Agentless Integration Kit

Overview of the identity provider integration

You can use the Agentless Integration Kit to extend your sign-on flow to include a custom authentication application.

Use case

Some proprietary, third-party, or complex authentication applications might not be covered by the ready-made solutions that are included with PingFederate or available in the Ping Identity Integration Directory.

The Agentless Integration Kit offers a flexible way to integrate any application into the PingFederate authentication flow. This allows you to use your existing application without needing to develop a custom adapter for PingFederate. The only requirement is that your application can make REST API calls.

High-level view of the sign-on flow

Your application gets information from PingFederate, performs any number of authentication steps, then passes the user back to PingFederate to complete the sign-on process.

A diagram showing the flow of information between the application, PingFederate, and the service provider.
  1. The user initiates the sign-on process, either at the identity provider (IdP) or service provider (SP).

  2. PingFederate starts the authentication policy, which can include any number of adapters or authentication steps.

  3. When the Reference ID IdP Adapter is triggered in the authentication policy, PingFederate sends a set of values to the application’s authentication endpoint, including the following:

    REF

    The unique reference ID that the application uses to pick up user attributes.

    resumePath

    The PingFederate URI that the application redirects the user to after authentication. This includes a random string that is unique to the user session.

    The application stores these values.

  4. The application makes a call to the Reference ID IdP Adapter to pick up any user attributes that PingFederate has associated with the reference ID, such as the user ID, LDAP attributes, tracked HTTP parameters, and any claims.

    The application stores these attributes.

  5. The application completes any number of authentication steps, then drops off resulting attributes to the Reference ID IdP Adapter using an HTTP POST call.

  6. PingFederate continues executing the authentication policy, now with access to the user attributes provided by the application. PingFederate provides a response to the service provider.

For a detailed description of the flow, see Overview of the identity provider SSO flow.
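
The values received in step 3 decide where the user's browser is sent after step 5, so the application should validate them before storing them and build the final redirect only from the stored copy. The following sketch is an added example, not code from PingFederate or the kit. It assumes that resumePath arrives as a path relative to the PingFederate base URL and that the drop-off reference is returned in a REF query parameter. PF_BASE_URL, the REF pattern, and all sample values are constructed.

```python
import re
from urllib.parse import urlsplit, urlencode

# Assumed deployment value: the only PingFederate base URL this application trusts.
PF_BASE_URL = "https://pf.example.com:9031"
# Assumed shape of a reference ID: an opaque URL-safe token (constructed rule).
REF_PATTERN = re.compile(r"^[A-Za-z0-9._-]{8,128}$")

class FlowError(ValueError):
    """Raised when a value received in step 3 fails validation."""

def validate_ref(ref):
    if not isinstance(ref, str) or not REF_PATTERN.fullmatch(ref):
        raise FlowError("REF is missing or malformed")
    return ref

def validate_resume_path(resume_path):
    """Accept only a server-relative path so the redirect cannot leave PingFederate."""
    if not isinstance(resume_path, str) or not resume_path.startswith("/"):
        raise FlowError("resumePath must be a server-relative path")
    if resume_path.startswith("//") or "\\" in resume_path:
        raise FlowError("resumePath must not be protocol-relative")
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in resume_path):
        raise FlowError("resumePath contains whitespace or control characters")
    parts = urlsplit(resume_path)
    if parts.scheme or parts.netloc or parts.query or parts.fragment:
        raise FlowError("resumePath must be a bare path")
    return resume_path

def start_flow(session, params):
    """Step 3: validate REF and resumePath, then keep them in the server-side session."""
    session["ref"] = validate_ref(params.get("REF"))
    session["resume_path"] = validate_resume_path(params.get("resumePath"))
    return session

def resume_url(session, dropoff_ref):
    """After step 5: build the redirect from the stored path, never from request input."""
    query = urlencode({"REF": validate_ref(dropoff_ref)})
    return f"{PF_BASE_URL}{session['resume_path']}?{query}"
```
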