The following diagram shows a service provider (SP)-initiated single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using the Amazon IdP Adapter.
- The user opens a web application and selects the Amazon sign-on option.
- The sign-on link points to the PingFederate Amazon IdP Adapter, which redirects the browser...
- ...to Amazon with a list of requested permissions and the authorization callback endpoint. On Amazon, the user authenticates their identity and then authorizes the requested permissions.
- Amazon redirects the browser...
- ...to the PingFederate Amazon IdP Adapter authorization callback endpoint with an
If the user fails to authenticate or does not authorize the request, the response includes an error code instead.
- PingFederate sends Amazon the client ID, client secret, authorization code, and the PingFederate authorization callback URL.
- Amazon returns an access token.
- PingFederate sends Amazon a request for user attributes and presents the access token.
- Amazon verifies the access token and provides the user information.
- PingFederate redirects the user to the web application with the user attributes.