Configuring a username token processor instance
To allow email clients, mobile phones, and other active clients that use Office 365 to authenticate, users must provide the username and password of their AD domain account.
About this task
This configuration isn’t required for browser-only implementations, such as passive WS-Federation.
To verify these credentials, Office 365 relays them to PingFederate using the WS-Trust protocol. To validate the username and password, a username token processor is set up to bind to the domain controller. Each request sent to PingFederate includes a UsernameToken element that PingFederate passes along for authentication.
With PingFederate 6.11 or later, you can also configure the Kerberos token processor to allow the STS to accept and validate Kerberos tokens and to enable SSO for clients that support Kerberos authentication.
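The UsernameToken element described above, shown as an added example (not PingFederate code and not part of the original documentation): the sketch parses a constructed WS-Trust request the way a receiving service might before an LDAP bind, and produces a log line that omits the password. The function names, sample account, and password are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed sample request; the account and password are made up.
SAMPLE_RST = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:o="{wsse}">
  <s:Header>
    <o:Security>
      <o:UsernameToken>
        <o:Username>jdoe@example.com</o:Username>
        <o:Password Type="{ptype}">constructed-password</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body><!-- RequestSecurityToken would go here --></s:Body>
</s:Envelope>""".format(wsse=WSSE, ptype=PASSWORD_TEXT)


def extract_username_token(soap_xml):
    """Return (username, password) from the WS-Security header of a request."""
    # Refuse DTDs so entity-expansion payloads never reach the parser.
    if "<!DOCTYPE" in soap_xml or "<!ENTITY" in soap_xml:
        raise ValueError("DTD not allowed in SOAP request")
    root = ET.fromstring(soap_xml)
    tokens = root.findall(".//{%s}Security/{%s}UsernameToken" % (WSSE, WSSE))
    if len(tokens) != 1:
        raise ValueError("expected exactly one UsernameToken, got %d" % len(tokens))
    user = tokens[0].findtext("{%s}Username" % WSSE)
    pwd = tokens[0].find("{%s}Password" % WSSE)
    if not user or pwd is None or not pwd.text:
        raise ValueError("UsernameToken is missing Username or Password")
    # An LDAP bind needs the clear-text password; a digest cannot be used for it.
    # Per the UsernameToken profile, an absent Type attribute means PasswordText.
    if pwd.get("Type", PASSWORD_TEXT) != PASSWORD_TEXT:
        raise ValueError("only PasswordText can be validated by LDAP bind")
    return user.strip(), pwd.text


def log_safe(soap_xml):
    """Summarise a request for logs without ever including the password."""
    user, _ = extract_username_token(soap_xml)
    return "UsernameToken user=%s password=<redacted>" % user


if __name__ == "__main__":
    print(log_safe(SAMPLE_RST))
```

Because the password travels as PasswordText inside the SOAP header, the endpoint that receives these requests should be reachable over TLS only, and any request logging in front of it should not capture the Security header.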
Steps
- In the PingFederate administrative console, go to IdP Configuration > Application Integration Settings > Token Processors.
  If the Token Processors menu item is not present under Application Integration, ensure that WS-Trust is enabled in the Roles and Protocols section of the Server Settings window. Learn more about Choosing roles and protocols in the PingFederate documentation.
- Click Create New Instance.
- On the Type tab, in the Instance Name field, enter a name for the token processor.
- In the Instance ID field, enter an ID.
- In the Type list, select Username Token Processor.
  For PingFederate 7.2 or later, select Username Token Processor from the Type list and follow the steps in the Configuring a Username Token Processor Instance section of the PingFederate documentation. When finished, skip to step 8.
- Click Next.
- On the Instance Configuration tab, select the LDAP Password Credential Validation instance that was previously configured.
- Click Next on both the Instance Configuration and Token Attributes tabs.
- Click Done on the Summary tab.
- Click Save on the Manage Token Processors tab.
If you need to support multiple Office 365 subdomain accounts using one SP connection in PingFederate 7.2 or later, repeat steps 1-6 to create additional token processors against your LDAP password credential validators. Learn more in Creating a password credential validator.