Use an LDAP gateway to:

  • Authenticate users in PingOne when their credentials are stored in an external directory.
  • Migrate identities to the PingOne directory when users initially sign on through the LDAP gateway client.
  • Make authorization decisions using identity data stored in an external directory. For more information, see Connecting an LDAP Gateway service.

When a user signs on to PingOne, if PingOne finds the user in the PingOne directory, then the sign-on flow continues.

If PingOne doesn't find the user in the PingOne directory, and a gateway is configured, then PingOne checks the external user directory. If PingOne finds an identity matching the username and password, then it authenticates the user and can create the identity in the PingOne directory. Each user that is authenticated through a gateway can have their identity added to the PingOne directory.
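The order of checks described above, as an added example in Python (not PingOne's implementation): the in-memory PingOne directory, the `LdapGateway` class that stands in for the external directory, and the PBKDF2 credential store are all constructed for the demonstration. It also shows the case the text implies but does not spell out, a user who already exists in PingOne is never re-checked against the gateway, even when the password is wrong.

```python
"""Illustrative model of PingOne sign-on with an LDAP gateway fallback.

Added example, not PingOne's implementation: the in-memory directories,
the LdapGateway class and the PBKDF2 credential store are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class PingOneDirectory:
    """Stands in for the PingOne directory: username -> (salt, digest)."""
    users: dict = field(default_factory=dict)

    def create(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, _digest(password, salt))

    def verify(self, username: str, password: str) -> bool:
        salt, digest = self.users[username]
        return hmac.compare_digest(_digest(password, salt), digest)


class LdapGateway:
    """Stands in for the external directory reached through the gateway (constructed)."""

    def __init__(self, external_users: dict):
        self._users = external_users   # username -> password of the simulated LDAP bind
        self.bind_attempts = 0         # lets a caller see whether the gateway was consulted

    def bind(self, username: str, password: str) -> bool:
        self.bind_attempts += 1
        return self._users.get(username) == password


def sign_on(directory, gateway, username: str, password: str):
    """Return (outcome, migrated) following the documented order of checks."""
    if username in directory.users:
        # User exists in PingOne: the sign-on flow continues locally and the
        # gateway is never consulted, even when the password is wrong.
        return ("ok" if directory.verify(username, password) else "denied"), False
    if gateway is None or not gateway.bind(username, password):
        return "denied", False
    # First gateway sign-on: migrate the identity. Storing a local credential here
    # is an assumption of this model; the page only says an identity is created.
    directory.create(username, password)
    return "ok", True
```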

The following diagram demonstrates at a high level how LDAP gateways work in PingOne.

A diagram of how LDAP gateways work in PingOne.

Supported directories

PingOne LDAP gateways support the following directories.

  • PingDirectory
  • Microsoft Active Directory, with or without Kerberos authentication

    For more information, see Kerberos authentication.

  • Oracle Directory Server Enterprise Edition
  • Oracle Unified Directory
  • CA Directory
  • IBM (Tivoli) Security Directory Server
  • Any LDAP v3-compliant directory server