PingFederate Server

Accept Azure Primary Refresh Tokens

Primary Refresh Tokens (PRTs) are issued by Microsoft Entra to enable single sign-on (SSO) when Entra is your identity provider (IdP). PRTs are issued and verified only by Entra and can't be verified offline, so PingFederate must always send the user back to Entra to validate one. Learn more about PRTs in Understanding Primary Refresh Token in the Microsoft documentation.

You can configure PingFederate to accept PRTs for workforce users by creating an OpenID Connect (OIDC) IdP connection, with Entra as an external IdP.

This configuration has three main components:

  1. Register an application in Microsoft Entra.

  2. Create an IdP connection in PingFederate.

  3. Configure user browsers to accept PRTs.

Before you begin

For testing purposes, you should have a device connected to Entra as a joined device. Learn more in Microsoft Entra joined devices in the Microsoft documentation.

You can test whether your device is joined by running dsregcmd /status in the command line. If your device is joined, the output includes:

isDeviceJoined: YES
AzureAdPrt: YES

Register an application in Microsoft Entra

Follow the steps in Register an application with the Microsoft identity platform in the Microsoft documentation.

While registering an application, do the following so you can connect to PingFederate:

  • Create a client secret and have it ready to copy into PingFederate.

  • Add a redirect URI from PingFederate. You can find the Redirect URI in PingFederate on the Summary & Activation tab after you finish configuring the IdP connection.

Create an OIDC IdP Connection in PingFederate

  1. Follow the steps in Creating an OpenID Connect IdP connection.

    While creating the connection, do the following to connect with your Entra application:

    • On the General Info tab, paste the Client ID and Client Secret values from your application.

    • On the OpenID Provider Info tab, add the following request parameter:

      Name     Type   Value
      prompt   text   none

      This prevents Entra from displaying the Microsoft sign-on page when PRT authorization fails; Entra instead returns an error to PingFederate, which can then continue with the rest of the authentication policy.

  2. If necessary, create an authentication policy for the new IdP connection. Learn more in Defining authentication policies.
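The effect of the prompt=none parameter, as an added illustration that is not part of the PingFederate documentation or product code: the authorization request the IdP connection sends to Entra carries prompt=none, so when no PRT is available Entra redirects back with an OIDC error (login_required or interaction_required) instead of rendering its sign-on page, and the relying side treats that as a fallback signal. The tenant, client ID and redirect URI below are placeholders, and the callback URLs are constructed sample input.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Entra v2.0 authorization endpoint; TENANT_ID is a placeholder.
ENTRA_AUTHORIZE = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize"

# OIDC errors an OP returns to a prompt=none request when it cannot
# authenticate silently (OpenID Connect Core 3.1.2.6).
SILENT_AUTH_ERRORS = {"login_required", "interaction_required", "consent_required"}


def build_authorize_url(tenant, client_id, redirect_uri, state, nonce):
    """Authorization request with the prompt=none parameter the page adds."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,          # CSRF binding, checked on the way back
        "nonce": nonce,          # replay protection for the ID token
        "prompt": "none",        # never show the Microsoft sign-on page
    }
    return ENTRA_AUTHORIZE.format(tenant=tenant) + "?" + urlencode(params)


def classify_callback(callback_url, expected_state):
    """Sort the redirect from Entra into ('code', c), ('fallback', err) or ('reject', why)."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return ("reject", "state mismatch")        # not our request; drop it
    if "error" in q:
        err = q["error"][0]
        if err in SILENT_AUTH_ERRORS:
            return ("fallback", err)                # no PRT: try the next policy source
        return ("reject", err)                      # any other error is a hard failure
    if "code" in q:
        return ("code", q["code"][0])               # PRT accepted; exchange the code
    return ("reject", "no code or error in callback")
```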

Configure browsers to accept PRTs

The following table describes how to enable PRT authentication in various browsers:

Browser: Chrome 111+
  Compatibility: Device-based Conditional Access
  How to enable: Enable the CloudAPAuthEnabled registry setting.

Browser: Firefox 91+
  Compatibility: Device-based Conditional Access
  How to enable:
    1. In the address bar, enter about:preferences#privacy.
    2. Under the Passwords section, select Allow Windows single sign-on for Microsoft, work, and school accounts.

Browser: Microsoft Edge 85+
  Compatibility: The user must be signed on to the browser to pass device identity. This sign-on might not happen automatically if the device is a hybrid join.

Browser: Safari
  Compatibility: Device-based Conditional Access. Can't satisfy the Require approved client app or Require app protection conditions.
  How to enable: No action needed

Learn more about Conditional Access in the Microsoft documentation.

After configuring your browser, you can test the connection by triggering an authentication flow on the joined device. Check the PingFederate audit.log file to verify that authentication at the IdP connection succeeds; if the device has no PRT, expect the flow to fall through to the next authentication source in your policy rather than to a Microsoft sign-on page.