PingOne

Creating an LDAP gateway provisioning connection

Use a gateway connection to set up provisioning to or from an Active Directory (AD) or PingDirectory user store through a new or existing gateway configuration. Creating an LDAP gateway provisioning connection lets you migrate users from the LDAP directory, through the gateway, into PingOne.

Before you begin

Make sure you have:

  • An existing gateway that’s enabled and has a healthy connection. Learn more in Gateways. For provisioning through an LDAP gateway, PingOne supports only AD or PingDirectory user stores.

    For LDAP gateways, you can configure inbound or outbound provisioning. RADIUS gateways don’t support provisioning.

  • A gateway that isn’t configured for just-in-time (JIT) provisioning. You can’t enable the Enable migration of new users upon first authentication option if you want to use the gateway for outbound or inbound sync. Learn more in Adding a user type.

  • For inbound provisioning, ensure that the LDAP gateway is version 2.3.3 or later. Previous versions of the LDAP gateway don’t support inbound provisioning.

  • For inbound provisioning, ensure that the service account reads deleted entries (cn=Deleted Objects) to keep PingOne in sync when objects are deleted in AD.

  • A service account that can access all users in the specified Base DN.

    If the service account doesn’t have access to deleted objects, such as a user that’s been deleted, the service account can’t detect that change.

  • A gateway that makes outbound websocket connections to specific websocket endpoints. Learn more in Before configuring an LDAP gateway.

  • A gateway that’s able to establish an outbound connection to auth.pingone.com and api.pingone.com (or the equivalent URLs for your region). Learn more in PingOne URLs by geographic region.

  • Established secure websocket connections on those relevant endpoints.
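The prerequisites above can be verified with a script instead of by hand. The following PowerShell is an added example and is not PingOne's or the gateway's own code. It assumes the ActiveDirectory PowerShell module is installed on the host running the check and that the host can reach the domain controller; the service account name, Base DN, domain DN and domain controller name are hypothetical placeholders to replace with your own. It checks the three things that most often break inbound sync: the service account's view of users under the Base DN (compared with an admin's view, so a silently hidden OU shows up as a count mismatch), the account's read access to the CN=Deleted Objects container, and outbound TCP reachability of the PingOne endpoints.

```powershell
# Added prerequisite check for an LDAP gateway provisioning connection.
# Not PingOne or gateway code. All values below are hypothetical placeholders.
$ServiceAccount   = 'CONTOSO\svc-pingone-gw'      # hypothetical
$BaseDN           = 'OU=Users,DC=contoso,DC=com'  # hypothetical
$DomainDN         = 'DC=contoso,DC=com'           # hypothetical
$DomainController = 'dc01.contoso.com'            # hypothetical
$PingOneHosts     = 'auth.pingone.com', 'api.pingone.com'  # use your region's URLs if different

Import-Module ActiveDirectory -ErrorAction Stop
$cred = Get-Credential -UserName $ServiceAccount -Message 'Service account password'

# 1. Does the service account see every user under the Base DN?
#    Run the same query as the current (admin) user and compare counts; an OU
#    the account cannot read is skipped silently, so a mismatch is the signal.
$asService = @(Get-ADUser -Server $DomainController -Credential $cred -SearchBase $BaseDN -Filter *).Count
$asAdmin   = @(Get-ADUser -Server $DomainController -SearchBase $BaseDN -Filter *).Count
if ($asService -eq $asAdmin) {
    "OK   Base DN: service account sees all $asAdmin user(s) under $BaseDN"
} else {
    "FAIL Base DN: service account sees $asService of $asAdmin user(s) under $BaseDN"
}

# 2. Can the service account read tombstones in CN=Deleted Objects?
#    Without this, deletions in AD never reach PingOne during inbound sync.
#    Two views: the ACL on the container (read as admin) and a real search as
#    the service account. A search that returns zero results is inconclusive
#    if nothing has been deleted recently, which is why the ACL is checked too.
$deletedContainer = "CN=Deleted Objects,$DomainDN"
$acl = Get-Acl -Path "AD:\$deletedContainer"
$ace = $acl.Access | Where-Object { $_.IdentityReference -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow' }
$hasListAndRead = $ace | Where-Object {
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ListChildren) -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
}
if ($hasListAndRead) {
    "OK   ACL: $ServiceAccount has List Contents + Read Property on $deletedContainer"
} else {
    "FAIL ACL: $ServiceAccount lacks List Contents + Read Property on $deletedContainer"
    # Least-privilege remediation (Microsoft's documented dsacls approach), run by a domain admin:
    #   dsacls "$deletedContainer" /takeownership
    #   dsacls "$deletedContainer" /G "${ServiceAccount}:LCRP"
}
try {
    $tombstones = @(Get-ADObject -Server $DomainController -Credential $cred `
        -SearchBase $deletedContainer -Filter 'isDeleted -eq $true' `
        -IncludeDeletedObjects -ErrorAction Stop)
    "OK   Search: service account read $($tombstones.Count) tombstone(s) from $deletedContainer"
} catch {
    "FAIL Search: service account cannot search $deletedContainer : $($_.Exception.Message)"
}

# 3. Can this host open outbound TCP 443 to the PingOne endpoints the gateway
#    needs for its secure websocket connections? Run this from the gateway host.
foreach ($h in $PingOneHosts) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { "OK   Network: ${h}:443 reachable" } else { "FAIL Network: ${h}:443 not reachable" }
}
```

Run the script from the gateway host as an account that is an administrator in AD (so the ACL read and the admin-side user count succeed) and supply the service account's password when prompted. Only the TCP check covers the websocket prerequisite; a proxy that terminates TLS or blocks websocket upgrades still needs to be ruled out separately.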

Steps

  1. In the PingOne admin console, go to Integrations > Provisioning.

  2. Click the icon and then click New Connection.

  3. In the Create a New Connection modal, select Gateway.

  4. Select an existing gateway or click New Gateway to set up a new gateway.

    The gateway must be active and have a valid connection to an LDAP directory. Learn more about creating a gateway in Gateways.

  5. Click Next.

  6. In the Actions section, enter the provisioning options. The following options apply only if the gateway provisioning connection is used in an outbound provisioning rule:

    • Allow Users to be Created: Determines whether to create a user in the LDAP user directory when the user is created in the PingOne identity store. By default, this option isn’t selected.

    • Allow Users to be Updated (default): Determines whether to update user attributes in the LDAP user directory when the user is updated in the PingOne identity store.

    • Allow Users to be Disabled: Determines whether to disable a user in the LDAP user directory when the user is disabled in the PingOne identity store.

    • Allow Users to be Deprovisioned: Determines whether to deprovision a user in the LDAP user directory when the user is deprovisioned in the PingOne identity store. By default, this option isn’t selected.

    • Remove Action: Select Delete or Disable. Determines whether to remove or disable a user in the target identity store when the user is deleted in the PingOne identity store.

    • Deprovision on Rule Deletion: Determines whether to deprovision users if the associated provisioning rule is deleted.

  7. Click Save.

Next steps