Agentless Integration Kit

Overview of the identity provider SSO flow

With the Agentless Integration Kit, PingFederate includes your custom identity provider (IdP) application in the sign-on flow.

The following figure shows how your custom application is integrated into the sign-on process using the Reference ID IdP Adapter:

A diagram of the Agentless IdP SSO flow.

Processing steps

  1. Single sign-on (SSO) is initiated by the service provider (SP) or IdP.

    • SP-initiated SSO:

      1. Through the browser, the user tries to access a protected resource.

      2. The SP application starts an SP-initated SSO request.

      3. The SP sends a redirect action to the browser.

      4. The browser redirects to PingFederate with an authentication request to start an SP-initiated SSO request.

    • IdP-initiated SSO:

      • Through the browser, the user starts an IdP-initiated SSO request.

  2. PingFederate stores user-session attributes, including values from tracked HTTP parameters, and generates a reference value (ABC). Learn more in Development considerations.

  3. PingFederate sends a redirect action to the browser.

  4. The browser redirects to the IdP application with the reference value (ABC) and a resume path.

  5. The IdP application picks up the user-session attributes.

    1. The IdP application sends the reference value (ABC) to PingFederate and requests the user-session attributes.

    2. PingFederate verifies the reference value (ABC) and returns the user-session attributes, including values from tracked HTTP parameters, to the IdP application.

      You can find a list of all possible user-session attributes in the IdpAuthenticationAdapterV2 section of the PingFederate Javadocs at <pf_install>/PingFederate/sdk/doc/index.html.

      If you select Include Null Attributes in the adapter configuration, null attributes are included in the response from the pickup endpoint. Learn more in Reference ID IdP Adapter settings reference.

  6. The IdP application authenticates the user.

  7. The IdP application uses a back-channel call to authenticate to PingFederate and drop off the user-session attributes. Learn more in Authentication methods.

  8. PingFederate stores the user-session attributes and generates a second reference value (XYZ).

  9. PingFederate returns the second reference value (XYZ) to the IdP application using the back-channel call.

  10. The IdP application sends a redirect action to the browser.

  11. The browser redirects to the resume path with the second reference value (XYZ).

  12. PingFederate retrieves the user-session attributes associated with the second reference value (XYZ) and processes the request.

  13. PingFederate sends a redirect action to the browser and provides a security token and auto-POST form.

  14. The browser redirects to the SP to complete the SSO request.

  15. The SP completes the SSO request.

  16. The SP application returns the protected resource that the user requested.