A single PingFederate server connection can support multiple Azure AD / Office 365 domains. This functionality relies on the Virtual Server ID (VSID) feature.

The VSID value overrides the WS-Federation Realm value configured in the server settings. A VSID should be created for each domain you are going to federate with and added to the connection configuration.

The same VSID value should be used for the IssuerURI parameter when configuring federation settings on the Azure AD side. The encoded VSID value should be added to all endpoint URIs so that incoming requests can be routed to the correct virtual server and processed correctly by the PingFederate server.

Note:

If you use the Azure AD Connect wizard to federate with the PingFederate server, it generates the VSID value for each specified domain. This parameter is listed in the configuration file, which should be exported from the wizard to obtain the required PingFederate server settings. The Azure AD Connect wizard adds the encoded VSID value to all corresponding URIs while completing the Azure AD side configuration.

If you decide to use manual configuration, consider the case where both the engineering and marketing departments of contoso.com have their own departmental subdomains, engineering.contoso.com and marketing.contoso.com, and both are registered in Azure AD or Office 365 under the parent domain, contoso.com. As an example, their IssuerUri values are Engineering and Marketing, respectively.

Note:

When you run the Set-MsolDomainAuthentication PowerShell command, you must include the base64url-encoded value of the VSID representing that subdomain in the paths for the ActiveLogOnUri, LogoffUri, PassiveLogOnUri, and MetadataExchangeUri parameters.

  1. Construct a JSON object containing a key-value pair of the virtual server ID in the format {"vsid":"<VirtualServerIdValue>"}.
    {"vsid":"Engineering"}
  2. Base64url-encode the JSON object (URL-safe alphabet, no "=" padding).
    eyJ2c2lkIjoiRW5naW5lZXJpbmcifQ
  3. Insert the base64url-encoded value between /idp or /pf and the rest of the respective endpoint for ActiveLogOnUri, LogoffUri, PassiveLogOnUri, and MetadataExchangeUri.
    $activeLogOn = "$pingfederate/idp/eyJ2c2lkIjoiRW5naW5lZXJpbmcifQ/sts.wst"
    $logOff = "$pingfederate/idp/eyJ2c2lkIjoiRW5naW5lZXJpbmcifQ/prp.wsf"
    $metaData = "$pingfederate/pf/eyJ2c2lkIjoiRW5naW5lZXJpbmcifQ/sts_mex.ping?PartnerSpId=$spId"
    $passiveLogOnPF = "$pingfederate/idp/eyJ2c2lkIjoiRW5naW5lZXJpbmcifQ/prp.wsf"
  4. Repeat steps 1-3 for each subdomain.

    For more information about base64url, see RFC 4648 on the Internet Engineering Task Force (IETF) website.
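The four steps above, carried through for every subdomain, as an added PowerShell example that is not part of the original documentation. It assumes the PingFederate base URL, the PartnerSpId, the signing certificate placeholder and the domain-to-VSID table, and it checks its own encoding against the Engineering value shown in step 2 before touching any domain.

```powershell
function ConvertTo-VsidPathSegment {
    param([Parameter(Mandatory)][string]$VirtualServerId)
    # Step 1: compact JSON object, e.g. {"vsid":"Engineering"}
    $json = @{ vsid = $VirtualServerId } | ConvertTo-Json -Compress
    # Step 2: base64url per RFC 4648 section 5: URL-safe alphabet, padding stripped
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
    return $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-VsidEndpointUris {
    param(
        [Parameter(Mandatory)][string]$VirtualServerId,
        [Parameter(Mandatory)][string]$PingFederateBaseUrl,
        [Parameter(Mandatory)][string]$PartnerSpId
    )
    $seg = ConvertTo-VsidPathSegment -VirtualServerId $VirtualServerId
    # Step 3: the encoded segment sits between /idp or /pf and the endpoint name
    [pscustomobject]@{
        IssuerUri           = $VirtualServerId
        ActiveLogOnUri      = "$PingFederateBaseUrl/idp/$seg/sts.wst"
        LogOffUri           = "$PingFederateBaseUrl/idp/$seg/prp.wsf"
        PassiveLogOnUri     = "$PingFederateBaseUrl/idp/$seg/prp.wsf"
        MetadataExchangeUri = "$PingFederateBaseUrl/pf/$seg/sts_mex.ping?PartnerSpId=$PartnerSpId"
    }
}

# Guard: the encoder must reproduce the documented value before any domain is changed
if ((ConvertTo-VsidPathSegment 'Engineering') -ne 'eyJ2c2lkIjoiRW5naW5lZXJpbmcifQ') {
    throw 'VSID encoding does not match the documented example; aborting'
}

# Constructed sample inputs (assumed values, replace with your own)
$PingFederate       = 'https://pingfederate.contoso.com:9031'
$SpId               = 'urn:federation:MicrosoftOnline'
$SigningCertificate = '<BASE64-ENCODED-PINGFEDERATE-SIGNING-CERT>'   # placeholder
$Domains            = @{ 'engineering.contoso.com' = 'Engineering'
                         'marketing.contoso.com'   = 'Marketing' }

# Step 4: one Set-MsolDomainAuthentication call per subdomain (run Connect-MsolService first)
foreach ($domain in $Domains.Keys) {
    $u = Get-VsidEndpointUris -VirtualServerId $Domains[$domain] `
                              -PingFederateBaseUrl $PingFederate -PartnerSpId $SpId
    Set-MsolDomainAuthentication -DomainName $domain -Authentication Federated `
        -IssuerUri $u.IssuerUri -ActiveLogOnUri $u.ActiveLogOnUri -LogOffUri $u.LogOffUri `
        -PassiveLogOnUri $u.PassiveLogOnUri -MetadataExchangeUri $u.MetadataExchangeUri `
        -SigningCertificate $SigningCertificate -PreferredAuthenticationProtocol WsFed
}
```

Each IssuerUri must match the VSID configured on the PingFederate connection exactly, since a mismatch means Azure AD will reject tokens issued for that subdomain.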