Island Enterprise Browser Device Trust Integration Kit

Overview of the SSO flow

The following figure illustrates a single sign-on (SSO) scenario in which PingFederate authenticates users to a protected resource using the Island Enterprise Browser Device Trust IdP Adapter.

A diagram illustrating a typical sign-on process leveraging the Island Enterprise Browser Device Trust Integration Kit.

Description

  1. A user initiates the sign-on process by requesting access to a protected resource.

  2. The Island Enterprise Browser Device Trust IdP Adapter determines if the incoming request is from the Island Enterprise browser.

    For details on how the adapter handles requests originating from any source, see Using Island Device Signals.

  3. If Island Enterprise manages the user’s browser, the adapter makes a backend call to the Island Enterprise challenge API endpoint to generate a challenge.

  4. The adapter sends a 302 redirect to the PingFederate resume path with the challenge set in the response header.

  5. The Island Enterprise browser processes the challenge and sets the response in the resume path request header.

  6. The adapter finds the challenge response set by the browser and makes a backend call to the Island Enterprise verify challenge response API endpoint.

  7. The Island Enterprise verify challenge response API endpoint verifies the response.

  8. After successful verification, the adapter has access to the device signals from the browser.

  9. The adapter uses the decoded device signals to fulfill the core contract for the authentication policy for subsequent decision-making.
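The flow above, modelled as an added example (not Ping Identity's or Island's code) to show the checks that steps 6 to 8 depend on: a challenge is single-use and tied to the session that received it, and a missing, altered or late response yields no device signals. The header names, resume path, 60-second lifetime, the `from_island` flag and the HMAC standing in for the Island-side verification are all assumptions.

```python
import hashlib, hmac, json, secrets

# Assumptions, none taken from the page: header names, resume path, 60 s lifetime,
# and an HMAC over a constructed key standing in for the Island-side verification.
CHALLENGE_HDR, RESPONSE_HDR = "X-Example-Challenge", "X-Example-Response"
RESUME_PATH, TTL, DEMO_KEY = "/resume-placeholder", 60, b"constructed-demo-key"

def _mac(challenge, body):
    return hmac.new(DEMO_KEY, (challenge + body).encode(), hashlib.sha256).hexdigest()

class IslandServiceStub:
    """Stands in for the challenge and verify endpoints (steps 3, 6 and 7)."""
    def __init__(self):
        self.pending = {}                      # challenge -> expiry time

    def generate_challenge(self, now):
        challenge = secrets.token_urlsafe(16)
        self.pending[challenge] = now + TTL
        return challenge

    def verify(self, challenge, response, now):
        expiry = self.pending.pop(challenge, None)   # single use: replays fail
        body, _, mac = response.rpartition(".")
        if expiry is None or now > expiry:
            return None
        if not hmac.compare_digest(mac.encode(), _mac(challenge, body).encode()):
            return None
        return json.loads(body)                # decoded device signals (step 8)

def browser_respond(challenge, signals):
    """Step 5: the managed browser answers the challenge it saw in the redirect."""
    body = json.dumps(signals, sort_keys=True)
    return body + "." + _mac(challenge, body)

class AdapterModel:
    def __init__(self, service):
        self.service, self.issued = service, {}     # session id -> challenge

    def start(self, session_id, from_island, now):  # steps 2 to 4
        if not from_island:
            return None                              # no challenge for other browsers
        challenge = self.service.generate_challenge(now)
        self.issued[session_id] = challenge
        return {"status": 302, "location": RESUME_PATH, "headers": {CHALLENGE_HDR: challenge}}

    def resume(self, session_id, headers, now):     # steps 6 to 9
        challenge = self.issued.pop(session_id, None)
        response = headers.get(RESPONSE_HDR)
        if challenge is None or response is None:
            return None                              # fail closed: no signals
        return self.service.verify(challenge, response, now)
```

A `None` from `resume` is the case an authentication policy has to treat as "no verified device signals" rather than as an empty but trusted set.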