---
title: Overview of the SSO flow
description: The PHP Integration Kit consists of two parts:
component: php
page_id: php::pf_php_ik_overview_of_the_sso_flow
canonical_url: https://docs.pingidentity.com/integrations/php/pf_php_ik_overview_of_the_sso_flow.html
revdate: July 5, 2024
---

# Overview of the SSO flow

The PHP Integration Kit consists of two parts:

* The OpenToken Adapter, which runs within the PingFederate server

* The Agent Toolkit for PHP, which resides within the PHP user application

The following figure shows a basic IdP-initiated single sign-on (SSO) scenario in which PingFederate federation servers using the PHP Integration Kit exist on both sides of the identity federation:

![guf1563995594120](_images/guf1563995594120.jpg)

**Processing Steps**

1. A user initiates an SSO transaction.

2. The IdP application inserts user attributes into the Agent Toolkit for PHP, which encrypts the data internally and generates an `OpenToken`.

3. A request containing the `OpenToken` is redirected to the PingFederate IdP server.

4. The server invokes the OpenToken IdP Adapter, which retrieves the `OpenToken`, decrypts, parses, and passes the user attributes to the PingFederate IdP server. The PingFederate IdP server then generates a Security Assertion Markup Language (SAML) assertion.

5. The SAML assertion is sent to the SP site.

6. The PingFederate SP server parses the SAML assertion and passes the user attributes to the OpenToken SP Adapter. The Adapter encrypts the data internally and generates an `OpenToken`.

7. A request containing the OpenToken is redirected to the SP application.

8. The Agent Toolkit for PHP decrypts and parses the OpenToken and makes the user attributes available to the SP Application.

   |   |                                                                                                                                                                                                                                                                                   |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | PingFederate can be configured to look up additional attributes from either an IdP or SP data store. For more information, see [Datastores](https://docs.pingidentity.com/pingfederate/latest/introduction_to_pingfederate/pf_datastores.html) in the PingFederate documentation. |