--- title: Configuring PingFederate for MFA-only VPN description: PingFederate 9.3 component: solution-guides page_id: solution-guides:multi-factor_authentication_use_cases:htg_config_pf_for_mfa_only_vpn canonical_url: https://docs.pingidentity.com/solution-guides/multi-factor_authentication_use_cases/htg_config_pf_for_mfa_only_vpn.html revdate: April 24, 2025 page_aliases: ["multi-factor_authentication_use_cases:htg_config_pf_for_mfa_only_vpn_connect_datastore.adoc", "multi-factor_authentication_use_cases:htg_config_pf_for_mfa_only_vpn_identifier_first.adoc", "multi-factor_authentication_use_cases:htg_config_pf_for_mfa_only_vpn_pid.adoc", "multi-factor_authentication_use_cases:htg_config_pf_for_mfa_only_vpn_authn_policy.adoc"] section_ids: components: Components before-you-begin: Before you begin creating-a-datastore-connection: Creating a datastore connection about-this-task: About this task steps: Steps configuring-an-identifier-first-adapter: Configuring an Identifier First Adapter steps-2: Steps configuring-a-pingid-adapter: Configuring a PingID Adapter steps-3: Steps configuring-an-authentication-policy: Configuring an authentication policy steps-4: Steps --- # Configuring PingFederate for MFA-only VPN ## Components * PingFederate 9.3 * PingID ## Before you begin * Verify that PingFederate 9.3 is installed and running. * Register a PingID account as explained in [Register the PingID service](https://docs.pingidentity.com/pingid/pingid_integrations/registering_the_pid_service.html). ## Creating a datastore connection ### About this task If you have already configured a data store connection in PingFederate, you can skip this task. ### Steps 1. If you have not already configured a data store connection, use the following steps to configure one: 2. Sign on to PingFederate. 3. Select **System > Data Stores** to open the **Data Stores** screen. 4. On the **Data Stores** screen, click **Add New Data Store**. 5. Type a name for the data store. 6. Select the type of data store you are connecting to, and click **Next**. Depending on which data store you chose, click one of the following links for configuration instructions: * **Database (JDBC)** - [Configuring a JDBC connection](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=167) (page 167) * **Directory (LDAP)** - [Configuring an LDAP connection](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=170) (page 170) * **REST API** - [Configuring a REST API data store](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=178) (page 178) ## Configuring an Identifier First Adapter The Identifier First Adapter allows PingFederate to collect the user identifier and then determine how to challenge the user for credentials. Learn more in [Identifier First Adapter](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=710). ### Steps 1. Select **Identity Provider > Adapters**. 2. On the **Manage IdP Adapter Instances** screen, click **Create New Instance**. 3. Enter an **Instance Name** and an **Instance ID**. The Instance Name is any name you want to use to identify this adapter instance. The Instance ID is used internally, and cannot contain spaces or non-alphanumeric characters. 4. Select **Identifier First Adapter** in the **Type** list. 5. Click **Next**, and follow the instructions in [Configure an Identifier First Adapter instance](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-93.pdf#page=710) (page 710) to complete the configuration. ## Configuring a PingID Adapter ### Steps 1. Select **Identity Provider > Adapters**. 2. **On the Manage IdP Adapter Instances** screen, click **Create New Instance**. 3. Enter an **Instance Name** and an **Instance ID**. The Instance Name is any name you want to use to identify this adapter instance. The Instance ID is used internally, and cannot contain spaces or non-alphanumeric characters. 4. Select **PingID Adapter 2.5.1** in the **Type** list. 5. Click **Next**. 6. Click **Show Advanced Fields**. 7. Follow the instructions in [Use PingID for Primary Authentication](https://docs.pingidentity.com/pingid/pingid_integrations/configuring_a_pid_adapter_instance.html) to complete the configuration. ## Configuring an authentication policy ### Steps 1. Select **Identity Provider → Policies** to open the **Authentication Policies** screen. 2. Click **Add Policy**. 3. Enter a name for the policy and optionally a description. 4. In the **Policy** list, click the down-arrow and select the Identifier First Adapter that you configured in step 3. **Fail** and **Success** fields appear. 5. Under **Fail**, select **Restart**. 6. Under **Success**, click the down-arrow and select the PingID Adapter that you configured in step 4. **Fail** and **Success** fields are displayed again. 7. Under **Fail**, select **Done**. 8. Under **Success**, click the down-arrow, and select a Policy Contract. An example configuration is shown in the following figure. ![mow1564001139984](_images/mow1564001139984.png) 9. Under the PingID adapter in the **Success** field, click **Options**. ![oxs1564001140813](_images/oxs1564001140813.png) 10. In the **Incoming User ID** modal, select the Identifier First Adapter for the **Source** and **subject** for the **Attribute**. This configuration maps the user identifier to use with PingID MFA. ![xez1636744317440](_images/xez1636744317440.png) 11. Click **Done**. 12. Click **Contract Mapping** under the Policy Contract in the **Success** field. ![bxe1564001142363](_images/bxe1564001142363.png) 13. Click **Next** to view the **Contract Fulfillment** screen. 14. Select the Identifier First Adapter for the **Source** and **subject** for the **Attribute**. This configuration maps the attributes into your authentication policy contract. ![apm1564001142938](_images/apm1564001142938.png) 15. Click **Next**, and then click **Next** again to view the **Summary** screen. 16. Click **Done** to save your contract mapping, and then click **Done** again to save your authentication policy.