You can install the PingID MFA Adapter on a single AD FS instance. If you have an AD FS farm deployment, you must install PingID MFA Adapter on each AD FS instance in the farm to enable MFA.
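A farm-wide check for the requirement above, added here as an example and not taken from PingID's documentation or installer: it assumes Windows Server 2016+ AD FS (for Get-AdfsFarmInformation), PowerShell remoting to each node, and operator-supplied provider and assembly names, which this page does not give, so both are placeholders.

```powershell
# Added example, not part of the PingID documentation. Checks an AD FS farm for
# the two things the adapter needs: farm-wide registration/enablement of the
# MFA provider, and the adapter assembly present on every node.
# Assumptions: Windows Server 2016+ AD FS (Get-AdfsFarmInformation), PowerShell
# remoting to each node, and operator-supplied names (placeholders below);
# the PingID page does not give the provider or assembly name.
param(
    [string]$ProviderName = 'PLACEHOLDER-PINGID-PROVIDER-NAME',   # as listed by Get-AdfsAuthenticationProvider
    [string]$AssemblyName = 'PLACEHOLDER-PINGID-ADAPTER-ASSEMBLY'  # file name without .dll
)

# Registration and the global authentication policy live in the farm configuration
# database, so these two checks are farm-wide and run once.
$registered = (Get-AdfsAuthenticationProvider).Name -contains $ProviderName
$enabled    = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider -contains $ProviderName

# The adapter binary, however, is installed per node; a node without it cannot
# serve MFA even though the farm-wide registration says the provider exists.
$nodes = (Get-AdfsFarmInformation).FarmNodes.FQDN
$nodeReport = foreach ($node in $nodes) {
    try {
        $present = Invoke-Command -ComputerName $node -ErrorAction Stop -ScriptBlock {
            # .NET 4.x GAC root; an installed adapter assembly appears under GAC_MSIL/GAC_32/GAC_64.
            $gac = Join-Path $env:windir 'Microsoft.NET\assembly'
            [bool](Get-ChildItem -Path $gac -Recurse -Filter "$using:AssemblyName.dll" -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{ Node = $node; Reachable = $true;  AdapterPresent = $present }
    } catch {
        [pscustomobject]@{ Node = $node; Reachable = $false; AdapterPresent = $false }
    }
}

"Provider registered in farm: $registered"
"Provider enabled as additional authentication method: $enabled"
$nodeReport | Format-Table -AutoSize
$gaps = $nodeReport | Where-Object { -not $_.AdapterPresent }
if (-not $registered -or -not $enabled -or $gaps) {
    Write-Warning 'MFA is not fully enforced: fix the items above before relying on PingID for this farm.'
}
```

Run it on the primary AD FS node; a node reported as unreachable or missing the assembly is one where step 2 of the flow below cannot run.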

PingID MFA Adapter for AD FS can query user data originating from multiple Active Directory domains, based on the user claim presented during authentication.

An AD FS app is available in the Policy Apps list. Use it to apply PingID authentication policies specific to AD FS MFA. For more information, see Configuring an app or group-specific authentication policy.

The following figure demonstrates a typical user flow.

Diagram illustrating user authentication through PingID MFA Adapter for AD FS

Processing steps

  1. The user attempts to log in to an application using their credentials. AD FS validates the user credentials against Active Directory.
  2. The PingID adapter for AD FS initiates an MFA request to the PingID service in the cloud.
  3. The PingID cloud service sends an MFA request to the user, as configured by their PingID policy.
  4. The user authenticates using the configured authentication method, such as Swipe, Mobile App Biometrics, or YubiKey. The PingID cloud service redirects the user back to AD FS.
  5. Using the SAML or OpenID Connect (OIDC) protocol, AD FS authorizes the Service Provider to grant access to the user.

For more information on getting started with PingID for AD FS, see Installing PingID MFA Adapter for AD FS and Enabling PingID as an MFA provider in AD FS.