The following figure illustrates a service provider (SP)-initiated single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using the Facebook IdP Adapter.


  1. The user opens a web application and chooses the Login with Facebook option.
  2. The sign-on link points to the Facebook IdP Adapter, which redirects the browser...
  3. Facebook for authentication with a list of requested permissions.

    The user authenticates their identity and then authorizes the requested permissions. Facebook redirects the browser to the PingFederate Facebook IdP Adapter authorization callback endpoint with an authorization code.

    If the user fails to authenticate or does not authorize the request, the response includes an error code instead.

  4. The Facebook IdP Adapter makes an HTTP request to the Facebook API to obtain an access token. It provides the app ID and secret, and the authorization code. The Facebook API returns an access token.
  5. The Facebook IdP Adapter requests user information from the Facebook API. It provides the access token and an "app secret proof".
    Note: For information about the app secret proof, see Securing Graph API Requests in the Facebook documentation.
  6. PingFederate redirects the user to the web application with the user information from Facebook.