PingID MFA Adapter for AD FS enables multi-factor authentication (MFA) capabilities for users that are signing on using Microsoft Active Directory Federation Services (AD FS).
You can install the PingID MFA Adapter on a single AD FS instance. If you have an AD FS farm deployment, you must install PingID MFA Adapter on each AD FS instance in the farm to enable MFA.
PingID MFA Adapter for AD FS can query user data originating from multiple Active Directory domains, based on the user claim presented during authentication.
An AD FS app is available in the Policy Apps list. Use it to apply PingID authentication policies specific to AD FS MFA. For more information, see Configuring an app or group-specific authentication policy
The following figure demonstrates a typical user flow.
- The user attempts to login to an application using their credentials. AD FS validates the user credentials against Active Directory.
- The PingID adapter for AD FS initiates an MFA request to the PingID service in the cloud.
- The PingID cloud service sends an MFA request to the user, as configured by their PingID policy.
- The user authenticates using the configured authentication method, such as Swipe, Mobile App Biometrics, or YubiKey. The PingID cloud service redirects the user back to AD FS.
- Using the SAML or OpenID Connect (OIDC) protocol, AD FS authorizes the Service Provider to grant access to the user.