• Ensure you have an AD domain configured as a datastore in PingFederate that can be used to validate Kerberos tickets.
  • Create a user in Active Directory (AD) that can read from the directory.
  1. In the PingFederate administrative console, go to Authentication > IdP Adapters.
  2. Click Create New Instance.
  3. On the Type tab, in the Instance Name and Instance ID fields, enter a name and ID.
  4. From the Type list, select Kerberos Adapter, and then click Next.
  5. On the IdP Adapter tab, select the Domain/Realm Name you used when adding AD as a datastore.
  6. Click Manage Active Directory Domains/Kerberos Realms.
  7. In the Manage Domain/Realm window, in the Domain/Realm Name, Domain/Realm Username, and Domain/Realm Password fields, enter the information from your AD environment.
  8. Click Test Domain/Realm Connectivity to test your connection, then click Done.
  9. On the IdP Adapter tab, click Next.
  10. On the Extended Contract tab, click Next.
  11. On the Adapter Attributes tab, select the Username Pseudonym check box. Click Next.
  12. On the Adapter Contract Mapping tab, click Next.
  13. On the Summary tab, review your entries. Click Save.