For user import operations in which the imported user’s password remains on the external directory (and is not imported into PingOne), the import action uses the password.external.gateway configuration to designate that the user’s authoritative password is managed by an external service.

The POST /environments/{{envID}}/users operation imports a new user resource to the specified environment. This operation uses the application/vnd.pingidentity.user.import+json custom content type in the request header.

New users must be assigned to a population resource identified by its ID, and the request must set a value for the username attribute. The username attribute must be unique within an environment (spanning populations). Access to populations is determined by roles, so a username conflict can arise if you or your worker application attempt to create a user that already exists in a population to which you have no access.

The password property sets the attributes needed to specify an external directory as the password manager. For this use case, the password property configures the following sub-properties:

| Property | Type | Required? |
| --- | --- | --- |
| password.external | Object | Required |
| password.external.gateway | Object | Required |
| password.external.gateway.id | UUID | Required |
| password.external.gateway.type | String | Optional |
| password.external.gateway.userType | Reference | Required |
| password.external.gateway.userType.id | UUID | Required |
| password.external.gateway.correlationAttributes | Object | Required |

For more information about the gateway LDAP data model and gateway user types, see Gateway Management.
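A pre-flight check for import bodies, written as an added example (not PingOne code): it walks the property table above, plus username and the population ID, and reports missing or mistyped fields before the request is sent. The `population.id` body shape, the `uid` correlation attribute and all sample IDs are assumptions made for illustration.

```python
import uuid

# (dotted path, kind, required): the property table's rows, plus username and
# population.id from the paragraph before it (the population shape is assumed).
G = "password.external.gateway"
RULES = [
    ("username", "string", True), ("population.id", "uuid", True),
    ("password.external", "object", True), (G, "object", True),
    (G + ".id", "uuid", True), (G + ".type", "string", False),
    (G + ".userType", "object", True), (G + ".userType.id", "uuid", True),
    (G + ".correlationAttributes", "object", True),
]
_MISSING = object()

def _lookup(body, path):
    node = body
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def _is_kind(value, kind):
    if kind == "object":
        return isinstance(value, dict)
    if not isinstance(value, str) or not value.strip():
        return False
    try:
        return kind != "uuid" or bool(uuid.UUID(value))
    except ValueError:
        return False

def validate_import_body(body):
    """Return a list of problems; an empty list means the body passes."""
    problems = []
    for path, kind, required in RULES:
        value = _lookup(body, path)
        if value is _MISSING and required:
            problems.append(f"{path}: missing")
        elif value is not _MISSING and not _is_kind(value, kind):
            problems.append(f"{path}: expected {kind}")
    return problems

# Constructed sample body; every ID and the correlation attribute are made up.
SAMPLE_BODY = {
    "username": "jdoe", "population": {"id": "11111111-2222-4333-8444-555555555555"},
    "password": {"external": {"gateway": {
        "id": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
        "userType": {"id": "99999999-8888-4777-8666-555555555555"},
        "correlationAttributes": {"uid": "jdoe"}}}},
}
```

Running this over a batch before import catches records that would otherwise be rejected one by one, or created without the external gateway reference the migration depends on.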