1. On the PingOne for Enterprise admin portal page for AD Connect, click Verify Installation.
    Note: If you're using AD Connect in a clustered, high availability configuration, you will verify the installation in the PingOne admin portal only for the initial AD Connect installation.
  2. Optional: Choose whether to enable Integrated Windows Authentication (IWA).
    When enabled, IWA is applied when the user is on your organization's network. When the user comes from outside your network, NTLM is used. A user is prompted for their credentials only once per browser session.
    1. If you enable IWA, the Intranet IP Ranges entry box is displayed. Your entries here apply IWA to all users whose IP addresses are specified or contained within a block of IP addresses. The addresses need to be IPv4 addresses in dot-decimal format (, or an IPv4 address block in CIDR format (
  3. In AD Connect Configuration, the following settings are available:
    Authentication Account Lookup Method
    Assigns the Active Directory attribute to use when looking up the account information for the user during delegated authentication. This can be:
    • Mail. The email address assigned to the user.
    • sAMAccountName. The legacy Windows logon name for the user.
    • Filter. An LDAP filter to use when looking up the account information for the user.
    • userPrincipalName. We recommend you use userPrincipalName if you select the Enable Global Catalog option.
    Subject Attribute
    Choose the value to use for SAML_SUBJECT. The possible values are sAMAccountName or userPrincipalName.

    If your user population comes from multiple domains, choose userPrincipalName as the subject attribute to avoid the potential of different users in different domains signing in using the same username.

    Enable Delegated Windows Authentication
    Select to enable a URL automatically created by PingOne that is unique to your account. We use this URL to verify the credentials used for sign-on requests received when a Salesforce user attempts to sign on using either the Salesforce UI or API.

    To ensure security, PingOne also generates a random key that is associated with this URL. If the existing key is compromised, click Renew to generate a new random key for the URL.

    Enable Password Change
    Select to enable users to change their corporate passwords through AD Connect. When enabled, a Change My Password option is displayed on the AD Connect sign on screen. Users selecting this option are prompted for their existing password and the new password to use. Their password is then changed in Active Directory.
    Enable Group Hierarchy
    Select to enable support for group hierarchies in Active Directory. When enabled, Active Directory groups that are nested will inherit the SSO permissions of their parent group or groups. When disabled (the default), an Active Directory group uses only the SSO permissions that are assigned to it, with no inheritance.
    Enable Global Catalog
    Select to use the Active Directory Global Catalog for user lookup. When enabled, we recommend you use userPrincipalName as the Authentication Account Lookup Method.
  4. Assign the Active Directory-to-PingOne attribute mapping.
    This assignment maps Active Directory attributes to the default PingOne attributes. This attribute mapping is not used by applications that you add to PingOne. You will configure those attribute mappings for each application.
    1. For any of the attribute mappings, you can choose to configure an advanced mapping. See Creating advanced attribute mappings for instructions.
  5. Click Finish.
    When you return to the Setup > Identity Repository, a summary of the settings for your identity bridge is displayed.

If you're using AD Connect in a clustered, high availability configuration, repeat these steps on each AD Connect host.