--- title: Securing your VPN with MFA through PingID description: To enable PingID for VPN, use PingFederate Bridge and the PingOne for Enterprise admin portal. This secures your VPN with multi-factor authentication (MFA). component: solution-guides page_id: solution-guides:multi-factor_authentication_use_cases:htg_secure_vpn_with_mfa_pid canonical_url: https://docs.pingidentity.com/solution-guides/multi-factor_authentication_use_cases/htg_secure_vpn_with_mfa_pid.html revdate: April 24, 2025 page_aliases: ["multi-factor_authentication_use_cases:htg_secure_vpn_with_mfa_pid_p14e.adoc", "multi-factor_authentication_use_cases:htg_secure_vpn_with_mfa_pid_vpn_pfbridge.adoc", "multi-factor_authentication_use_cases:htg_secure_vpn_with_mfa_pid_pfbridge.adoc"] section_ids: components: Components before-you-begin: Before you begin enabling-pingid-for-vpn-through-the-pingone-for-enterprise-admin-portal: Enabling PingID for VPN through the PingOne for Enterprise admin portal about-this-task: About this task steps: Steps result: Result: enable-pingid-vpn-thru-pfbridge: Enabling PingID for VPN through PingFederate Bridge about-this-task-2: About this task steps-2: Steps result-2: Result: result-3: Result: configure-pingid-vpn-with-pfbridge: Configuring PingID for VPN with PingFederate Bridge steps-3: Steps result-4: Result --- # Securing your VPN with MFA through PingID To enable PingID for VPN, use PingFederate Bridge and the PingOne for Enterprise admin portal. This secures your VPN with multi-factor authentication (MFA). ## Components * PingOne for Enterprise * PingFederate Bridge (available through PingOne for Enterprise) ## Before you begin You must have: * A PingOne for Enterprise admin portal account You can sign up for a free trial of PingOne for Enterprise. * An instance of PingFederate Bridge ## Enabling PingID for VPN through the PingOne for Enterprise admin portal ### About this task You can enable PingID for VPN through the PingOne for Enterprise admin portal or PingFederate Bridge. To enable PingID VPN through the PingOne for Enterprise admin portal: ### Steps 1. Sign on to the PingOne for Enterprise admin portal. 2. Click **Setup**. 3. Click **PingID → Client Integration**. 4. Click **Setup PingFederate for PingID**. ![Screen capture of the Client Integration tab. At the bottom, two buttons read Generate and Setup for , the latter is highlighted with a red box. The text above reads: Integrate with and Other Clients and Use these properties files to Integrate with external clients such as AD FS, SSH, VPN, Windows Login (servers) or APIs. These files will contain sensitive information such as encryption keys. Two buttons read Download and Revoke. Across the top, the tabs read Configuration, Client Integration, Branding, Device and Pairing, and Policy.](_images/skl1602610223192.png) 5. To choose your server platform, follow the on-screen instructions. 6. To download PingFederate Bridge, follow the on-screen instructions. 7. To install and configure PingFederate Bridge, follow the on-screen instructions. | | | | - | ---------------------------------------------------------------- | | | *Your Server Domain* is your fully qualified domain name (FQDN). | 8. In the PingFederate administrative console, review the license agreement. Click **Accept**. 9. In the PingOne for Enterprise admin portal, in the**Install and Configure PingFederate Bridge** section, from the **Complete Quick Start** section, copy the activation key. ![Screen capture of the Complete Quick Start section. The Activation Key field is highlighted with a red box. Below the activation key field reads: To connect to your PingOne account, copy this unique activation key into when prompted. This is a single-use activation key. A new key will be generated for each PingOne session.](../_images/ebu1602608416395.png) 10. In the PingFederate administrative console, click **Yes, Connect to PingOne for Enterprise**. 11. In the **Activation Key** field, paste the activation key you copied from the PingOne for Enterprise admin portal. Click **Next**. #### Result: The PingFederate administrative console displays the **Identities** section. 12. Proceed to [Configuring PingID for VPN with PingFederate Bridge](#configure-pingid-vpn-with-pfbridge). ## Enabling PingID for VPN through PingFederate Bridge ### About this task You can enable PingID for VPN through the PingOne for Enterprise admin portal or PingFederate Bridge. ### Steps 1. Install PingFederate from the [Ping Identity Downloads Page](https://www.pingidentity.com/en/resources/downloads/pingfederate.html). 