Not authenticated. Log in via PingFed-B (which authenticates against PingFed-A).
Logged in as SAML session active
Access App2
Choose which flow to demonstrate:
Auth Code: browser redirects through PingFed-B — no login prompt if session exists.
Token Exchange: App1 calls PingFed-B /token directly with the SAML assertion.