Complete the setup or manual update of AD Connect, verify the AD Connect installation, and configure additional settings in PingOne for Enterprise.
- On the PingOne for Enterprise admin portal page for AD Connect, click Verify Installation.
Note: If you're using AD Connect in a clustered, high availability configuration, you will verify the installation in the PingOne admin portal only for the initial AD Connect installation.
- Optional: Choose whether to enable Integrated Windows Authentication (IWA). When enabled, IWA is applied when the user is on your organization's network. When the user comes from outside your network, NTLM is used. A user is prompted for their credentials only once per browser session.
  - If you enable IWA, the Intranet IP Ranges entry box is displayed. Your entries here apply IWA to every user whose client IP address is either listed individually or falls within a listed block. Entries must be IPv4 addresses in dot-decimal format (123.123.123.123) or IPv4 address blocks in CIDR format (123.123.123.0/24).
- In AD Connect Configuration, the following settings are available:
  - Authentication Account Lookup Method: Assigns the Active Directory attribute used to look up the user's account information during delegated authentication. This can be:
    - Mail. The email address assigned to the user.
    - sAMAccountName. The legacy Windows logon name for the user.
    - Filter. An LDAP filter to use when looking up the account information for the user.
    - userPrincipalName. We recommend userPrincipalName if you select the Enable Global Catalog option.
  - Subject Attribute: Choose the value to use for SAML_SUBJECT. The possible values are sAMAccountName or userPrincipalName.
    Tip: If your user population comes from multiple domains, choose userPrincipalName as the subject attribute. sAMAccountName is unique only within a domain, so two different users in two domains could otherwise sign on with the same username.
  - Enable Delegated Windows Authentication: Select to enable a URL, automatically created by PingOne, that is unique to your account. We use this URL to verify the credentials in sign-on requests received when a Salesforce user attempts to sign on using either the Salesforce UI or API. To ensure security, PingOne also generates a random key that is associated with this URL. If the existing key is compromised, click Renew to generate a new random key for the URL.
  - Enable Password Change: Select to enable users to change their corporate passwords through AD Connect. When enabled, a Change My Password option is displayed on the AD Connect sign-on screen. Users selecting this option are prompted for their existing password and the new password to use. Their password is then changed in Active Directory.
  - Enable Group Hierarchy: Select to enable support for group hierarchies in Active Directory. When enabled, nested Active Directory groups inherit the SSO permissions of their parent group or groups. When disabled (the default), an Active Directory group uses only the SSO permissions assigned directly to it, with no inheritance.
  - Enable Global Catalog: Select to use the Active Directory Global Catalog for user lookup. When enabled, we recommend userPrincipalName as the Authentication Account Lookup Method: a Global Catalog search spans every domain in the forest, and userPrincipalName is unique forest-wide, whereas sAMAccountName is unique only within a single domain.
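The following is an added example, not part of the PingOne documentation and not AD Connect's own code. It models the semantics of three of the settings above so you can see their effect before changing them in the portal: validation of Intranet IP Ranges entries and the IWA-or-NTLM decision for a client address, the Authentication Account Lookup Method run against a constructed two-domain directory, and the SAML_SUBJECT collision the Tip warns about. The directory records, domain names and function names are assumptions; the Filter lookup method is not modeled because its syntax is not shown here. Only the standard library is used.

```python
import ipaddress

# Constructed sample directory (not real accounts): two domains in one forest,
# and the same sAMAccountName "jsmith" exists in both of them.
DIRECTORY = [
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@corp.example.com",
     "mail": "john.smith@example.com"},
    {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@emea.example.com",
     "mail": "jane.smith@example.com"},
    {"sAMAccountName": "adoe", "userPrincipalName": "adoe@corp.example.com",
     "mail": "a.doe@example.com"},
]

# Lookup methods modeled here; "Filter" is omitted because its syntax is not shown.
LOOKUP_ATTRIBUTES = ("mail", "sAMAccountName", "userPrincipalName")
SUBJECT_ATTRIBUTES = ("sAMAccountName", "userPrincipalName")


def parse_intranet_ranges(entries):
    """Validate Intranet IP Ranges entries: IPv4 dot-decimal or IPv4 CIDR only.

    strict=True rejects blocks with host bits set (e.g. 10.1.2.3/24); hostnames
    and IPv6 entries raise ValueError instead of being silently accepted.
    """
    ranges = []
    for entry in entries:
        network = ipaddress.ip_network(entry.strip(), strict=True)
        if network.version != 4:
            raise ValueError(f"not an IPv4 address or block: {entry!r}")
        ranges.append(network)
    return ranges


def auth_method_for(client_ip, intranet_ranges):
    """'IWA' when the client address lies in a configured range, else 'NTLM'
    (the page's wording for users coming from outside the network)."""
    address = ipaddress.ip_address(client_ip)
    return "IWA" if any(address in net for net in intranet_ranges) else "NTLM"


def lookup_user(username, lookup_attribute, directory=DIRECTORY):
    """Find the one account whose lookup attribute equals the supplied name.

    An ambiguous match is an error rather than a silent first hit; this is
    exactly what a sAMAccountName lookup runs into across multiple domains.
    """
    if lookup_attribute not in LOOKUP_ATTRIBUTES:
        raise ValueError(f"unsupported lookup attribute: {lookup_attribute}")
    matches = [u for u in directory
               if u[lookup_attribute].lower() == username.lower()]
    if len(matches) > 1:
        raise LookupError(
            f"{len(matches)} accounts match {lookup_attribute}={username!r}; "
            "use userPrincipalName when users come from multiple domains")
    return matches[0] if matches else None


def saml_subject(user, subject_attribute):
    """Value that would be sent as SAML_SUBJECT for this account."""
    if subject_attribute not in SUBJECT_ATTRIBUTES:
        raise ValueError(f"unsupported subject attribute: {subject_attribute}")
    return user[subject_attribute]


def subject_collisions(subject_attribute, directory=DIRECTORY):
    """Subject values shared by more than one account, mapped to the UPNs involved."""
    holders = {}
    for user in directory:
        key = user[subject_attribute].lower()
        holders.setdefault(key, []).append(user["userPrincipalName"])
    return {subject: upns for subject, upns in holders.items() if len(upns) > 1}


if __name__ == "__main__":
    ranges = parse_intranet_ranges(["10.0.0.0/8", "192.0.2.25"])
    print(auth_method_for("10.20.30.40", ranges))   # IWA
    print(auth_method_for("203.0.113.9", ranges))   # NTLM
    print(subject_collisions("sAMAccountName"))     # {'jsmith': [two UPNs]}
    print(subject_collisions("userPrincipalName"))  # {}
```

Run `subject_collisions("sAMAccountName")` against an export of your own accounts before choosing the subject attribute: any non-empty result means two people would present the same SAML_SUBJECT to every application that consumes it.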
- Assign the Active Directory-to-PingOne attribute mapping. This assignment maps Active Directory attributes to the default PingOne attributes. This attribute mapping is not used by applications that you add to PingOne; you configure those attribute mappings separately for each application.
  - For any of the attribute mappings, you can configure an advanced mapping. See Creating advanced attribute mappings for instructions.
- Click Finish. When you return to Setup > Identity Repository, a summary of the settings for your identity bridge is displayed.
If you're using AD Connect in a clustered, high availability configuration, repeat these steps on each AD Connect host.