With the PingOne Protect Integration Kit, PingFederate includes PingOne Protect in the sign-on flow.
The following figure shows how PingOne Protect is integrated into the sign-on process:
Description
- A user initiates the sign-on process by requesting access to a protected resource.
- When device profiling is enabled, one of the following occurs, depending on the
device profiling method:
- An adapter that is earlier in the authentication flow runs a script that creates a device profile. The script passes the device profile to the PingOne Protect IdP Adapter in a series of HTTP cookies.
- The PingOne Protect IdP Adapter creates a device profile.
- The PingOne Protect IdP Adapter collects transaction information, such as the user's IP address.
- The adapter sends the transaction information and optional device profile to PingOne Protect.
- PingOne Protect returns a JSON payload with the risk result and other information, such as the IP reputation, to the adapter.
- The PingOne Protect IdP Adapter makes the risk result and other information available in the PingFederate authentication policy.
- PingFederate executes the authentication policy, which branches based on the risk result provided by the adapter.
- PingFederate returns the resource that the user requested.
- The adapter notifies PingOne Protect whether authentication ultimately succeeded. This helps PingOne Protect evaluate subsequent sign-on attempts.