Make sure:

  • You have installed AD FS 4.0 on Windows Server 2016 or AS FS 3.0 on Windows Server 2012 R2.
  • You have installed .NET 4.6 or later.
  • Port 443 is open to allow outbound communication with the PingID service. For further details about required URLs, see PingID required domains, URLs, and ports.
  • PingID integration for AD FS employs redirects and cross-site requests. Changes to cookie behavior implemented by browsers, such as Google Chrome v80, can cause disruptions to authentication flows. To ensure changes to cookie behavior do not cause disruptions to your authentication flows, make sure your AD FS servers have the latest SameSite cookie support updates from Microsoft. For information about the SameSite cookie changes introduced in Chrome v80, and details on how to upgrade your server, see this Microsoft support article.
Important:

This operation involves restarting the AD FS service. After the installation is complete, you must select the PingID MFA Adapter as an MFA method in AD FS.

Note:

If you have another MFA provider installed on your AD FS instance, but it is not configured correctly, you might not be able to install PingID MFA Adapter for AD FS and might receive an error when running the PingID MFA installer. We recommend that you disable any existing MFA authentication methods that you are not using before you install the PingID Adapter for AD FS.

  1. In the PingOne admin portal, go to Setup > PingID > Client Integration.
  2. In the Integrate with PingFederate and Other Clients section, click Download to download the pingid.properties file.
  3. On the PingID Downloads page, go to Integrations, and download and extract the PingID MFA Adapter for AD FS file.
  4. To launch the setup wizard, run PingIdAdfsAdapter<version>.exe.
  5. When the wizard launches, click Next.
  6. Review the Software License Agreement, click I accept the agreement, and then click Next.
  7. Click Browse, and then navigate to the pingid.properties file that you downloaded from the admin portal.
  8. Select the claim type that should be passed to the MFA adapter, and then click Next.

    PingID MFA adapter for AD FS supports the following claim types.

    Claim Type Description URI

    UPN

    The user principal name (UPN) of the user, in the format user@domain.com

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

    Windows account name

    The Windows Account Name of the user in the in the format DOMAIN\USER

    http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname
    Note:

    After the installation is complete, the claim type cannot be modified. For more information about claim types, see Microsoft's documentation on The role of claims.

    Note:

    Assess your environment and decide which claim type fits your specific environment. You must consider the effect the claim type will have on your environment setup.

    For example, if you have a split DNS implementation, where the UPN carries the external domain name, and the WindowsAccountName carries the internal domain name, you must use the WindowsAccountName claim type for the MFA Adapter. If you use the UPN claim type instead, the MFA Adapter attempts to locate the external domain name as an AD domain that does not exist and fails to retrieve the user from the AD.

  9. If you want to change the destination folder, click Browse and navigate to the relevant location, otherwise click Next.
  10. Click Install.

    After the installation finishes, the path to the installation log is displayed. The installation log provides additional information about the installation.

  11. Click Next, and then click Finish.

After the adapter is installed, enable PingID as an MFA provider. For more information, see Enabling PingID as an MFA provider in AD FS.