1. The user initiates SSO from an SP application through a PingFederate SP server.
    Note: This SP-initiated scenario represents the optimal use case, one in which both the IdP and SP are using PingFederate. However, PingFederate accepts any valid SAML authentication request from an SP. In addition, you can enable IdP-initiated SSO; in this case, the user attempts SSO to an SP application from the IdP site, and the processing sequence would not include the next step.
  2. The PingFederate SP server generates a SAML AuthnRequest to the PingFederate IdP server.
  3. If not already logged on at the IdP (via a first-factor adapter such as LDAP or IWA), the user is challenged to authenticate.
  4. The PingFederate IdP server obtains user-session information via the first-factor adapter.
  5. The VIP Adapter requests a one-time password (OTP) from the user.
  6. The VIP Adapter uses the username obtained by the first-factor adapter and the OTP to verify the user and the code via the Symantec VIP API.
  7. If the validation succeeds, the PingFederate IdP server generates a SAML assertion with the username as the Subject and passes it to the PingFederate SP server.
  8. (Not shown) The user is logged on to the SP target application.