Azure AD Password Credential Validator
Password credential validators (PCVs) enable PingFederate administrators to define a centralized location for username or password validation, allowing various PingFederate configurations to reference PCV instances. The Azure AD Password Credential Validator uses the Microsoft Graph API for credential validation.
Features
- Allows sign-on with full usernames, such as john.smith@mydomain.com. Short usernames aren't supported.
- Returns an error message for failed sign-on attempts, such as one of the following:
  - invalid credentials
  - account is disabled
  - forced password change
- Supports non-federated single and multi-tenant Azure AD user accounts.
- Provides support for Azure AD Custom Properties (Directory Schema Extensions).
- Responses include all user group memberships.
Review the Azure AD Password Credential Validator's known issues and limitations before implementing these features.
Intended audience
This document is intended for PingFederate admins and application developers.
Learn more about the PCV setup process in the following PingFederate resources:
Learn more about the IdP adapter setup process in the following PingFederate resources:
Learn more about using PingFederate as an SP provider in the following PingFederate resources:
Learn more about Azure in the following Microsoft resources:
System requirements
- PingFederate 11.3 or later. Make sure you've configured either an HTTP Basic or HTML Form IdP Adapter instance. Learn more in Associating the PCV with an IdP adapter instance.
- A Microsoft Azure account with Active Directory or Active Directory B2C configured. Learn more about supported user account types in Known issues and limitations.
- An Azure AD application with the following permissions:
  - Microsoft Graph > Delegated Permission
    - Sign in and read user profile
    - Read directory data
- To allow PingFederate to make outbound connections to the Microsoft API, you might need to allow the following endpoints in your firewall:
  - Token endpoint: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
  - User attributes endpoint: https://graph.microsoft.com/v1.0/me/
  - Group membership endpoint: https://graph.microsoft.com/v1.0/me/memberOf
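The three endpoints above are the whole exchange the validator performs: prove the password at the token endpoint, read the user's profile from /me, then walk /me/memberOf for group memberships. The following Python script is an added example (not the PCV's own code, and not Ping Identity's) that models that exchange offline. It assumes the password is checked with the OAuth 2.0 resource owner password credentials grant (grant_type=password), which the page does not state; the AADSTS error codes are real catalog codes, but which code the validator maps to which of the three error messages is an assumption of this example. All HTTP traffic is replaced by constructed sample responses so the script runs without a tenant.

```python
import json
from urllib.parse import urlencode

# Endpoints named in the system requirements above
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ME_ENDPOINT = "https://graph.microsoft.com/v1.0/me/"
MEMBER_OF_ENDPOINT = "https://graph.microsoft.com/v1.0/me/memberOf"

# Assumption: the password is proved with the ROPC grant (grant_type=password).
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# AADSTS codes exist in the Azure AD error catalog; this mapping to the three
# PCV messages is an assumption of the example, not documented validator behaviour.
ERROR_MESSAGES = {50126: "invalid credentials", 50057: "account is disabled",
                  50055: "forced password change"}


def build_token_request(tenant, client_id, username, password):
    """Return (url, form-encoded body) for the ROPC token request."""
    url = TOKEN_ENDPOINT.format(tenant=tenant)
    body = urlencode({"grant_type": "password", "client_id": client_id,
                      "scope": GRAPH_SCOPE, "username": username, "password": password})
    return url, body


def classify_token_response(raw_json):
    """Map a token endpoint reply to ('ok', token) or ('failed', message)."""
    data = json.loads(raw_json)
    if "access_token" in data:
        return "ok", data["access_token"]
    for code in data.get("error_codes", []):   # numeric AADSTS codes
        if code in ERROR_MESSAGES:
            return "failed", ERROR_MESSAGES[code]
    return "failed", data.get("error", "unknown error")


def collect_groups(http_get, token):
    """Walk /me/memberOf, following @odata.nextLink, keeping only group objects."""
    groups, url = [], MEMBER_OF_ENDPOINT
    while url:
        body = json.loads(http_get(url, token))
        for obj in body.get("value", []):
            # memberOf also lists directoryRole / administrativeUnit objects
            if obj.get("@odata.type") == "#microsoft.graph.group":
                groups.append(obj["displayName"])
        url = body.get("@odata.nextLink")
    return groups


def validate(tenant, client_id, username, password, http_post, http_get):
    """PCV-style exchange; http_post/http_get are injected so it runs offline."""
    if "@" not in username:   # short usernames are not supported (see Features)
        return {"status": "failed", "message": "invalid credentials"}
    url, body = build_token_request(tenant, client_id, username, password)
    status, result = classify_token_response(http_post(url, body))
    if status != "ok":
        return {"status": "failed", "message": result}
    me = json.loads(http_get(ME_ENDPOINT, result))
    # Directory schema extension values arrive as extension_<appId>_<name> keys
    # (assumed to be present in the /me payload for this example)
    extensions = {k: v for k, v in me.items() if k.startswith("extension_")}
    return {"status": "ok", "userPrincipalName": me["userPrincipalName"],
            "displayName": me.get("displayName"), "extensions": extensions,
            "groups": collect_groups(http_get, result)}


# --- Constructed sample responses (not captured from a real tenant) ---
SAMPLE_TOKEN_OK = json.dumps({"token_type": "Bearer", "access_token": "constructed.token"})
SAMPLE_TOKEN_BAD = json.dumps({"error": "invalid_grant", "error_codes": [50126],
                               "error_description": "AADSTS50126: Error validating credentials"})
SAMPLE_ME = json.dumps({"id": "00000000-0000-0000-0000-000000000001",
                        "userPrincipalName": "john.smith@mydomain.com",
                        "displayName": "John Smith", "extension_abc123_costCenter": "R&D"})
SAMPLE_MEMBEROF_PAGE1 = json.dumps({
    "@odata.nextLink": MEMBER_OF_ENDPOINT + "?$skiptoken=constructed",
    "value": [{"@odata.type": "#microsoft.graph.group", "displayName": "Engineering"},
              {"@odata.type": "#microsoft.graph.directoryRole", "displayName": "Global Reader"}]})
SAMPLE_MEMBEROF_PAGE2 = json.dumps({
    "value": [{"@odata.type": "#microsoft.graph.group", "displayName": "VPN Users"}]})


def fake_post(url, body):
    """Offline stand-in for the token endpoint: one constructed password is accepted."""
    return SAMPLE_TOKEN_OK if "password=correct-horse" in body else SAMPLE_TOKEN_BAD


def fake_get(url, token):
    """Offline stand-in for the Graph GETs, including the second memberOf page."""
    if url == ME_ENDPOINT:
        return SAMPLE_ME
    return SAMPLE_MEMBEROF_PAGE1 if url == MEMBER_OF_ENDPOINT else SAMPLE_MEMBEROF_PAGE2


if __name__ == "__main__":
    for pw in ("correct-horse", "wrong"):
        print(validate("mydomain.com", "client-id-placeholder",
                       "john.smith@mydomain.com", pw, fake_post, fake_get))
```

Two points the script makes explicit: memberOf returns directory roles alongside groups, so the @odata.type filter is what turns the page's "all user group memberships" into an actual group list, and the results are paged, so a validator that ignores @odata.nextLink silently drops memberships for users in many groups.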