---
title: Connect to ADFS
description: PingOne for Enterprise uses the SAML protocol to connect to Microsoft Active Directory Federation Services (ADFS).
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_for_enterprise:p14e_connect_adfs
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_connect_adfs.html
revdate: December 9, 2021
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
  troubleshooting: Troubleshooting:
  result: Result
---

# Connect to ADFS

PingOne for Enterprise uses the SAML protocol to connect to Microsoft Active Directory Federation Services (ADFS).

## About this task

To configure the identity repository side of the connection, you will need to supply the PingOne for Enterprise SAML connection settings to your ADFS administrator. To configure the PingOne for Enterprise side of the connection, the ADFS administrator will need to supply you with the ADFS SAML connection settings. We recommend using metadata files to update these settings, although you can configure the settings manually.

## Steps

1. Go to **Setup > Identity Repository**, click **Connect to an Identity Repository**, and select **Microsoft ADFS**.

2. Click **Next**.

3. From the **Choose Signing Certificate** list, select the signing certificate for PingOne to use to sign SAML assertions sent to ADFS.

4. Click **Download PingOne Metadata**.

   The PingOne metadata includes all of the necessary PingOne connection information, including the encryption certificate and the primary and renewal certificates.

5. Click **Next**.

6. Assign the ADFS SAML connection settings in PingOne:

   ### Choose from:

   * Click the **Import Your ADFS SAML Connection Metadata** button. Click either **Select File** or **Use URL**.

     The SAML parameters required for the PingOne side of the connection will be automatically assigned based on the settings in the metadata.

     Note: The SAML connection metadata must be in UTF-8 format without a byte order mark (BOM).

   * Manually enter the values for these SAML connection settings used by ADFS:

     **Entity ID**

     Uniquely identifies the identity bridge to PingOne. This identifier is used in the Issuer element of the SAML assertion sent to us by the identity bridge.

     Note: To ensure against possible identifier conflicts with the `idpid`, the Entity ID must be unique, unless you're assigning the Entity ID value for a private, managed application (an application that is supplied and configured by a PingOne for Enterprise administrator, rather than by an SP).

     **SSO Endpoint**

     The endpoint at your identity bridge to which PingOne sends AuthnRequests (using the Redirect method you assigned to the `Request Binding` attribute for your identity bridge).

     **Verification Certificate**

     The public verification certificate for your identity bridge. PingOne will use this certificate on your behalf to sign SAML assertions. Ensure that your IdP imports and recognizes this verification certificate.

     **Secondary Verification Certificate**

     A second certificate for us to use to sign SAML assertions on your behalf if verification fails when using your primary certificate. Ensure that your IdP imports and recognizes this verification certificate.

     **Single Logout Endpoint**

     (Optional) The endpoint (URL) configured for the identity bridge to which PingOne sends SAML single logout (SLO) requests. The SLO process uses the binding you choose for the `Single Logout Binding Type` attribute.

     **Single Logout Response Endpoint (IdP)**

     (Optional) The endpoint (URL) configured for the identity bridge to which PingOne sends single logout (SLO) responses. If you do not assign a value here, `Single Logout Endpoint` is also used as the response endpoint. The SLO process uses the binding you choose for the `Single Logout Binding Type` attribute.

     **Single Logout Binding Type**

     The binding type determines how the SAML protocol uses another protocol (in this case, HTTP) to transport messages. The SAML single logout (SLO) process can use either the POST or Redirect methods.

7. Click **Next**.

8. For each PingOne attribute, enter or select an ADFS attribute to map it to.

   Note: For any of the attribute mappings, you can choose to configure an advanced mapping. See [Creating advanced attribute mappings](p14e_creating_advaced_attribute_mappings.html) for instructions.

   This assignment maps identity provider attributes to the default attributes used by the PingOne dock. This attribute mapping is not used by applications that you add to PingOne. Application attributes are mapped in each application.

   ### Troubleshooting:

   Mapping the PingOne `email` attribute to a custom ADFS attribute called `Email` can cause ADFS to send improperly formatted SAML assertions. When mapping the ADFS claim attribute `E-mail Addresses`, use the default ADFS claim attribute `E-mail Address` instead.

9. Click **Save**.
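
For step 6, the following Python check tests an ADFS metadata file against the encoding requirement (UTF-8, no BOM) before import and extracts the values you would otherwise enter manually: the Entity ID, the SSO and single logout endpoints keyed by binding (for example `HTTP-Redirect`), and the SHA-256 fingerprint of each signing certificate. It is an added example, not Ping Identity or Microsoft code. The function name `inspect_metadata`, the `example.com` host names and the placeholder certificate bytes are assumptions, and the DOCTYPE rejection is an extra precaution for metadata fetched by URL.

```python
import base64
import codecs
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BOMS = (codecs.BOM_UTF8, codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)

def inspect_metadata(raw: bytes) -> dict:
    """Enforce the encoding rule, then return the values listed in step 6."""
    if raw.startswith(BOMS):
        raise ValueError("metadata starts with a byte order mark (BOM)")
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError(f"metadata is not valid UTF-8: {exc}") from exc
    if b"<!DOCTYPE" in raw:  # refuse DTDs so no entity declarations get parsed
        raise ValueError("metadata contains a DOCTYPE declaration")
    root = ET.fromstring(raw)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("expected an EntityDescriptor with an IDPSSODescriptor")
    sso = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    slo = [(e.get("Binding").rsplit(":", 1)[-1], e.get("Location"),
            e.get("ResponseLocation"))
           for e in idp.findall("md:SingleLogoutService", NS)]
    certs = idp.findall("md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    prints = [hashlib.sha256(base64.b64decode(c.text)).hexdigest()
              for c in certs]
    return {"entity_id": root.get("entityID"), "sso": sso, "slo": slo,
            "signing_cert_sha256": prints}

# Constructed sample: example.com host names and a placeholder, not a real certificate.
CERT_BYTES = b"constructed placeholder, not a real certificate"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SAMPLE = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{base64.b64encode(CERT_BYTES).decode()}</X509Certificate>
    </X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".encode("utf-8")
if __name__ == "__main__":
    print(inspect_metadata(SAMPLE))
```

Compare the reported fingerprint with the one your ADFS administrator reads from the token-signing certificate before you import metadata fetched by URL.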

## Result

When you return to **Setup > Identity Repository**, a summary of the settings for your ADFS identity bridge is displayed. You can click **Edit** to modify the settings. You can also copy the **PingOne Metadata URL** and use it to keep your IdP configuration updated with PingOne metadata.
