If your network uses multiple domains in a single server forest, you need to configure only one domain within PingFederate, as long as that domain has a trust relationship with the other domains you want to use.
This configuration requires a trust relationship among domains, which is established by default when subdomains or separate domains are created within the same forest. For more information, see https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)?redirectedfrom=MSDN.
If you are configuring only one domain, then you also need to configure only one Service Principal Name. For more information, see Configuring the Active Directory environment.
If your network topology consists of multiple forests without a trust relationship between them, you must configure multiple adapter or token processor instances. Map each instance to a separate domain and then map these adapter or token processor instances to your service provider (SP) connections that authenticate using the integrated Kerberos Adapter, the integrated Kerberos Token Processor, or the separately available IWA Adapter.
For information about configuring the PingFederate Integrated Windows Authentication (IWA) adapter for multiple-domain Active Directory trusts, see https://support.pingidentity.com/s/article/How-to-configure-IWA-with-multiple-Active-Directory-trusts.