The following figure illustrates a single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using the Microsoft IdP Adapter.

Description

  1. The user opens a web application and chooses the Microsoft sign-on option.
  2. The sign-on link points to the Microsoft IdP Adapter, which redirects the browser...
  3. ...to Microsoft with a list of requested permissions. On Microsoft, the user authenticates their identity and then authorizes the requested permissions.
  4. Microsoft redirects the browser...
  5. ...to the Microsoft IdP Adapter authorization callback endpoint with an authorization code.

    If the user fails to authenticate or does not authorize the request, the response includes an error code instead.

  6. PingFederate sends Microsoft the authorization code.
  7. Microsoft returns an access token.
  8. PingFederate sends Microsoft a request for user attributes, and presents the access token.
  9. Microsoft verifies the access token, and provides the user information.
  10. PingFederate redirects the user to the web application with the user attributes.