For gateway provisioning, PingOne supports only Active Directory or PingDirectory user stores. For more information, see Provisioning.

  1. Go to Integrations > Gateways.
  2. Click the + icon.
  3. Enter the following:
    • Name: A name for the gateway. The name must be unique within the environment.
    • Description: (Optional). A brief characterization of the gateway.
    • Gateway Type: Select LDAP.
  4. Click Next.
  5. Enter connection information:
    • LDAP Directory Type: Specify the type of directory that the gateway will connect to. PingOne supports any LDAP v3-compliant directory server.

    If you select Microsoft Active Directory, you’ll have the option to use Kerberos for authentication. See Kerberos authentication.

    • LDAP Host Name: Specify the IP address or hostname for the external directory server. Click + Add LDAP Host to configure multiple servers for failover. PingOne will try to connect to the servers in the order they are listed. If the first server is unavailable, then PingOne will try to connect to the next server in the list.
    • Port: Specify the port that the external directory is located on. For standard LDAP connections, the default port is 389. For connections with TLS security, the default port is 636.
    • Follow LDAP Referrals: Determines whether the LDAP Gateway client follows referrals it receives from LDAP servers.
    • Connection Security: Select TLS, StartTLS, or None to configure the security options for the connection. TLS is the default selection and is recommended for better security.
    • Allow TLS connections with untrusted certificates: Allow certificates that are signed by a certificate authority (CA) that is not well-known or trusted. A certificate could be untrusted if the certificate is expired, the hostname doesn't match what is specified in the certificate, or a certificate is self-signed.
    • Bind DN: Specify the credential to be used to access the external directory. You can query the directory to get this value.
    • Bind Password: Specify the password for the selected Bind DN.

    The following options appear only if you selected Microsoft Active Directory for Directory type.

    • Enable Kerberos Authentication: Determines whether to use Kerberos for authentication.
    • Service Account User Principal Name: The UPN of a properly configured service account. The value must be in UPN format and is case-sensitive. For more information, see UPN format in the Active Directory documentation.

      The Service Account UPN (User Principal Name) requires a proper SPN (Service Principal Name) and is case-sensitive. For more information, see Creating SPNs. For additional protection, we recommend adding MFA to the associated authentication policy. For more information, see Creating an authentication policy that uses the gateway and Adding a multi-factor authentication step.

    • Service Account Password: The password for the service account.
    • Retain Previous Credentials: Determines whether PingOne will remember credentials that were previously used to authenticate. If you change the service account credentials, PingOne will save the previous five service account credentials. This allows Kerberos requests issued with previous service account credentials to be validated for the specified amount of time. For more information, see Retaining credentials.
    • Retention Duration (Minutes): Specifies how long to keep the previous credentials, in minutes. The default value is 610.
  6. Click Save.

    PingOne generates a gateway credential, which the gateway uses to authenticate with PingOne.


    A gateway credential is like a password, so keep it protected. For security reasons, PingOne does not store the generated gateway credentials, but you can always create a new one in the PingOne console. Multiple gateway instances can use the same gateway credential.

  7. Copy the credential and paste it to a secure location.

    You’ll use the credential later when creating a gateway instance.

  8. Optional: Click Show me the Docker command and copy it to a secure location.
  9. Click Done.

Starting a gateway instance