---
title: Implementing SP functionality
description: The PingFederate SP server receives an assertion (see Service provider SSO configuration in the PingFederate documentation), wraps the received attributes into OpenToken, and redirects to an application protected by NetWeaver. The PFLoginModule configured in NetWeaver extracts the UserID from OpenToken and authenticates the user. Note that UserID is the value of the "subject" attribute in the OpenToken.
component: sap-netweaver
page_id: sap-netweaver:setup:pf_sap_netweaver_ik_implementing_sp_functionality
canonical_url: https://docs.pingidentity.com/integrations/sap-netweaver/setup/pf_sap_netweaver_ik_implementing_sp_functionality.html
revdate: June 25, 2024
---

# Implementing SP functionality

The PingFederate SP server receives an assertion (see [Service provider SSO configuration](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/pf_servic_provid_sso_config.html) in the PingFederate documentation), wraps the received attributes into `OpenToken`, and redirects to an application protected by NetWeaver. The `PFLoginModule` configured in NetWeaver extracts the `UserID` from OpenToken and authenticates the user. Note that `UserID` is the value of the "subject" attribute in the OpenToken.

The following figure illustrates the request flow and how the PingFederate OpenToken SP Adapter wraps attributes from the assertion into `OpenToken` and passes them to SAP NetWeaver (J2EE Engine):

![qyr1563995644419](_images/qyr1563995644419.jpg)

**Processing Steps**

1. The PingFederate SP server receives a SAML assertion from the IdP.

2. The PingFederate SP server wraps the attributes from the SAML assertion into an `OpenToken` and redirects the token through the user's browser to the application(s) deployed on the SAP J2EE Server.

3. `PFLoginModule`, installed in SAP J2EE Server, parses the `OpenToken` and retrieves the `UserID`.

4. The SAP J2EE server authenticates the user using this UserID and grants access to the SAP Application.