Identity mapping is at the core of identity federation. One of the primary goals of SAML is to provide a way for an identity provider (IdP) to send a secure token (the assertion) containing user-identity information that a service provider (SP) can translate, or map, to local user stores.

For browser-based SSO, PingFederate enables two modes of identity mapping between domains: account linking and account mapping.

For the WS-Trust security token service (STS), account mapping is used.

Refer to subsequent topics for more information about these identity mapping options.