Amazon

Overview of the SSO flow

With the Amazon Login Integration Kit, PingFederate includes an Amazon authentication server in the sign-on flow to access service provider (SP) applications.

The following diagram shows an SP-initiated SSO scenario in which PingFederate authenticates users to an SP application using the Amazon IdP Adapter.

Diagram showing SP-initiated SSO with PingFederate and Amazon.

Processing Steps

  1. The user opens a web application and selects the Amazon sign-on option.

  2. The sign-on link points to the PingFederate Amazon IdP Adapter, which redirects the browser to Amazon with a list of requested permissions and the authorization callback endpoint.

  3. On Amazon, the user authenticates their identity and then authorizes the requested permissions.

  4. Amazon redirects the browser to the PingFederate Amazon IdP Adapter authorization callback endpoint.

  5. Amazon includes an authorization code while redirecting the browser.

    If the user fails to authenticate or doesn’t authorize the request, the response includes an error code instead.

  6. PingFederate sends Amazon the client ID, client secret, authorization code, and the PingFederate authorization callback URL.

  7. Amazon returns an access token.

  8. PingFederate sends Amazon a request for user attributes and presents the access token.

  9. Amazon verifies the access token and provides the user information.

  10. PingFederate redirects the user to the web application with the user attributes.
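The ten steps above are an OAuth 2.0 authorization code exchange between the adapter and Amazon. The following Python script is an added example, not PingFederate's or Amazon's code: it models both sides of that exchange in memory so it runs offline. `FakeAmazon` stands in for Amazon's authorization server (steps 3 to 5, 6 to 7, 8 to 9) and `AmazonIdpAdapter` stands in for the adapter's role (steps 2, 5 to 10). The client ID, client secret, callback URL and user attributes are constructed placeholders; the authorization endpoint URL is Amazon's documented Login with Amazon endpoint and is assumed here, not taken from this page. Beyond the steps as listed, the example shows the checks a practitioner expects around them: the `state` value that ties a callback to a sign-on the adapter actually started, the `error` branch from step 5, and the single-use, redirect-bound authorization code that makes a replayed step 6 fail.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Login with Amazon authorization endpoint (assumed from Amazon's documentation, not from this page).
AMAZON_AUTHORIZE = "https://www.amazon.com/ap/oa"
# Constructed placeholder for the adapter's authorization callback endpoint.
CALLBACK_URL = "https://pf.example.com/pf/amazon_callback"


def query_params(url):
    """Flatten the query string of a redirect URL into a plain dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class FakeAmazon:
    """In-memory stand-in for Amazon's authorization server (constructed for this example)."""

    def __init__(self, client_id, client_secret, registered_redirect):
        self.client_id, self.client_secret = client_id, client_secret
        self.registered_redirect = registered_redirect
        self.codes = {}   # authorization code -> (user, redirect_uri it was issued for)
        self.tokens = {}  # access token -> user

    def authorize(self, params, user, approve=True):
        """Steps 3-5: the user signs in and approves (or not); Amazon redirects back with a code or an error."""
        if params.get("client_id") != self.client_id or params.get("redirect_uri") != self.registered_redirect:
            raise ValueError("unregistered client_id/redirect_uri: Amazon shows an error page instead of redirecting")
        if not approve:
            return params["redirect_uri"] + "?" + urlencode({"error": "access_denied", "state": params["state"]})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, params["redirect_uri"])
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Steps 6-7: back-channel code exchange; the code is single-use and bound to the redirect URI."""
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if form.get("client_id") != self.client_id or not secrets.compare_digest(form.get("client_secret", ""), self.client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.pop(form.get("code"), None)  # pop: a replayed code is no longer known
        if entry is None or entry[1] != form.get("redirect_uri"):
            return {"error": "invalid_grant"}
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry[0]
        return {"access_token": token, "token_type": "bearer", "expires_in": 3600}

    def profile(self, authorization_header):
        """Steps 8-9: verify the presented bearer token and return the user's attributes."""
        scheme, _, token = authorization_header.partition(" ")
        user = self.tokens.get(token) if scheme == "Bearer" else None
        if user is None:
            return 401, {"error": "invalid_token"}
        return 200, dict(user)


class AmazonIdpAdapter:
    """Stand-in for the adapter's role in the flow (constructed; not PingFederate's implementation)."""

    def __init__(self, amazon, client_id, client_secret, callback_url, scope="profile"):
        self.amazon, self.client_id, self.client_secret = amazon, client_id, client_secret
        self.callback_url, self.scope = callback_url, scope
        self.pending_states = set()  # one outstanding state value per sign-on this adapter started

    def start(self):
        """Step 2: build the redirect to Amazon with the requested permissions and the callback endpoint."""
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        query = {"client_id": self.client_id, "scope": self.scope, "response_type": "code",
                 "redirect_uri": self.callback_url, "state": state}
        return AMAZON_AUTHORIZE + "?" + urlencode(query)

    def callback(self, redirected_url):
        """Steps 5-10: validate the callback, exchange the code, fetch attributes for the application."""
        q = query_params(redirected_url)
        if q.get("state") not in self.pending_states:
            return {"status": "rejected", "reason": "unknown or reused state"}  # not a sign-on we started
        self.pending_states.discard(q["state"])
        if "error" in q:
            return {"status": "denied", "reason": q["error"]}  # step 5: sign-in failed or user declined
        tok = self.amazon.token({"grant_type": "authorization_code", "code": q.get("code", ""),
                                 "client_id": self.client_id, "client_secret": self.client_secret,
                                 "redirect_uri": self.callback_url})
        if "access_token" not in tok:
            return {"status": "failed", "reason": tok.get("error", "token exchange failed")}
        http_status, attrs = self.amazon.profile("Bearer " + tok["access_token"])
        if http_status != 200:
            return {"status": "failed", "reason": attrs.get("error", "profile request failed")}
        return {"status": "ok", "attributes": attrs}  # step 10: attributes returned to the web application


def run_flow(approve=True):
    """Drive one SP-initiated sign-on end to end with constructed sample identities."""
    amazon = FakeAmazon("client-id-EXAMPLE", "client-secret-EXAMPLE", CALLBACK_URL)
    adapter = AmazonIdpAdapter(amazon, "client-id-EXAMPLE", "client-secret-EXAMPLE", CALLBACK_URL)
    user = {"user_id": "amzn1.account.EXAMPLE", "name": "Ada Example", "email": "ada@example.com"}
    redirect_to_amazon = adapter.start()                                  # step 2
    back_to_adapter = amazon.authorize(query_params(redirect_to_amazon), user, approve)  # steps 3-5
    return adapter.callback(back_to_adapter)                              # steps 5-10


if __name__ == "__main__":
    print(run_flow(True))
    print(run_flow(False))
```

Running the script prints the attribute set for an approved sign-on and a `denied` result carrying Amazon's error code for a declined one. The `state` check is what lets the adapter discard a callback it never requested, and because `FakeAmazon.token` pops the code, presenting the same code a second time yields `invalid_grant` rather than a second access token.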