---
title: About SP-initiated SSO with the SamlFederationHandler and PingAM
description: SP-initiated SSO occurs when a user attempts to access a protected application directly through the SP. Because the user's federated identity is managed by the IdP, the SP sends a SAML authentication request to the IdP. After the IdP authenticates the user, it provides the SP with a SAML assertion for the user.
component: pinggateway
version: 2025.11
page_id: pinggateway:gateway-guide:federation-about-sp-init
canonical_url: https://docs.pingidentity.com/pinggateway/2025.11/gateway-guide/federation-about-sp-init.html
revdate: 2025-10-22T14:04:06Z
---

# About SP-initiated SSO with the SamlFederationHandler and PingAM

SP-initiated SSO occurs when a user attempts to access a protected application directly through the SP. Because the user's federated identity is managed by the IdP, the SP sends a SAML authentication request to the IdP. After the IdP authenticates the user, it provides the SP with a SAML assertion for the user.

The following sequence diagram shows the flow of information in SP-initiated SSO, when PingGateway acts as a SAML 2.0 SP:

![saml-sp-initiated](https://kroki.io/plantuml/svg/eNqFU8tu2zAQvPMrFrnkYidtDjkYtQH3gdRAgwiR25MvtLSWCCgkS1JW_Un9jX5ZZyW7dp009UUgPTM7O7tU15eKPji_C6aqE_36STdv3t7SGJ-bW8qMrWhRsk0m7QAL3gWdjLNK0bI2kQpXMuGbHK2Z2sgl8Y-iaaPZcrMjY4GwlgvhUGdS_YokRbdJnQ5MLlDksDUFxyv1bwY5ixpus-EQKbZF_aKCeGu40g31Coajoq52VOstyxUHmDYWKE1rY0up1oBoI5OuAvMTQP_xfqUur5XCbcOUZ-OFRR2doJvnD0q3ydn2ac1BeR2SKYzXULyg_vc-uA5Wh8MF6Uhf4zlS6s7vV9YcSvvgtjiEHr8os-fwO5Tv9I5Wdp_D35w8O_eSBZcwJ3jW3qP_IeHB0dx7paZT6QaZU6qZNgypATOdKrE8nuXZhD4vlxndfVpS4O8txyTpC96_JK-Q1Qz2J33PZF0ihFVLk4XEN6LSBLBW9kwNPHOaMeZYeochKqi9G89EbkKPe1KBCYumbkakbSlrGqhxVcTYhTA4_9iXomeVRiu7j47y-f0X5AG6uI-0wZoJSAT7XkTnm25MCWP9P0fwCAuZhruUglm3CYuITOfHOMbRc2E2piAPXudCCTe-wRQR8UH-kcFmrO6xK2j3uEL23lTGYtcPc1jZfnP7Y_aQL-U9Jo3wsMknCmh3ZU-zf31uMH0MObXBwkD0Tp6M1xVTrF0nFVKt05-E8OKixF717039BkFEkuQ=)
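The SP's side of the exchange described above, as an added Python sketch that is not PingGateway code: it builds the authentication request, encodes it for the SAML 2.0 HTTP-Redirect binding, and accepts a response only if its `InResponseTo` matches a request this SP still has outstanding. The entity IDs, URLs and function names are hypothetical, and signature and `Conditions` validation of the assertion are assumed to happen elsewhere.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """Return (request_id, xml) for an SP-initiated AuthnRequest."""
    request_id = "_" + uuid.uuid4().hex  # xs:ID must not start with a digit
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id
    return request_id, ET.tostring(root, encoding="unicode")

def redirect_url(idp_sso_url, request_xml, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: no zlib header
    raw = deflater.compress(request_xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"

def decode_saml_request(url):
    """Inverse of redirect_url, as the receiving IdP would decode it."""
    value = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(value), -15).decode()

def accept_response(response_xml, pending_ids):
    """Correlation check only: the Response must answer a pending request, once."""
    # Real deployments verify the signature and use a hardened XML parser first.
    in_response_to = ET.fromstring(response_xml).get("InResponseTo")
    if in_response_to not in pending_ids:
        return False  # unsolicited, unknown, or already consumed
    pending_ids.discard(in_response_to)
    return True

if __name__ == "__main__":
    idp = "https://idp.example.com/sso"  # constructed sample values
    rid, xml = build_authn_request("https://sp.example.com/saml",
                                   "https://sp.example.com/saml/acs", idp)
    print(redirect_url(idp, xml, "/app/home"))
```

Removing the request ID from the pending set on first use means a replayed copy of the same response fails the check.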
