PingOne

Creating an LDAP gateway provisioning connection (early access)

Use a gateway connection to set up provisioning to or from an Active Directory (AD) or PingDirectory user store through a new or existing gateway configuration. With inbound provisioning, the connection migrates users from the LDAP directory behind the gateway into PingOne; with outbound provisioning, it pushes user changes from PingOne to that directory.

Before you begin

Make sure that:

  • You have an existing LDAP gateway that’s enabled and has a healthy connection. Learn more in Gateways. For provisioning through an LDAP gateway, PingOne supports only AD or PingDirectory user stores.

    For LDAP gateways, you can configure inbound or outbound provisioning. RADIUS gateways don’t support provisioning.

  • You have an LDAP gateway that isn’t configured for just-in-time (JIT) provisioning. A user type with the Enable migration of new users upon first authentication option selected can’t be used for inbound or outbound sync through the LDAP gateway. Learn more in Adding a user type.

  • The LDAP gateway version is 2.3.3 or later for inbound provisioning. Previous versions of the LDAP gateway don’t support inbound provisioning.

  • For inbound provisioning from AD, the service account can read the Deleted Objects container (CN=Deleted Objects,<domain DN>). PingOne learns about deletions by reading the tombstones in that container, which by default only administrators can read.

    If the service account can’t read deleted objects, it can’t detect that a user has been deleted in AD, and the corresponding PingOne user stays active until you deprovision it by hand.

  • The service account can read every user under the specified base distinguished name (DN).

  • The LDAP gateway can open outbound WebSocket connections to the PingOne WebSocket endpoints, and those connections are established over TLS (wss). Learn more in Before configuring an LDAP gateway.

  • The LDAP gateway can establish an outbound HTTPS connection to auth.pingone.com and api.pingone.com (or the equivalent URLs for your region). Learn more in PingOne URLs by geographic region.
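The following pre-flight script checks the items above that can be verified from the command line: the service account’s access to the Deleted Objects container, its coverage of the base DN, and outbound reachability of the PingOne endpoints. It is an added example, not PingOne code or part of this page. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that you run it on a domain-joined host as a Domain Admin, that the gateway’s service account is CORP\svc-pingone-gw (a hypothetical name), and that the PingOne hostnames are the US-region defaults named on this page.

```powershell
# Pre-flight check for the "Before you begin" items. Added example, not PingOne
# code. Assumes: RSAT ActiveDirectory module, domain-joined host, Domain Admin
# session, hypothetical service account CORP\svc-pingone-gw, US-region hostnames.

$ServiceAccount = 'CORP\svc-pingone-gw'            # hypothetical account name
$PingOneHosts   = @('auth.pingone.com', 'api.pingone.com')

Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$deletedDn = "CN=Deleted Objects,$domainDn"

# 1. Static check: does the service account hold an ACE on the Deleted Objects
#    container? By default only administrators can read it. Without List
#    Contents (LC) + Read Property (RP) the gateway never sees a deletion.
$aclText = & dsacls $deletedDn 2>&1
$ace = $aclText | Select-String -SimpleMatch $ServiceAccount
if ($ace) {
    Write-Host "OK: $ServiceAccount has an ACE on $deletedDn"
    $ace | ForEach-Object { Write-Host "    $($_.Line.Trim())" }
} else {
    Write-Warning "$ServiceAccount has no ACE on $deletedDn; AD deletions will not reach PingOne."
    Write-Warning 'Grant read access as a Domain Admin:'
    Write-Warning "    dsacls `"$deletedDn`" /takeownership"
    Write-Warning "    dsacls `"$deletedDn`" /G `"${ServiceAccount}:LCRP`""
}

# 2. Behavioural check: enumerate tombstoned users *as the service account*.
#    This proves the ACE is effective rather than merely present.
$cred = Get-Credential -UserName $ServiceAccount -Message 'Gateway service account password'
try {
    $tombstones = Get-ADObject -Credential $cred -IncludeDeletedObjects `
        -SearchBase $deletedDn -SearchScope OneLevel `
        -Filter { isDeleted -eq $true -and objectClass -eq 'user' } `
        -Properties whenChanged -ErrorAction Stop |
        Select-Object -First 5 Name, whenChanged
    Write-Host "OK: service account can read deleted user objects (up to 5 shown):"
    $tombstones | Format-Table -AutoSize | Out-String | Write-Host
} catch {
    Write-Warning "Service account cannot read ${deletedDn}: $($_.Exception.Message)"
}

# 3. Base DN coverage: compare the service account's view of users under the
#    base DN with an administrative count. A shortfall means an explicit Deny
#    or a hidden OU that the gateway would silently skip.
$baseDn     = $domainDn                           # replace with the base DN configured on the gateway
$adminCount = @(Get-ADUser -Filter * -SearchBase $baseDn).Count
$svcCount   = @(Get-ADUser -Filter * -SearchBase $baseDn -Credential $cred).Count
if ($svcCount -eq $adminCount) { Write-Host "OK: service account sees all $adminCount users under $baseDn" }
else { Write-Warning "Service account sees $svcCount of $adminCount users under $baseDn" }

# 4. Egress: the gateway host must reach PingOne over TLS on 443.
foreach ($h in $PingOneHosts) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { Write-Host "OK: ${h}:443 reachable" }
    else { Write-Warning "${h}:443 not reachable from this host; check egress firewall or proxy" }
}
```

Run it on the host where the gateway runs so that check 4 exercises the same egress path the gateway uses. The dsacls grant in check 1 (`/takeownership` followed by `/G <account>:LCRP`) is the standard way to give a non-administrative account read access to the Deleted Objects container; the TCP probe in check 4 confirms reachability only, not that TLS inspection or a proxy leaves the WebSocket upgrade intact.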

Steps

  1. In the PingOne admin console, go to Integrations > Provisioning.

  2. Click the + icon and then click New Connection.

  3. In the Create a New Connection modal, select Gateway.

  4. Select an existing LDAP gateway or click New Gateway to set up a new LDAP gateway.

    The LDAP gateway must be active and have a valid connection to an LDAP directory. Learn more about creating an LDAP gateway in Gateways.

  5. Click Next.

  6. In Configuring Preferences and Users Actions, configure the following:

    Field Description

    Enable users creation

    Determines whether to create a user in the target identity store when the user is created in the source identity store.

    Enable users updation

    Determines whether to update user attributes in the target identity store when the user is updated in the source identity store.

    If Enable users updation is selected, you can also select Enable users disable, which determines whether to disable a user in the target identity store when the user is disabled in the source identity store.

    Enable users deprovision

    Determines whether to deprovision a user in the target identity store when the user is deprovisioned in the source identity store.

    If Enable users deprovision is selected, the following configurations appear.

    • Remove Action: Determines whether to delete or disable the user in the target identity store when the user is deleted in the source identity store. Select Delete or Disable. Disable keeps the target account, which is easier to audit and reverse than a deletion.

      Remove Action is only available if you select Enable users disable.

    • Deprovision on rule deletion: Determines whether to deprovision users if the associated provisioning rule is deleted.

  7. Click Save.

  8. To enable the connection, click the toggle at the top of the details panel so that it sits on the right (blue).

    To disable the connection, click the toggle so that it sits on the left (gray).

    Result

    When configuring inbound provisioning, a PingOne Directory connection is automatically added and the following Groups Actions (LDAP only) and Memberships Actions (LDAP only) options are available:

    Field Description

    Enable groups creation

    Creates groups in PingOne when they’re created in the LDAP directory behind the gateway.

    Enable groups rename

    Updates group names in PingOne when they’re changed in the LDAP directory behind the gateway.

    Enable groups deletion

    Removes groups from PingOne when they’re deleted from the LDAP directory behind the gateway.

    If Enable groups deletion is selected, you can also select Delete groups on rule deletion, which deletes the provisioned groups in PingOne when the rule is deleted.

    Enable memberships sync

    Controls adding and removing memberships to groups in PingOne.
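Once the connection is enabled, the quickest way to confirm that the user actions configured in step 6 actually fire is to drive a throwaway AD user through create, disable and delete and watch PingOne follow. The script below does that; it is an added example, not PingOne code or part of this page. It assumes inbound provisioning from AD, the ActiveDirectory PowerShell module, a user type whose attribute mapping uses sAMAccountName as the PingOne username, a PingOne worker application with client credentials that can read users in the environment (the environment ID, client ID, client secret, test OU and UPN suffix below are placeholders), the US-region API hostnames, and Remove Action set to Delete.

```powershell
# End-to-end sync check after enabling the connection. Added example, not
# PingOne code. Placeholders: environment ID, worker-app client credentials,
# test OU (must lie under the gateway's base DN) and UPN suffix.

$EnvId        = '00000000-0000-0000-0000-000000000000'   # placeholder environment ID
$ClientId     = 'worker-app-client-id'                    # placeholder
$ClientSecret = 'worker-app-client-secret'                # placeholder
$TestOu       = 'OU=SyncTest,DC=corp,DC=example'          # placeholder, under the base DN
$UpnSuffix    = 'corp.example'                            # placeholder
$WaitSeconds  = 180

Import-Module ActiveDirectory

# Client-credentials token from the environment's token endpoint (HTTP Basic client auth).
$basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${ClientId}:${ClientSecret}"))
$token = Invoke-RestMethod -Method Post -Uri "https://auth.pingone.com/$EnvId/as/token" `
    -Headers @{ Authorization = "Basic $basic" } `
    -ContentType 'application/x-www-form-urlencoded' -Body 'grant_type=client_credentials'
$apiHeaders = @{ Authorization = "Bearer $($token.access_token)" }

function Get-PingOneUser([string]$Username) {
    # SCIM-style filter on the users collection; returns $null when the user is absent.
    $filter = [uri]::EscapeDataString("username eq `"$Username`"")
    $resp = Invoke-RestMethod -Headers $apiHeaders `
        -Uri "https://api.pingone.com/v1/environments/$EnvId/users?filter=$filter"
    if ($resp._embedded -and $resp._embedded.users) { return $resp._embedded.users | Select-Object -First 1 }
    return $null
}

function Wait-ForSync([scriptblock]$Condition, [string]$What) {
    # Sync is asynchronous: poll until the condition holds or the deadline passes.
    $deadline = (Get-Date).AddSeconds($WaitSeconds)
    while ((Get-Date) -lt $deadline) {
        if (& $Condition) { Write-Host "OK: $What"; return $true }
        Start-Sleep -Seconds 15
    }
    Write-Warning "TIMEOUT after ${WaitSeconds}s: $What"
    return $false
}

# Throwaway AD user with a random 24-character password under the test OU.
$name = "synctest$(Get-Random -Minimum 10000 -Maximum 99999)"
$pw   = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
New-ADUser -Name $name -SamAccountName $name -UserPrincipalName "$name@$UpnSuffix" -Path $TestOu `
    -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) -Enabled $true

try {
    # Enable users creation
    Wait-ForSync { $null -ne (Get-PingOneUser $name) } "$name created in PingOne" | Out-Null

    # Enable users disable (requires Enable users updation)
    Disable-ADAccount -Identity $name
    Wait-ForSync { $u = Get-PingOneUser $name; ($null -ne $u) -and (-not $u.enabled) } "$name disabled in PingOne" | Out-Null

    # Enable users deprovision with Remove Action = Delete. With Remove Action =
    # Disable, assert that the PingOne user still exists with enabled = $false.
    Remove-ADUser -Identity $name -Confirm:$false
    Wait-ForSync { $null -eq (Get-PingOneUser $name) } "$name deleted from PingOne" | Out-Null
} finally {
    # Clean up the AD side if an earlier step failed before the delete ran.
    if (Get-ADUser -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue) {
        Remove-ADUser -Identity $name -Confirm:$false
    }
}
```

A timeout on the last step is the symptom of the Deleted Objects prerequisite from Before you begin: the user is gone from AD, but the gateway’s service account can’t read the tombstone, so PingOne never learns about the deletion. A timeout on the first step usually points at the test OU lying outside the configured base DN or at the user type still having JIT migration enabled.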

Next steps