1. In the PingFederate administrator console, create a new SP connection:
    • For PingFederate 10.1 or later: go to Applications > Integration > SP Connections. Click Create Connection.
    • For PingFederate 10.0 or earlier: go to Identity Provider > SP Connections. Click Create Connection.
  2. Configure the connection protocols.
    1. On the Connection Template tab, select Do not use a template for this connection. Click Next.
    2. On the Connection Type tab select Browser SSO Profiles.
    3. In the Protocol list, select WS-Federation.
    4. In the WS-Federation Token Type list, select SAML 1.1.
    5. If you want to support active federation, select the WS-Trust STS check box.

      Passive federation is done with browser redirects and a sign-on form, whereas active federation allows an application to take responsibility for supplying credentials without further user interaction.

    6. Click Next.
    7. On the Connection Options tab, click Next.
  3. On the General Info tab, configure the basic connection information.
    1. In the Partner's Realm (Connection ID) field, enter urn:federation:MicrosoftOnline.
    2. In the Connection Name field, enter a name of your choosing.
    3. In the Virtual Server IDs field, enter the domain name to be used with Office 365, such as contoso.com, or leave this field blank to use the system default.

      This domain name must match the issuer entity ID from the PowerShell script described in Configuring a federated domain. When this field is blank, the connection uses the PingFederate system default. You must set either the Virtual Server ID or the system default.

      For help setting the system default, see Specifying federation information in the PingFederate documentation.


      To support multiple Office 365 subdomain accounts with one service provider (SP) connection, add a virtual server ID for each subdomain. Each virtual server ID value should match the issuer entity ID (IssuerUri) of the respective subdomain account in Office 365.

    4. Click Next.
  4. On the Browser SSO tab, complete the steps in Configuring browser SSO, and then click Next.
  5. If you see the WS-Trust STS tab, complete the steps in Configuring WS-Trust STS, and then click Next.
  6. On the Credentials tab, configure the connection credentials.
    1. Click Configure Credentials.
    2. On the Digital Signature Settings tab, in the Signing Certificate list, select the certificate that you want to use for the Office 365 connection.

      If you need to create a new certificate, click Manage Certificates. For help, see Managing digital signing certificate and decryption keys in the PingFederate documentation.

    3. Click Next.
    4. On the Summary tab, click Done.
    5. On the Credentials tab, click Next.
  7. On the Activation and Summary tab, above the Summary section, click the toggle to turn on the connection. Click Save.