You can use PingID for PingFederate:

  • As a primary, secondary, or passwordless authentication solution for federated single sign-on (SSO).
  • As a primary, secondary, or passwordless authentication solution when PingFederate is your PingOne identity bridge.

The process involves:

  1. Registering the PingID service
  2. Installing the PingID Integration Kit for PingFederate
  3. PingFederate
  4. Configuring an IdP adapter instance in PingFederate
  5. Configuring a PingID Adapter instance
  6. Creating a PingFederate policy contract, and creating a PingFederate policy for the relevant solution:

The following diagrams provide a pictorial representation of each authentication solution.

Primary authentication


Diagram of PingID as the primary authentication solution for PingFederate.
  1. The user initiates the sign-on process in the browser at the service provider (SP).
  2. The SP sends the authentication request to PingFederate.
  3. PingFederate starts the authentication policy using either:
    • an identity provider (IdP) adapter for primary authentication
    • an IdP adapter for primary authentication and a PingID adapter for secondary authentication
  4. PingFederate routes the authentication request to the PingID service as the primary authentication or secondary authentication solution.
  5. The PingID service sends the authentication request to the PingID mobile app on the user’s device, and the user scans their fingerprint to authenticate.
  6. The PingID mobile app sends the authentication response to the PingID service.
  7. The PingID service sends the authentication response to PingFederate.
  8. PingFederate approves the authentication request and returns an access token to the SP.
  9. The SP authorizes sign on to the app in the user browser.
  10. The app signs the user on.

Secondary authentication


Diagram of PingID as the secondary authentication solution for PingFederate.
  1. The user initiates the sign-on process at the user browser.
  2. The user browser sends the SSO request to the SP.
  3. The SP sends the authentication request to PingFederate.
  4. PingFederate starts the authentication policy using an IdP adapter for primary authentication and PingID for secondary authentication with a PingID adapter.
  5. PingFederate routes the authentication request to the PingID service.
  6. The PingID service sends the authentication request to the PingID mobile app, and the user authenticates, for example, by scanning their fingerprint.
  7. The PingID mobile app sends the authentication response to the PingID service.
  8. The PingID service sends the authentication response to PingFederate.
  9. PingFederate approves the authentication response and returns an access token to the SP.
  10. The SP authorizes the app.
  11. The app signs the user on.

Passwordless authentication


Diagram of PingID as a passwordless authentication solution for PingFederate.
  1. The user initiates the sign-on process in the browser at the SP.
  2. The SP sends the authentication request to PingFederate.
  3. PingFederate starts the authentication policy, which uses an IdP adapter for primary authentication. For more information, see Configuring a PingID Adapter instance.
  4. PingFederate sends the authentication request to the PingID service (PingOne).
  5. The PingID service (PingOne) sends the Web Authentication request to the user browser.
  6. The user browser sends the authentication request to the FIDO platform on the user’s FIDO-compatible device (for example, Windows Hello, iOS and Android devices, and so on), and the user uses biometrics to authenticate.
  7. The FIDO platform sends the authentication approval to the user browser.
  8. The user browser sends the authentication approval response to the PingID service (PingOne) using the Web Authentication protocol.
  9. The PingID service (PingOne) sends the authentication response to PingFederate.
  10. PingFederate returns an access token to the SP.
  11. The SP authorizes sign on to the app in the user browser.
  12. The app signs the user on.
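
The checks a Web Authentication relying party applies to the approval response before it is accepted (steps 8 and 9), following the W3C WebAuthn assertion verification procedure. This is an added example, not PingID or PingFederate code; the function names, origin, RP ID, challenge, and key pair are constructed for illustration.

```javascript
const { createHash, generateKeyPairSync, sign, verify } = require("node:crypto");
const sha256 = (data) => createHash("sha256").update(data).digest();

// Returns "ok" or the name of the first failed check.
// `expected` holds what the relying party stored for this user and session.
function verifyAssertion(assertion, expected) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString("utf8"));
  if (clientData.type !== "webauthn.get") return "wrong-type";
  if (clientData.challenge !== expected.challenge) return "challenge-mismatch"; // replayed response
  if (clientData.origin !== expected.origin) return "origin-mismatch"; // look-alike site

  const authData = assertion.authenticatorData;
  if (authData.length < 37) return "authdata-too-short";
  // Bytes 0..31: SHA-256 of the RP ID the authenticator scoped the credential to.
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpid-mismatch";
  const flags = authData[32];
  if (!(flags & 0x01)) return "user-not-present"; // UP bit
  if (!(flags & 0x04)) return "user-not-verified"; // UV bit: the biometric or PIN check
  // Bytes 33..36: signature counter; a value that does not increase suggests a cloned key.
  const signCount = authData.readUInt32BE(33);
  if ((signCount !== 0 || expected.storedSignCount !== 0) && signCount <= expected.storedSignCount)
    return "sign-count-regression";

  // The authenticator signs authenticatorData || SHA-256(clientDataJSON).
  const signedData = Buffer.concat([authData, sha256(assertion.clientDataJSON)]);
  if (!verify("sha256", signedData, expected.publicKey, assertion.signature)) return "bad-signature";
  return "ok";
}

// Constructed sample data: a throwaway P-256 credential and a stand-in authenticator.
const { publicKey, privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
const expected = {
  challenge: "c2FtcGxlLWNoYWxsZW5nZQ", origin: "https://login.example.com",
  rpId: "login.example.com", storedSignCount: 6, publicKey,
};
function makeAssertion({ origin, challenge, flags = 0x05, signCount = 7 }) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: "webauthn.get", challenge, origin }));
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(signCount);
  const authenticatorData = Buffer.concat([sha256(expected.rpId), Buffer.from([flags]), counter]);
  const signature = sign("sha256", Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

const genuine = makeAssertion({ origin: expected.origin, challenge: expected.challenge });
const phished = makeAssertion({ origin: "https://login.example.net", challenge: expected.challenge });
console.log(verifyAssertion(genuine, expected), verifyAssertion(phished, expected));
```

The origin and RP ID checks are what bind the response to the legitimate sign-on page, and the UV flag is the only evidence of the biometric step when no password is involved.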

Managing users

After you integrate PingID with PingFederate, use the PingOne admin portal to manage users. For more information, see PingID User Life Cycle Management.