You can bulk migrate users from an external directory and have those PingOne users continue to authenticate with the external directory as the password authority. In other words, password checks and password changes still go through the external directory. See the Select Password Authority option in the following procedure.


You can pre-populate the fields with default values for the directory type you chose when you created the gateway. Click the Use default values button.

  1. Go to Integrations > Gateways.
  2. Locate the appropriate gateway and then click the gateway name to expand the gateway details.
  3. Click the Lookup tab.
  4. Next to User Types, click the + icon.
  5. To use the default values based on the type of LDAP directory that you selected when you created the gateway, click the Use default values button.
  6. Enter or edit the following:
    • User Type: Enter a name for the set of users you are trying to look up. This field is simply a label for the user type you are creating, and typically identifies the category of users you are trying to import, such as Employees.
    • Select Password Authority: Select PingOne or LDAP for authentication. If you choose PingOne, PingOne authenticates the user against the external directory the first time and then against PingOne for all subsequent sign-ons. Click Help me decide for more information.
      • If you change the password authority from LDAP to PingOne for an existing user type, the user’s password is migrated from the LDAP directory to PingOne the next time the user signs on.
      • If you change the password authority from PingOne to LDAP for an existing user type, the user’s password is removed from PingOne. Going forward, PingOne sends credential validation requests to the LDAP directory through the LDAP gateway.
    • Push password changes to LDAP: If you selected PingOne as the password authority, select this option to have PingOne update the LDAP directory with the new password if a user changes their password in PingOne.
    • Enable password changes from PingOne: If you selected LDAP as the password authority, select this option to allow users to change their password in PingOne. PingOne will update the LDAP directory with the new password.

      If you are running an Active Directory server, PingOne can change a user's password if the user’s password expires or the User must change password at next logon option is selected. Enable this option to allow PingOne to change a user’s password.

    • User Search LDAP Base DN: Specify a path to the directory for the users that you want to authenticate.
    • User Link Attributes: Define the LDAP attributes that PingOne uses to link PingOne users with LDAP users when they sign on. For example, dn and sAMAccountName.

      You can define multiple attributes if all users don't have the same unique attributes populated in the LDAP directory. PingOne searches for each defined attribute individually as an “OR” query from top to bottom until the correlating user is found. If multiple users are found for one user attribute, then PingOne searches for the next defined attribute.

    • Enable migration of new users upon first authentication: Select this option to enable users without a PingOne user record to sign on based on the applicable authentication policy. When users sign on for the first time, PingOne creates user records based on the attribute mapping configuration.
    • LDAP Filter: Specify an LDAP filter to identify the users that should be migrated to the PingOne directory.
    • Population: When importing the identity to PingOne, add the identity to the specified population.
    • Update PingOne user attributes as users sign on: Select this option to update user attributes in PingOne when users sign on successfully through the LDAP gateway client and when attribute changes are detected based on the LDAP server response. If an update fails for at least one user attribute, no attributes will be updated, and authentication will fail. Successes and failures are recorded in the PingOne audit log. Learn more about audit events in Event types.

      This option is only available when Password Authority is set to LDAP.

    • Map Attributes: Map LDAP user attributes to PingOne attributes. For example, you could map the mail attribute in the LDAP directory to the Email attribute in PingOne. For more information, see Mapping attributes.
  7. Click Save.
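
The lookup order described under User Link Attributes, modeled as an added Python example (not PingOne code): each attribute is tried top to bottom, and an attribute that returns several users is skipped in favor of the next one. The directory entries, the function names, the case-insensitive comparison, and the "no link" result when no attribute yields a single match are assumptions of this sketch.

```python
# Model of the link-attribute lookup described under "User Link Attributes".
# Directory entries and attribute values are constructed sample data.

DIRECTORY = [
    {"dn": "uid=asmith,ou=People,dc=example,dc=com",
     "sAMAccountName": "asmith", "mail": "shared@example.com"},
    {"dn": "uid=bjones,ou=People,dc=example,dc=com",
     "sAMAccountName": "bjones", "mail": "shared@example.com"},
    {"dn": "uid=clee,ou=People,dc=example,dc=com",
     "sAMAccountName": "clee", "mail": "clee@example.com"},
]


def search(directory, attribute, value):
    """Return every entry whose attribute equals value (case-insensitive)."""
    wanted = value.lower()
    return [e for e in directory if e.get(attribute, "").lower() == wanted]


def resolve_link(directory, link_attributes, identifier):
    """Try each link attribute top to bottom; accept only a single match.

    Returns (entry, attribute_used), or (None, None) when no attribute yields
    exactly one entry. The no-match outcome is an assumption of this model.
    """
    for attribute in link_attributes:
        matches = search(directory, attribute, identifier)
        if len(matches) == 1:
            return matches[0], attribute
        # Zero or several matches: fall through to the next attribute.
    return None, None


def ambiguous_attributes(directory, link_attributes):
    """Pre-flight check: list link attributes whose values are not unique."""
    flagged = {}
    for attribute in link_attributes:
        seen, dupes = set(), set()
        for entry in directory:
            value = entry.get(attribute, "").lower()
            if value and value in seen:
                dupes.add(value)
            seen.add(value)
        if dupes:
            flagged[attribute] = sorted(dupes)
    return flagged
```

Running `ambiguous_attributes` over an export of the directory before saving the user type shows which candidate link attributes carry duplicate values and so cannot link those users on their own.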