Mapping the group attribute from an LDAP gateway
You can map the External Group Names attribute in PingOne to an inbound attribute from the external directory to create LDAP groups in PingOne.
This page describes how to create LDAP group memberships in PingOne when users are migrated as they authenticate through the LDAP gateway. Currently, LDAP group provisioning is not supported when using one-way or two-way synchronization with PingOne provisioning. Learn more in Provisioning.
Steps
- In the PingOne admin console, go to Integrations > Gateways and locate the appropriate gateway connection.
- Click the gateway entry to open the gateway details panel.
- On the Lookup tab, click the More Options (⋮) icon, and then click Edit.
- In the Map Attributes section, click Add Mapping.
- For PingOne User Profile Attribute, select External Group Names.
- For the external directory attribute, enter the inbound attribute name from the external directory. For example, memberOf for Microsoft Active Directory, and isMemberOf for PingDirectory.
- Click Save.
Next steps
When a user signs on for the first time, if the user doesn’t exist in PingOne, the gateway creates a user record in PingOne based on the configured mappings, including group membership. By default, PingOne populates this information only once. If you enable the Update PingOne user attributes as users sign on option, user attributes are updated each time a user signs on successfully through the LDAP gateway client. The user’s group memberships are also updated in PingOne with JIT each time the user signs on.
Learn more in Adding a user type and Just-in-time provisioning of external groups.