PingID Administration Guide

Integrate with PingID for PingFederate SSO

Integrate PingID as an authentication solution with PingFederate either as a federation solution or as an identity bridge.

You can use PingID for PingFederate:

  • As a secondary or passwordless authentication solution for federated single sign-on (SSO).

  • As a secondary or passwordless authentication solution when PingFederate is your PingOne identity bridge.

The process involves:

The following diagrams illustrate the secondary and passwordless authentication solutions.

Secondary authentication

Diagram of PingFederate as the secondary authentication solution for PingFederate.
  1. The user initiates the sign-on process at the user browser.

  2. The user browser sends the SSO request to the SP.

  3. The SP sends the authentication request to PingFederate.

  4. PingFederate starts the authentication policy using an IdP adapter for primary authentication and PingID for secondary authentication with a PingID adapter.

  5. PingFederate routes the authentication request to the PingID service.

  6. The PingID service sends the authentication request to the PingID mobile app, and the user authenticates, for example, by scanning their fingerprint.

  7. The PingID mobile app sends the authentication response to the PingID service.

  8. The PingID service sends the authentication response to PingFederate.

  9. PingFederate approves the authentication response and returns an access token to the SP.

  10. The SP authorizes the app.

  11. The app signs the user on.

Passwordless authentication

Diagram of PingFederate as a passwordless authentication solution for PingFederate.
  1. The user initiates the sign-on process in the browser at the SP.

  2. The SP sends the authentication request to PingFederate.

  3. PingFederate starts the authentication policy, which uses an IdP adapter for primary authentication. For more information, see Configuring a PingID Adapter instance.

  4. PingFederate sends the authentication request to the PingID service (PingOne).

  5. The PingID service (PingOne) sends the Web Authentication request to the user browser.

  6. The user browser sends the authentication request to the FIDO platform on the user’s FIDO-compatible device (for example, Windows Hello or iOS and Android devices), and the user uses biometrics to authenticate.

  7. The FIDO platform sends the authentication approval to the user browser.

  8. The user browser sends the authentication approval response using the Web Authentication protocol to the PingID service (PingOne).

  9. The PingID service (PingOne) sends the authentication response to PingFederate.

  10. PingFederate returns an access token to the SP.

  11. The SP authorizes sign on to the app in the user browser.

  12. The app signs the user on.
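
Steps 5 to 8 depend on the Web Authentication protocol. The following added example (not taken from the PingID documentation or from Ping Identity code) shows the context checks that the W3C Web Authentication specification requires a relying party to apply to the assertion returned in step 8: ceremony type, challenge, origin, RP ID hash, and the user-present and user-verified flags. The RP ID, origin, challenge and function names are constructed assumptions, and the signature check over the authenticator data and client data hash is left to a cryptographic library and not shown.

```python
import base64, hashlib, hmac, json, struct

# Constructed sample values (assumptions, not from the PingID documentation).
RP_ID = "sso.example.com"
ORIGIN = "https://sso.example.com"
CHALLENGE = bytes(range(32))  # the server stores this per request and uses it once

def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url as used in clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def check_assertion(client_data_json, auth_data, challenge, origin, rp_id, require_uv=True):
    """Return the list of failed context checks (an empty list means all passed)."""
    errors = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":       # must be an authentication ceremony
        errors.append("type")
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), challenge):
        errors.append("challenge")             # stale or replayed response
    if cd.get("origin") != origin:             # response produced on another site
        errors.append("origin")
    if len(auth_data) < 37:                    # rpIdHash(32) + flags(1) + counter(4)
        return errors + ["authData too short"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        errors.append("rpIdHash")
    flags = auth_data[32]
    if not flags & 0x01:                       # UP: user presence test passed
        errors.append("user-present")
    if require_uv and not flags & 0x04:        # UV: biometric or PIN verified
        errors.append("user-verified")
    return errors

def sample(origin=ORIGIN, flags=0x05, challenge=CHALLENGE):
    """Build a constructed clientDataJSON / authenticatorData pair for the demo."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + bytes([flags]) + struct.pack(">I", 7)
    return client_data, auth_data

if __name__ == "__main__":
    print(check_assertion(*sample(), CHALLENGE, ORIGIN, RP_ID))
    print(check_assertion(*sample(origin="https://sso.example.com.lookalike.test"),
                          CHALLENGE, ORIGIN, RP_ID))
```
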

Managing users

After you integrate PingID with PingFederate, use the PingOne admin portal to manage users. For more information, see PingID User Life Cycle Management.