PingOne for Enterprise

AD Connect for IIS final setup

About this task

You’re completing the setup or manual update of AD Connect for IIS and are ready to verify the AD Connect for IIS installation and configure additional settings in PingOne for Enterprise.

Steps

  1. On the PingOne for Enterprise admin portal page for AD Connect, click Verify Installation. PingOne for Enterprise checks the connection to the AD Connect identity bridge.

    If you’re using AD Connect in a clustered, high availability configuration, you will verify the installation in the PingOne admin portal only for the initial AD Connect installation.

  2. For Authentication, the setting for Account Lookup Method is displayed.

    This setting assigns the Active Directory user attribute to use when looking up the account information for the user during authentication. This can be:

    • Mail. The email address assigned to the user.

    • sAMAccountName. The legacy Windows logon name for the user.

    • Filter. An LDAP filter to use when looking up the account information for the user.

  3. For Delegated Authentication, the setting for Account Lookup Method is displayed.

    This setting assigns the Active Directory user attribute to use when looking up the account information for the user during delegated authentication. This can be:

    • Mail. The email address assigned to the user.

    • sAMAccountName. The legacy Windows logon name for the user.

    • Filter. An LDAP filter to use when looking up the account information for the user.

  4. In the Identity Provider SSO URL section, check that a valid URL to your IIS host is displayed, and that the connection string for the SSO URL is correct. If needed, change either of these URLs.

  5. The settings for Entity ID, Assertion Lifetime and Authentication Type are displayed.

    The Entity ID setting for your deployment is also displayed. This uniquely identifies the identity bridge to PingOne. This identifier is used in the Issuer element of the SAML assertion sent to us by the identity bridge. Do not change this setting unless we advise you to do so.

    1. Check that the Assertion Lifetime setting is acceptable. Generally, you needn’t change the default setting.

      This setting indicates how long the SAML assertion remains valid (in minutes).

    2. For Authentication, check that the Authentication Type setting is acceptable.

      This setting assigns the type of authentication the AD Connect identity bridge is to use. This can be:

      • Integrated. Integrated Windows Authentication (IWA) is used when the user is on your organization’s network. A user is prompted for their credentials only once during the same browser session.

      • Forms. A Web-based authentication form is used. A user is prompted for their credentials at every authentication point during the same browser session.

      • Hybrid. A combination of Integrated Windows Authentication (IWA) and Form-based authentication is used. IWA is limited to intranet users who fall within a certain IP block range (specified in the Intranet IP Block attribute. Form-based authentication is used in all other cases (intended for those users authenticating from outside your organization’s intranet).

    If you’re using Integrated or Hybrid types, see Configure IWA for AD Connect with IIS.

  6. Click Finish.

    When you return to the Setup → Identity Repository page, a summary of the settings for your identity bridge is displayed. You can click the Edit icon to modify the settings.

Next steps

When you’ve completed your configuration:

  • If you’ve upgraded:

    • You need to set the proper verification certificate. While logged in as an Administrator, browse to https://localhost/adconnect/config.aspx.

      In the bottom left of this page you will find the digital signature portion. Select the certificate that you’d assigned for the previous AD Connect installation, or want to assign for this installation. You can also choose to use the self-signed certificate.

      If an error displays after you’ve selected the verification certificate stating that the certificate does not have the proper permissions, see the PingOne Knowledge Base article Manually updating the AD Connect signing certificate.

    • If you upgraded from version 1.x, in the PingOne admin portal, you will see that the group short names have been converted to their full DN. If you have multiple domains or child domains, check your application group mappings to ensure all of the correct groups have been selected for your application.

  • If you’re using AD Connect with IIS in a clustered, high availability configuration, repeat these steps on each AD Connect host.