Before you begin configuring an LDAP gateway - PingOne Cloud Platform

Before you begin configuring an LDAP gateway - PingOne Cloud Platform - PingOne

PingOne Cloud Platform

bundle

pingone

ft:publication_title

PingOne Cloud Platform

Product_Version_ce

PingOne Cloud Platform

PingOne

Details about the directory

You’ll need the following information about the LDAP directory:

Host name and port for all server instances.
A service account from the directory server that the PingOne gateway will use to access the directory (bind DN and bind password). The service account must be able to search for users in the directory by username.
TLS-related security options, specifically, whether the directory instances support TLS and StartTLS. If the TLS certificates for the servers were signed by a non-default certificate authority, then you must have the CA's signing certificates available to upload to PingOne. For more information, see Importing an LDAP certificate to PingOne.
A method for correlating a directory user with a PingOne user, including the base DN for issuing searches against the directory and the attribute that corresponds to the PingOne username attribute.

Docker

You can run the gateway in a Docker container or as a standalone Java or Windows application. If you plan to run the gateway in a Docker container, ensure that you have Docker installed on the computer that will run the gateway.

System requirements

The computer, virtual machine, or Docker environment that will run the gateway should have the following resources dedicated to the gateway.

Resource	Requirement
Processor	2 CPUs or virtual CPUs
RAM	1 GB
Storage	1 GB

Java

Verify the Java version on the computer that will run the gateway. Ensure that you have one of the following versions:

17.0.8 or later
21 LTS or later

Gateway access

The gateway requires access to the LDAP directory server over the network as well as the ability to initiate outbound requests over the internet to establish a WebSocket Secure connection to PingOne.

The WebSocket Secure address varies depending on your region. Ensure that the gateway can access the WebSocket Secure address for your region.

Region	Address
North America - US	wss://gateways.pingone.com/ wss://gateways-us-east-2.pingone.com/ wss://gateways-us-west-2.pingone.com/
North America - Canada	wss://gateways.pingone.ca/ wss://gateways-ca-central-1a.pingone.ca/ wss://gateways-ca-central-1b.pingone.ca/
Europe	wss://gateways.pingone.eu/ wss://gateways-eu-central-1.pingone.eu/ wss://gateways-eu-west-1.pingone.eu/
Asia Pacific	wss://gateways.pingone.asia/ wss://gateways-ap-southeast-2.pingone.asia/

PingOne user privileges

The administrator setting up the gateway should have the Environment admin role. To confirm, open the PingOne console, locate the administrator identity, and confirm its roles.

Kerberos

If you are using Kerberos for authentication with Active Directory, you’ll need:

Service Account User Principal Name
Service Account Password
Service Principal Name
For more information, see Creating SPNs.

The Service Account must be configured with AES 128 bit or 256 bit encryption. To configure encryption in Kerberos, do the following:

Start Active Directory Users and Computers.
View the properties of the Service Account you created for the gateway.
Click the Account tab.
Under the Account Options section, select one or both of the following:
- Kerberos AES 128 bit encryption
- Kerberos AES 256 bit encryption

For more information, see Kerberos authentication.