Overview of the SSO flow
With the Magic Link Integration Kit, PingFederate sends a one-time link to the user as part of the sign-on flow.
Same device SSO flow description
The following figure shows how the Magic Link IdP Adapter is integrated into the sign-on process when the user authenticates on the same device:
-
The user initiates single sign-on with PingFederate.
-
The adapter gets the user’s contact information from a data store, an incoming user ID, or an attribute from earlier in the authentication flow.
-
The adapter sends the user a one-time link in an email and presents the user with a template that instructs them to check their email.
-
The user opens their email clicks the magic link in their inbox on the same device that they used to initiate the sign-on process.
-
If Show Confirmation is enabled, the adapter presents the user with a template that requires user interaction to confirm authentication.
-
The adapter validates whether the user has clicked the magic link.
-
PingFederate grants access to the requested resource in the window where the user initiated the sign-on process.
Different device SSO flow description
The following figure shows how the Magic Link IdP Adapter is integrated into the sign-on process when the user authenticates on a different device:
-
The user initiates single sign-on with PingFederate on one device, such as their laptop.
-
The adapter gets the user’s contact information from a data store, an incoming user ID, or an attribute from earlier in the authentication flow.
-
The adapter sends the user a one-time link in an email and presents the user with a template that instructs them to check their email.
-
The user clicks the magic link in their inbox on a different device, such as their phone.
-
If Show Confirmation is enabled, the adapter presents the user with a template that requires user interaction to confirm authentication on their secondary device.
-
The adapter validates whether the user has clicked the magic link.
-
PingFederate grants access to the requested resource on the user’s original device, in the window where the user initiated the sign-on process.
-
The adapter directs the user to close the page on their secondary device and continue on their original device.