PingGateway 2024.9

Single sign-on (SSO)

The following sections describe how to set up SSO for requests in the same domain:

To require users to authenticate in the correct realm for security reasons, configure SSO or CDSSO with a PolicyEnforcementFilter that refers to an AM policy where the realm is enforced. For an example, refer to Require authentication to a realm.

In SSO using the SingleSignOnFilter, PingGateway processes a request using AM authentication. PingGateway and the authentication provider must run on the same domain.

The following sequence diagram shows the flow of information during SSO between PingGateway and AM as the authentication provider.

sso
  • The browser sends an unauthenticated request to access the sample application.

  • PingGateway intercepts the request, and redirects the browser to AM for authentication.

  • AM authenticates the user, creates an SSO token.

  • AM redirects the request back to the original URI with the token in a cookie and the browser follows the redirect to PingGateway.

  • PingGateway validates the token it gets from the cookie. It adds the AM session info to the request and stores the SSO token in the context for downstream filters and handlers.

  • PingGateway forwards the request to the sample application and the sample application returns the requested resource to the browser.