---
title: IdP single sign-on (SSO)
description: When PingFederate is configured as an IdP, it needs to be able to identify a user before issuing a SAML assertion for that user. When using the OpenToken Adapter with PingFederate, this means that the PingFederate server attempts to read a cookie or query parameter containing an OpenToken and then use the values within to identify the user.
component: java
page_id: java:setup:pf_java_ik_idp_single_sign_on_sso
canonical_url: https://docs.pingidentity.com/integrations/java/setup/pf_java_ik_idp_single_sign_on_sso.html
revdate: June 21, 2024
---

# IdP single sign-on (SSO)

When PingFederate is configured as an IdP, it needs to be able to identify a user before issuing a SAML assertion for that user. When using the OpenToken Adapter with PingFederate, this means that the PingFederate server attempts to read a cookie or query parameter containing an OpenToken and then use the values within to identify the user.

The application that starts the SSO must include an OpenToken so that PingFederate can identify the user. Use the Agent API to write an OpenToken. The API is a Java object that provides access to functionality for writing an OpenToken to a given HTTP response.