Adding multi-factor authentication (MFA) is a procedure that carries the risk of being locked out of the machine. See Prerequisites for installing PingID integration for Windows login before proceeding.
To install the PingID integration for Windows login using the UI wizard:
-
On the PingID Downloads page, go to
Integrations, and download and extract PingID for Windows
login.
Note:
If your version of Windows login is more than two versions behind the current version listed on the downloads page, you must uninstall your current version of PingID for Windows login before you install the new version.
-
Double-click the PingIDWindowsLogin<version>.exe file to
launch the setup wizard, and then click Next.
-
Review the Software License Agreement, click I accept the
agreement, and then click Next.
-
In the Organization Information window, select either:
- PingID: Integrate PingID directly with Windows login.
- PingID through PingFederate: Integrate PingID with Windows login through PingFederate.
-
In the Organization Information window, click
Browse, and then select the
pingid.properties file that you want to use.
Note:
When integrating with PingFederate, for security reasons it is recommended that you use the
Windows and Mac login PingID properties file
in both the PingID Adapter, and in the Windows Login installation. -
If your connection is behind a proxy: click
Configure Proxy and then configure the options relevant for
your proxy. If you prefer to have the communication with PingFederate not go through the proxy,
click the Bypass proxy for PingFederate communications check box.
-
For PingID through PingFederate integration only: In the
base URL field, enter the PingFederate base URL, and then click
Next.
-
In the Authentication Type window:
- Select when you want to apply PingID authentication. Choose from:
- Remote and local login: Users are required to authenticate with PingID when connecting to Windows login locally or remotely.
- Remote logins: Users connecting to the Windows login machine remotely are required to authenticate with PingID. Users bypass PingID authentication when logging in locally.
- Local logins: Users connecting to the Windows login machine locally are required to authenticate with PingID. Users bypass PingID authentication when signing on remotely.
- (Optional) Select the relevant check box to apply PingID to Local
accounts, Microsoft accounts, or both.
- Local accounts: User accounts that are stored on the local machine.
- Microsoft accounts: Microsoft account used to
access Microsoft devices and services associated with a specific user.
For example,
johndoe@outlook.com
. The PingID integration for Windows recognizes all types of Microsoft accounts.
- Click Next. The Manual Authentication Methods window is displayed.
- Select when you want to apply PingID authentication. Choose from:
-
If PingID server is unavailable or the user is offline, for example, the connection
with the PingID server can't be verified at the time of sign on, either enable or
disable manual authentication:
- Enable manual authentication:
- In the Manual Authentication Methods window, select at least one manual authentication method and then click Next. The Authentication Type window displays offline authentication options.
- In the Authentication Type window, select whether to use
PingID offline MFA or
allow the user to bypass PingID MFA if the user is offline, such as no internet
connection. Select one of the following and then click
Next:
- Yes: The user is prompted to authenticate through the manual (offline) authentication flow. At least one offline authentication method must be paired for the user to authenticate, otherwise the user is blocked.
- No: If the user does not have at least one offline authentication method paired with their account, PingID bypasses MFA during sign on.
- Disable manual authentication and define behavior when the PingID server is offline:
- In the Manual Authentication Methods window, leave all check boxes cleared and click Next. The Offline Authentication page displays a list of options when the user is offline.
- In the Authentication Type window, select one of the
following, and then click Next:
- Block: The user cannot sign on while offline.
- Bypass: Bypass MFA with PingID, allowing user to complete sign on.
Note:- The PingID offline MFA feature is available from PingID integration for Windows login 2.0 or later, with a paired mobile device using PingID mobile app 1.8+.
- Pairing and use of a security key for offline authentication requires PingID integration for Windows login 2.3 or later. If using PingID integration for Windows login 2.2 or earlier, security key for offline authentication is not permitted, and the flow is different.
- Enable manual authentication:
-
In the PingID Username Mapping
window:
- In the Legacy username parsing convention field:
- Specify your organization's default domain. Domain format should be:
@domainname
, such as@somewhere.com
.- Maximum of 50 characters.
- The string entered in this field is appended to the username during sign on.
If specified, users can enter their username, such asjsmith
, rather than entering full user and domain name, as injsmith@pingidentity.com
.Note:- If you select this option without providing a default domain, the SAMAccountName is used.
- This option is not recommended in environments with multiple domains, or environments where PingID is also used to sign on locally.
- (Optional) Select Allow Multiple Domains to allow
the user to sign on from any domain in addition to the default domain. If
the user specifies a domain, that domain is used, otherwise the default
domain is used. This option is available with PingID for Windows login
2.2 and higher.Note:
- Do not use this option if you did not specify a default domain in the Legacy username parsing convention field.
- If you selected Allow Multiple Domains, users should use only the UserPrincipalName format (and not the samAccountName).
- If you applied PingID authentication to local or Microsoft accounts, the recommended username mapping is objectSID.
- Specify your organization's default domain. Domain format should be:
- In the Specific username mapping field, select the
attribute that you want to use to verify the user account. Attention:
For security reasons, when using Windows login in a multiple domain environment, it is recommended to use this configuration, rather than the legacy username parsing convention.
- Click Next.
- In the Legacy username parsing convention field:
-
In version 2.8 of the Windows login integration, an improved implementation was
introduced for the use of security keys while offline. If the installation program
detects security keys that were paired prior to this change, you are presented with
the following options:
- Allow: Allow users to continue using these keys (this option is not recommended)
- Inform: Allow users to continue using these keys, but inform them that these keys should be manually deleted
- Delete: Automatically delete the keys that were paired before the change was introduced
- To select the folder in which to install PingID, click Browse, select the destination folder or accept the default, and click Next.
- Click Install.
-
When the installation is complete, click Yes to restart the
computer and apply the changes.