Overview of the SSO flow

For each request, the Apache Agent does one of the following:

• If the request is for an unprotected resource, the Apache Agent passes the request to the application.
• If the request is for a protected resource, the Apache Agent checks to see if there is a PingFederate session available and if the session parameters meet session policy for that session.
• If a session exists and the session meets session policy for that request, the Apache Agent passes the request through to the application.
• If a session doesn't exist, or if the existing session doesn't meet the session policy for that request, the Apache Agent redirects the browser through the PingFederate server to an identity provider (IdP) for authentication. After authentication, PingFederate redirects the user back to the protected resource with a valid session.

The following diagram illustrates a service provider (SP)-initiated single sign-on (SSO) scenario, showing the request flow and how the PingFederate OpenToken Adapter wraps attributes from an assertion into a secure token (OpenToken) and passes the token to Apache.

In this flow:

1. A user attempts to access a resource on the Apache server protected by the PingFederate Apache Agent.
   1. The user is redirected to the PingFederate server for authentication.
   2. If an OpenToken session already exists, the user is granted immediate access.
2. The PingFederate server redirects the user’s browser to an IdP for authentication using either the SAML or WS-Federation protocols. The IdP partner authenticates the user and returns a SAML assertion.
3. PingFederate validates the assertion and creates an OpenToken for the user including any configured attributes. PingFederate then redirects the browser, including the OpenToken, back to the Apache Agent.
4. The Apache Agent verifies the OpenToken and grants access to the protected resource. The User ID and any attributes from the OpenToken are exposed to the resource as HTTP request headers or Apache environment variables.