---
title: Overview of the SSO flow
description: The Java Integration Kit consists of two parts:
component: java
page_id: java::pf_java_ik_overview_of_the_sso_flow
canonical_url: https://docs.pingidentity.com/integrations/java/pf_java_ik_overview_of_the_sso_flow.html
revdate: June 21, 2024
section_ids:
  sequence: Sequence
---

# Overview of the SSO flow

The Java Integration Kit consists of two parts:

* The OpenToken Adapter that runs within the PingFederate server

* The Agent Toolkit for Java that's in the Java application

The following figure shows a basic IdP-initiated SSO *(tooltip: \<div class="paragraph">
\<p>An identity federation transaction in which the SSO operation is initiated on the IdP. For example, the user is signed on to the IdP and signs off, triggering an SSO operation on the IdP. The IdP sends the SSO information to the SP.\</p>
\</div>)* scenario in which PingFederate federation servers using the Java Integration Kit exist on both sides of the identity federation:

![xnb1563995422337](_images/xnb1563995422337.jpg)

## Sequence

1. A user initiates an SSO transaction.

2. The IdP application inserts user attributes into the Agent Toolkit for Java, which encrypts the data internally and generates an `OpenToken`.

3. A request containing the `OpenToken` is redirected to the PingFederate IdP server.

4. The server invokes the OpenToken IdP Adapter that retrieves the `OpenToken`, then decrypts, parses, and passes the user attributes to the PingFederate IdP server. The PingFederate IdP server then generates a Security Assertion Markup Language (SAML) assertion.

5. The SAML assertion is sent to the service provider (SP) site.

6. The PingFederate SP server parses the SAML assertion and passes the user attributes to the OpenToken SP Adapter. The Adapter encrypts the data internally and generates an `OpenToken`.

7. A request containing the OpenToken is redirected to the SP application.

8. The Agent Toolkit for Java decrypts and parses the OpenToken and makes the user attributes available to the SP Application.

   |   |                                                                                                                                                                                                                                                               |
   | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You can configure PingFederate to look up additional attributes from an IdP or SP datastore. Learn more in [Datastores](https://docs.pingidentity.com/pingfederate/latest/introduction_to_pingfederate/pf_datastores.html) in the PingFederate documentation. |