There are many options for deploying PingFederate in your network environment, depending on your needs and infrastructure capabilities.
For example, you can choose a standalone or proxy configuration. The following diagram illustrates PingFederate installed in a demilitarized zone (DMZ):
In this configuration, the users access PingFederate via a web application server, an enterprise identity management (EIM) system, or both. PingFederate may, in turn, retrieve information from a datastore to use in processing the transaction.
You can also deploy PingFederate with a proxy server. The following diagram depicts a proxy-server configuration in which the proxy is accessed by users and web browsers. The proxy, in turn, communicates with PingFederate to request SSO.