Workspace ONE UEM Integration Kit

Overview of the SSO flow

The following figure shows a basic SSO scenario in which a PingFederate server authenticates users to an SP application using the Workspace ONE IdP Adapter.

Description

  1. A user with a Workspace ONE enrolled device requests access to an SP resource. The request is redirected to PingFederate to perform X.509 authentication.

  2. The browser requests the user’s X.509 certificate. The PingFederate X.509 Certificate Adapter validates the certificate against a list of issuers. If no issuers are specified in the adapter setup, it uses the server’s list of trusted CAs instead.

  3. PingFederate validates the certificate, then passes the device ID from the certificate to the Workspace ONE IdP Adapter.

  4. PingFederate contacts the Workspace ONE API and provides the device ID to get information about the device’s security posture.

  5. The result of the authentication is returned, and if successful, the user is redirected to the requested resource.
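
The following is an added sketch, not PingFederate or Workspace ONE code, that models steps 2 to 5 as a decision that denies on any unexpected outcome. The certificate model, the `posture_lookup` callback, the `compliant` field, the deny-on-error behaviour and all sample values are assumptions; it shows that leaving the adapter's issuer list empty widens acceptance to every CA the server trusts.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class ClientCert:
    """Stand-in for a client certificate whose chain has already been verified."""
    issuer_dn: str
    device_id: Optional[str]  # assumption: already extracted from the certificate

def effective_issuers(adapter_issuers: set[str], server_trusted_cas: set[str]) -> set[str]:
    # Step 2: with no issuers configured on the adapter, the server's trusted CAs apply.
    return adapter_issuers if adapter_issuers else server_trusted_cas

def authenticate(cert: ClientCert, adapter_issuers: set[str], server_trusted_cas: set[str],
                 posture_lookup: Callable[[str], Optional[dict]]) -> tuple[bool, str]:
    """Walk steps 2-5 and fail closed: every unexpected outcome is a denial."""
    if cert.issuer_dn not in effective_issuers(adapter_issuers, server_trusted_cas):
        return False, "issuer not accepted"
    if not cert.device_id:                        # step 3 has nothing to pass on
        return False, "no device ID"
    try:
        posture = posture_lookup(cert.device_id)  # step 4
    except Exception:
        return False, "posture lookup failed"     # an API outage must not grant access
    if posture is None:
        return False, "unknown device"
    if posture.get("compliant") is not True:      # hypothetical field name
        return False, "device not compliant"
    return True, "ok"                             # step 5: redirect to the resource

# Constructed sample data (not real CAs, devices or API responses).
DEVICE_CA = "CN=Example Device CA"
WEB_CA = "CN=Example Web CA"
SERVER_TRUSTED = {DEVICE_CA, WEB_CA}
POSTURE = {"dev-001": {"compliant": True}, "dev-002": {"compliant": False}}

def lookup(device_id: str) -> Optional[dict]:
    return POSTURE.get(device_id)

def broken_lookup(device_id: str) -> Optional[dict]:
    raise ConnectionError("API unreachable")

if __name__ == "__main__":
    for cert in (ClientCert(DEVICE_CA, "dev-001"), ClientCert(DEVICE_CA, "dev-002"),
                 ClientCert(WEB_CA, "dev-001")):
        print(cert, authenticate(cert, {DEVICE_CA}, SERVER_TRUSTED, lookup),
              authenticate(cert, set(), SERVER_TRUSTED, lookup))
```

In the sample run, the certificate issued by the constructed web CA is rejected when the adapter lists only the device CA, and accepted when the adapter's issuer list is empty.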