When PingFederate is configured as an SP, it takes inbound SAML assertions and converts them to some local format (cookie or otherwise) that can be used by an application to create a user’s session. For an OpenToken, the PingFederate adapter takes the attributes and values from the SAML assertion and stores them in an OpenToken cookie or query parameter in the user’s browser. The user is then redirected to the target application, which can then identify the user from the OpenToken, using the Agent API.

As with the IdP, you can use the Agent API to read tokens directly. The Agent API is a Java object that provides access to functionality for reading an OpenToken from a given HTTP request.