2. Start the PingFederate server by running this script: `/pingfederate/bin/run.sh`. 3. Open the PingFederate administrative console. 1. Open a browser and enter `https://Your Server Domain:9999/pingfederate/app`. | | | | - | ---------------------------------------------------------------- | | | *Your Server Domain* is your fully qualified domain name (FQDN). | 2. To proceed, review the license agreement. Click **Accept**. 4. Click **Yes, Connect to PingOne for Enterprise**. 5. Click **Sign on to PingOne for Enterprise** and enter your credentials to sign on. #### Result: The admin portal displays the activation key. 6. Copy the activation key from the PingOne for Enterprise admin portal to your clipboard. 7. In the PingFederate administrative console, in the **Activation Key** field, paste the key value. 8. Click **Next**. #### Result: The PingFederate administrative console displays the **Identities** section. 9. [Configuring PingID for VPN with PingFederate Bridge](#configure-pingid-vpn-with-pfbridge). ## Configuring PingID for VPN with PingFederate Bridge ### Steps 1. From the PingFederate administrative console **Identities** section, select **Yes, Connect a Directory Server**. 2. Enter information in the fields that is appropriate for your directory server. | Field | Description | | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Directory Type** | Select the type of directory server from the list. | | **Data Store Name** | Enter the name of the datastore. | | **Hostname** | Enter the fully qualified domain name (FQDN) for your directory server. | | **Service Account DN** | Enter the distinguished name (DN) of the service account that PingFederate can use to communicate with the directory server. | | **Password** | Enter the password associated with the service account. | | **Search Base** | Enter the DN of the location in the directory where PingFederate begins its datastore queries. | | **Search Filter** | Specify how the username provided by a user at login is mapped to an attribute in your directory.The default value is either `sAMAccountName=${username}` or `uid=${username}`, depending on the selected directory type.If you require a more advanced search filter, enter the value in the following format: `=${username}`. For more information, consult your directory administrators. | 3. Click **Next**. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If your directory server is SSL-enabled and presents an untrusted certificate, PingFederate prompts you to upload the server's certificate. Click **Choose Certificate**, select the appropriate certificate, and click **Next**. | 4. In the **Use Cases** section, select the **PingID VPN (RADIUS)** checkbox. Click **Begin**. 5. In the **Basic Settings** section, configure the basic settings: 1. In the **Client IP** field, enter the IP address of the VPN server. 2. In the **Client Shared Secret** field, enter the secret shared between the VPN server and PingFederate Bridge. 3. Verify that the **Validate with LDAP** checkbox is selected. 4. In the **PingID Username Attribute** field, enter the value you entered in the **Search Filter** field in step 2. | | | | - | ------------------------------------------------------------- | | | The integrated RADIUS server listens on port 1812 by default. | 6. Click **Next**. 7. In the **Provisioning** section, the **Configure Provisioning** checkbox should be unselected. Click **Next**. 8. In the **Summary** section, review your configuration. Click **Done**. 9. Click **Next**. 10. In the **Basic Information** section, in the **Base URL** field, enter `https://Your Server Domain:9031`. | | | | - | ---------------------------------------------------------------- | | | *Your Server Domain* is your fully qualified domain name (FQDN). | 11. Click **Next**. 12. To apply the configuration to PingFederate Bridge, click **Next**. 13. Click **Done**. ### Result PingID for VPN is enabled in PingFederate Bridge for use. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You can find more information on configuring your VPN client/server settings in [Integrating PingID with your VPN/Remote access system](https://docs.pingidentity.com/pingid/pingid_integrations/pid_integration_with_vpn_intro.html). |