---
title: SP single sign-on (SSO)
description: When PingFederate is configured as an SP, it takes inbound SAML assertions and converts them to a local format (cookie or otherwise) that an application can use to create a user's session.
component: java
page_id: java:setup:pf_java_ik_sp_single_sign_on_sso
canonical_url: https://docs.pingidentity.com/integrations/java/setup/pf_java_ik_sp_single_sign_on_sso.html
revdate: June 21, 2024
---

# SP single sign-on (SSO)

When PingFederate is configured as an SP, it takes inbound SAML assertions and converts them to a local format (cookie or otherwise) that an application can use to create a user's session.

For an `OpenToken`, the PingFederate adapter takes the attributes and values from the SAML assertion and stores them in an `OpenToken` cookie or query parameter in the user's browser. The user is then redirected to the target application, which can identify the user from the `OpenToken` using the Agent API.

As with the IdP, you can use the Agent API to read tokens directly. The Agent API is a Java object that provides access to functionality for reading an `OpenToken` from a given HTTP request.