Installing AD Connect
To designate AD Connect as your identity repository, install AD Connect to your server and configure PingOne for Enterprise to connect to it.
Before you begin
AD Connect requirements:
- One of the following platforms:
  - Microsoft Windows Server 2019 Desktop (not Core)
  - Microsoft Windows Server 2016
  - Microsoft Windows Server 2012 R2
  - Microsoft Windows Server 2012
- TLS 1.2
- Microsoft .NET Framework 4.7.2 installed. The framework installation file is packaged with the AD Connect distribution.
- Port requirements:
  - TCP 443 inbound/outbound (WebSocket connections to PingOne for Enterprise)
  - (If IWA is enabled) TCP 80 internal, inbound/outbound (IWA connections)
- Ensure that the AD Connect account lockout option is enabled for all PingOne for Enterprise users. This is necessary to protect user information in PingOne for Enterprise.
- AD Connect does not support authentication using IWA with Microsoft 365 or mobile devices. IWA does not work with iOS.
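The following script is an added pre-installation check for the requirements listed above. It is example code, not part of the Ping Identity installer or documentation. It assumes an elevated PowerShell session on the prospective AD Connect host; the -PingOneHost default is a placeholder, not a real endpoint, and must be replaced with the hostname your tenant uses for the WebSocket connection. The TCP 80 check assumes that, with IWA enabled, AD Connect needs that port to be free of other listeners.

```powershell
# Added example (not Ping Identity code): verify the AD Connect host prerequisites.
# Assumes an elevated session on the prospective host; PLACEHOLDER.pingone.example
# stands in for your tenant's real PingOne for Enterprise hostname.
function Test-ADConnectPrereqs {
    param(
        [string]$PingOneHost = 'PLACEHOLDER.pingone.example',
        [switch]$IwaEnabled
    )
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
        $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
    }

    # Supported platform: Server 2012, 2012 R2, 2016 or 2019. For 2019 the
    # InstallationType registry value must be 'Server' (Desktop), not 'Server Core'.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $installType = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').InstallationType
    $osOk = $os.Caption -match 'Windows Server (2012|2016|2019)'
    if ($os.Caption -match '2019' -and $installType -ne 'Server') { $osOk = $false }
    Add-Check 'Supported Windows Server' $osOk "$($os.Caption) ($installType)"

    # The host must reside in an Active Directory domain.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    Add-Check 'Domain-joined' ([bool]$cs.PartOfDomain) $cs.Domain

    # .NET Framework 4.7.2 or later: Release 461808 is the lowest value that identifies 4.7.2.
    $release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
    Add-Check '.NET Framework >= 4.7.2' ($release -ge 461808) "Release=$release"

    # TLS 1.2 must not be disabled for the Schannel client. Server 2012 and later enable it
    # by default, so a missing override key counts as enabled; Enabled=0 or DisabledByDefault=1 fails.
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tls = Get-ItemProperty $tlsKey -ErrorAction SilentlyContinue
    $tlsOk = ($null -eq $tls) -or (($tls.Enabled -ne 0) -and ($tls.DisabledByDefault -ne 1))
    $tlsDetail = $(if ($tls) { "Enabled=$($tls.Enabled) DisabledByDefault=$($tls.DisabledByDefault)" } else { 'OS default (no override key)' })
    Add-Check 'TLS 1.2 client enabled' $tlsOk $tlsDetail

    # TCP 443 outbound to PingOne for Enterprise (WebSocket connection).
    $tcp = Test-NetConnection -ComputerName $PingOneHost -Port 443 -WarningAction SilentlyContinue
    Add-Check 'TCP 443 outbound reachable' ([bool]$tcp.TcpTestSucceeded) "${PingOneHost}:443"

    # With IWA enabled, report anything already listening on TCP 80 that would conflict
    # with inbound IWA connections (assumption: AD Connect needs the port to itself).
    if ($IwaEnabled) {
        $listener = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
        $owner = if ($listener) { (Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue).ProcessName } else { 'none' }
        Add-Check 'TCP 80 free for IWA' (-not $listener) "existing listener: $owner"
    }
    return $checks
}

# Usage: replace the placeholder with your tenant's hostname before running.
Test-ADConnectPrereqs -PingOneHost 'PLACEHOLDER.pingone.example' -IwaEnabled | Format-Table -AutoSize
```

Any row with Pass = False should be resolved before running ADConnectSetup.msi; the account lockout and IWA client-platform notes above are policy settings that this script cannot check.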
About this task
You must install AD Connect on a Windows Server host that resides in an Active Directory domain.
If you’re installing AD Connect on a host in a DMZ, you must ensure some ports are open. For more information, see AD Connect in a DMZ.
Steps
1. Go to Setup → Identity Repository, and then click Connect to an Identity Repository.
   If you are changing to AD Connect from another identity repository, click Change Identity Repository.
2. Select Active Directory. Click Next.
3. Download AD Connect:
   - Click Download AD Connect and save the adconnect-installer.zip file to your directory.
   - Extract the .zip file and open the ADConnectSetup.msi file to start the installer.
   - When the installer starts, click Next.
   - On the Installation Type window, select AD Connect. Click Next.
   - Optional: To enable users and groups to be automatically provisioned into PingOne for Enterprise, select Enable user provisioning.
4. Set up the product key:
   - In PingOne for Enterprise, on the Set Up Product Key tab, in the Product Key text field, enter a key.
   - In the AD Connect installer, in the Enter Product Key field, enter the same key you entered in the previous step.
5. Install AD Connect:
   - From the Install AD Connect tab in PingOne for Enterprise, copy the Organization ID value.
   - In the AD Connect installer, paste the value in the Enter Organization ID field and click Activate.
     Result: If the product key and organization ID match in both PingOne for Enterprise and the AD Connect installer, the AD Connect installer displays a confirmation message.
   - Click Next.
   - In the Destination Folder window, enter the destination folder where you will install AD Connect. Click Next.
   - Click Install.
   - When the installation finishes, click Finish.
   - In PingOne for Enterprise, click Verify Installation.
     Result: PingOne for Enterprise displays a message confirming the installation.
   - Click Next.
6. In PingOne for Enterprise, from the Authentication - Account Lookup Method list, select the Active Directory attribute to verify the user account. Choose from:
   - Mail: The email address assigned to the user.
   - sAMAccountName: The legacy Windows login name for the user.
   - Filter: An LDAP filter to use when looking up the account information for the user.
   - userPrincipalName: Typically the user’s email address without the divider or the domain.
7. From the Subject Attribute list, choose a value to return to your applications as the SAML subject.
   Possible values are sAMAccountName or userPrincipalName. userPrincipalName is appropriate for most organizations.
8. Optional: To pass Windows credentials through your web browsers for automated authentication, click Enable Integrated Windows Authentication.
   This requires further configuration for your web browsers. For more information, see Using IWA with browser clients.
9. Optional: To allow users to reset their Active Directory password from the PingOne for Enterprise sign-on page, click Enable Password Change.
10. Optional: To return all of the nested group memberships for your users, click Enable Group Hierarchy.
    Enabling this option can cause sign-ons to take longer.
11. Click Next.
12. On the Map Attributes tab, map attributes from Active Directory to the SAML assertions for your applications:
    - For the SAML_SUBJECT list, select the same value that you chose for the Subject Attribute list in the previous tab.
    - For the memberOf attribute, select memberOf.
    - For the fname attribute, select givenName.
    - For the lname attribute, select sn.
    - For the email attribute, select mail.
    - For the phoneNumber attribute, select telephoneNumber.
13. Click Save.
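The Account Lookup Method choices and the Map Attributes step above can be dry-run against the directory before you save, which shows what each lookup method actually queries, why a non-unique attribute cannot identify a user, and what Enable Group Hierarchy adds to the memberOf value. The script below is an added example, not Ping Identity code and not how AD Connect itself is implemented; it assumes the ActiveDirectory RSAT module is installed and the session runs as a domain user. The function name, the sign-on value and the use of the LDAP_MATCHING_RULE_IN_CHAIN matching rule for nested groups are this example's own choices.

```powershell
# Added example (not Ping Identity code): resolve a sign-on value with each Account Lookup
# Method and return the attribute values the Map Attributes tab would place in the assertion.
# Assumes the ActiveDirectory module (RSAT) is available and the caller is a domain user.
Import-Module ActiveDirectory

# RFC 4515 escaping: a user-typed login value is compared only as a literal and can never
# change the filter structure. Backslash is escaped first so later escapes are not re-escaped.
function ConvertTo-LdapFilterValue([string]$Value) {
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Resolve-PingOneLookup {
    param(
        [Parameter(Mandatory)][ValidateSet('mail', 'sAMAccountName', 'userPrincipalName', 'Filter')]
        [string]$Method,
        # The value the user signs on with, or the administrator's LDAP filter when -Method Filter
        [Parameter(Mandatory)][string]$Value,
        # Mirrors Enable Group Hierarchy: return nested memberships rather than direct ones only
        [switch]$GroupHierarchy
    )
    $filter = switch ($Method) {
        'Filter' { $Value }   # administrator-authored; must already be a complete LDAP filter
        default  { "(&(objectCategory=person)(objectClass=user)($Method=$(ConvertTo-LdapFilterValue $Value)))" }
    }
    $props = 'givenName', 'sn', 'mail', 'telephoneNumber', 'memberOf', 'userPrincipalName', 'sAMAccountName'
    $accounts = @(Get-ADUser -LDAPFilter $filter -Properties $props)

    if ($accounts.Count -eq 0) { throw "No account matched the $Method lookup." }
    if ($accounts.Count -gt 1) {
        # mail is not guaranteed unique in AD; a lookup method that matches two accounts cannot identify a user
        throw "The $Method lookup matched $($accounts.Count) accounts; the attribute is not unique."
    }
    $user = $accounts[0]

    $groups = @($user.memberOf)   # direct memberships only, what the default mapping returns
    if ($GroupHierarchy) {
        # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the domain controller walk
        # nested membership server-side; this extra work is why sign-ons take longer with the option on.
        $dn = ConvertTo-LdapFilterValue $user.DistinguishedName
        $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                    Select-Object -ExpandProperty DistinguishedName)
    }

    # The Map Attributes tab: SAML_SUBJECT = userPrincipalName (suitable for most organizations),
    # fname = givenName, lname = sn, email = mail, phoneNumber = telephoneNumber, memberOf = memberOf.
    [pscustomobject]@{
        SAML_SUBJECT = $user.userPrincipalName
        fname        = $user.givenName
        lname        = $user.sn
        email        = $user.mail
        phoneNumber  = $user.telephoneNumber
        memberOf     = $groups
        LdapFilter   = $filter
    }
}

# Constructed usage: resolve a sign-on by UPN and include nested groups (the UPN is a made-up value).
Resolve-PingOneLookup -Method userPrincipalName -Value 'jdoe@corp.example' -GroupHierarchy
```

Running the same sign-on value through -Method mail and -Method sAMAccountName shows whether each attribute is populated and unique for your accounts before you commit to a lookup method; the LdapFilter field in the output is the query that was sent, so an administrator-supplied -Method Filter can be reviewed the same way.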
Next steps
To assign branding for your AD Connect connection, see Assign AD Connect branding and designs.