---
title: Overview of the SSO flow
description: With the Symantec VIP integration kit, PingFederate includes the Symantec VIP service in the authentication flow.
component: symantec-vip
page_id: symantec-vip::pf_symantec_vip_ik_overview_of_the_sso_flow
canonical_url: https://docs.pingidentity.com/integrations/symantec-vip/pf_symantec_vip_ik_overview_of_the_sso_flow.html
revdate: June 24, 2025
section_ids:
  description: Description
---

# Overview of the SSO flow

With the Symantec VIP integration kit, PingFederate includes the Symantec VIP service in the authentication flow.

![Diagram showing how PingFederate includes Symantec VIP in the authentication flow.](_images/SSOFlowOverview.jpg)

## Description

1. The user initiates single sign-on (SSO) from a service provider (SP) application through a PingFederate SP server.

   > **Note:** This SP-initiated scenario represents the optimal use case, one in which both the identity provider (IdP) and SP are using PingFederate. However, PingFederate accepts any valid Security Assertion Markup Language (SAML) authentication request from an SP.
   >
   > In addition, you can enable IdP-initiated SSO. In this case, the user attempts SSO to an SP application from the IdP site, and the processing sequence would not include the following step.

2. The PingFederate SP server generates a SAML AuthnRequest to the PingFederate IdP server.

3. If not already signed on at the IdP (using a first-factor adapter such as Lightweight Directory Access Protocol (LDAP) or Integrated Windows authentication (IWA)), the user is challenged to authenticate.

4. The PingFederate IdP server obtains user-session information via the first-factor adapter.

5. The Symantec VIP IdP adapter requests a one-time passcode (OTP) from the user.

6. The Symantec VIP IdP adapter uses the username obtained by the first-factor adapter and the OTP to verify the user and the code via the Symantec VIP application programming interface (API).

7. If the validation succeeds, the PingFederate IdP server generates a SAML assertion with the username as the Subject and passes it to the PingFederate SP server.

8. (Not shown) The user is signed on to the SP target application.
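The ordering of steps 3 to 7 can be modeled in a few lines. This is an added example, not PingFederate or Symantec VIP code: it shows the OTP check bound to the username from the first-factor session and the assertion issued only when both factors succeed. The names `OtpService`, `first_factor` and `idp_sso` are hypothetical, the user data is constructed, and RFC 4226 HOTP stands in for the remote validation service so the example runs offline.

```python
import hashlib, hmac, struct

# Constructed sample data: a password directory (first factor) and per-user
# OTP secrets held by a stand-in validation service. This is not the Symantec
# VIP API; HOTP (RFC 4226) is swapped in so the flow can run offline.
DIRECTORY = {"alice": "correct horse", "bob": "hunter2"}
OTP_SECRETS = {"alice": b"12345678901234567890", "bob": b"bob-constructed-secret"}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a secret and counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpService:
    """Stand-in for the remote OTP validation service called in step 6."""
    def __init__(self):
        self.counters = {user: 0 for user in OTP_SECRETS}

    def validate(self, username: str, otp: str) -> bool:
        secret = OTP_SECRETS.get(username)
        if secret is None:
            return False
        expected = hotp(secret, self.counters[username])
        if not hmac.compare_digest(expected.encode(), otp.encode()):
            return False
        self.counters[username] += 1  # an accepted code cannot be replayed
        return True

def first_factor(username: str, password: str):
    """Steps 3-4: authenticate and return the session username, or None."""
    stored = DIRECTORY.get(username)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        return username
    return None

def idp_sso(service: OtpService, username: str, password: str, otp: str):
    """Steps 3-7: return the assertion as a dict, or None if a factor fails."""
    session_user = first_factor(username, password)
    if session_user is None:
        return None  # no OTP validation is attempted without a session
    # Step 6: the username comes from the first-factor session, not from the
    # OTP form, so a code issued for one account cannot vouch for another.
    if not service.validate(session_user, otp):
        return None  # fail closed: no assertion is generated
    return {"Subject": session_user}  # step 7: username as the Subject
```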
