Overview of the SSO flow
With the ID DataWeb Integration Kit, PingFederate includes the ID DataWeb API in the sign-on flow.
The following figure shows how the ID DataWeb API is integrated into the sign-on process:
Description
1. A user initiates the sign-on process by requesting access to a protected resource.
2. Depending on the device profiling method, the ID DataWeb IdP Adapter or a previous authentication adapter retrieves the latest JavaScript from ThreatMetrix, which collects the device profile and sends it back to ThreatMetrix. The adapter can also collect user attributes. For the "previous adapter" method, this takes place at the same time as step 1.
3. The ID DataWeb IdP Adapter sends the device profile identifier and any user attributes to the ID DataWeb API and requests the policy decision ("approve", "obligation", or "deny").
4. The ID DataWeb API returns a JSON payload with the policy decision and other attributes to the ID DataWeb IdP Adapter.
5. The ID DataWeb IdP Adapter makes the policy decision and contract attributes available in the PingFederate authentication policy.
6. PingFederate executes the authentication policy, which branches based on the policy decision provided by the ID DataWeb IdP Adapter.
7. PingFederate returns the resource that the user requested.
8. If Update Device Trust is enabled in the adapter instance configuration, the ID DataWeb IdP Adapter notifies ID DataWeb that the device is trustworthy. This gives the device a better trust score for subsequent sign-on attempts.
   If Update Device Trust Using User Consent is enabled in the adapter configuration and the user checks This is my device in the HTML form adapter when authenticating, the ID DataWeb IdP Adapter notifies ID DataWeb that the device is trustworthy.
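The policy-decision branching and the two Update Device Trust settings described above, modelled as an added example (this is not PingFederate or ID DataWeb code). The JSON key `policyDecision` is a hypothetical name because this page does not give the payload schema. Failing closed on malformed or unknown responses, and reporting trust only after a completed sign-on, are assumptions of the example.

```python
import json

# The three decisions named on this page; anything else is treated as "deny".
DECISIONS = {"approve", "obligation", "deny"}


def policy_branch(raw_payload, decision_field="policyDecision"):
    """Return the authentication-policy branch for an API response body.

    decision_field is a hypothetical key name (the schema is not on this page).
    Malformed JSON, a missing key, a non-string value or an unknown value
    all fail closed to "deny" (an assumption of this example).
    """
    try:
        payload = json.loads(raw_payload)
    except (TypeError, ValueError):
        return "deny"
    if not isinstance(payload, dict):
        return "deny"
    decision = payload.get(decision_field)
    if isinstance(decision, str) and decision in DECISIONS:
        return decision
    return "deny"


def should_update_device_trust(sign_on_completed, update_device_trust,
                               update_using_consent, user_checked_my_device):
    """Decide whether the adapter reports the device as trustworthy.

    Assumption: trust is reported only once sign-on has completed.
    """
    if not sign_on_completed:
        return False
    if update_device_trust:
        return True
    return bool(update_using_consent and user_checked_my_device)


# Constructed sample responses (not captured from the real API).
SAMPLES = [
    '{"policyDecision": "approve"}',
    '{"policyDecision": "obligation"}',
    '{"policyDecision": "APPROVED"}',   # unknown value
    '{"status": "ok"}',                 # decision missing
    'not json',                         # malformed body
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(f"{body!r:40} -> {policy_branch(body)}")
```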