PingOne Advanced Identity Cloud

Active Directory

The Active Directory application template allows you to provision users and groups to an Active Directory instance.

Register the application

  1. In the Advanced Identity Cloud admin console, go to Applications, and click grid_view Browse App Catalog.

  2. In the Browse App Catalog modal, select an application, and click Next.

    Select the latest application version.

  3. Review the Application Integration information, and click Next.

  4. In the Application Details window, specify the name, description, application owners, and logo for the application.

  5. To make the application an Authoritative source of identity data, select the Authoritative check box. This option is not available for every application.

  6. Click Create Application.

Configure provisioning

After you register the application, you can configure provisioning.

  1. In the Advanced Identity Cloud admin console, on the Provisioning tab, click Set up Provisioning:

    • If setting up provisioning for the first time:

      1. If you haven’t configured a remote server, click New Connector Server and follow the steps to create a server.

      2. If you configured one remote server, it’s automatically selected.

      3. If you configured multiple remote servers, choose a server.

    • When editing existing settings in the Connection area, click Settings.

  2. Configure the following fields:

    Field Description

    Host Name or IP

    The hostname or IP address for the Active Directory domain controller.

    Port

    The port for connecting to the Active Directory domain controller.

    Use SSL

    Enable to use SSL to connect to the Active Directory domain controller. The default value is true.

    Login Account DN

    The distinguished name for the login account.

    Password

    The password for the login account.

    Base DNs

    The base context for Active Directory users and groups.

    Base DNs to Synchronize (optional)

    The base context for Active Directory users and groups to synchronize.

    Although this field is optional, an authoritative app requires this context for liveSync to function. You should also verify the bind account can query uSNChanged.

  3. Click Show advanced settings.

  4. To filter users and groups:

    • To only connect a subset of users by applying a query filter based on user attributes, enable Filter users.

      • To apply a filter to users manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

        3. In the User Object Classes field, enter the names of object classes a user must have for inclusion.

          If you installed Microsoft Exchange, you can add properties to extensionAttribute1 through extensionAttribute15 only if you add msExchCustomAttributes to the application’s User Object Classes list and set Read Schema to true.

      • To use a query to apply a filter to users:

        1. Click Advanced Editor.

        2. Edit the query code.

    • To only connect a subset of groups by applying a query filter based on user attributes, enable Filter groups.

      • To apply a filter to groups manually:

        1. Choose to assign to if All or Any conditions are met.

        2. Set the conditions for assigning filters.

      • To filter users and groups:

        1. Click Advanced Editor.

        2. Edit the query code.

  5. To use block-based LDAP controls, enable Use Block-based controls.

  6. To use paged results control, enable Use Paged Results control. If Use Block-based controls is enabled, specifies the LDAP Paged Results control is preferred over the VLV control when retrieving entries. The default value is true.

  7. To set the change log attribute in the change log entry, set the Change Number Attribute field. The default value is changeNumber.

  8. To set the object classes that Advanced Identity Cloud uses as filters when synchronizing, add classes to the Object Classes to synchronize field. The default value is user.

  9. To set the sort attribute to use VLV indexes on the resource, set the Virtual List View (VLV) Sort Attribute field. The default value is sAMAccountName.

  10. To set the name of the attribute that holds the password, set the Password Attribute field. The default value is unicodePwd.

  11. To have the LDAP provisioner read the schema from the server, enable Read Schema. The default value is false.

  12. To have Advanced Identity Cloud modify group membership when entries are renamed or deleted, enable Maintain LDAP Group Membership. The default value is true.

  13. To specify the group attribute to update with the DN of newly added users, set the Group Member Attribute field. The default value is member.

  14. To specify the name of the attribute that maps to the OpenICF UID attribute, set the UID Attribute field. The default value is objectGUID.

  15. To specify the password hash algorithm, set the Password Hash Algorithm field.

  16. Enter the Account Username Attributes that hold the account’s username.

  17. To synchronize only the modified properties on a target resource, select Exclude Unmodified.

  18. To use timestamps for liveSync operations instead of the changelog, select Timestamp for Sync Token.

  19. Click Connect.

  20. Verify the information in the Details tab.

Provision side tabs

The object type determines the side tabs that display on the Provisioning tab. Use the object type list to select an object type, such as Group. Afterward, you can configure properties in the different sub-tabs under the Provisioning tab.

Sub-tabs under the Provisioning tab
Provisioning tab Description Related sections

Details

View and manage an application, including name, ID, and native type.

Select the specific application from Provision settings for an application.

Properties

View and manage properties for the selected object type.

Manage application attributes

Data

View data about the selected object type.

View user access data

Mapping

View and manage mappings from the Advanced Identity Cloud admin console properties to external system properties and from external system properties to the Advanced Identity Cloud admin console properties.

Manage mappings

Reconciliation

Preview mappings on target applications between external systems and the Advanced Identity Cloud admin console, and reconcile the data between the two systems.

View and manage rules for the users and groups that use your application.

View and manage schedules for Full and Incremental reconciliation.

Reconcile and synchronize end-user accounts

Privacy & Consent

Manage end-user data sharing and synchronization.

Configure end-user data sharing

Rules

View and manage provisioning rules for mappings between Advanced Identity Cloud and a target application.

Manage provisioning rules

Advanced Sync

Create and manage mappings between an identity profile and an application or between applications.

Manage advanced sync

Next steps