In the PingFederate cluster, perform the following steps on the admin node:

  1. Add the required attribute namespaces:
    1. Stop the PingFederate server.
    2. Go to <pf-install>/pingfederate/server/default/data/config-store.
    3. In a text editor, open the custom-name-formats.xml file.
    4. If they are not already present, add the following lines to the sts-attribute-namespaces section:
      <con:item name="http://schemas.microsoft.com/identity/claims">http://schemas.microsoft.com/identity/claims</con:item>; 
      
      <con:item name="http://schemas.microsoft.com/ws/2012/01">http://schemas.microsoft.com/ws/2012/01</con:item>;
      
      <con:item name="http://schemas.microsoft.com/claims">http://schemas.microsoft.com/claims</con:item>;
    5. Save your changes and restart the PingFederate server.
  2. In the PingFederate cluster, open the administrative console and go to Cluster Management > Replicate Cluster Configuration.
  3. Click Replicate.
  4. Configure Omit line Breaks in Digital Signatures.

    For more information see Omit line breaks in digital signatures.

    1. In a text editor, open <pf_install>/pingfederate/bin/run.properties and add the following line to the file:
      org.apache.xml.security.ignoreLineBreaks=true
    2. Save your changes and restart the PingFederate server.
      Note:

      If you are running a cluster, follow steps 1-4 for all nodes.

  5. Extend the list of the LDAP binary attributes:
    1. Open the PingFederate administrative console and go to Server Configuration > Data Stores.
    2. Click LDAP data store.
    3. On the LDAP Configuration page, click Advanced.
    4. In the Binary Attribute Name field, enter objectSid and click Add. Click Save.
  6. Confirm the default token type for the WS-Trust protocol:
    1. Open the existing Office 365 SP connection.
    2. Go to SP Connection > WS-Trust STS > Protocol Settings.
    3. In the Default Token Type list, select SAML 1.1 for Office 365. Click Save.
  7. Extend the WS-Trust attribute contract:
    1. Go to SP Connection > WS-Trust STS > Token Creation - Attribute Contract.
    2. Add the following attributes and corresponding attribute namespaces.
      Attribute name Attribute namespace

      accounttype

      http://schemas.microsoft.com/ws/2012/01

      onpremobjectguid

      http://schemas.microsoft.com/identity/claims

      primarysid

      http://schemas.microsoft.com/ws/2008/06/identity/claims

      SAML_NAME_FORMAT

      http://schemas.microsoft.com/claims

    3. Click Next and then click the Kerberos Token Processor instance.
  8. Extend the LDAP search for the Kerberos Token Processor:
    1. On the Attribute Sources & User Lookup tab, click the LDAP data store instance.
    2. On the LDAP Directory Search tab, add the objectSid attribute to return from search. Click Next.
      Note:

      Make sure that Base DN and Search Scope LDAP settings cover both a container with Office 365 users and a container where the AD objects of the devices intended for Azure AD registration are located.

    3. On the LDAP Binary Attribute Encoding Types tab, set the Attribute Encoding Type to SID for the objectSid attribute, then click Next.
    4. Confirm that the LDAP Filter includes the following:
      |((sAMAccountName=${username}) (userPrincipalName=${username}))
  9. Map the attribute contract to the values of the Kerberos Token Processor instance:
    1. Click Done and Next until you reach the Attribute Contract Fulfillment section of the Kerberos Token Processor instance.
    2. Populate the missing fields, then click Done.
    Attribute Contract Source Value

    Immutable ID

    LDAP

    objectGUID

    TOKEN_SUBJECT

    LDAP

    objectGUID

    UPN

    Token

    principle

    accounttype

    Text

    DJ

    onpremobjectguid

    LDAP

    objectGUID

    primarysid

    LDAP

    objectSid

    SAML_NAME_FORMAT

    Text

    urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  10. Map the attribute contract to the values of the Username Token Processor instance:
    1. Click the Username Token Processor instance, then click the Attribute Contract Fulfillment tab.
    2. Populate the missing fields.
    3. Click Save.
      Attribute Contract Source Value

      Immutable ID

      LDAP

      objectGUID

      TOKEN_SUBJECT

      LDAP

      objectGUID

      UPN

      LDAP

      userPrincipalName

      accounttype

      Text

      N/A

      onpremobjectguid

      LDAP

      objectGUID

      primarysid

      Text

      N/A

      SAML_NAME_FORMAT

      Text

      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified