The following figure illustrates a single sign-on (SSO) scenario in which PingFederate authenticates users to an SP application using the RSA SecurID IdP Adapter.

A flow diagram that shows the interaction between PingFederate and the RSA Authentication Manager server.


  1. The user initiates SSO from an SP application through the PingFederate SP server.

    This SP-initiated scenario represents the optimal use case, where both the identity provider (IdP) and SP use PingFederate. If your SP partner does not support this scenario, however, PingFederate accepts any valid SAML authentication request.

    You can also enable IdP-initiated SSO. In this case, the SSO flow would not include this step or the next one.

  2. The PingFederate SP server generates a SAML AuthnRequest and sends it to the PingFederate IdP server.
  3. The PingFederate IdP server requests user authentication using the RSA SecurID Adapter. The adapter challenges the user for a RSA SecurID passcode.
  4. The adapter sends authentication credentials to RSA Authentication Manager.
  5. The RSA Authentication Manager validates the credentials sent by the adapter and sends a response to PingFederate.
  6. If the validation fails, user access is denied. If validation succeeds, the PingFederate IdP server generates a SAML assertion with the username as the Subject and passes it to the PingFederate SP server.