With the Microsoft Login Integration Kit, PingFederate includes the Microsoft authentication API in the sign-on flow.
The following figure illustrates a single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using the Microsoft IdP Adapter.
Description
- The user opens a web application and chooses the Microsoft sign-on option.
- The sign-on link points to the Microsoft IdP Adapter, which redirects the browser...
- ...to Microsoft with a list of requested permissions. On Microsoft, the user authenticates their identity and then authorizes the requested permissions.
- Microsoft redirects the browser...
- ...to the Microsoft IdP Adapter authorization callback endpoint with an authorization code.
  If the user fails to authenticate or does not authorize the request, the response includes an error code instead.
- PingFederate sends Microsoft the authorization code.
- Microsoft returns an access token.
- PingFederate sends Microsoft a request for user attributes, and presents the access token.
- Microsoft verifies the access token, and provides the user information.
- PingFederate redirects the user to the web application with the user attributes.
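
The callback step above has two outcomes, an authorization code or an error code. The following added example (not code from PingFederate or the integration kit) shows how a callback handler can separate them before any token request is made. The parameter names `code`, `error` and `state` are the standard OAuth 2.0 ones from RFC 6749; the use of a `state` value, the callback URL and all sample values are assumptions.

```python
import hmac
from urllib.parse import urlsplit, parse_qs


class CallbackError(Exception):
    """The callback must not proceed to the token request."""


def handle_callback(callback_url, expected_state):
    """Return the authorization code, or raise CallbackError."""
    params = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)

    def single(name):
        # Repeated parameters are ambiguous; reject rather than pick one.
        values = params.get(name, [])
        if len(values) > 1:
            raise CallbackError(f"duplicate parameter: {name}")
        return values[0] if values else None

    # Assumption: the redirect to Microsoft carried a per-session state value.
    state = single("state")
    if state is None or not hmac.compare_digest(
        state.encode(), expected_state.encode()
    ):
        raise CallbackError("state mismatch")

    error, code = single("error"), single("code")
    if error is not None:
        # User failed to authenticate or declined the permissions.
        raise CallbackError(f"authorization failed: {error}")
    if not code:
        raise CallbackError("callback carried neither code nor error")
    return code


# Constructed sample callbacks; host, path and values are hypothetical.
BASE = "https://sso.example.com/callback"
GRANTED = BASE + "?code=SAMPLE_CODE&state=st-7f3a"
DENIED = BASE + "?error=access_denied&state=st-7f3a"
FORGED = BASE + "?code=SAMPLE_CODE&state=other"

if __name__ == "__main__":
    for url in (GRANTED, DENIED, FORGED):
        try:
            print("exchange code:", handle_callback(url, "st-7f3a"))
        except CallbackError as exc:
            print("rejected:", exc)
```

Only a returned code should be sent on in the token request; a rejected callback ends the flow without contacting Microsoft again.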