---
title: Configuring an Active Directory datastore for PingFederate
description: In PingFederate, establish an Active Directory datastore connection for retrieving user attributes for outbound connections.
component: solution-guides
page_id: solution-guides:workforce_use_cases:htg_config_ad_datastore_pf
canonical_url: https://docs.pingidentity.com/solution-guides/workforce_use_cases/htg_config_ad_datastore_pf.html
revdate: April 13, 2025
page_aliases: ["workforce_use_cases:htg_config_ad_datastore_pf_config_ad_datastore.adoc"]
section_ids:
  component: Component
  processing-steps: Processing steps
  configuring-an-active-directory-datastore: Configuring an Active Directory datastore
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  result: Result:
  result-2: Result:
---

# Configuring an Active Directory datastore for PingFederate

In PingFederate, establish an Active Directory datastore connection for retrieving user attributes for outbound connections.

## Component

PingFederate 10.1

## Processing steps

Almost every customer using PingFederate as an identity provider (IdP) has at least one connection to a datastore. A datastore connection allows PingFederate to retrieve user attributes for outbound connections. Active Directory is the most common data source connected to PingFederate.

![An illustration of a 3-step user-initiated single sign-on (SSO) when PingFederate is the identity provider and has a datastore connection.](_images/lfl1606863776896.jpg)

1. The user initiates single sign-on (SSO) and activates PingFederate.

2. The user enters credentials in the htmlForm page. PingFederate queries the connected datastore for authentication.

3. A SAML assertion containing the selected attributes for SSO is sent to the service provider.

## Configuring an Active Directory datastore

In PingFederate, configure a datastore connection to allow PingFederate, the identity provider (IdP), to retrieve user attributes for outbound connections.

### Before you begin

The account that PingFederate uses to connect to Active Directory must exist in the directory and have read permission on the organizational unit (OU) where user attribute searches are performed.

### About this task

This topic details specific tasks for configuring an Active Directory datastore connection. Learn more in [Datastores](https://cdn-docs.pingidentity.com/archive/pdf/pingfederate/pingfederate-100.pdf#page=125) (page 125) in the PingFederate Server documentation.

### Steps

1. From the PingFederate admin console, go to **System > Data Stores**. Click **Add a New Data Store**.

   #### Result:

   The **Data Store** configuration window opens.

2. On the **Data Store Type** tab:

   1. In the **Name** field, enter a name.

   2. From the **Type** list, select **Directory (LDAP)**.

   3. Click **Next**.

3. On the **LDAP Configuration** tab:

   1. In the **Hostname(s)** field, enter the hostname for the configuration. Click **Add**.

      This is the hostname of the domain controller.

      > **Note:** The **Hostname(s)** field entry can rely on network naming to route to the closest domain controller. For example, `pingdemo.com` resolves to `dc1.pingdemo.com`. Alternatively, you can define domain controllers explicitly, separated by a space. For example, `dc1.pingdemo.com dc2.pingdemo.com`. This creates a failover to each domain controller. If it does not find the user in the first directory, it then queries the second, and so on.

   2. In the **User DN** field, enter the distinguished name (DN).

      This is the distinguished name of the service account used to query the directory.

   3. In the **Password** field, enter a password.

      This is the password of the service account.

   4. Select the **Use DNS SRV Record** checkbox.

      SRV records are not required for this configuration, but you can use them.

   5. Choose whether to enable the **Use LDAPS** checkbox.

      * Select the **Use LDAPS** checkbox.

        The configuration assumes port 636 if the LDAPS option is selected.

      * Clear the **Use LDAPS** checkbox.

        The configuration assumes port 389 if the LDAPS option is cleared.

        > **Note:** If you are running your directory on another port, you must state this in the **Hostname(s)** field, as shown in the following image, and have the Active Directory public certificate uploaded in your trusted keystore. In the following image, notice that port 1389 is specified in the **Hostname(s)** field.

        ![A screen capture of the Data Store window and LDAP Configuration tab in PingFederate. The LDAP Configuration tab contains multiple configuration fields for the user to edit. The following fields and their entries are displayed: Hostname(s) with cjmuir-r:1389 and selected as the default, another row of Hostname(s) with Email address, a cleared Use LDAPS checkbox, a cleared Use DNS SRV Record checkbox, the Load Type list with the option selected, a cleared Bind Anonymously checkbox, the User DN field with cn=Directory Manager entered, the Password field with a hidden entry, and cjmuir-r:1389 selected from the connection list, and the Test Connection button displayed.](_images/phy1606865459207.png)

   6. Click **Next**.

   7. On the **Summary** tab, click **Save**.

      #### Result:

      The **Data Store** configuration window closes. You are directed back to the **Data Stores** window where you can manage all your datastore connections.
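The following pre-flight check is an added example, not part of this guide or of PingFederate. It models the **Hostname(s)** field rules described above (space-separated domain controllers tried in failover order, an explicit `host:port` overriding the 636/389 default implied by **Use LDAPS**) and then binds as the service account and reads one user from the OU, which verifies the read permission named under "Before you begin". The `ldap3` package, the hostnames, DNs, credentials and the `ca_file` path are assumptions.

```python
import ssl
from dataclasses import dataclass
from typing import List, Optional

LDAPS_PORT, LDAP_PORT = 636, 389  # defaults implied by the Use LDAPS checkbox


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int
    use_ldaps: bool

    def url(self) -> str:
        return f"{'ldaps' if self.use_ldaps else 'ldap'}://{self.host}:{self.port}"


def parse_hostnames(field: str, use_ldaps: bool) -> List[Endpoint]:
    """Turn the space-separated Hostname(s) value into the ordered failover list.
    An explicit host:port (like the 1389 in the screenshot) overrides the port
    implied by the Use LDAPS checkbox; a bare host gets 636 or 389."""
    endpoints = []
    for entry in field.split():
        host, sep, port = entry.rpartition(":")
        if sep and port.isdigit():
            endpoints.append(Endpoint(host, int(port), use_ldaps))
        else:
            endpoints.append(Endpoint(entry, LDAPS_PORT if use_ldaps else LDAP_PORT, use_ldaps))
    return endpoints


def preflight(field: str, use_ldaps: bool, user_dn: str, password: str,
              search_base: str, sam_account: str, ca_file: str) -> Optional[Endpoint]:
    """Bind as the service account and read one user from the OU, trying each
    domain controller in order (the failover the guide describes). Returns the
    endpoint that answered, or None when every domain controller failed."""
    from ldap3 import Connection, Server, Tls  # assumption: ldap3 is installed
    from ldap3.core.exceptions import LDAPException
    from ldap3.utils.conv import escape_filter_chars
    # Validate the AD certificate (ca_file = exported chain) instead of trusting any cert.
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file) if use_ldaps else None
    # Escape the lookup value so it cannot alter the LDAP filter.
    ldap_filter = f"(sAMAccountName={escape_filter_chars(sam_account)})"
    for ep in parse_hostnames(field, use_ldaps):
        try:
            server = Server(ep.host, port=ep.port, use_ssl=ep.use_ldaps, tls=tls)
            with Connection(server, user=user_dn, password=password, auto_bind=True) as conn:
                if conn.search(search_base, ldap_filter, attributes=["mail"]) and conn.entries:
                    return ep  # bind succeeded and the OU is readable
        except LDAPException as exc:
            print(f"{ep.url()} failed: {exc}")
    return None
```

A `None` result before the datastore is saved means either the bind credentials, the port/LDAPS pairing, the trusted certificate, or the OU read permission is wrong on every listed domain controller.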
