To allow email clients, mobile phones, and other active clients that use Office 365 to authenticate, users must provide the username and password of their AD domain account.
This configuration is not required for browser-only implementations (passive WS-Federation).
For these credentials to be verified, Office 365 relays them to PingFederate using the WS-Trust protocol. For the username and password to be validated, a username token processor is set up to bind to the domain controller. Whenever requests are sent to PingFederate, they include a UsernameToken element that PingFederate passes along for authentication.
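Because the UsernameToken carries the user's AD password inside the WS-Trust request, any capture or debug log of these messages should have the password removed first. The following is an added example, not part of the PingFederate documentation: it parses a constructed request and returns a log-safe copy. The sample message, the account name, and the function name are assumptions, as is the use of SOAP 1.2 with the WS-Security 1.0 namespace.

```python
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")

# Constructed sample request; the user and password are placeholders.
# For messages from untrusted sources, use a hardened XML parser instead.
SAMPLE_RST = f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:wsse="{NS['wsse']}">
  <s:Header>
    <wsse:Security>
      <wsse:UsernameToken>
        <wsse:Username>alice@example.com</wsse:Username>
        <wsse:Password Type="{PASSWORD_TEXT}">constructed-secret</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


def redact_username_token(soap_xml: str) -> dict:
    """Return the username, the password type and a log-safe copy of the message."""
    root = ET.fromstring(soap_xml)
    token = root.find("s:Header/wsse:Security/wsse:UsernameToken", NS)
    if token is None:
        raise ValueError("no wsse:UsernameToken in SOAP header")
    username = token.findtext("wsse:Username", default="", namespaces=NS)
    password = token.find("wsse:Password", NS)
    cleartext = False
    if password is not None:
        # Per the UsernameToken profile, a missing Type means PasswordText.
        cleartext = password.get("Type", PASSWORD_TEXT) == PASSWORD_TEXT
        password.text = "[REDACTED]"
    return {
        "username": username,
        "cleartext_password": cleartext,
        "log_safe_xml": ET.tostring(root, encoding="unicode"),
    }


if __name__ == "__main__":
    result = redact_username_token(SAMPLE_RST)
    print(result["username"], result["cleartext_password"])
    print(result["log_safe_xml"])
```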
With PingFederate 6.11 or later, you can also configure the Kerberos token processor to allow the STS to accept and validate Kerberos tokens and to enable SSO for clients that support Kerberos authentication.
- In the PingFederate administrative console, go to .
If the Token Processors menu item is not present under Application Integration, make sure that WS-Trust is enabled in the Roles and Protocols section of the Server Settings window. For more information, see Choosing roles and protocols in the PingFederate documentation.
- Click Create New Instance.
- On the Type tab, in the Instance Name field, enter a name for the token processor.
- In the Instance ID field, enter an ID.
- In the Type list, select Username Token
For PingFederate 7.2 or later, select Username Token Processor from the Type list and follow the steps in the Configuring a Username Token Processor Instance section of the PingFederate documentation. When finished, skip to step 8.
- Click Next.
- On the Instance Configuration tab, select the LDAP Password Credential Validation instance that was previously configured.
- Click Next on both the Instance Configuration and Token Attributes tabs.
- Click Done on the Summary tab.
- Click Save on the Manage Token
If you need to support multiple Office 365 subdomain accounts using one SP connection in PingFederate 7.2 or later, repeat steps 1-6 to create additional token processors against your LDAP password credential validators. For more information, see Creating a password credential validator.