---
title: Integrate PingID with AD FS
description: PingID MFA Adapter for AD FS enables multi-factor authentication (MFA) capabilities for users that are signing on using Microsoft Active Directory Federation Services (AD FS).
component: pingid
page_id: pingid:pingid_integrations:pid_integrate_with_ad_fs
canonical_url: http://docs.pingidentity.com/pingid/pingid_integrations/pid_integrate_with_ad_fs.html
revdate: January 30, 2024
section_ids:
  processing-steps: Processing steps
---

# Integrate PingID with AD FS

PingID MFA Adapter for AD FS enables multi-factor authentication (MFA) capabilities for users that are signing on using Microsoft Active Directory Federation Services (AD FS).

You can install the PingID MFA Adapter on a single AD FS instance. If you have an AD FS farm deployment, you must install PingID MFA Adapter on each AD FS instance in the farm to enable MFA.

PingID MFA Adapter for AD FS can query user data originating from multiple Active Directory domains, based on the user claim presented during authentication.

An AD FS app is available in the **Policy Apps** list. Use it to apply PingID authentication policies specific to AD FS MFA. For more information, see [Configuring an app or group-specific authentication policy](../pingid_service_management/pid_configuring_app_group_authentication_policy.html)

The following figure demonstrates a typical user flow.![Diagram illustrating user authentication through PingID MFA Adapter for AD FS](_images/iqq1564020585473.png)

## Processing steps

1. The user attempts to login to an application using their credentials. AD FS validates the user credentials against Active Directory.

2. The PingID adapter for AD FS initiates an MFA request to the PingID service in the cloud.

3. The PingID cloud service sends an MFA request to the user, as configured by their PingID policy.

4. The user authenticates using the configured authentication method, such as Swipe, Mobile App Biometrics, or YubiKey. The PingID cloud service redirects the user back to AD FS.

5. Using the SAML or OpenID Connect (OIDC) protocol, AD FS authorizes the Service Provider to grant access to the user.

For more information on getting started with PingID for AD FS, see [Installing PingID MFA Adapter for AD FS](pid_installing_pid_mfa_adapter_for_ad_fs.html) and [Enabling PingID as an MFA provider in AD FS](pid_enabling_pid_as_mfa_provider_ad_fs.html).