Add MS ActiveDirectory Authentication to PingFederate

A common scenario for many companies deploying PingFederate is the need to authenticate users against an existing LDAP-based user store (most commonly Active Directory). While PingFederate handles this easily, the setup involves several steps that might not be obvious to a novice PingFederate Administrator. In this post I'll walk everyone through a quick and *very* basic configuration. Specifically, there are three different pieces that need to be created/configured in PingFederate (preferably in this order):

  1. A new Data Store
  2. A new Password Credential Validator
  3. A new IDP Adapter

Step 1 - Create a new Data Store object

  1. Navigate to "Server Configuration | System Settings | Data Stores"
  2. Click on "Add New Data Store"
  3. Select Type "LDAP" and click "Next"
  4. Enter the hostname or IP of your existing LDAP server. If the directory exposes LDAPS, prefer it so that the bind password and user credentials are not sent in the clear.
  5. Choose "Active Directory" as the LDAP Type
  6. Enter the Bind Credentials (you can get these from your AD Administrator; use a dedicated read-only service account rather than a personal or privileged account) and click "Next"
  7. PingFederate will test the connection with the information you have provided. If PF reports any errors, correct them and try again.
  8. If there are no errors, on the Summary screen choose "Done" then "Save".

Step 2 - Create a new PCV object

  1. Navigate to "Server Configuration | Authentication | Password Credential Validators"
  2. Click on "Create New Instance"
  3. Assign your PCV an Instance Name and Instance Id
  4. Choose "LDAP Username Password Credential Validator" as the Type and click "Next"
  5. From the LDAP Datastore dropdown, select your Data Store created in the previous section
  6. Enter the Search Base (e.g., "ou=users,dc=company,dc=com") where PingFederate should start searching for your users
  7. Enter the Search Filter PF should use to identify a unique user, where ${username} is the value the end user provides. For AD this is typically "sAMAccountName=${username}". Note: for Sun/Oracle Directory Server the value is typically "uid=${username}".
  8. Click "Next"
  9. On the Summary screen choose "Done" then "Save".

Step 3 - Create a new IDP Adapter

  1. Navigate to "IdP Configuration | Adapters"
  2. Click on "Create New Instance"
  3. Assign your Adapter an Instance Name and Instance Id
  4. In the "Type" dropdown, for simplicity, choose "HTML Form IdP Adapter" and click "Next"
  5. On the following screen, select "Add a new row to 'Credential Validators'", choose the PCV you created in the previous step and click "Update".
  6. Ping has already populated most of the options on this screen. For this example, you can use the defaults. If needed, you can come back and change these options at anytime.
  7. Click "Next"
  8. On the "Extended Contract" screen, choose "Next"
  9. On the "Adapter Attributes" screen, place a checkmark in the "Pseudonym" column for "username" and click "Next"
  10. On the Summary Screen click "Done" and then "Save"
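Before wiring the adapter into an SSO flow it is worth confirming, outside PingFederate, that the Search Base and Search Filter from Step 2 actually resolve a test user. The script below is an added example and is not part of the original post or of PingFederate itself: it renders the PCV's filter template for a submitted username, escaping the value per RFC 4515 so that characters such as `*`, `(` and `)` cannot change the meaning of the filter, and builds the equivalent `ldapsearch` command to run by hand. The hostname, bind DN and search base are constructed placeholders; PingFederate's own handling of `${username}` is not reproduced here, the escaping is what any client building such a filter must do.

```python
"""Preflight check for a PingFederate LDAP Password Credential Validator setup.

Renders the PCV Search Filter template for a given username (escaping the
value per RFC 4515) and builds the matching ldapsearch command so the same
query can be tried manually against the directory before the adapter is used.
This is an illustrative helper, not PingFederate code.
"""
import shlex

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise user input could rewrite the filter itself.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe inclusion in an LDAP search filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def render_search_filter(template: str, username: str) -> str:
    """Substitute ${username} in a PCV-style filter template.

    The result is wrapped in parentheses if the template lacks them, which is
    the form ldapsearch and LDAP client libraries expect.
    """
    rendered = template.replace("${username}", escape_filter_value(username))
    if not rendered.startswith("("):
        rendered = f"({rendered})"
    return rendered


def ldapsearch_command(host: str, bind_dn: str, search_base: str,
                       template: str, username: str, use_ldaps: bool = True) -> str:
    """Build the ldapsearch invocation equivalent to the PCV's lookup.

    -W prompts for the bind password so it never lands in shell history;
    the subtree scope matches searching downward from the Search Base.
    """
    scheme = "ldaps" if use_ldaps else "ldap"
    args = [
        "ldapsearch", "-H", f"{scheme}://{host}", "-D", bind_dn, "-W",
        "-b", search_base, "-s", "sub",
        render_search_filter(template, username),
        "dn", "sAMAccountName",
    ]
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    # Constructed sample values; replace with your own directory's settings.
    host = "dc01.example.com"
    bind_dn = "cn=svc-pingfed,ou=service accounts,dc=example,dc=com"
    search_base = "ou=users,dc=example,dc=com"
    ad_template = "sAMAccountName=${username}"
    sun_template = "uid=${username}"

    print(render_search_filter(ad_template, "jdoe"))
    print(render_search_filter(sun_template, "jdoe"))
    # A hostile username is neutralised rather than becoming a wildcard match.
    print(render_search_filter(ad_template, "jdoe)(objectClass=*"))
    print(ldapsearch_command(host, bind_dn, search_base, ad_template, "jdoe"))
```

If the rendered `ldapsearch` returns exactly one entry for a known test user, the Search Base and Search Filter in the PCV are correct; zero results usually means the base DN is too narrow or the attribute name is wrong for your directory type, and more than one result means the filter is not selective enough to identify a unique user.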

That's it. Now you have an IdP Adapter that can perform a simple authentication against Active Directory. In order to use this Adapter, you'll need to add it to one of the Web SSO use cases that PingFederate supports (OpenID Connect, SAML 2.0, WS-Federation, SAML 1.1 or Adapter-2-Adapter Mapping) or use it for authentication to PingAccess resources.

Good luck! Ian Barnett Ping Identity Practice Director