--- title: Overview of the SSO flow description: The following figure shows a basic single sign-on (SSO) scenario in which a PingFederate server authenticates users to an service provider (SP) application using the MobileIron Adapter and X.509 Adapter. component: mobileiron page_id: mobileiron::pf_mobileiron_ik_overview_of_the_sso_flow canonical_url: https://docs.pingidentity.com/integrations/mobileiron/pf_mobileiron_ik_overview_of_the_sso_flow.html revdate: April 14, 2026 section_ids: description: Description --- # Overview of the SSO flow The following figure shows a basic single sign-on (SSO) *(tooltip: \
\

The process of authenticating an identity (signing on) at one website (usually with a user ID and password) and then accessing resources secured by other domains without reauthenticating.\

\
)* scenario in which a PingFederate server authenticates users to an service provider (SP) *(tooltip: \
\

In SAML, an entity that receives and accepts an authentication assertion issued by an IdP, typically for the purpose of allowing access to a protected resource.\

\
)* application using the MobileIron Adapter and X.509 Adapter. ![Diagram showing the SSO flow using the MobileIron Adapter.](_images/mobileiron-ik-sso-flow-overview-diagram.png) ## Description 1. A user requests access to an SP resource through a device enrolled with MobileIron. The request is redirected to PingFederate to perform X.509 authentication. 2. The browser requests the user's X.509 certificate. The PingFederate X.509 Certificate Adapter validates that certificate against a list of issuers. If you didn't specify any issuers during the adapter setup, the adapter uses the server's list of trusted certificate authorities instead. 3. During validation, the X.509 Certificate Adapter parses the device identifier from the certificate and passes it to the MobileIron Adapter. 4. The MobileIron Adapter uses the device identifier to contact the MobileIron Device API to retrieve the device's posture. 5. The API returns the result of the authentication. If authentication was successful, the user is redirected to the requested resource.