Overview of the identity provider integration
You can use the Agentless Integration Kit to extend your sign-on flow to include a custom authentication application.
Use case
Some proprietary, third-party, or complex authentication applications might not be covered by the ready-made solutions that are included with PingFederate or available in the Ping Identity Integration Directory.
The Agentless Integration Kit offers a flexible way to integrate any application into the PingFederate authentication flow. This allows you to use your existing application without needing to develop a custom adapter for PingFederate. The only requirement is that your application can make REST API calls.
High-level view of the sign-on flow
Your application gets information from PingFederate, performs any number of authentication steps, then passes the user back to PingFederate to complete the sign-on process.

- The user initiates the sign-on process, either at the identity provider (IdP) or service provider (SP).
- PingFederate starts the authentication policy, which can include any number of adapters or authentication steps.
- When the Reference ID IdP Adapter is triggered in the authentication policy, PingFederate sends a set of values to the application’s authentication endpoint, including the following:
  - REF: The unique reference ID that the application uses to pick up user attributes.
  - resumePath: The PingFederate URI that the application redirects the user to after authentication. This includes a random string that is unique to the user session.

  The application stores these values.
- The application makes a call to the Reference ID IdP Adapter to pick up any user attributes that PingFederate has associated with the reference ID, such as the user ID, LDAP attributes, tracked HTTP parameters, and any claims.
  The application stores these attributes.
- The application completes any number of authentication steps, then drops off resulting attributes to the Reference ID IdP Adapter using an HTTP POST call.
- PingFederate continues executing the authentication policy, now with access to the user attributes provided by the application. PingFederate provides a response to the service provider.
For a detailed description of the flow, see Overview of the identity provider SSO flow.
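The following Python code is an added example, not code from Ping Identity or the Agentless Integration Kit. It shows one way an application could store REF and resumePath per session and validate resumePath before redirecting the user back, so that the hand-back step cannot be used as an open redirect. `PF_BASE_URL`, `REF_PATTERN`, `HandoffError`, `PendingSignOns`, and the sample values are assumptions made for illustration.

```python
import re

# Assumption: the application's configured PingFederate base URL (constructed value).
PF_BASE_URL = "https://pf.example.com:9031"
# Assumption: reference IDs are opaque tokens; this allowlist is illustrative.
REF_PATTERN = re.compile(r"^[A-Za-z0-9._~-]{1,256}$")

class HandoffError(ValueError):
    """Raised when values received at the authentication endpoint are unusable."""

def validate_resume_path(resume_path):
    """Accept only a server-relative path, so the final redirect stays on PingFederate."""
    if not isinstance(resume_path, str) or not resume_path.startswith("/"):
        raise HandoffError("resumePath must be a server-relative path")
    # "//host" and "/\host" are treated by browsers as references to another host.
    if resume_path.startswith("//") or "\\" in resume_path:
        raise HandoffError("resumePath must not name another host")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in resume_path):
        raise HandoffError("resumePath contains control characters")
    return resume_path

class PendingSignOns:
    """Keeps REF and resumePath bound to the application session that received them."""

    def __init__(self):
        self._by_session = {}

    def store(self, session_id, params):
        """Validate and store both values; return REF for the attribute pick-up call."""
        ref = params.get("REF") or ""
        if not REF_PATTERN.fullmatch(ref):
            raise HandoffError("REF is missing or malformed")
        path = validate_resume_path(params.get("resumePath"))
        self._by_session[session_id] = (ref, path)
        return ref

    def resume_url(self, session_id):
        """Single use: the stored values are removed once the user is sent back."""
        entry = self._by_session.pop(session_id, None)
        if entry is None:
            raise HandoffError("no pending sign-on for this session")
        # The host always comes from configuration, never from the request.
        return PF_BASE_URL + entry[1]

if __name__ == "__main__":
    store = PendingSignOns()
    # Constructed sample values, not taken from a real PingFederate deployment.
    store.store("session-1", {"REF": "A1B2C3", "resumePath": "/idp/abc123/resume"})
    print(store.resume_url("session-1"))
```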