Overview of the SSO flow

With the Amazon Cloud Identity Connector, PingFederate includes a Amazon authentication server in the sign-on flow.

The following diagram shows a service provider (SP)-initiated single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using the Amazon IdP Adapter.

Amazon Cloud Identity Connector - Overview of the SSO flow

Processing Steps

The user opens a web application and selects the Amazon sign-on option.
The sign-on link points to the PingFederate Amazon IdP Adapter, which redirects the browser...
...to Amazon with a list of requested permissions and the authorization callback endpoint. On Amazon, the user authenticates their identity and then authorizes the requested permissions.
Amazon redirects the browser...
...to the PingFederate Amazon IdP Adapter authorization callback endpoint with an authorization code.
If the user fails to authenticate or does not authorize the request, the response includes an error code instead.
PingFederate sends Amazon the client ID, client secret, authorization code, and the PingFederate authorization callback URL.
Amazon returns an access token.
PingFederate sends Amazon a request for user attributes and presents the access token.
Amazon verifies the access token and provides the user information.
PingFederate redirects the user to the web application with the user attributes.