

| Attribute | Description |
|---|---|
| entryUUID | The group ID. |
| cn | Group name. |
| dn | Group display name. |

Radiant Logic LDAPv3-compliant directory type limitations

The following limitations and requirements apply to Radiant Logic.

  • The memberOf attribute is system-generated and doesn’t update during real-time sync. It’s only updated during a full sync.

  • Avoid manually creating system-generated or operational attributes, as this can cause data inconsistencies.

  • Just-in-Time (JIT) provisioning isn’t currently supported.