Illustration of the SP-initiated SSO flow

The figure above illustrates an SP-initiated SSO scenario, showing the request flow and how the PingFederate OpenToken Adapter wraps attributes from an assertion into a secure OpenToken and passes it to IIS. For more detail, see OpenToken Adapter in the PingFederate documentation.


  1. A user attempts to access a resource on the IIS server protected by the OpenToken IIS Agent.
  2. The user is redirected to the PingFederate server for authentication.
  3. If an OpenToken session already exists, the user is granted immediate access.
  4. The PingFederate server redirects the user’s browser to an IdP for authentication using either the SAML or WS-Federation protocols. The IdP partner authenticates the user and returns a SAML assertion.
  5. PingFederate validates the assertion and creates an OpenToken for the user including any configured attributes. PingFederate then redirects the browser, including the OpenToken, back to the OpenToken IIS Agent’s OpenToken Exchange service, which converts the OpenToken into a cookie, and redirects to the original resource.
  6. The OpenToken IIS Agent verifies the OpenToken and grants access to the protected resource. The User ID and any attributes from the OpenToken are exposed to the resource as HTTP Request Headers.