The following figure shows a basic single sign-on (SSO) scenario in which a PingFederate server authenticates users to an service provider (SP) application using the X.509 Certificate Adapter:


  1. A user initiates the sign-on process by requesting access to a protected resource.
  2. The identity provider (IdP) portal redirects the request to PingFederate. The browser requests the user’s client certificate. The PingFederate X.509 Certificate Adapter validates the certificate against a list of issuers. Issuers are specified in the adapter instance configuration. If no issuers are specified in the adapter instance configuration, the adapter checks against the server’s list of trusted certificate authorities.
  3. If the certificate is valid, PingFederate allows the sign on to proceed. Otherwise, the user is taken to an error-page template.