PingOne

Creating an authentication policy that uses the gateway

You can create or edit an authentication policy that end users use to sign on to PingOne. Learn more about authentication policies in Adding an authentication policy.

About this task

You can use a Lightweight Directory Access Protocol (LDAP) gateway to authenticate and authorize user identities stored in an external directory. You can then create an authentication policy that uses the gateway to migrate new users the first time they sign on.

An authentication policy that includes a gateway with Kerberos configured enables seamless single sign-on (SSO). If PingOne can’t authenticate users through the Kerberos protocol, it presents users with a sign-on form. Learn more in Kerberos authentication.

Before you begin

  • Set up an LDAP gateway with a user type configured. To enable a seamless SSO authentication experience using the Kerberos protocol, enable Kerberos authentication in your LDAP gateway. Learn more in Setting up an LDAP gateway.

  • Enable migration of new users in your gateway’s user type. Learn more in Adding a user type.

Steps

  1. In the PingOne admin console, go to Authentication > Authentication and search for an existing authentication policy or create a new one.

  2. Click the Details icon to expand the policy, and then click the Pencil icon.

  3. On a Login policy step, in the Migrate Gateway Users Upon First Authentication section, click Add gateway user type.

  4. Enter the following:

    • Gateway: Select the gateway that connects to the external directory.

    • User type: Select the user type that authenticates with the external gateway, through which PingOne finds the user to complete the authentication process.

      You can add multiple gateway and user-type configurations. PingOne validates user credentials against them sequentially.

      You should add a multi-factor authentication (MFA) step to increase security. Learn more in Adding a multi-factor authentication or PingID step.

      You can only add user types where the Migrate Gateway Users Upon First Authentication option is enabled. After saving the authentication policy, don’t remove the migration option from the selected user types, because the policy configuration becomes uneditable until the migration option is re-enabled in those user types.

  5. Click Save.
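
A pre-save review of the configuration described in step 4 can be scripted. The following is an added example, not PingOne code: it lists the order in which gateway user types are tried and flags a policy with no MFA step or with a user type whose migration option is disabled. The dictionary layout, names, and values are hypothetical and are not PingOne's API schema.

```python
"""Pre-save audit for a sign-on policy that migrates gateway users (added example)."""

# Constructed sample data. The layout is hypothetical, not PingOne's API
# schema; map your own policy and user-type export onto it.
USER_TYPES = {
    ("gw-corp-ad", "employees"): {"migrate_on_first_auth": True},
    ("gw-corp-ad", "contractors"): {"migrate_on_first_auth": False},
    ("gw-legacy", "partners"): {"migrate_on_first_auth": True},
}

POLICY = {
    "name": "Gateway-Login",
    "steps": [
        {"type": "LOGIN", "gateway_user_types": [
            ("gw-corp-ad", "employees"),
            ("gw-corp-ad", "contractors"),
            ("gw-legacy", "partners"),
        ]},
    ],
}


def audit_policy(policy, user_types):
    """Return (validation_order, findings) for one policy."""
    order, findings = [], []
    has_mfa = any(step["type"] == "MFA" for step in policy["steps"])
    for step in policy["steps"]:
        if step["type"] != "LOGIN":
            continue
        for ref in step.get("gateway_user_types", []):
            label = "/".join(ref)
            order.append(label)  # credentials are validated in listed order
            user_type = user_types.get(ref)
            if user_type is None:
                findings.append(f"{label}: user type not found")
            elif not user_type["migrate_on_first_auth"]:
                # The policy stays uneditable until this option is re-enabled.
                findings.append(f"{label}: migration option disabled")
    if order and not has_mfa:
        findings.append("policy has no MFA step")
    return order, findings


if __name__ == "__main__":
    order, findings = audit_policy(POLICY, USER_TYPES)
    print("validation order:", " -> ".join(order))
    for finding in findings:
        print("FINDING:", finding)
```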

Next steps