PingFederate uses two connections to bridge an identity provider (IdP) to a service provider (SP):

  • An IdP connection where end users authenticate and PingFederate, the federation hub, is the SP
  • An SP connection to the target application where PingFederate, the federation hub, is the IdP

Generally speaking, PingFederate consumes assertions from the IdP through the IdP connection and generates new assertions to the SP through the SP connection.

If the SP connection does not use a virtual server ID, the issuer of the assertions to the SP is the ID defined for the protocol between PingFederate (the federation hub, acting as the IdP) and the SP.

If the SP connection uses multiple virtual server IDs to connect to multiple environments serviced by the same partner through one connection, PingFederate automatically retains information about AuthnRequest messages sent to the endpoint specific to a virtual server ID for SP-initiated single sign-on (SSO). When the IdP returns the corresponding assertions to PingFederate as the SP, PingFederate retrieves the preserved information and uses that specific virtual server ID as the issuer in assertions sent to the SP. For IdP-initiated SSO, the issuer of the assertions to the SP is the default virtual server ID.
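
The three issuer rules above can be traced with a small model. This is an added example, not PingFederate code: the class, the entity IDs, the requirement that the default is one of the configured virtual server IDs, and the use of InResponseTo to correlate the IdP's response with the preserved request are all assumptions made for illustration.

```python
# Added illustration: a toy model of the issuer rules above, not PingFederate code.
# Class name, entity IDs and InResponseTo-based correlation are assumptions.
import secrets


class HubSpConnection:
    def __init__(self, protocol_entity_id, virtual_server_ids=(), default_vsid=None):
        if virtual_server_ids and default_vsid not in virtual_server_ids:
            raise ValueError("default must be one of the virtual server IDs")
        self.protocol_entity_id = protocol_entity_id
        self.virtual_server_ids = tuple(virtual_server_ids)
        self.default_vsid = default_vsid
        self._pending = {}  # hub-to-IdP request ID -> virtual server ID the SP addressed

    def sp_initiated(self, endpoint_vsid=None):
        """SP sent an AuthnRequest; return the ID of the hub's own request to the IdP."""
        if self.virtual_server_ids and endpoint_vsid not in self.virtual_server_ids:
            raise ValueError(f"unknown virtual server ID: {endpoint_vsid!r}")
        upstream_id = "_" + secrets.token_hex(8)
        self._pending[upstream_id] = endpoint_vsid  # preserved until the IdP answers
        return upstream_id

    def issuer_for(self, in_response_to=None):
        """Issuer of the assertion the hub sends to the SP after the IdP responds."""
        if in_response_to is None:  # IdP-initiated SSO: nothing was preserved
            return self.default_vsid if self.virtual_server_ids else self.protocol_entity_id
        try:
            preserved = self._pending.pop(in_response_to)  # consume exactly once
        except KeyError:
            raise LookupError("no preserved AuthnRequest for this response") from None
        return preserved if self.virtual_server_ids else self.protocol_entity_id


def demo():
    # Constructed sample values: one partner, two environments, prod is the default.
    conn = HubSpConnection(
        "hub.example.com",
        ["hub-dev.example.com", "hub-prod.example.com"],
        default_vsid="hub-prod.example.com",
    )
    request_id = conn.sp_initiated("hub-dev.example.com")
    return conn.issuer_for(request_id), conn.issuer_for()


if __name__ == "__main__":
    print(demo())
```

In this model an IdP-initiated flow always yields the default virtual server ID, so an SP environment that expects a different issuer would see a mismatch.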