---
title: Overview of the SSO flow
description: The following figure illustrates an example SSO process flow.
component: google
page_id: google:google_chrome_enterprise_integration_kit:pf_google_chrome_enterprise_ik_sso_flow
canonical_url: https://docs.pingidentity.com/integrations/google/google_chrome_enterprise_integration_kit/pf_google_chrome_enterprise_ik_sso_flow.html
revdate: August 21, 2025
---

# Overview of the SSO flow

The following figure illustrates an example SSO process flow.

![A diagram illustrating a typical sign-on process leveraging the Google Chrome Enterprise Integration Kit.](_images/enterprise-sso-flow-diagram.png)

1. A user initiates the sign-on process by requesting access to a protected resource.

2. The Google Chrome Enterprise Device Trust IdP Adapter determines if the incoming request is from the Google Chrome Enterprise browser.

   You can find more information about what happens with requests originating from any source in [Using Chrome device signals](pf_google_chrome_enterprise_ik_using_chrome_device_signals.html).

3. If the user's browser is Google Chrome Enterprise (Managed), the adapter makes a backend call to the Chrome Verified Access API endpoint to generate a challenge.

4. The adapter sends a `302` redirect to the PingFederate resume path with the challenge set in the response header.

5. The Google Chrome Enterprise browser processes the challenge and sets the response in the resume path request header.

6. The adapter finds the challenge response set by the browser and makes a backend call to the Chrome Verified Access API endpoint to verify the response.

7. The Chrome Verified Access API verifies the response.

8. After successful verification, the adapter has access to the device signals from the browser.

9. The adapter uses the decoded device signals to fulfill the core contract for the authentication policy for subsequent decision-making.