1. On the WS-Trust STS tab, click Configure WS-Trust STS.
  2. On the Protocol Settings tab,
    1. In the Partner Service Identifier field, enter urn:federation:MicrosoftOnline. Click Add.
    2. In the same field, enter the active logon URI.
      To get this value, take the URL that was passed as the ActiveLogOnUri parameter to the Set-MsolDomainFederationSettings PowerShell cmdlet, then remove the URI scheme.
      For example: pf01.contoso.com:9031/idp/sts.wst
    3. From the Default Token Type list, select SAML 1.1 for Office 365.
    4. Click Next.
  3. On the Token Lifetime tab, click Next.
  4. On the Token Creation tab, configure the token.
    1. Click Configure Token Creation.
    2. On the Attribute Contract tab, map the following attributes, and then click Next.
      Attribute         Attribute Name Format
      ImmutableID       http://schemas.microsoft.com/LiveID/Federation/2008/05
      UPN               http://schemas.xmlsoap.org/claims
      SAML_NAME_FORMAT  http://schemas.xmlsoap.org/claims

    3. On the Request Contract tab, click Next.
    4. On the IdP Token Processor Mapping tab, click Map New Token Processor Instance.
    5. On the Token Processor Instance tab, from the Token Processor Instance list, select UsernameTokenProcessor. Click Next.
    6. If you have virtual server IDs for multiple subdomains: on the Virtual Server IDs tab, select the Restrict Virtual Server IDs check box.
    7. Select the check box for the virtual server ID that represents the subdomain associated with this token processor. Click Next.
      For more information, see Restricting a token processor to certain virtual server IDs in the PingFederate documentation.
      Tip:

      If you have a single token processor for users across multiple subdomains, create an OGNL expression to verify the virtual server ID and other conditions, such as group membership.

      For help with OGNL expressions, see Defining issuance criteria for IdP Browser SSO, Enabling and disabling expressions, and Constructing OGNL expressions in the PingFederate documentation.

    8. On the Attribute Retrieval tab, select Retrieve additional attributes from data stores to fulfill the attribute contract. Click Next.
    9. On the Attribute Sources & User Lookup tab, complete the steps in Configuring attribute source and user lookup for token processors, and then click Next.
    10. On the Attribute Contract Fulfillment tab, create the following mappings, and then click Next.
      Attribute Contract  Source                   Value
      ImmutableID         LDAP (<Your datastore>)  objectGUID
      SAML_NAME_FORMAT    Text                     urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      TOKEN_SUBJECT       LDAP (<Your datastore>)  objectGUID
      UPN                 LDAP (<Your datastore>)  userPrincipalName

    11. If you use a single token processor instance for users in multiple subdomains, on the Issuance Criteria tab, create an OGNL expression to verify the virtual server ID and other conditions, such as group membership.
      Note:

      For help with OGNL expressions, see Defining issuance criteria for IdP Browser SSO, Enabling and disabling expressions, and Constructing OGNL expressions in the PingFederate documentation.

    12. Click Next.
    13. On the Summary tab, click Done.
    14. If you have more token processor instances (Username or Kerberos token processors), repeat sub-steps 4 through 12 of this step for each one.
      Note:

      When completing sub-step 6 (the Virtual Server IDs tab), each username token processor must have a different virtual server ID.

    15. On the Token Creation > IdP Token Processor Mapping tab, click Next.
    16. On the Summary tab, click Done.
  5. On the WS-Trust STS > Token Creation tab, click Next.
  6. On the Summary tab, click Done.
  7. On the SP Connection > WS-Trust STS tab, click Next.