---
title: Viewing SP protocol endpoints
description: Your federation partners or security token service (STS) clients need to know the applicable service provider (SP) services endpoints to communicate with your PingFederate server. Configured service endpoints for SAML connections are included in metadata export files.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_sp_protocol_endpoints
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_sp_protocol_endpoints.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  virtual-server-id-support: Virtual server ID support
---

# Viewing SP protocol endpoints

Your federation partners or security token service (STS) clients need to know the applicable service provider (SP) services endpoints to communicate with your PingFederate server. Configured service endpoints for SAML connections are included in metadata export files.

Go to **Help > SP Endpoints** to see a list of applicable OpenID Connect, SAML, WS-Federation, and WS-Trust STS endpoints. A pop-up window displays only those endpoints related to the federation protocols enabled on the **System > Server > Protocol Settings > Federation Info** tab. These endpoints are built into PingFederate and cannot be changed.

PingFederate provides a favorite icon for all protocol endpoints. For more information, see [Customizing the favicon for application and protocol endpoints](pf_customiz_favicon_for_applicat_and_protocol_endpoints.html).

The table below describes each endpoint.

| Service                                                                                                                                                                                                                                                                       | URL and Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Third Party Initiated Login (OpenID Connect 1.0) | `/sp/init_login.ping` The URL that receives and processes login requests initiated by an OpenID Provider (OP) or another party. This protocol endpoint supports HTTP GET and POST methods and the following parameters: `iss` is the Issuer Identifier of the OP, to which PingFederate sends the authentication requests. This parameter is always required. `target_link_url` is the destination of the request after authentication. This parameter is required if no default target URL is specified in the SP configuration or the IdP connection. If specified, the parameter value always overrides the default target URL. `login_hint` is a hint to the OP about the end user. This parameter is optional. If your use case supports a generic login, you can add the `login_hint` parameter with a default value to the IdP connection on the **OpenID Provider Info** window. Furthermore, you may select the checkbox under **Application Endpoint Override** so that the application can optionally override the login hint value by including the `login_hint` parameter in the URL. Other parameters, if any, are not sent to the OP unless they are defined with a default value (or default values) in the IdP connection. For more information, see [Configuring request parameters and SSO URLs](pf_config_request_parameter_sso_url.html). For more information about Third Party Initiated Login flow, see the [OpenID Connect specification](https://openid.net/specs/openid-connect-core-1_0.html). |
| Single Logout Service (SAML 2.0) | `/sp/SLO.saml2` The URL that receives and processes logout requests and responses. |
| Assertion Consumer Service (SAML 2.0) | `/sp/ACS.saml2` A SAML 2.0 implementation that receives and processes assertions from an IdP. The numbers reflect the index value PingFederate uses to handle each binding. |
| Artifact Resolution Service (SAML 2.0) | `/sp/ARS.ssaml2` The SOAP endpoint that processes artifacts returned from a federation partner to retrieve the referenced XML message on the back channel. See the note at the end of this table. |
| Assertion Consumer Service (SAML 1.x) | `/sp/acs.saml1` A SAML 1.x implementation URL that receives and processes assertions from an IdP. |
| Single Sign-on Service (WS-Federation) | `/sp/prp.wsf` The WS-Federation implementation URL that receives and processes security tokens and SLO messages. |
| WS-Trust STS (two endpoints) | `/sp/sts.wst` The SOAP endpoint that receives and processes SAML security-token requests from STS clients (web service providers at the SP site), validating SAML tokens or validating and exchanging SAML tokens based on the configured IdP connection. `/pf/sts.wst` Initiates direct STS token-to-token exchange and token validation, from an IdP token processor to an SP token generator, when that feature is configured. For more information, see [Token translator mappings](pf_token_translator_mappings.html). If you configure multiple token-generator instances of the same type for the connection or token-to-token mapping, a query parameter, `TokenGeneratorId`, must be added to either of these endpoints. For more information, see Managing token generators. See the note at the end of this table. |

**Note:** If mutual SSL/TLS is used for authentication, you must configure a secondary PingFederate listening port for use by partners or STS clients for the relevant endpoints such as .ssaml and \*.wst. For more information, see Configuring PingFederate properties.

## Virtual server ID support

For SAML connections using multiple virtual server IDs, each virtual server ID has its own set of protocol endpoints. For more information, see [Multiple virtual server IDs](../introduction_to_pingfederate/virtual_server_id.html). You can export connection metadata for your partner on the **System > Protocol Metadata > Metadata Export** window. For more information, see [Exporting connection-specific SAML metadata](help_exportmetadatatasklet_exportconnectionstate.html).
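Before handing an exported metadata file to a partner, it is worth confirming that the SP endpoints it advertises match the built-in paths in the table above. The following is an added example, not PingFederate code: the sample XML is constructed, and treating `entityID` as the virtual server ID is an assumption of the sample.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Built-in SP paths from the endpoint table on this page, keyed by the
# SAML metadata element that advertises them.
EXPECTED_PATHS = {
    "AssertionConsumerService": "/sp/ACS.saml2",
    "SingleLogoutService": "/sp/SLO.saml2",
    "ArtifactResolutionService": "/sp/ARS.ssaml2",
}

# Constructed sample, not real PingFederate output. entityID stands in for a
# virtual server ID; the ACS with index 2 is deliberately plain HTTP.
SAMPLE_METADATA = f"""\
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="idev1">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:ArtifactResolutionService index="0" Binding="{BIND}SOAP"
      Location="https://www.example.com/sp/ARS.ssaml2"/>
  <md:SingleLogoutService Binding="{BIND}HTTP-Redirect"
      Location="https://www.example.com/sp/SLO.saml2"/>
  <md:AssertionConsumerService index="0" isDefault="true" Binding="{BIND}HTTP-POST"
      Location="https://www.example.com/sp/ACS.saml2"/>
  <md:AssertionConsumerService index="1" Binding="{BIND}HTTP-Artifact"
      Location="https://www.example.com/sp/ACS.saml2"/>
  <md:AssertionConsumerService index="2" Binding="{BIND}HTTP-POST"
      Location="http://www.example.com/sp/ACS.saml2"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def list_sp_endpoints(xml_text):
    """Return (entityID, rows) for the SP endpoints advertised in the metadata."""
    root = ET.fromstring(xml_text)
    rows = []
    for service in EXPECTED_PATHS:
        for el in root.iter(f"{{{MD_NS}}}{service}"):
            index = el.get("index")
            rows.append({
                "service": service,
                "index": int(index) if index is not None else None,
                "binding": el.get("Binding", "").rsplit(":", 1)[-1],
                "location": el.get("Location", ""),
            })
    return root.get("entityID"), rows

def audit(rows):
    """Flag endpoints that are not HTTPS, use an unexpected path, or reuse an index."""
    findings, seen = [], set()
    for row in rows:
        url = urlsplit(row["location"])
        if url.scheme != "https":
            findings.append((row["service"], row["index"], "not https"))
        # endswith() tolerates a base URL that carries a path prefix
        if not url.path.endswith(EXPECTED_PATHS[row["service"]]):
            findings.append((row["service"], row["index"], "unexpected path"))
        key = (row["service"], row["index"])
        if row["index"] is not None and key in seen:
            findings.append((row["service"], row["index"], "duplicate index"))
        seen.add(key)
    return findings

if __name__ == "__main__":
    entity_id, rows = list_sp_endpoints(SAMPLE_METADATA)
    print(entity_id, audit(rows))
```

Metadata received from a partner is untrusted input, so a hardened parser such as `defusedxml` is the safer choice when the file did not come from your own export.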

For WS-Federation and SAML connections using multiple virtual server IDs, you can provide your partner the federation metadata endpoint (`/pf/federation_metadata.ping`) with the `PartnerIdpId` and `vsid` parameters. See the table below for an example.

| Partner's entity ID | Your virtual server ID | Federation metadata URL                                               |
| ------------------- | ---------------------- | --------------------------------------------------------------------- |
| SP                  | idev1                  | <https://www.example.com/pf/sts_mex.ping?PartnerIdpId=IdP&vsid=idev1> |
|                     | idev2                  | <https://www.example.com/pf/sts_mex.ping?PartnerIdpId=IdP&vsid=idev2> |

In this example, the base URL and the runtime port of your PingFederate server are `www.example.com` and `443`, respectively.

The federation metadata endpoint returns information that is specific for a given virtual server ID when the request includes the `vsid` parameter.

For WS-Trust STS, you can provide your partner the STS metadata endpoint (`/pf/sts_mex.ping`) with the `PartnerIdpId` and `vsid` parameters. The STS metadata endpoint returns information that is specific for a given virtual server ID when the STS metadata request includes the `vsid` parameter.

For more information about these metadata endpoints, see [System-services endpoints](../developers_reference_guide/pf_sys_services_endpoints.html).

The virtual server ID concept does not apply to the `/pf/sts.wst` endpoint because token-to-token exchange does not involve any connections. As needed, you can pass the token-to-token endpoint to your partners as-is.
