Intune Integration Kit

Overview of the SSO flow

With the Intune Integration Kit, PingFederate extracts the deviceId or userPrincipalName (UPN) attribute from the user’s X.509 certificate and uses that value to retrieve the device’s security posture from Microsoft Intune. Because the attribute is read from a certificate that PingFederate has already validated, the posture lookup is keyed on an identity the user cannot simply type in.

Diagram showing the SSO flow.

Description

  1. A user requests access to a resource by using a device that is enrolled with Intune.

  2. The service provider (SP) redirects the request to PingFederate, which requests the user’s X.509 certificate from the browser.

  3. The PingFederate X.509 Certificate Adapter validates the certificate against a specified list of issuers or the server’s list of trusted certificate authorities. Depending on your configuration, the X.509 Certificate Adapter passes either the deviceId or the userPrincipalName (UPN) attribute to the Intune IdP Adapter.

  4. The Intune IdP Adapter contacts the Microsoft Graph API to look up the user’s security posture information. Intune provides one of the following results depending on the Intune IdP Adapter instance configuration:

    • The security posture for the current device based on the deviceId.

    • An aggregate security posture for all of the current user’s devices based on the userPrincipalName.

  5. The PingFederate authentication policy uses the result from Intune to determine whether the user is redirected to the requested resource or denied access.
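The following is an added example that is not part of the Intune Integration Kit or PingFederate and does not reproduce the Intune IdP Adapter’s own logic. It models steps 4 and 5 of the flow above offline: a constructed, Graph-like list of managed devices (the field names id, userPrincipalName and complianceState follow the Microsoft Graph managedDevice resource, but every value is made up) is queried either by the deviceId from the certificate or by the UPN, and a policy decision is derived from the result. The aggregation rule for the UPN case (the user is compliant only when every enrolled device is compliant) and the fail-closed handling of unknown devices and non-compliant states are this example’s assumptions, not documented adapter behaviour.

```python
import json

# Constructed sample standing in for a Microsoft Graph managedDevices response.
# The shape follows Graph's managedDevice resource; the values are fictitious.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"id": "0b3f0c9e-1d3a-4c6b-9f11-1a2b3c4d5e01",
         "userPrincipalName": "alice@example.com",
         "deviceName": "ALICE-LAPTOP", "complianceState": "compliant"},
        {"id": "0b3f0c9e-1d3a-4c6b-9f11-1a2b3c4d5e02",
         "userPrincipalName": "alice@example.com",
         "deviceName": "ALICE-PHONE", "complianceState": "noncompliant"},
        {"id": "0b3f0c9e-1d3a-4c6b-9f11-1a2b3c4d5e03",
         "userPrincipalName": "bob@example.com",
         "deviceName": "BOB-LAPTOP", "complianceState": "compliant"},
    ]
})

# Only an explicit "compliant" state grants access. Graph also reports states such
# as inGracePeriod, unknown, error and conflict; this example (by assumption)
# treats all of them as a denial so that the policy fails closed.
ALLOW_STATES = frozenset({"compliant"})


def load_devices(graph_json: str) -> list[dict]:
    """Parse the JSON body of a managedDevices-style response into device records."""
    return json.loads(graph_json)["value"]


def device_posture(devices: list[dict], device_id: str) -> str:
    """Posture of the single device whose id matches the deviceId from the cert.

    A device that Intune does not know is reported as "unknown" rather than
    being silently treated as compliant.
    """
    for device in devices:
        if device.get("id") == device_id:
            return device.get("complianceState", "unknown")
    return "unknown"


def user_posture(devices: list[dict], upn: str) -> str:
    """Aggregate posture over all devices enrolled to the UPN from the cert.

    Assumed rule: the user is compliant only if every enrolled device is
    compliant; a user with no enrolled devices is "unknown".
    """
    states = [
        device.get("complianceState", "unknown")
        for device in devices
        if device.get("userPrincipalName", "").lower() == upn.lower()
    ]
    if not states:
        return "unknown"
    if all(state == "compliant" for state in states):
        return "compliant"
    return "noncompliant"


def policy_decision(posture: str) -> bool:
    """Step 5: allow the redirect to the resource only for an allowed posture."""
    return posture in ALLOW_STATES


def evaluate(graph_json: str, attribute: str, value: str) -> tuple[str, bool]:
    """Run the lookup for the attribute the X.509 adapter passed (deviceId or UPN)
    and return (posture, allowed)."""
    devices = load_devices(graph_json)
    if attribute == "deviceId":
        posture = device_posture(devices, value)
    elif attribute == "userPrincipalName":
        posture = user_posture(devices, value)
    else:
        raise ValueError(f"unsupported certificate attribute: {attribute}")
    return posture, policy_decision(posture)


if __name__ == "__main__":
    for attribute, value in (
        ("deviceId", "0b3f0c9e-1d3a-4c6b-9f11-1a2b3c4d5e01"),
        ("deviceId", "0b3f0c9e-1d3a-4c6b-9f11-1a2b3c4d5e02"),
        ("deviceId", "not-enrolled"),
        ("userPrincipalName", "alice@example.com"),
        ("userPrincipalName", "bob@example.com"),
    ):
        print(attribute, value, evaluate(SAMPLE_GRAPH_RESPONSE, attribute, value))
```

The two lookup modes give different answers for the same user: Alice’s laptop is compliant on its own, but her aggregate posture is non-compliant because her phone is not, which is the trade-off to weigh when choosing between passing deviceId and passing userPrincipalName from the certificate adapter. Whatever rule you configure in the real adapter, check that a device the Graph lookup cannot find, or a state other than compliant, denies access rather than defaulting to allow.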