Overview of the SSO flow
With the Intune Integration Kit, PingFederate reads the deviceId or userPrincipalName (UPN) attribute from the user's X.509 certificate and uses that value to retrieve the device's security posture from Microsoft Intune.
Description
- A user requests access to a resource from a device that is enrolled with Intune.
- The service provider (SP) redirects the request to PingFederate, which prompts the browser for the user's X.509 certificate.
- The PingFederate X.509 Certificate Adapter validates the certificate against a specified list of issuers or the server's list of trusted certificate authorities. This check is what makes the certificate attributes trustworthy: the deviceId or UPN is read from the certificate itself, so a certificate from an issuer outside that list must be rejected before either value is used. Depending on your configuration, the X.509 Certificate Adapter passes the deviceId or userPrincipalName (UPN) attribute to the Intune IdP Adapter.
- The Intune IdP Adapter contacts the Microsoft Graph API to look up the security posture. Intune returns one of the following results, depending on the Intune IdP Adapter instance configuration:
  - The security posture of the current device, based on the deviceId.
  - An aggregate security posture across all of the current user's devices, based on the userPrincipalName.
- The PingFederate authentication policy uses the result from Intune to determine whether the user is redirected to the requested resource.
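The steps above, worked through as an added example in stdlib-only Python. This is not PingFederate, Ping Identity or Intune Integration Kit code; it illustrates the three checks the flow depends on: extracting the UPN from the certificate's SubjectAltName otherName (Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3), refusing certificates whose issuer is not on an allow-list, and reducing a Graph-style managedDevices list to one posture, either for a single device (by azureADDeviceId) or aggregated over all of a user's devices (by UPN). The sample SAN, the issuer allow-list and the device records are constructed here; the aggregation rule (every device must be compliant) is an assumption, not PingFederate's documented behaviour.

```python
"""Added example (not PingFederate/Intune Integration Kit code): UPN extraction
from a SAN, issuer allow-listing, and device-vs-user posture lookup.
Sample data and the 'all devices must be compliant' rule are assumptions."""

MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"
TRUSTED_ISSUERS = {"CN=Contoso Intune Issuing CA"}   # constructed allow-list


# ---- minimal DER helpers --------------------------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:                       # base-128, high bit = continuation
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV at pos; handles long lengths."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def iter_tlvs(buf: bytes):
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        yield tag, body


# ---- UPN from SubjectAltName ---------------------------------------------
def build_san(upn: str) -> bytes:
    """Constructed sample: SAN holding one otherName { UPN-OID, [0] UTF8String }."""
    other = encode_oid(MS_UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8")))
    return tlv(0x30, tlv(0xA0, other))


def upn_from_san(san_der: bytes):
    """Return the UPN carried in a SAN extension value, or None if absent."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        return None
    for gn_tag, gn_body in iter_tlvs(names):
        if gn_tag != 0xA0:                 # only otherName ([0]) carries a UPN
            continue
        oid_tag, oid_body, pos = read_tlv(gn_body, 0)
        if oid_tag != 0x06 or decode_oid(oid_body) != MS_UPN_OID:
            continue
        val_tag, val_body, _ = read_tlv(gn_body, pos)
        str_tag, str_body, _ = read_tlv(val_body, 0)
        if val_tag == 0xA0 and str_tag == 0x0C:
            return str_body.decode("utf-8")
    return None


# ---- posture lookup over a Graph-style managedDevices list ----------------
def posture_by_device_id(devices, device_id: str) -> str:
    for d in devices:
        if d.get("azureADDeviceId") == device_id:
            return d.get("complianceState", "unknown")
    return "unknown"          # not enrolled: never treated as compliant


def posture_by_upn(devices, upn: str) -> str:
    """Assumed aggregation: compliant only if every one of the user's devices is."""
    mine = [d for d in devices if d.get("userPrincipalName", "").lower() == upn.lower()]
    if not mine:
        return "unknown"
    return "compliant" if all(d.get("complianceState") == "compliant" for d in mine) else "noncompliant"


def decide(issuer: str, san_der: bytes, devices) -> str:
    """Policy: trusted issuer AND compliant aggregate posture -> 'allow'."""
    if issuer not in TRUSTED_ISSUERS:
        return "deny"                     # never read attributes from an untrusted cert
    upn = upn_from_san(san_der)
    if upn is None:
        return "deny"
    return "allow" if posture_by_upn(devices, upn) == "compliant" else "deny"


# Constructed sample of what a managedDevices query might return.
SAMPLE_DEVICES = [
    {"azureADDeviceId": "d1", "userPrincipalName": "alice@contoso.example", "complianceState": "compliant"},
    {"azureADDeviceId": "d2", "userPrincipalName": "alice@contoso.example", "complianceState": "noncompliant"},
    {"azureADDeviceId": "d3", "userPrincipalName": "bob@contoso.example", "complianceState": "compliant"},
]

if __name__ == "__main__":
    san = build_san("bob@contoso.example")
    print(upn_from_san(san), decide("CN=Contoso Intune Issuing CA", san, SAMPLE_DEVICES))
```

The issuer check runs before any attribute is read, which is the order the adapter chain above enforces: an attacker who can mint a certificate carrying someone else's UPN gains nothing unless the issuing CA is on the trusted list. The per-user aggregate is deliberately strict; in a deviceId-based deployment a user with one noncompliant device would still be admitted from a compliant one, whereas the UPN mode, under the assumption made here, blocks them everywhere.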