--- title: Installing PingID MFA Adapter for AD FS description: The PingID multi-factor authentication (MFA) Adapter for Microsoft Active Directory Federation Services (AD FS) is required to enable PingID for AD FS. component: pingid page_id: pingid:pingid_integrations:pid_installing_pid_mfa_adapter_for_ad_fs canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_installing_pid_mfa_adapter_for_ad_fs.html revdate: March 27, 2023 section_ids: before-you-begin: Before you begin about-this-task: About this task steps: Steps result: Result: next-steps: Next steps --- # Installing PingID MFA Adapter for AD FS The PingID multi-factor authentication (MFA) *(tooltip: \
\

An electronic authentication method where a user is granted access only after presenting two or more verification factors for authentication.\

\
)* Adapter for Microsoft Active Directory Federation Services (AD FS) is required to enable PingID for AD FS. ## Before you begin Make sure: * You have installed AD FS 4.0 on Windows Server 2016 or AS FS 3.0 on Windows Server 2012 R2. * You have installed .NET 4.6 or later. * Port 443 is open to allow outbound communication with the PingID service. For further details about required URLs, see [PingID required domains, URLs, and ports](../pingid_service_management/pid_domains_urls_ports.html). * PingID integration for AD FS employs redirects and cross-site requests. Changes to cookie behavior implemented by browsers, such as Google Chrome v80, can cause disruptions to authentication flows. To ensure changes to cookie behavior do not cause disruptions to your authentication flows, make sure your AD FS servers have the latest SameSite cookie support updates from Microsoft. For information about the SameSite cookie changes introduced in Chrome v80, and details on how to upgrade your server, see this [Microsoft support article](https://docs.microsoft.com/en-us/office365/troubleshoot/miscellaneous/chrome-behavior-affects-applications). ## About this task | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | | | This operation involves restarting the AD FS service. After the installation is complete, you must select the PingID MFA Adapter as an MFA method in AD FS. | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | If you have another MFA provider installed on your AD FS instance, but it is not configured correctly, you might not be able to install PingID MFA Adapter for AD FS and might receive an error when running the PingID MFA installer. We recommend that you disable any existing MFA authentication methods that you are not using before you install the PingID Adapter for AD FS. | ## Steps 1. In the PingOne admin portal, go to **Setup → PingID → Client Integration**. 2. In the **Integrate with PingFederate and Other Clients** section, click **Download** to download the `pingid.properties` file. 3. On the [PingID Downloads](https://www.pingidentity.com/en/resources/downloads/pingid.html) page, go to **Integrations**, and download and extract the **PingID MFA Adapter for AD FS** file. 4. To launch the setup wizard, run `PingIdAdfsAdapter.exe`. 5. When the wizard launches, click **Next**. 6. Review the Software License Agreement, click **I accept the agreement**, and then click **Next**. 7. Click **Browse**, and then navigate to the `pingid.properties` file that you downloaded from the admin portal. 8. Select the claim type that should be passed to the MFA adapter, and then click **Next**. PingID MFA adapter for AD FS supports the following claim types. | Claim Type | Description | URI | | ------------------------ | -------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | | **UPN** | The user principal name (UPN) of the user, in the format `user@domain.com` | `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn` | | **Windows account name** | The Windows Account Name of the user in the in the format `DOMAIN\USER` | `http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname` | | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | After the installation is complete, the claim type cannot be modified. For more information about claim types, see Microsoft's documentation on [The role of claims](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/technical-reference/the-role-of-claims). | | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Assess your environment and decide which claim type fits your specific environment. You must consider the effect the claim type will have on your environment setup.For example, if you have a split DNS implementation, where the UPN carries the external domain name, and the `WindowsAccountName` carries the internal domain name, you must use the `WindowsAccountName` claim type for the MFA Adapter. If you use the UPN claim type instead, the MFA Adapter attempts to locate the external domain name as an AD domain that does not exist and fails to retrieve the user from the AD. | 9. If you want to change the destination folder, click **Browse** and navigate to the relevant location, otherwise click **Next**. 10. Click **Install**. ### Result: After the installation finishes, the path to the installation log is displayed. The installation log provides additional information about the installation. 11. Click **Next**, and then click **Finish**. ## Next steps After the adapter is installed, enable PingID as an MFA provider. For more information, see [Enabling PingID as an MFA provider in AD FS](pid_enabling_pid_as_mfa_provider_ad_fs.html).