You can bulk migrate users from an external directory and have those PingOne users continue to authenticate with the external directory as the password authority. In other words, password checks and password changes still go through the external directory. See the Select password authority option in the following procedure.


You can pre-populate the fields with default values for the directory type you chose when you created the gateway. Click Use default values.

  1. Go to Connections > Gateways.
  2. Locate the appropriate gateway and then click the gateway name to expand the gateway details.
  3. Click the Lookup tab.
  4. Next to User types, click the + icon.
  5. To use the default values based on the type of LDAP directory that you selected when you created the gateway, click Use default values.
  6. Enter or edit the following:
    • User type: Enter a name for the set of users you are trying to look up. This field is simply a label for the user type you are creating, and typically identifies the category of users you are trying to import, such as Employees.
    • Select password authority: Select PingOne or LDAP for authentication. If you choose PingOne, PingOne authenticates the user against the external directory at the first sign-on and against PingOne for all subsequent sign-ons. Click Help me decide for more information.
      • If you change the password authority from LDAP to PingOne for an existing user type, the user’s password is migrated from the LDAP directory to PingOne the next time the user signs on.
      • If you change the password authority from PingOne to LDAP for an existing user type, the user’s password is removed from PingOne. Going forward, PingOne sends credential validation requests to the LDAP directory through the LDAP Gateway.
    • Push password changes to LDAP: If you selected PingOne as the password authority, select this option to have PingOne update the LDAP directory with the new password if a user changes their password in PingOne.
    • Enable password changes from PingOne: If you selected LDAP as the password authority, select this option to allow users to change their password in PingOne. PingOne will update the LDAP directory with the new password.
    • User search LDAP base DN: Specify the base DN in the directory under which to search for the users that you want to authenticate.
    • User link attributes: Define the LDAP attributes, such as sAMAccountName, that PingOne uses to associate PingOne users with LDAP users. If not all users have the same unique attributes populated in the LDAP directory, you can define multiple attributes.
    • Enable migration of new users upon first authentication: Select this option to enable users without a PingOne user record to sign on based on the applicable authentication policy. When users sign on for the first time, PingOne creates user records based on the attribute mapping configuration.
    • LDAP filter: Specify an LDAP filter to identify the users that should be migrated to the PingOne directory.
    • Population: Select the population to which the identity is added when it is imported to PingOne.
    • Map attributes: Map LDAP user attributes to PingOne attributes. For example, you could map the mail attribute in the LDAP directory to the Email attribute in PingOne. For more information, see Mapping attributes.
  7. Click Save.
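
A pre-migration check for the User link attributes setting above, as an added example that is not part of the PingOne documentation: it takes directory entries already exported from the user search base DN and reports entries with none of the configured link attributes populated, plus any link value shared by more than one entry. The sample entries, the function name `audit_link_attributes`, and the case-insensitive value comparison are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample entries, shaped like LDAP search results: (DN, attributes).
SAMPLE_ENTRIES = [
    ("CN=Ann Lee,OU=Employees,DC=example,DC=com",
     {"sAMAccountName": ["alee"], "mail": ["ann.lee@example.com"]}),
    ("CN=Bo Chen,OU=Employees,DC=example,DC=com",
     {"sAMAccountName": ["bchen"], "mail": ["shared@example.com"]}),
    ("CN=Cy Diaz,OU=Employees,DC=example,DC=com",
     {"mail": ["Shared@example.com"]}),       # no sAMAccountName, duplicate mail
    ("CN=svc-backup,OU=Employees,DC=example,DC=com",
     {"description": ["service account"]}),   # no link attribute at all
]


def audit_link_attributes(entries, link_attrs):
    """Return (unlinkable_dns, duplicates) for the given link attributes.

    unlinkable_dns: DNs of entries with none of the link attributes populated.
    duplicates: {(attr, value): [dns]} where one value appears on several entries.
    """
    unlinkable = []
    seen = defaultdict(list)
    for dn, attrs in entries:
        # LDAP attribute names are case-insensitive; normalise before lookup.
        lowered = {name.lower(): values for name, values in attrs.items()}
        populated = False
        for attr in link_attrs:
            for value in lowered.get(attr.lower(), []):
                if value.strip():
                    populated = True
                    # Assumption: values are compared case-insensitively.
                    seen[(attr.lower(), value.strip().lower())].append(dn)
        if not populated:
            unlinkable.append(dn)
    duplicates = {key: dns for key, dns in seen.items() if len(dns) > 1}
    return unlinkable, duplicates


if __name__ == "__main__":
    missing, dupes = audit_link_attributes(SAMPLE_ENTRIES, ["sAMAccountName", "mail"])
    print("No link attribute populated:", missing)
    for (attr, value), dns in dupes.items():
        print(f"Ambiguous {attr}={value}: {dns}")
```

Entries in the first list would be better excluded with the LDAP filter or given an additional link attribute; entries in the second list need their shared value resolved in the directory before that attribute is used for linking.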