The IdP, acting as an attribute authority, accepts attribute queries, performs a datastore lookup into a user repository such as an LDAP directory, provides values to the requested attributes, and generates an attribute response back to the originating SP requester. The SP then returns the attributes to the requesting application.


When privacy is required for sensitive attributes, you can configure PingFederate to obfuscate, or mask, their values in the server and transaction logs.

Web SSO is distinct from the Attribute Query use case. You can configure PingFederate servers to implement either of these profiles without regard to the other.

The XASP specification enables organizations with an investment in Public Key Infrastructure (PKI) to issue and receive Attribute Queries based on user-certificate authentication.

Under XASP a user authenticates directly with an SP application by providing their X.509 certificate. After the user is authenticated, the SP application requests additional user attributes by contacting the SP PingFederate server. A portion of the user's X.509 certificate is included in the request and can be used to determine the correct IdP to use as the source of the requested attributes. Finally, the SP generates an Attribute Query and transmits it to the IdP over the SOAP back channel.

Because the user arrives at the SP server already authenticated, no PingFederate adapter is used in this case.