Use the following steps to configure Dynamics CRM to consume the federation metadata provided by the PingFederate SP connection.
  1. Access the Dynamics CRM server.
  2. If Dynamics CRM is configured for token signature validation, run mmc.exe and attach the Certificates (Local Computer) Snap-in.
    Import the signature verification certificate used in PingFederate or the certificate’s CA certificate into the appropriate certificate store. See Enabling ADFS 2.0 Token Signing for more information on token signature validation.
  3. If WS-Trust STS was configured for the CRM connection in PingFederate, import the encryption certificate used in PingFederate (see Select WS-Trust encryption algorithm) along with the certificate’s private key into the Dynamics CRM server’s personal certificate store. The Dynamics CRM server searches this store when configuring claims-based authentication.
  4. On the Dynamics CRM server, run the Microsoft Dynamics CRM Deployment Manager.
  5. Select Configure Claims-based Authentication and click Next.
  6. Enter the following URL for the Federation metadata URL and click Next:
    https://<pf_host>:<pf_port>/pf/federation_metadata.ping?PartnerSpId=<SPConnectionID>&forceIssuedTokenPolicy

    where:

    • <pf_host> is the host name or IP address where PingFederate is running.
    • <pf_port> is the port number for PingFederate.
    • <SPConnectionID> is the ID for the PingFederate SP Connection you configured above – for example,
      https://ping.crm.com/default.aspx
    Note: If an error appears stating that the Federation URL is unavailable, add PingFederate’s server certificate (signed by the domain controller) to the Dynamics CRM server to establish trust with PingFederate’s SSL server certificate.
  7. When prompted for the encryption certificate, use the same certificate shared with PingFederate (see Select WS-Trust encryption algorithm).
  8. Save the configuration and run iisreset from the command line so the Dynamics CRM server recognizes the changes.
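As an added pre-flight check, not part of the PingFederate or Dynamics CRM documentation, the following PowerShell run on the Dynamics CRM server builds the step 6 metadata URL, fetches it (surfacing the TLS trust problem described in the Note), and verifies that the token-signing certificate advertised in the metadata chains to a trusted root (step 2) and that the WS-Trust encryption certificate is present with its private key (step 3). `$PfHost`, `$PfPort`, `$SpConnectionId` and `$EncryptionThumbprint` are assumed placeholders to fill in.

```powershell
# Added pre-flight check; not from the PingFederate or Dynamics CRM docs.
# Assumed placeholders, replace with your own values:
$PfHost               = "pf.example.com"                         # <pf_host>
$PfPort               = 9031                                     # <pf_port>
$SpConnectionId       = "https://ping.crm.com/default.aspx"      # <SPConnectionID>
$EncryptionThumbprint = "<thumbprint-of-ws-trust-encryption-cert>"  # placeholder

# Step 6 URL. The SP Connection ID is itself a URL, so escape it instead of
# pasting it raw into the query string.
$metadataUrl = "https://{0}:{1}/pf/federation_metadata.ping?PartnerSpId={2}&forceIssuedTokenPolicy" -f `
    $PfHost, $PfPort, [System.Uri]::EscapeDataString($SpConnectionId)

# A TLS failure here is the "Federation URL is unavailable" case from the Note:
# this machine does not yet trust PingFederate's SSL server certificate.
try {
    $response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
} catch {
    throw "Could not fetch $metadataUrl : $($_.Exception.Message). If this is a TLS error, " +
          "import PingFederate's server certificate or its issuing CA into Cert:\LocalMachine\Root."
}
[xml]$metadata = $response.Content

# Step 2: find the signing certificate(s) PingFederate advertises. Namespace
# prefixes differ between documents, so match on local-name().
$signingNodes = $metadata.SelectNodes(
    "//*[local-name()='KeyDescriptor'][@use='signing']//*[local-name()='X509Certificate']")
if ($signingNodes.Count -eq 0) { throw "Metadata contains no signing KeyDescriptor." }

foreach ($node in $signingNodes) {
    $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    # Build a chain against the local stores; revocation is skipped because the
    # point here is only whether the cert (or its CA) has been imported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if ($chain.Build($cert)) {
        "Signing cert trusted: $($cert.Subject) [$($cert.Thumbprint)]"
    } else {
        Write-Warning "Signing cert $($cert.Thumbprint) (issuer $($cert.Issuer)) does not chain to a trusted root; import it or its CA (step 2)."
    }
}

# Step 3: the WS-Trust encryption certificate must sit in the machine Personal
# store together with its private key, or claims-based auth cannot decrypt tokens.
$encCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $EncryptionThumbprint }
if (-not $encCert) {
    Write-Warning "Encryption cert not found in Cert:\LocalMachine\My (step 3)."
} elseif (-not $encCert.HasPrivateKey) {
    Write-Warning "Encryption cert present but has no private key; re-import the PFX with its key (step 3)."
} else {
    "Encryption cert OK: $($encCert.Subject)"
}
```

Run it in an elevated PowerShell session before step 4 so the Deployment Manager wizard does not fail part-way; it only reads the certificate stores and never modifies them.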