Overview of the SSO flow
The PHP Integration Kit consists of two parts:
- The OpenToken Adapter, which runs within the PingFederate server
- The Agent Toolkit for PHP, which resides within the PHP user application
The following figure shows a basic IdP-initiated single sign-on (SSO) scenario in which PingFederate federation servers using the PHP Integration Kit exist on both sides of the identity federation:
Processing Steps
- A user initiates an SSO transaction.
- The IdP application inserts user attributes into the Agent Toolkit for PHP, which encrypts the data internally and generates an OpenToken.
- A request containing the OpenToken is redirected to the PingFederate IdP server.
- The server invokes the OpenToken IdP Adapter, which retrieves the OpenToken, decrypts and parses it, and passes the user attributes to the PingFederate IdP server. The PingFederate IdP server then generates a Security Assertion Markup Language (SAML) assertion.
- The SAML assertion is sent to the SP site.
- The PingFederate SP server parses the SAML assertion and passes the user attributes to the OpenToken SP Adapter. The Adapter encrypts the data internally and generates an OpenToken.
- A request containing the OpenToken is redirected to the SP application.
- The Agent Toolkit for PHP decrypts and parses the OpenToken and makes the user attributes available to the SP Application.
PingFederate can be configured to look up additional attributes from either an IdP or SP data store. For more information, see Datastores in the PingFederate documentation.
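The token handoff in the processing steps (attributes encrypted by one side, carried in a redirect, then decrypted and parsed by the other) can be sketched as follows. This is an added example, not code from the PHP Integration Kit: `seal_attributes()` and `open_token()` are hypothetical names, the URL and key are constructed, and the token layout is a stand-in built on AES-256-GCM from PHP's openssl extension, not the OpenToken wire format.

```php
<?php
// Added illustration; not Ping Identity code and not the OpenToken format.
// Assumes PHP 8 with the openssl extension and a 32-byte key shared by both sides.

// Sending side: encrypt the user attributes into an opaque token.
function seal_attributes(array $attrs, string $key): string {
    $iv = random_bytes(12);                    // fresh nonce for every token
    $plain = json_encode($attrs, JSON_THROW_ON_ERROR);
    $tag = '';
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);    // layout: IV | tag | ciphertext
}

// Receiving side: decrypt and parse; null means the token must be rejected.
function open_token(string $token, string $key): ?array {
    $raw = base64_decode($token, true);
    if ($raw === false || strlen($raw) <= 28) { // 12-byte IV + 16-byte tag
        return null;
    }
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) {                     // wrong key or modified token
        return null;
    }
    $attrs = json_decode($plain, true);
    return is_array($attrs) ? $attrs : null;
}

$key = random_bytes(32);                        // constructed shared key
$token = seal_attributes(['subject' => 'jdoe', 'email' => 'jdoe@example.com'], $key);

// The token travels in the redirect (hypothetical URL and parameter name).
$redirect = 'https://idp.example.com/sso?token=' . rawurlencode($token);
echo $redirect, PHP_EOL;

// Receiver with the shared key recovers the attributes.
var_dump(open_token($token, $key));

// A token altered in transit fails authentication and is refused.
$raw = base64_decode($token);
$raw[30] = chr(ord($raw[30]) ^ 1);              // flip one ciphertext bit
var_dump(open_token(base64_encode($raw), $key));
```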