If an SP’s SSO implementation employs account linking, the flow of events is somewhat different since a user must authenticate to the SP application the first time SSO is initiated (for more information, see Key Concepts in the PingFederate documentation). In this case, PingFederate and the OpenToken Adapter support an integration mechanism to redirect the user to an Account Link Service to which a user initially authenticates. Upon successful authentication, the account link service must redirect the user back to PingFederate with an OpenToken, which PingFederate uses to create an account link for the user. For subsequent SSO requests, PingFederate uses the account link established in the first SSO request to identify the user. It then creates an OpenToken and sends it to the Authentication Service associated with the application.


  1. PingFederate receives an assertion under either the SAML 2.0 or WS-Federation protocol.
  2. If this is the first time the user has initiated SSO to this SP, PingFederate redirects the browser to the Application Server’s Account Link Service, where the user must authenticate. Upon successful authentication, an OpenToken is returned to PingFederate, and an account link is established for this user within PingFederate. This account link is used on subsequent SSO transactions.
  3. PingFederate retrieves the local user ID from its account link data store. PingFederate's OpenToken Adapter generates an OpenToken based on the assertion and account link, and then redirects the user’s browser to the Web application’s SSO Authentication Service, passing the OpenToken in the redirect.
  4. The Authentication Service extracts the contents of the OpenToken, establishes a session for the user, and redirects the user’s browser to the Target Resource (the resumePath URL sent as a query parameter).

In an Account Linking event, the user’s browser is redirected to the configured Link Service in the SP OpenToken Adapter instance.