PingFederate supports a wide selection of integration kits that plug into the PingFederate server enabling it to interface with various identity management systems. After authentication, PingFederate can look up more attributes in various data stores to collect additional information that is placed in the SAML token passed to Office 365.
Regardless of which integration kit is used or the source of the attributes, two things need to be provided to Office 365:
- User Principal Name (UPN)
  - Format it as an email address; the domain name must match the domain name registered with Office 365. For example, if the domain contoso.com is created using the New-MsolDomain PowerShell command, then the UPN attribute value in the SAML assertion for all users must be their username followed by @contoso.com.
  - Note: The UPN of the user in AD can be different from what is placed in the SAML assertion created by PingFederate.
- ImmutableID
  - Azure AD Connect (described below) copies this Id to the cloud when it creates Azure AD accounts. The ImmutableID, which uniquely represents the user in AD, is an immutable identifier used to associate local and remote identities. The AD attribute is a binary value, so it must be base-64 encoded in order to be transmitted in a SAML token.
  - Note: The expected value can be determined by examining the ImmutableID attribute output by the Get-MsolUser PowerShell command after synchronization is set up.
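The following script is an added example, not part of this page or of any Ping Identity or Microsoft tooling; it checks constructed UPN and ImmutableID attribute values against the two requirements above. It is written in Python rather than PowerShell so it runs offline with no AD or Azure connection: the domain contoso.com, the user jdoe, the objectGUID value and the attribute names UPN and ImmutableID are all constructed. The detail it captures is the byte order: AD stores objectGUID in the .NET Guid layout (first three fields little-endian), which is what `System.Guid.ToByteArray()` returns in PowerShell and what `uuid.UUID.bytes_le` returns in Python, so base-64 of those bytes is the value Get-MsolUser shows as ImmutableId. Encoding the GUID's text form or its canonical big-endian bytes produces a value that never matches the synchronized account.

```python
"""Check the two attributes Office 365 expects in a PingFederate SAML assertion:
a UPN whose domain is registered with the tenant, and an ImmutableID that is the
base-64 encoding of the user's raw AD objectGUID bytes.  Sample data is constructed."""
import base64
import uuid

# Constructed: domains that would have been created with New-MsolDomain.
REGISTERED_DOMAINS = {"contoso.com"}


def expected_immutable_id(object_guid: str) -> str:
    """Return the ImmutableID that Azure AD Connect derives from an objectGUID.

    uuid.UUID.bytes_le reproduces System.Guid.ToByteArray(): the first three
    fields little-endian, the remaining eight bytes as written.  This is the raw
    byte order AD stores, so base-64 of it is the expected assertion value.
    """
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Decode an assertion's ImmutableID back to a GUID string for comparison
    with what AD reports.  Raises ValueError if it is not a base-64 GUID."""
    raw = base64.b64decode(immutable_id, validate=True)  # binascii.Error is a ValueError
    if len(raw) != 16:
        raise ValueError(f"decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def check_upn(upn: str, registered_domains=REGISTERED_DOMAINS) -> list:
    """Return a list of problems with the UPN value; an empty list means it is OK."""
    local, sep, domain = upn.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return [f"UPN {upn!r} is not formatted as user@domain"]
    if domain.lower() not in {d.lower() for d in registered_domains}:
        return [f"UPN domain {domain!r} is not registered with Office 365"]
    return []


def check_assertion(attrs: dict, ad_object_guid: str,
                    registered_domains=REGISTERED_DOMAINS) -> list:
    """Validate the UPN and ImmutableID values an assertion carries for a user
    whose AD objectGUID is ad_object_guid.  Returns a list of problems."""
    problems = check_upn(attrs.get("UPN", ""), registered_domains)
    sent = attrs.get("ImmutableID", "")
    try:
        decoded = immutable_id_to_guid(sent)
    except ValueError as exc:
        return problems + [f"ImmutableID {sent!r} is not a base-64 GUID: {exc}"]
    if decoded.lower() != ad_object_guid.lower():
        problems.append(
            f"ImmutableID decodes to {decoded} but AD objectGUID is {ad_object_guid} "
            "(encode the raw AD bytes, not the GUID string or its big-endian form)")
    return problems


if __name__ == "__main__":
    guid = "12345678-1234-5678-9abc-def012345678"  # constructed objectGUID
    good = {"UPN": "jdoe@contoso.com", "ImmutableID": expected_immutable_id(guid)}
    # Two common mistakes: an unregistered UPN suffix, and encoding the GUID's
    # canonical big-endian bytes instead of the raw AD byte order.
    bad = {"UPN": "jdoe@contoso.local",
           "ImmutableID": base64.b64encode(uuid.UUID(guid).bytes).decode("ascii")}
    for label, attrs in (("good", good), ("bad", bad)):
        print(label, check_assertion(attrs, guid) or "OK")
```

Run against real data, `expected_immutable_id` takes the objectGUID string shown by Get-ADUser and its output should equal the ImmutableId shown by Get-MsolUser for the same account; any mismatch is a byte-order or wrong-attribute problem to fix before the first federated sign-in.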
PingFederate packages an HTML Form adapter that renders a simple HTML form in which users can enter their username and password. This credential can be checked against AD using the previously configured password credential validator. Follow these steps to set up this adapter in PingFederate.
These installation steps are provided for a configuration where the objectGUID attribute is selected for ImmutableID. If you are using a different attribute for this purpose (such as msDS-ConsistencyGuid), be sure to align it
- In the PingFederate administrative console, go to .
- On the Manage IdP Adapter Instances tab, click Create New Instance.
- On the Type tab, enter an Instance Name and Instance ID and select HTML Form IdP Adapter as the Type.
- On the IdP Adapter tab, click Add a new row to 'Credential Validators'.
- In the Password Credential Validator Instance list, select the validator ID you previously configured, and click Update.
- Click Next.
- On the Adapter Attributes tab, select the username checkbox under Pseudonym and click Next.
- On the Summary tab, click Done.
- Click Save to complete the HTML Form IdP Adapter configuration.