A single PingFederate server connection can support multiple Azure AD / Office 365 domains. This functionality relies on using Virtual Server ID (VSID) feature.

The VSID value overrides the WS-Federation Realm value configured in the server settings. It should be created for each domain you are going to federate with and added to the connection configuration.

The same VSID value should be used for the IssuerURI parameter while configuring federation settings on the Azure AD side. The encoded VSID value should be added to all endpoint URIs, so the incoming requests can be processed correctly by the PingFederate server.


If you use the Azure AD Connect wizard to federate with PingFederate server, it generates the VSID value for each specified domain. This parameter is listed in the configuration file, which should be exported from the wizard to obtain required PingFederate server settings. The Azure AD Connect wizard adds the encoded VSID value to all corresponding URIs while completing the Azure AD side configuration.

In a situation where you decide to use manual configuration, if both the engineering and marketing departments of contoso.com have their own departmental subdomains, engineering.contoso.com and marketing.contoso.com, they are both registered in Azure AD or Office 365 under the parent domain, contoso.com. As an example, their IssuerUri values are Engineering and Marketing, respectively.


When you run the Set-MsolDomainAuthentication PowerShell command, you must include the base64-encoded value of the VSID presenting that subdomain in the paths for the ActiveLogOnUri, LogoffUri, PassiveLogOnUri, and MetadataExchangeUri parameters.

  1. Construct a JSON object containing a key-value pair of the virtual server ID in the format of {"vsid":"<VirtualServerIdValue>"}.
  2. Base64url-encode the JSON object.
  3. Insert the base64url-encoded value between /idp or /pf and the rest of the respective endpoint for ActiveLogOnUri, LogoffUri, PassiveLogOnUri, and MetadataExchangeUri.
    $activeLogOn = “$pingfederate/idp/eyJ2c2lkIjoiRW5naW5lZXJpbmcifQ/sts.wst”
    $logOff = “$pingfederate/idp/eyJ2c2lkIjoiRW5naW5lZXJpbmcifQ/prp.wsf”
    $metaData = "$pingfederate/pf/eyJ2c2lkIjoiRW5naW5lZXJpbmcifQ/sts_mex.ping?PartnerSpId=$spId"
    $passiveLogOnPF = “$pingfederate/idp/eyJ2c2lkIjoiRW5naW5lZXJpbmcifQ/prp.wsf”
  4. Repeat step 1-3 for each subdomain.

    For more information about base64url, see RFC 4648 on the Internet Engineering Task Force (IETF) website.