Ensure that you have:

  • An existing gateway that is enabled and has a healthy connection. Learn more in Gateways. For provisioning through an LDAP Gateway, PingOne supports only Active Directory or PingDirectory user stores.
    Note:

    For LDAP Gateways, you can configure inbound or outbound provisioning. RADIUS Gateways do not support provisioning.

  • A gateway that is not configured for just-in-time (JIT) provisioning. You cannot enable, the Enable migration of new users upon first authentication option if you want to use the gateway for outbound or inbound sync. Learn more in Adding a user type.
  • For inbound provisioning, ensure that the LDAP Gateway is version 2.3.3 or later. Previous versions of the LDAP Gateway do not support inbound provisioning.
  • For inbound provisioning, ensure that the service account reads deleted entries (cn=Deleted Objects) to keep PingOne in sync when objects are deleted in Active Directory.
  • The service account can access all users in the specified Base DN.
    Note:

    If the service account doesn't have access to deleted objects, such as a user that’s been deleted, the service account can't detect that change.

  • A gateway that makes outbound websocket connections to specific websocket endpoints. Learn more in Before you begin configuring an LDAP Gateway.
  • A gateway that is able to establish an outbound connection to auth.pingone.com (or .au or .asia, or .eu, depending on region) and api.pingone.com.
  • Established secure websocket connections on those relevant endpoints.
  1. Go to Integrations > Provisioning.
  2. Click the + icon and then click New connection.
  3. For Gateway, click Select.
  4. Select an existing gateway or click + New Gateway to set up a new gateway.
    Important:

    The gateway must be active and have a valid connection to an LDAP directory. Learn more about creating a gateway in Gateways.

  5. Click Next.
  6. On the Actions page, enter the provisioning options. The following options apply only if the gateway provisioning connection is used in an outbound provisioning rule:
    • Allow users to be created: Determines whether to create a user in the LDAP user directory when the user is created in the PingOne identity store. By default, this option is not selected.
    • Allow users to be updated (default): Determines whether to update user attributes in the LDAP user directory when the user is updated in the PingOne identity store.
      • Allow users to be disabled: Determines whether to disable a user in the LDAP user directory when the user is disabled in the PingOne identity store.
    • Allow users to be deprovisioned: Determines whether to deprovision a user in the LDAP user directory when the user is deprovisioned in the PingOne identity store. By default, this option is not selected.
      • Remove action: Select Delete or Disable. Determines whether to remove or disable a user in the target identity store when the user is deleted in the PingOne identity store.
      • Deprovision on rule deletion: Determines whether to deprovision users if the associated provisioning rule is deleted.
  7. Click Finish.