This configuration is not required for browser-only implementations (passive WS-Federation).

For this credential to be verified, Office 365 relays them to PingFederate using the WS-Trust protocol. For the username and password to be validated, a username token processor is set up to bind to the domain controller. Whenever requests are sent to PingFederate, they include a UsernameToken element that PingFederate passes along for authentication.


With PingFederate 6.11 or later, you can also configure the Kerberos token processor to allow the STS to accept and validate Kerberos tokens and to enable SSO for clients that support Kerberos authentication.

  1. In the PingFederate administrative console, got to IdP Configuration > Application Integration Settings > Toekn Processors.

    If the Token Processors menu item is not present under Application Integration, make sure that WS-Trust is enabled in the Roles and Protocols section of the Server Settings window. For more information, see Choosing roles and protocols in the PingFederate documentation.

  2. Click Create New Instance.
  3. On the Type tab, in the Instance Name field, enter a name for the token processor.
  4. In the Instance ID field, enter an ID.
  5. In the Type list, select Username Token Processor.

    For PingFederate 7.2 or later, select Username Token Processor from in the Type list and follow the steps in the Configuring a Username Token Processor Instance section of the PingFederate documentation. When finished, skip to step 8.

    Screen capture of the Type tab showing the required Instance Name, Instance Id and Type fields.
  6. Click Next.
  7. On the Instance Configuration tab, select the LDAP Password Credential Validation instance that was previously configured.
  8. Click Next on both the Instance Configuration and Token Attributes tabs.
  9. Click Done on the Summary tab.
  10. Click Save on the Manage Token Processors tab.

    If you need to support multiple Office 365 subdomain accounts using one SP connection in PingFederate 7.2 or later, repeat steps 1-6 to create additional token processors against your LDAP password credential validators. For more information, see Creating a password credential validator.