---
title: Setting up SSO with Active Directory
description: Connect your Active Directory identity repository to Ping products and configure them to authenticate your users through single sign-on (SSO).
component: solution-guides
page_id: solution-guides:single_sign-on_use_cases:htg_setting_sso_active_directory
canonical_url: https://docs.pingidentity.com/solution-guides/single_sign-on_use_cases/htg_setting_sso_active_directory.html
revdate: July 6, 2022
section_ids:
  connecting-active-directory-to-pingfederate: Connecting Active Directory to PingFederate
  connecting-active-directory-to-pingone: Connecting Active Directory to PingOne
  connecting-active-directory-to-pingone-for-enterprise: Connecting Active Directory to PingOne for Enterprise
---

# Setting up SSO with Active Directory

Connect your Active Directory identity repository to Ping products and configure them to authenticate your users through single sign-on (SSO).

## Connecting Active Directory to PingFederate

You can connect an Active Directory server to PingFederate as an LDAP datastore. You can also add Kerberos or Integrated Windows Authentication (IWA) as identity providers to authenticate users.

For basic instructions about connecting Active Directory to PingFederate, see [Configuring an Active Directory datastore for PingFederate](../workforce_use_cases/htg_config_ad_datastore_pf.html). For more comprehensive information about LDAP datastore configuration, see [Configuring an LDAP connection](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_datasourcetasklet_ldapconfigstate.html).

After you configure the Active Directory datastore, you can configure PingFederate to process Kerberos tickets and other SSO transactions. For more information, refer to [Active Directory and Kerberos](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_adding_active_directory_domains_kerberos_realms.html).

## Connecting Active Directory to PingOne

You can configure a gateway in PingOne to authenticate your Active Directory users. If PingOne doesn't find a user in the PingOne directory, it will automatically check Active Directory using the gateway, giving your users a seamless authentication workflow.

If you want to use an authentication policy, there are some additional steps you must take to ensure its compatibility with the gateway.

For more information about configuring a gateway in PingOne, see [Setting up an LDAP Gateway](https://docs.pingidentity.com/pingone/integrations/p1_gateways_overview.html).

## Connecting Active Directory to PingOne for Enterprise

PingOne for Enterprise uses AD Connect as an identity bridge to transmit authentication information to and from Active Directory. You can use AD Connect either with or without IIS.

For more information about installing AD Connect, see [Installing AD Connect](https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_installing_adc.html) and [Installing AD Connect with IIS](https://docs.pingidentity.com/pingoneforenterprise/pingone_for_enterprise/p14e_installing_adc_iis.html).