Creating an inbound provisioning rule for a connection through an LDAP gateway (early access)
For inbound gateway connections, you can configure an LDAP rule that specifies which users to provision.
Before you begin
Make sure that you have:
- Created an LDAP gateway connection.
  The connection must be enabled before you can use it in a rule. Learn more in Connections.
  Not all provisioning connection types support inbound provisioning. Learn more in Provisioning.
- The directory path (LDAP base DN) that specifies the LDAP directory location from which users and groups are synced into PingOne.
Steps
- In the PingOne admin console, go to Integrations > Provisioning.
- Click and then click New Rule.
- For Sync Direction, select PingOne as Target.
- For Available Connections, click next to the appropriate LDAP gateway connection to set it as the source and then click Continue.
- In the Rule Details panel, enter a name and description for the rule and then click Next.
- In the Directory Configuration panel, set directory settings for users and groups:
  - In the Directory Path (LDAP Base DN) field, enter the LDAP base DN that specifies the LDAP directory location from which users and groups are synced into PingOne.
  - For Users, enter the User Organizational Units (OUs) from which to sync users. Click Add Condition to enter an LDAP filter that defines the users to provision to PingOne. Learn more about LDAP filters in the LDAP.com documentation.
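The base DN, user OUs and LDAP filter together decide which directory entries the rule will provision, so it pays to dry-run them against a few known entries before enabling the rule. The following Python script is an added example, not PingOne code: it parses the common subset of RFC 4515 filter syntax (and, or, not, equality, presence and substring items), evaluates a filter against in-memory entries, and scopes the result to the user OUs. The sample entries, the assumption that user OUs are given relative to the base DN, and the simplified DN handling are all constructed for this example. It also shows why a value copied into a filter from an untrusted field must be escaped: unescaped, a single `*` turns an equality item into a presence item and matches every user in scope.

```python
"""RFC 4515 LDAP filter parser and evaluator for dry-running an inbound rule's
base DN, user OUs and filter against known entries. Added example, not PingOne
code; the sample entries at the bottom are constructed."""
import re

def escape_value(value):
    """RFC 4515 escaping (\\2a \\28 \\29 \\5c \\00) so an untrusted literal cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)

def _unescape(raw):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)

class FilterParser:
    """Recursive-descent parser for &, |, !, equality, presence (attr=*) and substring (a*b); ~= >= <= and extensible items are rejected."""
    def __init__(self, text):
        self.s, self.i = text, 0
    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError(f"trailing characters at {self.i} in {self.s!r}")
        return node
    def _expect(self, ch):
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError(f"expected {ch!r} at {self.i} in {self.s!r}")
        self.i += 1
    def _filter(self):
        self._expect("(")
        c = self.s[self.i] if self.i < len(self.s) else ""
        if c in ("&", "|"):                         # (&(f)(f)...) / (|(f)(f)...)
            self.i, items = self.i + 1, []
            while self.i < len(self.s) and self.s[self.i] == "(":
                items.append(self._filter())
            if not items:
                raise ValueError(f"empty {c} list in {self.s!r}")
            self._expect(")")
            return (c, items)
        if c == "!":                                # (!(f))
            self.i += 1
            inner = self._filter()
            self._expect(")")
            return ("!", inner)
        end, eq = self.s.find(")", self.i), self.s.find("=", self.i)  # item: attr=value
        attr = self.s[self.i:eq]
        if end == -1 or eq == -1 or eq > end or not re.fullmatch(r"[A-Za-z0-9.;-]+", attr):
            raise ValueError(f"malformed item at {self.i} in {self.s!r}")
        self.i = end + 1
        return ("=", attr, self.s[eq + 1:end])

def _values(entry, attr):
    for key, val in entry.items():                  # attribute names are case-insensitive
        if key.lower() == attr.lower():
            return [str(v) for v in (val if isinstance(val, list) else [val])]
    return []

def matches(node, entry):
    """An item on an absent attribute is FALSE; RFC 4511's Undefined (unknown attribute type,
    bad assertion value) cannot arise for these schema-less entries. Values compare case-insensitively."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, raw = node
    values = _values(entry, attr)
    if raw == "*":                                  # presence
        return bool(values)
    if "*" in raw:                                  # substring (initial/any/final)
        pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE | re.DOTALL) for v in values)
    return any(v.lower() == _unescape(raw).lower() for v in values)

def in_scope(dn, base_dn, user_ous):
    """True when the entry sits under one of the user OUs, which this example assumes
    are given relative to the base DN. Simplified DN handling: no RFC 4514 escapes."""
    norm = lambda s: re.sub(r"\s*,\s*", ",", s.strip()).lower()
    return any(norm(dn).endswith("," + norm(f"{ou},{base_dn}")) for ou in user_ous)

def select_users(filter_text, entries, base_dn, user_ous):
    """DNs of the entries a rule with these settings would provision into PingOne."""
    node = FilterParser(filter_text).parse()
    return [e["dn"] for e in entries if in_scope(e["dn"], base_dn, user_ous) and matches(node, e)]

# Constructed sample directory content, not taken from any real environment.
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "objectClass": ["inetOrgPerson"],
     "uid": "alice", "mail": "alice@example.com", "employeeType": "staff"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "objectClass": ["inetOrgPerson"],
     "uid": "bob", "employeeType": "contractor"},
    {"dn": "uid=svc-backup,ou=Services,dc=example,dc=com", "objectClass": ["account"],
     "uid": "svc-backup", "mail": "backup@example.com"},
]
BASE_DN, USER_OUS = "dc=example,dc=com", ["ou=People"]

if __name__ == "__main__":
    print(select_users("(&(objectClass=inetOrgPerson)(mail=*@example.com))", SAMPLE_ENTRIES, BASE_DN, USER_OUS))
    untrusted = "*"  # unescaped this becomes a presence filter; escaped it is a literal asterisk
    print(select_users(f"(uid={untrusted})", SAMPLE_ENTRIES, BASE_DN, USER_OUS),
          select_users(f"(uid={escape_value(untrusted)})", SAMPLE_ENTRIES, BASE_DN, USER_OUS))
```

Run it as-is to see the three results, or call `select_users` with the base DN, OUs and filter you plan to enter in the panel and a handful of entries exported from the directory. The parser rejects unbalanced or concatenated filters, so a filter that fails here would fail in the gateway too.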
- Click Next.
- In the Attribute Mapping panel, map attributes between the source and PingOne to ensure users are provisioned correctly.
  - To add an attribute mapping, click Add and enter the source and target attributes.
  - To add a new source attribute, enter the attribute name. In the list, select the ADD: <attribute-name> attribute. Map the added attribute to a target attribute.
  - To use the expression builder, click the Gear icon. Learn more in Using the expression builder.
  - To delete a mapping, click the Delete icon.
  Custom attributes created and mapped with the same name as an existing user sub attribute override the existing user sub attribute. For example, if you create a custom attribute called country and the user sub attribute country already exists, the custom attribute overrides it even if you configure the attribute with a different letter case.
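Because the override described above ignores letter case, it is easy to shadow a built-in sub attribute without noticing. The following Python check is an added example, not PingOne code: given the planned mappings (source attribute to target attribute name) and the set of sub attribute names that already exist, it reports every custom target that would override an existing sub attribute. The documentation names only `country`; the other names in `EXISTING_SUB_ATTRIBUTES` and the sample mapping are constructed placeholders for this example.

```python
"""Pre-flight check for an Attribute Mapping panel: flag custom target attributes
whose names collide, ignoring letter case, with existing user sub attributes,
because such a mapping overrides the built-in sub attribute. Added example, not
PingOne code; the sub attribute set below is constructed for the example."""

# "country" is the sub attribute named in the documentation; the rest are
# constructed placeholders standing in for an environment's real sub attributes.
EXISTING_SUB_ATTRIBUTES = {"country", "locality", "streetAddress"}

def find_overrides(mappings, existing=EXISTING_SUB_ATTRIBUTES):
    """mappings: {source attribute: target attribute name}. Returns a list of
    (target name as typed, existing sub attribute it overrides), in mapping order."""
    canonical = {name.lower(): name for name in existing}
    return [(target, canonical[target.lower()])
            for target in mappings.values() if target.lower() in canonical]

def check_mappings(mappings, existing=EXISTING_SUB_ATTRIBUTES):
    """Human-readable warnings to review before saving the rule; empty when clean."""
    return [f"custom attribute {typed!r} overrides existing sub attribute {hit!r}"
            for typed, hit in find_overrides(mappings, existing)]

if __name__ == "__main__":
    # Constructed mapping from LDAP source attributes to PingOne target attribute names.
    for line in check_mappings({"c": "Country", "l": "city", "st": "region"}):
        print("WARNING:", line)
```

Replace `EXISTING_SUB_ATTRIBUTES` with the sub attribute names present in your environment and feed in the mappings you intend to add; an empty result means no custom attribute will override a built-in one.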
- In the Onboarding Settings panel, define how users are matched, linked, and managed when onboarding into PingOne:
  - In the Populations list, select the population into which you want to sync users.
  - In Authoritative Identity Provider, PingOne is automatically set as the authoritative identity provider (IdP).
  - Select the Set default password for new users checkbox to specify the default password in PingOne for users synced in from an external identity store as a source.
  - Click Define Password Logic to create a complex password using the functions in the expression builder. Learn more in Using the expression builder.
  - Select the Force password reset on first sign on checkbox to force users to reset their password the first time they authenticate through PingOne.
  - In the MFA Device Management list, select one of the following to control how the provisioner can affect MFA devices that are managed by a PingOne service (for example, PingOne MFA and PingID):
    - Merge with devices in PingOne (default): Select this option to add devices from the identity store to a user's existing devices in PingOne.
    - Overwrite devices in PingOne: Select this option to replace the user's configured devices in PingOne with those from the identity store. Only new devices mapped under attribute mappings are added.
    - Do not manage devices: Select this option to disable device management. This option is recommended when users use PingID in the same environment, to avoid unexpected device unpairing caused by nickname conflicts: inbound provisioning and PingID use the same device nicknames, which causes device unpairing.
- Click Save.
- To enable the rule, click the toggle at the top of the details panel to the right (blue). You can disable the rule by clicking the toggle to the left (gray).
Result
The Sync Status appears and the rule is listed under Rules. Learn more about Sync status.