Configure the PingFederate server to register Azure Active Directory (AD) Windows 10 devices.
In the PingFederate cluster, perform the following steps on the admin node:
- Add the required attribute namespaces:
  - Stop the PingFederate server.
  - Go to <pf_install>/pingfederate/server/default/data/config-store.
  - In a text editor, open the custom-name-formats.xml file.
  - If they are not already present, add the following lines to the sts-attribute-namespaces section:
    <con:item name="http://schemas.microsoft.com/identity/claims">http://schemas.microsoft.com/identity/claims</con:item>
    <con:item name="http://schemas.microsoft.com/ws/2012/01">http://schemas.microsoft.com/ws/2012/01</con:item>
    <con:item name="http://schemas.microsoft.com/claims">http://schemas.microsoft.com/claims</con:item>
  - Save your changes and restart the PingFederate server.
  - In the PingFederate cluster, open the administrative console and go to Cluster Management > Replicate Cluster Configuration.
  - Click Replicate.
- Configure Omit Line Breaks in Digital Signatures. For more information, see Omit line breaks in digital signatures.
  - In a text editor, open <pf_install>/pingfederate/bin/run.properties and add the following line to the file:
    org.apache.xml.security.ignoreLineBreaks=true
  - Save your changes and restart the PingFederate server.
    Note: If you are running a cluster, follow steps 1-4 for all nodes.
- Extend the list of LDAP binary attributes:
  - Open the PingFederate administrative console and go to Server Configuration > Data Stores.
  - Click the LDAP data store.
  - On the LDAP Configuration page, click Advanced.
  - In the Binary Attribute Name field, enter objectSid and click Add. Click Save.
- Confirm the default token type for the WS-Trust protocol:
  - Open the existing Office 365 SP connection.
  - Go to SP Connection > WS-Trust STS > Protocol Settings.
  - In the Default Token Type list, select SAML 1.1 for Office 365. Click Save.
- Extend the WS-Trust attribute contract:
  - Go to SP Connection > WS-Trust STS > Token Creation - Attribute Contract.
  - Add the following attributes and their corresponding attribute namespaces:

    | Attribute name   | Attribute namespace                                     |
    |------------------|---------------------------------------------------------|
    | accounttype      | http://schemas.microsoft.com/ws/2012/01                 |
    | onpremobjectguid | http://schemas.microsoft.com/identity/claims            |
    | primarysid       | http://schemas.microsoft.com/ws/2008/06/identity/claims |
    | SAML_NAME_FORMAT | http://schemas.microsoft.com/claims                     |

  - Click Next and then click the Kerberos Token Processor instance.
- Extend the LDAP search for the Kerberos Token Processor:
  - On the Attribute Sources & User Lookup tab, click the LDAP data store instance.
  - On the LDAP Directory Search tab, add the objectSid attribute to the attributes returned from the search. Click Next.
    Note: Make sure that the Base DN and Search Scope LDAP settings cover both the container with the Office 365 users and the container where the AD objects of the devices intended for Azure AD registration are located.
  - On the LDAP Binary Attribute Encoding Types tab, set the Attribute Encoding Type to SID for the objectSid attribute, then click Next.
  - Confirm that the LDAP Filter includes the following:
    (|(sAMAccountName=${username})(userPrincipalName=${username}))
- Map the attribute contract to the values of the Kerberos Token Processor instance:
  - Click Done and Next until you reach the Attribute Contract Fulfillment section of the Kerberos Token Processor instance.
  - Populate the missing fields, then click Done. For more information, see Configuring a Kerberos Token Processor instance.

    | Attribute Contract | Source | Value                                                 |
    |--------------------|--------|-------------------------------------------------------|
    | Immutable ID       | LDAP   | objectGUID                                            |
    | TOKEN_SUBJECT      | LDAP   | objectGUID                                            |
    | UPN                | Token  | principle                                             |
    | accounttype        | Text   | DJ                                                    |
    | onpremobjectguid   | LDAP   | objectGUID                                            |
    | primarysid         | LDAP   | objectSid                                             |
    | SAML_NAME_FORMAT   | Text   | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
- Map the attribute contract to the values of the Username Token Processor instance:
  - Click the Username Token Processor instance, then click the Attribute Contract Fulfillment tab.
  - Populate the missing fields. For more information, see Configuring a Username Token Processor instance.

    | Attribute Contract | Source | Value                                                 |
    |--------------------|--------|-------------------------------------------------------|
    | Immutable ID       | LDAP   | objectGUID                                            |
    | TOKEN_SUBJECT      | LDAP   | objectGUID                                            |
    | UPN                | LDAP   | userPrincipalName                                     |
    | accounttype        | Text   | N/A                                                   |
    | onpremobjectguid   | LDAP   | objectGUID                                            |
    | primarysid         | Text   | N/A                                                   |
    | SAML_NAME_FORMAT   | Text   | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |

  - Click Save.
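The following Python script is an added example, not code from the PingFederate documentation or product. It shows what two pieces of the configuration above produce on constructed sample data: the user lookup filter with its ${username} placeholder filled in, and the two binary attributes the token processors return (objectSid rendered in S-1-... text form, which is what the SID encoding type yields for primarysid, and objectGUID rendered as Base64, which is the Immutable ID form Azure AD expects). Assumptions: the filter value is escaped per RFC 4515 before substitution so the lookup stays a single equality match; objectGUID is Base64-encoded (PingFederate's Base64 encoding type); and the SID and GUID byte strings are constructed, not taken from a real directory.

```python
"""Added example (not PingFederate code): resolve the Kerberos Token Processor
lookup filter and render the binary attributes it returns, on constructed data."""
import base64
import struct
import uuid

# The LDAP filter from the "Extend the LDAP search" step, with its placeholder.
LOOKUP_FILTER = "(|(sAMAccountName=${username})(userPrincipalName=${username}))"

# RFC 4515 escapes for the characters that carry meaning inside a filter.
# Each input character is looked up once, so nothing is double-escaped.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def resolve_filter(username: str, template: str = LOOKUP_FILTER) -> str:
    """Substitute ${username} into the filter template (assumption: the value is
    escaped first, so a name containing filter metacharacters cannot change
    the shape of the lookup)."""
    return template.replace("${username}", ldap_escape(username))


def decode_sid(raw: bytes) -> str:
    """Render a binary objectSid as S-1-... text (the SID encoding type).

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes big-endian), then 32-bit little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def encode_sid(sid: str) -> bytes:
    """Inverse of decode_sid, used to check that the decoder round-trips."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def immutable_id(object_guid: bytes) -> str:
    """Base64 of the 16 raw objectGUID bytes: the Immutable ID form Azure AD
    expects (assumption: PingFederate's Base64 encoding type for objectGUID)."""
    if len(object_guid) != 16:
        raise ValueError("objectGUID must be 16 bytes")
    return base64.b64encode(object_guid).decode("ascii")


def guid_display(object_guid: bytes) -> str:
    """The same objectGUID as AD tools display it (mixed-endian GUID layout)."""
    return str(uuid.UUID(bytes_le=object_guid))


# Constructed samples: a SID with five sub-authorities and a GUID made of the
# bytes 00..0f. Neither belongs to a real directory object.
SAMPLE_SID = bytes.fromhex("010500000000000515000000a065cf7e784b9b5fe77c8770091c0100")
SAMPLE_GUID = bytes(range(16))

if __name__ == "__main__":
    print(resolve_filter("jdoe"))
    print(resolve_filter("j(doe)"))  # metacharacters escaped, filter shape unchanged
    print(decode_sid(SAMPLE_SID))
    print(immutable_id(SAMPLE_GUID), guid_display(SAMPLE_GUID))
```

If a primarysid value in a returned token does not start with S-1-5-21, the objectSid was most likely returned with the wrong encoding type or the Binary Attribute Name entry from the earlier step is missing; comparing the token value with decode_sid on the raw attribute is a quick way to confirm which.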