---
title: SP single sign-on integration
description: When PingFederate is configured as an SP, it takes inbound SAML assertions and converts them to some local format (cookie or otherwise) that can be used by an application to create a user's session. For an OpenToken, the PingFederate adapter takes the attributes and values from the SAML assertion and stores them in an OpenToken cookie or query parameter in the user's browser. The user is then redirected to the target application, which can then identify the user from the OpenToken, using the Agent API.
component: net
page_id: net:setup:pf_net_ik_sp_single_sign_on_integration
canonical_url: https://docs.pingidentity.com/integrations/net/setup/pf_net_ik_sp_single_sign_on_integration.html
revdate: June 20, 2024
section_ids:
  reading-attributes: Reading attributes
  receiving-multi-value-attributes: Receiving multi-value attributes
---

# SP single sign-on integration

When PingFederate is configured as an SP, it takes inbound SAML assertions and converts them to some local format (cookie or otherwise) that can be used by an application to create a user's session. For an `OpenToken`, the PingFederate adapter takes the attributes and values from the SAML assertion and stores them in an `OpenToken` cookie or query parameter in the user's browser. The user is then redirected to the target application, which can then identify the user from the `OpenToken`, using the `Agent` API.

As with the IdP, you can use the Agent API to read tokens directly. The Agent API is a .NET class that provides access to functionality for reading an `OpenToken` from a given HTTP request.

## Reading attributes

The readToken method inspects the cookie (or query parameters, depending on the agent configuration), decodes the OpenToken, and returns a collection of attributes.

If there is no token, it returns a `null` result. If an errors occurs while reading the token, it returns a `null` result and a `TokenException` is thrown.

The following code snippet shows the readToken method:

```
try {
   IDictionary userInfo = agent.ReadToken(Request);
   if(userInfo != null) {
      String username = (String)userInfo[Agent.TOKEN_SUBJECT];
   }
}
catch(TokenException e) {
   // Handle exception
}
```

## Receiving multi-value attributes

The Agent Toolkit for .NET supports receiving multi-value attributes from PingFederate. Multi-value attributes are passed using the `opentoken.MultiStringDictionary` collection.

The following code snippet shows how to process multi-value attributes:

```
try {
   MultiStringDictionary userInfo =
    agent.ReadTokenMultiStringDictionary(Request);
   if(userInfo != null) {
      String username = userInfo[Agent.TOKEN_SUBJECT][0];
      List<String> groups = userInfo["GROUP"];
   }
}
catch(TokenException e) {
   // Handle exception
}
```