Ensure that you have:

  • An existing gateway that is enabled and has a healthy connection. For more information, see Gateways. For provisioning through an LDAP gateway, PingOne supports only Active Directory or PingDirectory user stores. For LDAP gateways, you can configure inbound or outbound provisioning. RADIUS gateways do not support provisioning.
  • A gateway that is not configured for JIT (just-in-time) provisioning. That is, the Enable migration of new users upon first authentication option should not be enabled if you want to use the gateway for outbound sync. For more information, see Adding a user type.
  • For inbound provisioning, an LDAP Gateway that is version 2.3.3 or later. Previous versions of the LDAP Gateway do not support inbound provisioning.

  1. Go to Integrations > Provisioning.
  2. Click the + icon and then click New connection.
  3. For Gateway, click the Select button.
  4. Select an existing gateway, or click + New Gateway to set up a new gateway. The gateway must be active and have a valid connection to an LDAP directory. For more information about creating a gateway, see Gateways.
  5. Click Next.
  6. On the Actions screen, enter the provisioning options. The following options apply only if the gateway provisioning connection is used in an outbound provisioning rule.
    • Allow users to be created. Determines whether to create a user in the LDAP user directory when the user is created in the PingOne identity store. By default, this option is not selected.
    • Allow users to be updated (default). Determines whether to update user attributes in the LDAP user directory when the user is updated in the PingOne identity store.
      • Allow users to be disabled. Determines whether to disable a user in the LDAP user directory when the user is disabled in the PingOne identity store.
    • Allow users to be deprovisioned. Determines whether to deprovision a user in the LDAP user directory when the user is deprovisioned in the PingOne identity store. By default, this option is not selected.
      • Remove action. Select Delete or Disable. Determines whether to remove or disable a user in the target identity store when the user is deleted in the PingOne identity store.
      • Deprovision on rule deletion. Determines whether to deprovision users if the associated provisioning rule is deleted.
  7. Click Finish.

Creating an outbound rule for a connection through an LDAP gateway

Creating an inbound rule for a connection through an LDAP gateway

Adding attribute mapping for outbound provisioning

Adding attribute mapping for inbound provisioning