The following figure shows how PingOne Protect is integrated into the sign-on process:

A flow diagram describing PingOne Protect.


  1. A user initiates the sign-on process by requesting access to a protected resource.
  2. When device profiling is enabled, one of the following occurs, depending on the device profiling method:
    • An adapter that is earlier in the authentication flow runs a script that creates a device profile. The script passes the device profile to the PingOne Protect IdP Adapter in a series of HTTP cookies.
    • The PingOne Protect IdP Adapter creates a device profile.
  3. The PingOne Protect IdP Adapter collects transaction information, such as the user's IP address.
  4. The adapter sends the transaction information and optional device profile to PingOne Protect.
  5. PingOne Protect returns a JSON payload with the risk result and other information, such as the IP reputation, to the adapter.
  6. The PingOne Protect IdP Adapter makes the risk result and other information available in the PingFederate authentication policy.
  7. PingFederate executes the authentication policy, which branches based on the risk result provided by the adapter.
  8. PingFederate returns the resource that the user requested.
  9. The adapter notifies PingOne Protect whether authentication ultimately succeeded. This helps PingOne Protect evaluate subsequent sign-on attempts.