---
title: Bridging multiple IdPs to multiple SPs
description: PingFederate can bridge single sign-on (SSO) and single log-out (SLO) transactions between multiple identity providers (IdPs) and service providers (SPs).
component: pingfederate
version: 13.1
page_id: pingfederate:introduction_to_pingfederate:pf_bridg_multi_idp_to_multi_sp
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/introduction_to_pingfederate/pf_bridg_multi_idp_to_multi_sp.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Bridging multiple IdPs to multiple SPs

PingFederate can bridge single sign-on (SSO) and single log-out (SLO) transactions between multiple identity providers (IdPs) and service providers (SPs).

## About this task

This PingFederate federation hub use case is a combination of [Bridging an IdP to multiple SPs](pf_bridg_idp_to_multipl_sp.html) and [Bridging multiple IdPs to an SP](pf_bridg_multi_idp_to_sp.html).

![Diagram depicting the Federation Hub and how it bridges multiples IdPs to multiple SPs.](_images/ago1564003078226.png)

## Steps

1. Create multiple contracts to bridge the attributes between the IdPs and the SPs. For more information, see [Federation hub and authentication policy contracts](pf_fed_hub_auth_polic_contract.html).

2. For each identity provider, create an IdP connection between the IdP and PingFederate, the federation hub as the SP.

3. Add the applicable authentication policy contracts to the IdP connection in the **Target Session Mapping** window.

4. In the **Selectors** window, configure an authentication selector to map each IdP to the corresponding IdP connection in an authentication policy. For example, see an instance of the [Identifier First Adapter](../administrators_reference_guide/pf_identifier_first_adapter.html).

5. For each service provider, create an SP connection between PingFederate, the federation hub as the IdP, and the SP.

6. Add the corresponding authentication policy contract to the SP connection in the **Authentication Source Mapping** window.

   |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
   | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | PingFederate includes the Entity ID of the original IdP, `Authenticating Authority`, in SAML 2.0 assertions so that the SP can determine the original issuer of the assertions. This is especially important when bridging multiple IdPs to one SP—the SP should take the information about the original issuer into consideration before granting access to protected resources.In the **Attribute Contract** window, add an attribute for SAML 1.x assertions and WS-Federation security tokens. Then, in the **Attribute Contract Fulfillment**, map **Context: Authenticating Authority** as the attribute value.For information about `Authenticating Authority`, see section in the SAML 2.0 specification. |

   |   |                                                                                                                                                                                              |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | If the SP does not take action based on `Authenticating Authority`, in the **Issuance Criteria** window, you can define validation rules to protect against user impersonation between IdPs. |

7. For each SP supporting the SAML IdP-initiated SSO profile, map the expected target resources to the corresponding SP connections in the **Applications > Integration > Target URL Mapping** window.

8. Work with each IdP to connect to the federation hub as the SP.

9. Work with each SP to connect to the federation hub as the IdP.