When the PingFederate Identity Provider (IdP) server receives an authentication request for Service Provider-initiated SSO or a user clicks a hyperlink for IdP-initiated SSO, PingFederate invokes the Kerberos Adapter and returns to the browser an HTTP 401 Unauthorized response. When PingFederate receives a Kerberos ticket from the browser, it validates the ticket against the domain defined in the Kerberos Adapter configuration. If validation succeeds, PingFederate retrieves the username, the domain, and the security identifiers (ObjectSID and SIDs) from the ticket; generates a SAML assertion with the username and optionally the associated domain, security identifiers, or both; and passes it to the SP.

Note:

The Kerberos Adapter supports authentications by Kerberos only.