---
title: Overview of the service provider SSO flow
description: With the Agentless Integration Kit, PingFederate includes your custom service provider (SP) application in the sign-on flow.
component: agentless
page_id: agentless::pf_agentless_ik_overview_of_the_service_provider_sso_flow
canonical_url: https://docs.pingidentity.com/integrations/agentless/pf_agentless_ik_overview_of_the_service_provider_sso_flow.html
revdate: April 25, 2025
section_ids:
  description: Description
---

# Overview of the service provider SSO flow

With the Agentless Integration Kit, PingFederate includes your custom service provider (SP) application in the sign-on flow. In SAML, an SP is an entity that receives and accepts an authentication assertion issued by an IdP, typically for the purpose of allowing access to a protected resource.

The following figure shows how your custom application is integrated into the sign-on process using the Reference ID SP Adapter:

![A diagram illustrating the typical sign-on process.](_images/jrn1579905286339.png)

## Description

1. The identity provider (IdP) sends a SAML assertion to PingFederate.

2. PingFederate validates the assertion and temporarily captures the user-session attributes. The Reference ID SP Adapter generates a reference value (ABC). Learn more in [Development considerations](custom_application_setup/pf_agentless_ik_development_considerations.html).

3. PingFederate redirects the browser…​

4. …​to the SP application with the reference value (ABC).

   The reference is included in the URL query string: `https://target.example.com?REF=<referenceValue>`

5. The SP application sends the reference value (ABC) to PingFederate and requests the user-session attributes.

   The application makes the request through an authenticated direct HTTP call to the pickup endpoint: `https://pingfederate.example.com:9031/ext/ref/pickup?REF=<referenceValue>`

   The application must authenticate to PingFederate using one of the three methods described in [Authentication methods](custom_application_setup/pf_agentless_ik_authentication_methods.html). If the authentication fails, PingFederate responds to the HTTP request with a `401 – Unauthorized` status code.

   If you select **Include Null Attributes** in the adapter configuration, null attributes are included in the response from the pickup endpoint. Learn more in [Reference ID SP Adapter settings reference](custom_application_setup/pf_agentless_ik_reference_id_sp_adapter_settings_reference.html).

6. PingFederate verifies the reference value (ABC) and returns the user-session attributes to the SP application in the HTTP response.

7. The target application uses the attributes associated with the reference value to create a user session, which allows the user to access the resource.
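The following Python sketch shows the SP application's side of steps 4 through 7. It is an added example, not code from the Agentless Integration Kit. HTTP Basic authentication, a JSON object in the pickup response, the reference-value pattern, and the names `extract_ref`, `build_pickup_request`, `http_send`, `pick_up_attributes` and `PickupError` are assumptions made for illustration.

```python
import base64, json, re
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request, urlopen

PICKUP_URL = "https://pingfederate.example.com:9031/ext/ref/pickup"  # endpoint from this page
REF_PATTERN = re.compile(r"^[A-Za-z0-9._-]{1,256}$")  # assumed shape of a reference value

class PickupError(Exception):
    """Raised when the reference cannot be exchanged for attributes."""

def extract_ref(landing_url):
    """Step 4: accept exactly one well-formed REF from the redirect URL."""
    values = parse_qs(urlsplit(landing_url).query).get("REF", [])
    if len(values) != 1 or not REF_PATTERN.match(values[0]):
        raise PickupError("missing, repeated or malformed REF")
    return values[0]

def build_pickup_request(ref, username, password):
    """Step 5: authenticated direct call (HTTP Basic is an assumption here)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"{PICKUP_URL}?{urlencode({'REF': ref})}"  # fixed host, encoded value
    return Request(url, headers={"Authorization": f"Basic {token}"})

def http_send(request):
    """Default transport: returns (status, body) and maps HTTP errors to a status."""
    try:
        with urlopen(request, timeout=5) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()

def pick_up_attributes(landing_url, username, password, send=http_send):
    """Steps 4-7: return the user-session attributes or raise PickupError."""
    request = build_pickup_request(extract_ref(landing_url), username, password)
    status, body = send(request)
    if status == 401:
        raise PickupError("PingFederate rejected the application's credentials")
    if status != 200:
        raise PickupError(f"pickup failed with HTTP {status}")
    attributes = json.loads(body)  # assumed: JSON object of attributes
    if not isinstance(attributes, dict):
        raise PickupError("unexpected pickup response")
    return attributes  # create the user session only from these values
```

The `send` parameter exists so the exchange can be exercised without a live PingFederate instance; in production the default `http_send` makes the HTTPS call.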
