PingID Administration Guide

Installing PingID MFA Adapter for AD FS using the CLI

Use the command-line interface (CLI) to install and register the PingID multi-factor authentication (MFA) Adapter for Microsoft Active Directory Federation Services (AD FS).

Before you begin

Make sure:

  • You have installed AD FS 4.0 on Windows Server 2016 or AD FS 3.0 on Windows Server 2012 R2.

  • You have installed .NET 4.6 or later.

  • Port 443 is open to allow outbound communication with the PingID service. For further details about required web access, see PingID required domains, URLs, and ports.

  • PingID integration for AD FS relies on redirects and cross-site requests, so browser changes to cookie handling, such as the SameSite defaults introduced in Google Chrome 80, can break authentication flows. To avoid this, make sure your AD FS servers have the latest SameSite cookie support updates from Microsoft installed. For information about the SameSite cookie changes introduced in Chrome 80 and how to update your server, see this Microsoft support article.

This operation involves restarting the AD FS service. After the installation is complete, you will need to select the PingID MFA Adapter as an MFA method in AD FS.

If another MFA provider is installed on your AD FS instance but is not configured correctly, the PingID MFA installer may fail with an error. To avoid software conflicts, disable any unused MFA authentication methods before you install PingID MFA Adapter for AD FS.

Steps

  1. In the PingOne admin portal, go to Setup → PingID → Client Integration.

  2. To download the pingid.properties file, in the Integrate with PingFederate and Other Clients section, click Download.

  3. On the PingID Downloads page, go to Integrations, and download and extract the file for AD FS.

  4. Open a command prompt and run the following:

    PingIdAdfsAdapter<version>.exe /p=[full-path-to-properties-file]
    /ct=[claim-type-uri] [/SILENT | /VERYSILENT] [/SUPPRESSMSGBOXES] [/AcceptTerms]

    Where:

    /p=[full-path-to-properties-file]
        The path to the pingid.properties file that you downloaded from the admin portal.

    /ct=[claim-type-uri]
        The claim type URI. For more information, see the following Claim Type table.

    /SILENT
        Hide the install wizard window but show the installation progress window.

    /VERYSILENT
        Hide both the install wizard window and the installation progress window.

    /SUPPRESSMSGBOXES
        Suppress message boxes during installation. This switch only has an effect when combined with /SILENT or /VERYSILENT.

    /AcceptTerms
        Suppress message boxes and silently accept the terms of the PingID installation.

    PingID MFA Adapter for AD FS supports the following claim types. The URI is the standard AD FS claim type URI that you pass with /ct.

    UPN
        The user principal name (UPN) of the user, in the format user@domain.com.
        URI: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

    Windows account name
        The Windows account name of the user, in the format DOMAIN\USER.
        URI: http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname

    After the installation is complete, the claim type cannot be modified.

    Assess your environment and choose the claim type that fits it. The claim type determines how the MFA Adapter looks up users in AD, so consider its effect on your environment setup before you install.

    For example, if you have a split DNS implementation, where the UPN carries the external domain name, and the WindowsAccountName carries the internal domain name, you must use the WindowsAccountName claim type for the MFA Adapter. If you use the UPN claim type instead, the MFA Adapter attempts to locate the external domain name as an AD domain that does not exist, and fails to retrieve the user from the AD.

    For more information about claim types, see Microsoft’s documentation on The role of claims.
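The following PowerShell script is an added example, not a script shipped with PingID. It runs step 4 unattended on the AD FS server, with the checks from "Before you begin" done first and the post-install step of enabling the adapter as an MFA method done last. It assumes things the page does not state: the paths of the extracted installer and the properties file, that pingid.properties contains an idp_url= line naming the PingID service host, and that the authentication provider the installer registers has "PingID" in its name. Run it from an elevated PowerShell session; the installer restarts the AD FS service.

```powershell
# Added example, not a script shipped with PingID: runs step 4 above unattended, with the
# checks from "Before you begin" and the post-install step of enabling the adapter as an
# MFA method. Assumptions not stated on the page: the installer and properties-file paths,
# that pingid.properties contains an idp_url= line naming the PingID service host, and that
# the provider the installer registers has "PingID" in its name. Run from an elevated
# PowerShell session on the AD FS server; the installer restarts the AD FS service.

param(
    [string]$InstallerPath  = 'C:\Temp\PingIdAdfsAdapter.exe',  # assumed: extracted installer
    [string]$PropertiesPath = 'C:\Temp\pingid.properties',      # assumed: downloaded properties file
    [ValidateSet('upn', 'windowsaccountname')]
    [string]$ClaimType = 'windowsaccountname'                   # cannot be changed after install
)

# Standard AD FS claim type URIs for the two claim types the adapter supports.
$ClaimTypeUris = @{
    upn                = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'
    windowsaccountname = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'
}

function Test-PingIdPrerequisites {
    $ok = $true
    foreach ($path in @($InstallerPath, $PropertiesPath)) {
        if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing file: $path"; $ok = $false }
    }

    # .NET 4.6 or later: Release 393295 is the lowest value that means 4.6.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    if (-not $ndp -or $ndp.Release -lt 393295) { Write-Warning '.NET Framework 4.6 or later is required'; $ok = $false }

    # AD FS must be installed and running; the installer restarts it.
    $svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { Write-Warning 'AD FS service (adfssrv) is not running'; $ok = $false }

    # Outbound TCP 443 to the PingID service host (assumption: an idp_url= line in the properties file).
    $match = Select-String -Path $PropertiesPath -Pattern '^\s*idp_url\s*=\s*(\S+)' | Select-Object -First 1
    if ($match) {
        $idpHost = ([Uri]$match.Matches[0].Groups[1].Value).Host
        if (-not (Test-NetConnection -ComputerName $idpHost -Port 443 -InformationLevel Quiet)) {
            Write-Warning "Cannot reach $idpHost on TCP 443"; $ok = $false
        }
    }

    # Split-DNS check from the claim type note: with the UPN claim type, every UPN suffix in use must
    # also be an AD domain name or the adapter's user lookup fails. Heuristic; needs the ActiveDirectory module.
    if ($ClaimType -eq 'upn' -and (Get-Command Get-ADForest -ErrorAction SilentlyContinue)) {
        $forest  = Get-ADForest
        $foreign = @($forest.UPNSuffixes | Where-Object { $_ -notin $forest.Domains })
        if ($foreign) { Write-Warning "UPN suffixes that are not AD domains: $($foreign -join ', '); consider windowsaccountname" }
    }

    # The page recommends disabling unused MFA providers first; show what is currently enabled.
    $enabled = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
    if ($enabled) { Write-Host "Additional authentication providers already enabled: $($enabled -join ', ')" }
    return $ok
}

function Install-PingIdAdapter {
    # Quote the properties path so a path with spaces survives; /SUPPRESSMSGBOXES only works with /VERYSILENT or /SILENT.
    $switches = @(
        "/p=`"$PropertiesPath`"",
        "/ct=$($ClaimTypeUris[$ClaimType])",
        '/VERYSILENT', '/SUPPRESSMSGBOXES', '/AcceptTerms'
    )
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $switches -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "PingID installer exited with code $($proc.ExitCode)" }
}

function Enable-PingIdMfa {
    # Assumption: the registered provider's Name contains "PingID". If it does not, the listing shows the real name.
    $provider = @(Get-AdfsAuthenticationProvider | Where-Object { $_.Name -like '*PingID*' })
    if (-not $provider) {
        Get-AdfsAuthenticationProvider | Select-Object Name, DisplayName | Out-String | Write-Host
        throw 'No PingID provider registered with AD FS; check the installer output'
    }
    # Set-AdfsGlobalAuthenticationPolicy replaces the whole list, so keep the providers already enabled.
    $current = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
    $wanted  = @($current + @($provider.Name) | Select-Object -Unique)
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $wanted
    Write-Host "Additional authentication providers now enabled: $($wanted -join ', ')"
}

if (-not (Test-PingIdPrerequisites)) { throw 'Prerequisite check failed; resolve the warnings above before installing' }
Install-PingIdAdapter
Enable-PingIdMfa
```

Two design points worth noting. The claim type is passed as a parameter and mapped to its URI from a fixed table, because the installer accepts only the URI and the choice cannot be revisited after installation; the split-DNS warning is a heuristic that flags UPN suffixes with no matching AD domain, which is exactly the case the note above describes. Set-AdfsGlobalAuthenticationPolicy overwrites the additional-provider list rather than appending, so the script reads the current list and adds the PingID provider to it instead of passing the new name alone.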