This section describes the security controls that Connect to AD enforces to protect customer data.

Connect to AD communicates with only 2 services to perform its functions: 

1. UKG Pro using the secure UKG Pro API (over port 443).

2. Active Directory using a secured LDAP connection (port may change based on your configuration).

No employee data is ever stored and the only services that are required are the UKG Pro API (externally) and Active Directory (internally).


  • All communications to the UKG Pro API are encrypted and authenticated using an UKG Pro service account. The transmission channel that is used to transmit data is secured via Transport Layer Security (TLS).
  • Connect to AD does require a valid UKG Pro service account in order to establish a connection with the UKG Pro API. The UKG Pro service account information (host, user-name, password, client-access-key and the user-access-key) are all encrypted using RFC 2898 and securely stored.
  • For more information on RFC 2898, you can reference:
  • For more information on setting up a valid connection to the UKG API, click here. 

Active Directory

  • All communications to Active Directory are authenticated using a valid Windows account that can read, insert and update user records in Active Directory.
  • The security level of the transmission channel that is used to transmit data to Active Directory is determined by your Active Directory configuration (with or without SSL/TLS). Connect to AD supports both LDAP and LDAPS.
  • For more information on using LDAPS with Active Directory, you can reference:
  • For more information on setting up a valid connection to Active Directory, click here

IP Whitelisting

  • If you choose to implement IP Whitelisting, please include your UKG API host (https://service? in the allowed list of IP addresses as that is the only external service required by Connect to AD.
  • For more information on setting up a valid connection to the UKG API, click here.