Agentless Integration Kit

Overview of the service provider SSO flow

With the Agentless Integration Kit, PingFederate includes your custom service provider (SP) application in the sign-on flow.

The following figure shows how your custom application is integrated into the sign-on process using the Reference ID SP Adapter:

jrn1579905286339

Description

  1. The identity provider (IdP) sends a SAML assertion to PingFederate.

  2. PingFederate validates the assertion and temporarily captures the user-session attributes. The Reference ID SP Adapter generates a reference value (ABC). See Development considerations.

  3. PingFederate redirects the browser…​

  4. …​to the SP application with the reference value (ABC).

    The reference is included in the URL query string: https://target.example.com?REF=<referenceValue>

  5. The SP application sends the reference value (ABC) to PingFederate and requests the user-session attributes.

    The application makes the request through an authenticated direct HTTP call to the pickup endpoint: https://pingfederate.example.com:9031/ext/ref/pickup?REF=<referenceValue>

    The applications must authenticate to PingFederate using one of the three methods described in Authentication methods. If the authentication fails, the HTTP request results in an HTTP response 401 – Unauthorized status code message.

  6. PingFederate verifies the reference value (ABC) and returns the user-session attributes to the SP application in the HTTP response.

  7. The target application uses the attributes associated with the reference value to create a user session, which allows the user to access to the resource.