Enabling federated authentication

The default authentication type in the Azure AD or Office 365 domain is managed, which means that access is provided only for Azure AD cloud user identities. To allow usage of the on-prem user accounts, change the authentication type to federated.

Tip:

Running the Azure AD Connect tool and following its prompts makes these required configuration changes automatically. The steps outlined here can be run manually if required.

You can complete the configuration manually using the Set-MsolDomainAuthentication PowerShell cmdlet. When you execute it, you must provide the URLs for PingFederate, the public portion of its signing certificate, and some other inputs.

Note:

The IssuerURI parameter should be unique so that Office 365 can identify your identity provider (IdP).

Export the signing certificate from PingFederate:
1. Go to Server Configuration > Signing & Decryption Keys & Certificates.
2. Export the applicable signing certificate to the local file system, such as C:\temp\pf-signing.crt.
3. When prompted, select Certificate Only.

Use PowerShell to remove unnecessary lines from the certificate file and configure federation for your Azure AD domain.

$certFile = "C:\temp\pf-signing.crt"
$cert = [IO.File]::ReadAllText($certFile)
$cert = $cert.replace("-----BEGIN CERTIFICATE-----","")
$cert = $cert.replace("-----END CERTIFICATE-----","")
$cert = $cert.replace("`r","")
$cert = $cert.replace("`n","")
$domainName = "<Federated Domain Name>"
$hostName = "<Hostname>.$domainName"
$port = 9031
$pingfederate = "https://${hostName}:$port"
$brandName = "<Federated Domain Alias>"
$issuer = "<WS-Federation Realm or Virtual Server ID>"
$spId = "urn:federation:MicrosoftOnline"
$activeLogOn = "$pingfederate/idp/sts.wst"
$logOff = "$pingfederate/idp/prp.wsf"
$metaData = "$pingfederate/pf/sts_mex.ping?PartnerSpId=$spId"
$passiveLogOnPF="$pingfederate/idp/prp.wsf"
Set-MsolDomainAuthentication -Authentication Federated -DomainName 
"$domainName" -ActiveLogOnUri  "$activeLogOn" -FederationBrandName 
"$brandName" -IssuerUri "$issuer"  -LogOffUri "$logOff" -MetadataExchangeUri 
"$metaData" -PassiveLogOnUri  "$passiveLogOnPF" -SigningCertificate "$cert"

For more information about the Set-MsolDomainAuthentication command, see Set-MsolDomainAuthentication in the Microsoft documentation.

To verify that the domain settings are up-to-date and in effect, run the Get-MsolDomainFederationSettings -DomainName <name> command.

Tip:
If you have multiple subdomain accounts in Office 365, you can connect to them in one service provider (SP) connection using multiple virtual server IDs in PingFederate 7.2 or later.

Enabling federated authentication - PingFederate

Azure AD and Office 365 Integration Guide