SP single sign-on (using account linking)
If an SP’s SSO implementation employs account linking, the flow of events is slightly different since a user must authenticate to the SP application the first time SSO is initiated. (For more information, see Key Concepts in the PingFederate documentation). In this case, PingFederate and the OpenToken Adapter support an integration mechanism to redirect the user to an Account Link Service to which a user can initially authenticate. Upon successful authentication, the account link service must redirect the user back to PingFederate with an OpenToken, which PingFederate uses to create an account link for the user. For subsequent SSO requests, PingFederate uses the account link established in the first SSO request to identify the user. It then creates an OpenToken and sends it to the Authentication Service associated with the application.
The following diagram shows the flow of SP SSO using account linking:
Sequence
1. PingFederate receives an assertion under either the SAML 2.0 or WS-Federation protocol.
2. If this is the first time the user has initiated SSO to this SP, PingFederate redirects the browser to the Application Server’s Account Link Service, where the user must authenticate. Upon successful authentication, an OpenToken is returned to PingFederate, and an account link is established for this user within PingFederate. This account link is used on subsequent SSO transactions.
3. PingFederate retrieves the local user ID from its account link data store. PingFederate’s OpenToken Adapter generates an OpenToken based on the assertion and account link. PingFederate then redirects the user’s browser to the web application’s SSO Authentication Service, passing the OpenToken in the redirect.
4. The Authentication Service extracts the contents of the OpenToken, establishes a session for the user, and redirects the user’s browser to the Target Resource (the resumePath URL is sent as a query parameter).
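As an added illustration (not PingFederate's or the OpenToken Adapter's own code), the following Python models the four steps above: the SP-side account link store keyed by IdP issuer and assertion subject, the first-time redirect to the Account Link Service, the link being recorded only after the returned token verifies, and the Authentication Service consuming the token before redirecting to the resumePath. The application URLs and shared key are assumptions, and an HMAC-signed JSON blob stands in for the real OpenToken format.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values: application URLs and the key shared with the OpenToken Adapter are assumptions.
ACCOUNT_LINK_SERVICE = "https://app.example.com/accountlink"
AUTH_SERVICE = "https://app.example.com/sso/authenticate"
SHARED_KEY = b"constructed-demo-key"

def make_token(local_user):
    """HMAC-protected stand-in for an OpenToken (not the real OpenToken format), valid 60 s."""
    body = json.dumps({"subject": local_user, "exp": time.time() + 60}).encode()
    mac = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()

def read_token(token):
    """Return the claims only if MAC and expiry check out; otherwise None."""
    raw = base64.urlsafe_b64decode(token)
    body, mac = raw[:-32], raw[-32:]
    if not hmac.compare_digest(mac, hmac.new(SHARED_KEY, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] >= time.time() else None

class SpPingFederate:
    def __init__(self):
        self.account_links = {}  # (IdP issuer, assertion subject) -> local user ID

    def receive_assertion(self, issuer, subject, resume_path):
        if (issuer, subject) not in self.account_links:
            # Step 2: no link yet, so the user must authenticate at the Account Link Service
            return ACCOUNT_LINK_SERVICE + "?" + urlencode({"resumePath": resume_path})
        # Step 3: link exists; issue a token carrying the linked local user ID
        token = make_token(self.account_links[(issuer, subject)])
        return AUTH_SERVICE + "?" + urlencode({"opentoken": token, "resumePath": resume_path})

    def account_link_callback(self, issuer, subject, token):
        """Record the link only if the token returned by the Account Link Service verifies."""
        claims = read_token(token)
        if claims is None:
            return None
        self.account_links[(issuer, subject)] = claims["subject"]
        return claims["subject"]

def authentication_service(redirect_url):
    """Step 4: extract the token, establish a session, return it with the Target Resource."""
    params = parse_qs(urlsplit(redirect_url).query)
    claims = read_token(params["opentoken"][0])
    if claims is None:
        return None, None
    return {"user": claims["subject"]}, params["resumePath"][0]
```

A tampered token fails the MAC check and creates no account link, so a forged response from the Account Link Service cannot bind an IdP identity to a local account.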