The most recent sets of standards, SAML 2.0 and WS-Federation, define two roles in an identity
federation partnership: an Identity Provider (IdP) and a Service Provider (SP).
SAML 1.x specifications used the terms Asserting Party (for IdP) and Relying Party (for SP). For
consistency and clarity, however, PingFederate® adopts the later terms IdP
and SP across all specifications.
A third role, defined in the SAML 2.0 specifications and available in PingFederate, is that of
an IdP Discovery provider.
With OAuth 2.0 and OpenID Connect 1.0 support, PingFederate can be configured as an
authorization server (AS), an OpenID Provider (OP), and a Relying Party (RP). (Note that OP and
RP are synonyms for IdP and SP, respectively.)
An IdP, also called the SAML authority, is a system entity that authenticates a user,
or SAML subject, and transmits referential identity information based on that
Note: The SAML subject may be a person, a web application, or a web server.
Since the subject is often a person, the term user is generally employed throughout our
An SP is the consumer of identity information provided by the IdP. Based on trust, technical
agreements, and verification of adherence to protocols, SP applications and systems determine
whether (or how) to use information contained in an SSO token: a SAML assertion, a JSON Web
Token (JWT), or an OAuth access token in conjunction with an ID token.
IdP discovery provider
This role provides an IdP look-up service that can be incorporated into the implementation of
either an IdP or an SP, or it can be employed as a stand-alone server.
An OAuth AS issues access tokens and refresh tokens to OAuth clients after the resource owner
has fulfilled the authentication requirement.
An OP is an AS that is capable of authenticating the resource owner and providing claims (user
attributes) to an RP about the authentication event and the user.