---
title: OpenToken Adapter
description: To transfer identity and other user information between the PingFederate server and an end application, the PingFederate architecture allows for custom adapters to be deployed with the server.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_opentoken_adapt
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_opentoken_adapt.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  processing-steps: Processing steps
---

# OpenToken Adapter

To transfer identity and other user information between the PingFederate server and an end application, the PingFederate architecture allows for custom adapters to be deployed with the server.

PingFederate ships with a deployed OpenToken Adapter, which uses a secure token format, `OpenToken`, to transfer user attributes between an application and the PingFederate server.

On the identity provider (IdP) side, the OpenToken Adapter allows the PingFederate server to receive a user's identity from the IdP application.

For SAML connections, the IdP application can provide an authentication context to the service provider (SP) by including the `authnContext` attribute with the desired value in the secure token. Standard URIs are defined in the SAML specifications. Learn more in [Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1](https://groups.oasis-open.org/higherlogic/ws/public/document?document_id=3406) and [Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0](https://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf) in the OASIS documentation.

If the secure token does not contain the `authnContext` attribute, PingFederate sets the authentication context as follows:

* `urn:oasis:names:tc:SAML:1.0:am:unspecified` for SAML 1.x

* `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified` for SAML 2.0

As needed, the authentication context can be overridden by either an instance of the Requested AuthN Context Authentication Selector or the `SAML_AUTHN_CTX` attribute in the SAML attribute contract. The latter takes precedence.
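The rules above can be modelled as a precedence check. This is an added example, not PingFederate code: the function names, parameter names and sample attribute values are assumptions made for illustration, and an empty value is treated as absent.

```python
# Model of the authentication-context rules stated on this page.
# Names here are hypothetical; this is not a PingFederate API.

DEFAULTS = {
    "1.x": "urn:oasis:names:tc:SAML:1.0:am:unspecified",
    "2.0": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
}


def resolve_authn_context(saml_version, token_attrs,
                          selector_value=None, contract_attrs=None):
    """Return (authn_context, source) for the outgoing assertion."""
    if saml_version not in DEFAULTS:
        raise ValueError(f"unsupported SAML version: {saml_version!r}")
    contract_attrs = contract_attrs or {}

    # 1. SAML_AUTHN_CTX in the SAML attribute contract takes precedence.
    value = contract_attrs.get("SAML_AUTHN_CTX")
    if value:
        return value, "contract"
    # 2. Requested AuthN Context Authentication Selector override.
    if selector_value:
        return selector_value, "selector"
    # 3. authnContext attribute carried in the secure token.
    value = token_attrs.get("authnContext")
    if value:
        return value, "token"
    # 4. Nothing supplied: version-specific "unspecified" URI.
    return DEFAULTS[saml_version], "default"


def is_unspecified(authn_context):
    """True when the value is one of the fallback URIs listed above."""
    return authn_context in DEFAULTS.values()


if __name__ == "__main__":
    # Constructed sample token attributes (not real data).
    pwd = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    for attrs in ({"subject": "alice"},
                  {"subject": "alice", "authnContext": pwd}):
        ctx, source = resolve_authn_context("2.0", attrs)
        print(source, ctx, "unspecified" if is_unspecified(ctx) else "")
```

An SP that bases access decisions on the authentication context can use a check like `is_unspecified` to recognise assertions where the IdP application did not supply one.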

On the SP side, the OpenToken Adapter can be used to transfer user-identity information to the target SP application.

Specialized application integration kits are available from the Ping Identity [Downloads](https://www.pingidentity.com/en/resources/downloads.html) website. Many kits leverage the OpenToken Adapter to integrate applications with the PingFederate server. The agent portions of the integration kits reside with the application and use the OpenToken to communicate with the OpenToken Adapter.

To integrate applications for use with the OpenToken Adapter, download an integration kit for PingFederate from the Ping Identity [Downloads](https://www.pingidentity.com/en/resources/downloads.html) website and follow the instructions for installing and using Agent Toolkits in the accompanying documentation. Follow the configuration instructions in [Configuring an OpenToken IdP Adapter instance](pf_configuring_opentoken_idp_adapter_instance.html) to set up the adapter and use it with your applications.

The following figure shows a basic IdP-initiated single sign-on (SSO) scenario using PingFederate with the Java Integration Kit on both sides of an identity federation.

![A workflow diagram of an Identity Provider initiated single sign-on POST when using the Java Integration Kit on both sides of an identity federation.](_images/its1564003596576.jpg)

IdP-Initiated SSO: POST/POST

## Processing steps

1. A user initiates an SSO transaction.

2. The IdP application inserts attributes into the Agent Toolkit for Java, which encrypts the data internally and generates an `OpenToken`.

3. A request containing the `OpenToken` is redirected to the PingFederate IdP server.

4. The server invokes the OpenToken IdP Adapter, which retrieves, decrypts, and parses the `OpenToken` and passes it to the PingFederate IdP server. The PingFederate IdP server then generates a SAML assertion.

5. The SAML assertion is sent to the SP site.

6. The PingFederate SP server parses the SAML assertion and passes the user attributes to the OpenToken SP Adapter. The Adapter encrypts the data internally and generates an `OpenToken`.

7. A request containing the `OpenToken` is redirected to the SP application.

8. The Agent Toolkit for Java decrypts and parses the `OpenToken` and makes the attributes available to the SP Application.
