1. The user initiates SSO from an SP application through the PingFederate SP server.

    This SP-initiated scenario represents the optimal use case, where both the identity provider (IdP) and SP use PingFederate. If your SP partner does not support this scenario, however, PingFederate accepts any valid SAML authentication request.

    You can also enable IdP-initiated SSO. In this case, the SSO flow would not include this step or the next one.

  2. The PingFederate SP server generates a SAML AuthnRequest and sends it to the PingFederate IdP server.
  3. The IdP requests authentication from the adapter and it asks for the User ID.
  4. The adapter sends the User ID to Entrust.
  5. Entrust responds with a list of authenticators configured for the user.

    If the Default to Primary Authenticator setting is enabled, the adapter displays the appropriate window. This setting is not enabled by default.

  6. The adapter displays the list of authenticators and the user selects the one they want to use.
  7. The adapter sends the selected authenticator to Entrust.
  8. Entrust responds with the next step to the user (sends SMS OTP, TOTP, Entrust soft token push notification, mobile smart credential push authentication, Grid card selection, KBA) and the adapter.
  9. The adapter presents the appropriate screen (enter OTP, KBA, grid selection, enter temporary access tokens) and sends the user response to Entrust.
  10. Entrust validates the credentials sent and responds to PingFederate.
  11. If the validation fails, the user is denied. If validation succeeds, the PingFederate IdP server generates a SAML assertion with the username as the Subject and passes it to the PingFederate SP server.