Overview of the SSO flow
With the Workplace from Facebook Provisioner, PingFederate includes not used in this IK in the sign-on flow.
The following figure illustrates a service provider (SP)-initiated single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using the Workplace from Facebook Provisioner.
Description
-
The user opens a web application and chooses the Login with Workplace from Facebook option.
-
The sign-on link points to the Workplace from Facebook Provisioner, which redirects the browser…
-
…to Workplace from Facebook for authentication with a list of requested permissions.
The user authenticates their identity and then authorizes the requested permissions. Workplace from Facebook redirects the browser to the PingFederate Workplace from Facebook Provisioner authorization callback endpoint with an authorization code.
If the user fails to authenticate or does not authorize the request, the response includes an error code instead.
-
The Workplace from Facebook Provisioner makes an HTTP request to not used in this IK to obtain an access token. It provides the app ID and secret, and the authorization code. not used in this IK returns an access token.
-
The Workplace from Facebook Provisioner requests user information from not used in this IK. It provides the access token and an "app secret proof".
For information about the app secret proof, see Securing Graph API Requests in the Workplace from Facebook documentation.
-
PingFederate redirects the user to the web application with the user information from Workplace from Facebook.