Overview of the SSO flow
With the PingOne Risk Integration Kit, PingFederate includes PingOne Risk in the sign-on flow.
The following figure shows how PingOne Risk is integrated into the sign-on process:
Description
- A user initiates the sign-on process by requesting access to a protected resource.
- When device profiling is enabled, one of the following occurs, depending on the device profiling method:
  - An adapter that is earlier in the authentication flow runs a script that creates a device profile. The script passes the device profile to the PingOne Risk IdP Adapter in a series of HTTP cookies.
  - The PingOne Risk IdP Adapter creates a device profile.
- The PingOne Risk IdP Adapter collects transaction information, such as the user’s IP address.
- The adapter sends the transaction information and optional device profile to PingOne Risk.
- PingOne Risk returns a JSON payload with the risk result and other information, such as the IP reputation, to the adapter.
- The PingOne Risk IdP Adapter makes the risk result and other information available in the PingFederate authentication policy.
- PingFederate executes the authentication policy, which branches based on the risk result provided by the adapter.
- PingFederate returns the resource that the user requested.
- The adapter notifies PingOne Risk whether authentication ultimately succeeded. This helps PingOne Risk evaluate subsequent sign-on attempts.
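
The policy branch on the risk result and the final success notification, sketched as an added example (not PingFederate or Ping Identity code). The JSON field names, risk levels, branch names, and the fail-closed default are assumptions, since the page does not specify them.

```python
import json

# Hypothetical risk levels and policy branches; the page names neither.
BRANCHES = {"LOW": "allow", "MEDIUM": "step_up_mfa", "HIGH": "deny"}
# Assumption: an unusable risk result demands stronger authentication
# instead of silently granting access.
FAIL_CLOSED = "step_up_mfa"


def select_branch(raw_payload):
    """Return (branch, reason) for the JSON text received from the risk service."""
    try:
        payload = json.loads(raw_payload)
    except (TypeError, ValueError):
        return FAIL_CLOSED, "unparseable payload"
    result = payload.get("result") if isinstance(payload, dict) else None
    level = result.get("level") if isinstance(result, dict) else None
    if not isinstance(level, str) or level.upper() not in BRANCHES:
        return FAIL_CLOSED, "missing or unknown risk level"
    return BRANCHES[level.upper()], "risk level " + level.upper()


def completion_event(evaluation_id, branch, second_factor_ok=False):
    """Build the last-step notification: did sign-on ultimately succeed?"""
    succeeded = branch == "allow" or (branch == "step_up_mfa" and second_factor_ok)
    # Constructed message shape, not the real PingOne Risk API format.
    return {"evaluationId": evaluation_id,
            "status": "SUCCESS" if succeeded else "FAILED"}


# Constructed sample payloads: two well-formed, one incomplete, one not JSON.
SAMPLES = [
    '{"id": "eval-1", "result": {"level": "LOW"}}',
    '{"id": "eval-2", "result": {"level": "high"}, "details": {"ipReputation": "poor"}}',
    '{"id": "eval-3", "result": {}}',
    'upstream timeout',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        branch, reason = select_branch(raw)
        print(branch, "-", reason)
```

Reporting the final outcome separately from the risk level matters because a medium-risk attempt that passes a second factor and one that fails it are different signals for later evaluations.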