Microsoft EAM Integration Kit

Overview of the SSO flow

The following figure demonstrates an example single sign-on (SSO) process flow.

A diagram illustrating a typical sign-on process leveraging the integration kit.

In summary:

  1. A user initiates the sign-on process by requesting access to an application that’s protected by Microsoft Entra ID.

  2. The user authenticates with Microsoft Entra ID using a primary authentication method.

  3. Microsoft Entra ID makes an OpenID Connect (OIDC) request to PingFederate for secondary authentication.

  4. PingFederate validates the OIDC request, then sets the id_token_hint and claims provided by Microsoft Entra ID as tracked parameters.

  5. The Microsoft EAM IdP Adapter picks up the id_token_hint and claims; validates the id_token_hint; then sets the sub, acr, and amr values for downstream adapters like PingID.

  6. The downstream adapter requests a second authentication factor from the user.

  7. The user authenticates with the downstream adapter using a secondary authentication method.

  8. The downstream adapter returns the amr and acr values that were actually used to PingFederate.

  9. PingFederate sends a response to Microsoft Entra ID with the id_token, including the sub, acr, and amr claims required by Microsoft Entra ID.

  10. Microsoft Entra ID validates the id_token, signature, and claims.

  11. Microsoft Entra ID grants the user access to the protected application.
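The token handling in steps 5, 8 and 9 above, as an added stand-alone example (not code from the integration kit): the adapter side validates the id_token_hint before trusting its sub, then the response id_token claims are assembled from the validated sub plus the acr/amr reported by the downstream adapter. The issuer, audience and claim values are constructed placeholders, and the signature is HS256 with a shared secret purely so the example runs offline; a real deployment verifies Microsoft Entra ID's RS256 signature against its published signing keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; real deployments take these from configuration.
SECRET = b"demo-shared-secret"             # stands in for Entra ID's signing key
EXPECTED_ISS = "https://idp.example/hint-issuer"   # assumed issuer of the hint
EXPECTED_AUD = "pingfederate-eam-client"           # assumed client_id of PingFederate
PF_ISSUER = "https://pingfederate.example"         # assumed PingFederate issuer


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(claims: dict) -> str:
    """Mint an HS256 JWT; used here only to construct a sample id_token_hint."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token_hint(token: str, now: int) -> dict:
    """Step 5: check alg, signature, iss, aud and exp before trusting sub."""
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # refuse alg confusion / 'none'
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("iss/aud mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def build_response_claims(hint: dict, adapter_result: dict, now: int) -> dict:
    """Steps 8-9: sub comes from the validated hint, acr/amr from the downstream adapter."""
    return {"iss": PF_ISSUER, "aud": hint["aud"], "sub": hint["sub"],
            "acr": adapter_result["acr"], "amr": list(adapter_result["amr"]),
            "iat": now, "exp": now + 300}
```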