---
title: Enabling PingID as an MFA provider in AD FS
description: The process of enabling PingID as a multi-factor authentication (MFA) provider in Microsoft Active Directory Federation Services (AD FS) varies slightly between AD FS 4.0 and 3.0. The process for each is described in the following sections.
component: pingid
page_id: pingid:pingid_integrations:pid_enabling_pid_as_mfa_provider_ad_fs
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_enabling_pid_as_mfa_provider_ad_fs.html
revdate: January 28, 2024
section_ids:
  enabling-pingid-as-an-mfa-provider-in-ad-fs-4-0: Enabling PingID as an MFA provider in AD FS 4.0
  steps: Steps
  result: Result:
  result-2: Result
  enabling-pingid-as-an-mfa-provider-in-ad-fs-3-0: Enabling PingID as an MFA provider in AD FS 3.0
  about-this-task: About this task
  steps-2: Steps
  result-3: Result
  configuring-advanced-settings: Configuring advanced settings
  about-this-task-2: About this task
  steps-3: Steps
  result-4: Result
  next-steps: Next steps
---

# Enabling PingID as an MFA provider in AD FS

The process of enabling PingID as a multi-factor authentication (MFA) provider in Microsoft Active Directory Federation Services (AD FS) varies slightly between AD FS 4.0 and 3.0. The process for each is described in the following sections.

## Enabling PingID as an MFA provider in AD FS 4.0

After installing the PingID MFA Adapter, enable it as the MFA provider for AD FS 4.0.

### Steps

1. In Windows, open **Server Manager** and go to **Tools → AD FS Management → AD FS → Service → Authentication Methods**.

2. From the **Actions** menu, select **Authentication Methods**, and then click **Edit Multi-factor Authentication Methods**. ![Screen capture of the Windows AD FS 4.0 Management window. The Authentication Methods Overview is currently displayed](_images/epj1564021066513.png)

   #### Result:

   The **Edit Authentication Policy** window opens.

3. On the **Multi-factor** tab, select **PingID MFA Adapter for AD FS**, then click **OK**.

### Result

PingID MFA is applied to the AD FS login process, according to the policy and general configurations of AD FS.

## Enabling PingID as an MFA provider in AD FS 3.0

After installing the PingID MFA Adapter, enable it as the MFA provider for AD FS 3.0.

### About this task

### Steps

1. In Windows, open **Server Manager** and go to **Tools → AD FS Management → AD FS → Authentication Policies**.

2. From the **Actions** menu, select **Authentication Policies**, and then click **Edit Global Multi-factor Authentication Methods**. ![Screen capture of the AD FS window in AD FS 3.0. The Authentication Policies Overview page is displayed. In the right-hand navigation menu are the Edit Global Primary Authentication and Edit Global Multi-factor Authentication options.](_images/rqo1564021067635.png)

3. On the **Multi-factor** tab, select **PingID MFA Adapter for AD FS**, and then click **Apply**.

### Result

PingID MFA is applied to the AD FS login process, according to the policy and general configurations of AD FS.
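
To confirm from PowerShell that the adapter selected in the AD FS 4.0 or 3.0 steps above is actually part of the global multi-factor policy, the following added example (not Ping Identity's code) compares the registered providers with the global authentication policy. It assumes the adapter's `AdminName` contains "PingID"; the function name and the fallback sample objects are constructed for illustration.

```powershell
# Added example. Run on the AD FS server in an elevated PowerShell session.
function Get-MfaProviderStatus {
    param(
        $Providers,                      # output of Get-AdfsAuthenticationProvider
        $Policy,                         # output of Get-AdfsGlobalAuthenticationPolicy
        [string]$Pattern = '*PingID*'    # assumption: the adapter's AdminName contains "PingID"
    )
    # Provider names currently selected on the Multi-factor tab
    $selected = @($Policy.AdditionalAuthenticationProvider)
    foreach ($p in @($Providers | Where-Object { $_.AdminName -like $Pattern })) {
        [pscustomobject]@{
            Name            = $p.Name
            AdminName       = $p.AdminName
            AllowedForMfa   = [bool]$p.AllowedForAdditionalAuthentication
            EnabledGlobally = $selected -contains $p.Name
        }
    }
}

if (Get-Command Get-AdfsAuthenticationProvider -ErrorAction SilentlyContinue) {
    $providers = Get-AdfsAuthenticationProvider
    $policy    = Get-AdfsGlobalAuthenticationPolicy
} else {
    # Constructed objects so the function can be exercised away from an AD FS server.
    # 'ExamplePingIdProvider' is a placeholder, not the adapter's real provider name.
    $providers = @(
        [pscustomobject]@{ Name = 'ExamplePingIdProvider'; AdminName = 'PingID MFA Adapter for AD FS'; AllowedForAdditionalAuthentication = $true }
        [pscustomobject]@{ Name = 'CertificateAuthentication'; AdminName = 'Certificate Authentication'; AllowedForAdditionalAuthentication = $true }
    )
    $policy = [pscustomobject]@{ AdditionalAuthenticationProvider = @('CertificateAuthentication') }
}

$status = @(Get-MfaProviderStatus -Providers $providers -Policy $policy)
if ($status.Count -eq 0) {
    Write-Warning 'No registered provider matches the pattern; check that the adapter is installed.'
}
foreach ($s in $status) {
    if (-not $s.EnabledGlobally) {
        Write-Warning "$($s.AdminName) is registered but not selected as a multi-factor method."
    }
}
$status | Format-Table -AutoSize
```

A provider that shows `EnabledGlobally` as true is only available for MFA; whether a given login is challenged still depends on the AD FS policy configuration.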

## Configuring advanced settings

Configure optional advanced settings for PingID MFA Adapter for AD FS.

### About this task

### Steps

1. In the Microsoft Management Console, go to **File → Add/Remove Snap-in**.

2. If the PingID MFA Adapter for AD FS folder is not shown under the **Console Root** folder, in the **Available snap-ins** section, select **PingID MFA Adapter for AD FS** and click **Add** and then click **OK**.

3. To display a list of advanced parameters, in the **Console Root** folder, click **PingID MFA Adapter for AD FS**. ![Screen capture showing the advanced parameter options for PingID MFA Adapter for AD FS](_images/hyv1564020588832.png)

4. Double-click the attributes you want to change and enter the relevant value.

   | Attribute                      | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |
   | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | `PingID Properties`            | Go to the `pingid.properties` file, and click **Open**. If you have not yet configured the PingID service, see [Configure the PingID service](../pingid_service_management/pid_configure_service.html) for instructions.                                                                                                                                                                                                                                                                                                                                            |
   | `User Name Attribute`          | The name of the user name attribute that will be mapped to the PingID user name value, such as `sAMAccountName`. The value of this attribute must be unique for each user identity. |
   | `Fname Attribute`              | The LDAP attribute containing the user first name.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |
   | `Lname Attribute`              | The LDAP attribute containing the user last name.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
   | `Email Attribute`              | The LDAP attribute containing the user email address. This email address is used during registration if users need to receive a link on their mobile device to download the PingID application.                                                                                                                                                                                                                                                                                                                                                                     |
   | `Phone Attribute`              | The LDAP attribute of the phone number used for SMS messages, as well as voice calls if the **Voice Number attribute** is left empty.<br><br>This attribute must use the Google Library format, which dictates that all phone numbers must include '+', as well as the international country code. |
   | `Voice Number Attribute`       | The LDAP attribute of the phone number used for voice calls. If left empty, the Phone Attribute is used for voice calls.<br><br>This attribute must use the Google Library format, which dictates that all phone numbers must include '+', as well as the international country code. |
   | `Secondary Email Attribute`    | A second email address that can be used to verify a user if they don't have a device paired with PingID.                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
   | `Map User Groups Attribute`    | Determine whether to map user groups to enable the PingID server to evaluate group-based policy during authentication. Select either:<br>- **Enable**: User group information is sent to the PingID server. PingID group-based policies are evaluated during authentication.<br>- **Disable**: User group information is not sent to the PingID server. PingID group-based policies are not evaluated during authentication.<br><br>For information on configuring a group-based policy, see PingID policy settings. The LDAP attribute for group membership (e.g. `memberOf`). |
   | `PingID Heartbeat Timeout`     | Time to wait for a response when verifying the PingID and PingOne services. If a value is not specified, the default is 30 seconds.                                                                                                                                                                                                                                                                                                                                                                                                                                 |
   | `Authentication During Errors` | Determines how to handle user authentication requests when PingID services are unavailable. Allowed values are:<br>- **Bypass User**: Accept the user's first factor authentication, and bypass the PingID MFA flow when the PingID MFA service is unavailable.<br>- **Block User**: Reject and block the user's login attempt when the PingID MFA service is unavailable. |
   | `Require PingID Registration`  | If enabled, requires that users are registered with PingID and verify their registration prior to authentication.                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
   | `Proxy URL`                    | If you want PingID to use a specific proxy, provide the URL here. The proxy URL format must be `http://<server name or IP>:<port>`. HTTPS is not supported. |
   | `Alternate Domain`             | If the users belong to a domain that is not reflected in the login information provided, you can use this field to specify the relevant domain.                                                                                                                                                                                                                                                                                                                                                                                                                     |

5. After you have configured all relevant attributes, click **Save and Restart AD FS**.

   Modifying advanced settings requires you to restart the AD FS service. This might affect users that are using this instance of AD FS.

### Result

Windows applies the configuration changes after restarting the AD FS service.
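
Several constraints in the attribute table can be checked before saving: unique user name values, phone numbers with '+' and country code, an `http://` proxy URL with a port, and the behavior chosen for `Authentication During Errors`. The following added example (not Ping Identity's code) runs those checks over constructed sample data. The attribute names `mobile` and `telephoneNumber`, the settings hashtable keys, and the function names are assumptions for illustration, and the phone check is a coarse pattern rather than a full phone-number library.

```powershell
# Constructed sample: users exported with the attributes mapped in the snap-in.
$users = @(
    [pscustomobject]@{ sAMAccountName = 'asmith'; mobile = '+14155550101';      telephoneNumber = '' }
    [pscustomobject]@{ sAMAccountName = 'bjones'; mobile = '0044 20 7946 0000'; telephoneNumber = '+442079460000' }
    [pscustomobject]@{ sAMAccountName = 'asmith'; mobile = '+33 1 55 55 01 01'; telephoneNumber = '' }
)
# Constructed sample of values entered in the snap-in (hypothetical key names).
$settings = @{ ProxyUrl = 'https://proxy.example.internal:8080'; AuthenticationDuringErrors = 'Bypass User' }

function Test-PhoneFormat([string]$Number) {
    # Strip common separators, then require '+', a non-zero leading digit and 7 to 15 digits in total.
    $digits = $Number -replace '[\s\-\.\(\)]', ''
    return $digits -match '^\+[1-9]\d{6,14}$'
}

function Get-PingIdSettingFinding {
    param(
        $Users,
        [hashtable]$Settings,
        [string]$UserNameAttr = 'sAMAccountName',
        [string[]]$PhoneAttrs = @('mobile', 'telephoneNumber')
    )
    # The User Name Attribute value must be unique for each user identity.
    foreach ($g in @($Users | Group-Object -Property $UserNameAttr | Where-Object { $_.Count -gt 1 })) {
        "Duplicate $UserNameAttr value '$($g.Name)' on $($g.Count) users"
    }
    # Phone and voice numbers must include '+' and the international country code.
    foreach ($u in $Users) {
        foreach ($a in $PhoneAttrs) {
            $v = [string]$u.$a
            if ($v -and -not (Test-PhoneFormat $v)) {
                "$($u.$UserNameAttr): $a value '$v' is not in +<country code><number> form"
            }
        }
    }
    # Proxy URL must be http://<server name or IP>:<port>; HTTPS is not supported.
    if ($Settings.ProxyUrl -and $Settings.ProxyUrl -notmatch '^http://[^/:\s]+:\d{1,5}/?$') {
        "Proxy URL '$($Settings.ProxyUrl)' is not of the form http://<server name or IP>:<port>"
    }
    # Bypass User accepts the first factor alone while the PingID MFA service is unavailable.
    if ($Settings.AuthenticationDuringErrors -eq 'Bypass User') {
        "Authentication During Errors is 'Bypass User': MFA is skipped while the PingID service is unavailable"
    }
}

Get-PingIdSettingFinding -Users $users -Settings $settings
```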

### Next steps

To apply a PingID authentication policy to your AD FS integration, see [Configuring an app or group-specific authentication policy](../pingid_service_management/pid_configuring_app_group_authentication_policy.html). The AD FS app should appear in the PingID Policy app list.
