Regardless of which integration kit is used or the source of the attributes, two things need to be provided to Office 365:

User Principal Name (UPN)
Formatted as an email address; the domain name must match the domain name registered with Office 365. For example, if the domain is created using the New-MsolDomain PowerShell command, then the UPN attribute value in the SAML assertion for all users must be their username followed by

The UPN of the user in AD can be different from what is placed in the SAML assertion created by PingFederate.

ImmutableID
The ImmutableID, which uniquely represents the user in AD, is an immutable identifier used to associate local and remote identities. Azure AD Connect (described below) copies this ID to the cloud when it creates Azure AD accounts. The AD attribute is a binary value, so it must be base64-encoded in order to be transmitted in a SAML token.

The expected value can be determined by examining the ImmutableID attribute output by the Get-MsolUser PowerShell command after synchronization is set up.
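A check for the ImmutableID encoding described above, as an added example that is not part of the original guide or PingFederate's own code. It assumes objectGUID is the source attribute, whose 16 raw bytes AD stores in mixed-endian order; the function names and the sample GUID are constructed for illustration.

```python
import base64
import binascii
import uuid

# Constructed sample GUID, not taken from any real directory.
SAMPLE_GUID = "00112233-4455-6677-8899-aabbccddeeff"


def guid_to_immutable_id(guid_text: str) -> str:
    """Base64 of the 16 raw objectGUID bytes in AD's mixed-endian layout."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def immutable_id_to_guid(immutable_id: str) -> str:
    """Decode an ImmutableID back to the GUID text shown by AD tools."""
    try:
        raw = base64.b64decode(immutable_id, validate=True)
    except binascii.Error as exc:
        raise ValueError("ImmutableID is not valid base64") from exc
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def diagnose(asserted: str, guid_text: str) -> str:
    """Explain why a value seen in a SAML assertion does or does not match."""
    guid = uuid.UUID(guid_text)
    if asserted == guid_to_immutable_id(guid_text):
        return "match"
    # Common mistake 1: the GUID's big-endian (RFC 4122) bytes were encoded.
    if asserted == base64.b64encode(guid.bytes).decode("ascii"):
        return "wrong byte order"
    # Common mistake 2: the printable GUID string was encoded, not the binary.
    if asserted == base64.b64encode(str(guid).encode("ascii")).decode("ascii"):
        return "GUID text encoded instead of binary value"
    return "different object or different source attribute"


if __name__ == "__main__":
    expected = guid_to_immutable_id(SAMPLE_GUID)
    print(expected, immutable_id_to_guid(expected))
    print(diagnose("ABEiM0RVZneImaq7zN3u/w==", SAMPLE_GUID))
```

Compare the value from `guid_to_immutable_id` with the ImmutableID reported by Get-MsolUser and with the attribute in the SAML assertion; all three must be byte-for-byte identical.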

PingFederate packages an HTML Form adapter that renders a simple HTML form in which users can enter their username and password. This credential can be checked against AD using the previously configured password credential validator. Follow these steps to set up this adapter in PingFederate.


These installation steps are provided for a configuration where the objectGUID attribute is selected for ImmutableID. If you are using a different attribute for this purpose (such as msDS-ConsistencyGuid), be sure to adjust the configuration accordingly.

  1. In the PingFederate administrative console, go to My IdP Configuration > Adapters.
  2. On the Manage IdP Adapter Instances tab, click Create New Instance.
  3. On the Type tab, enter an Instance Name and Instance ID and select HTML Form IdP Adapter as the Type.
  4. On the IdP Adapter tab, click Add a new row to 'Credential Validators'.
  5. In the Password Credential Validator Instance list, select the validator ID you previously configured, and click Update.
  6. Click Next.
  7. On the Adapter Attributes tab, select the username checkbox under Pseudonym and click Next.
  8. On the Summary tab, click Done.
  9. Click Save to complete the HTML Form IdP Adapter configuration.