Ping Federate Product Guide

PingFederate Capabilities and Use Cases A Ping Identity ebook Version 1.0a October, 2009



Introduction - About this eBook


This ebook is designed to give PingFederate customers and users a comprehensive yet easy-to-digest summary of the many capabilities and use cases supported by the latest version of PingFederate.

Designed to be quickly scanned, it makes extensive use of diagrams and hyperlinks to allow quick navigation to interesting topics. Any text you see in italics (other than diagram captions) is a link. For example, you will find a link back to the Table of Contents at the bottom right corner of each page. Also, the entries and page numbers in the Table of Contents itself are all links you can use to quickly navigate to a topic of interest. Finally, the chapter title at the top of each page links back to the beginning of the chapter.

Please send any feedback on this document, including suggestions, corrections or enhancements, to [email protected].

Version 1.0, October 2009

Table of Contents

Introduction - About This Document 2

1. PingFederate Overview 5

Internet Identity Security Platform 6

Three Types of Internet Identity Use Cases 7

PingFederate Add-On Modules 8

Enabling Internet SSO 9

Federated Identity Capabilities 10

Internet Identity Standards Support 11

2. Internet SSO Use Cases 12

SSO for External/SaaS Applications 13

Leading SaaS Apps Support Internet SSO 14

PingFederate Works with All these Apps 15

SaaS Provider Customer SSO 16

Customer-Facing Applications 17

SSO for Internal Applications 18

IdM Suite Federation Alternative 19

SSO for Business Partners 20

Endpoint Enablement 21

3. Integration with Existing Systems 22

The Need for First and Last Mile Integration 23

First Mile Integration at the IdP 24

Last-Mile Integration at the SP 25

Custom Java, .NET and PHP Applications 26

CA SiteMinder 27

Oracle Access Manager 28

IBM Tivoli Access Manager 29

IWA, Active Directory, X.509 and LDAP 30

IIS, Apache, WebSphere and Weblogic 31

Microsoft SharePoint and SAP NetWeaver 32

Citrix XenApps (formerly Presentation Server) 33

4. Internet User Account Management 34

Background/Overview 35

Express Provisioning 36

SaaS Provisioning 37

Express and SaaS Provisioning Compared 38


Identity Management for Salesforce CRM 39

Identity Management for Google Apps 40

Identity Management for Workday 41

5. Endpoint Enablement 42

PingFederate Express 43

Endpoint Program 44

6. Universal Token Translation and the STS 45

Background/Overview 46

Components of the PingFederate STS 47

Generating SAML Assertions from Tokens 48

Generating SAML Assertions from Claims 49

Generating New Tokens from SAML 50

Using the STS for Token Exchange 51

Identity-Enabled Web Services 52

Using the AmberPoint WS-Trust Client 53

Proprietary Token Exchange 54

Securing REST with OAuth 55

7. Advanced Capabilities 56

PingFederate Architecture 57

Self-Contained Server Clustering 58

Programmatic Configuration Migration 59

JMX and SNMP Monitoring 60

Compliance/Logging/ArcSight Partnership 61

Auto-Connect 62

Anchored Trust Model Eliminates Certificate Exchanges 63

HSM, FIPS-140-2 and SafeNet LUNA 64

Who We Are 65


Chapter 1: PingFederate Overview


Internet Identity Security Platform

PingFederate is an Internet Identity Security software platform designed to meet any organizationʼs Internet-facing identity management challenges.

PingFederate® has evolved from a standalone federated identity server into a complete Internet identity security platform designed to meet any organizationʼs Internet-facing identity management needs.

It is packaged as a single software product that provides three primary Internet Identity Security functions: Internet SSO, Internet User Account Management and Universal Security Token Translation. These three functions are supported by a set of common services.

The product family also includes a set of add-on modules that extend PingFederate to support external systems.

Diagram: the Internet Identity Security Platform. PingFederate core: Internet SSO (standards-based federated identity), Universal Security Token Translation (Security Token Service), Internet User Account Management (Express and SaaS Provisioning), Configuration & Administration, Runtime Services. Add-On Modules: Integration Kits, Security Token Translators, SaaS Connectors, PingFederate Express.


Three Types of Internet Identity Use Cases

PingFederate provides three types of Internet Identity use cases: Internet Single Sign-On (SSO), Internet User Account Management and Universal Security Token Translation.

PingFederate supports three types of Internet Identity use cases:

Internet Single Sign-On: Users sign on once to their corporate network. PingFederate securely and transparently communicates their identities to Internet applications, removing the need for subsequent application sign-ons.

Internet User Account Management: User accounts at Internet applications are automatically created, updated and deleted throughout the user's life cycle within the organization.

Universal Token Translation: Applications in different security domains need to translate security tokens in order to share user identity information. This capability is often used in conjunction with Web services.

Diagram: Internet SSO, Universal Token Translation and Internet User Account Management between your organization and your suppliers, customers and service providers.


PingFederate Add-On Modules

Integration Kits extend PingFederate's Internet SSO capabilities to work with existing identity management and application infrastructure at identity providers and service providers.

Security Token Translators are plug-ins that enable PingFederate's WS-Trust Security Token Service (STS) to process specific security token types.

SaaS Connectors expedite and optimize connections to leading SaaS providers by providing Quick Connection Templates, support for automated SaaS user account management and support for non-browser-based access devices such as email clients and mobile devices.

PingFederate Express is an Internet Single Sign-On (SSO) "endpoint" solution for Service Providers (application owners) who need to quickly, easily and cost-effectively establish a SAML connection with a PingFederate Identity Provider. 

PingFederate incorporates the core functionality necessary to implement Internet SSO, Identity-enabled Web Services and Internet User Account Management into a single server and a single administrative console.


Enabling Internet SSO

The basis for Internet SSO is a technology and a set of industry standards called Federated Identity.

PingFederate provides Internet SSO by supporting the Security Assertion Markup Language (SAML) and WS-Federation identity federation standards.

Both standards work by securely transmitting information about the user of an application from an organization that maintains an account for that user (called the Identity Provider, or IdP) to the organization providing the desired Web application or resource (called the Service Provider, or SP).

Both parties taking part in an Internet SSO connection need software that supports the same federated identity protocol. This software must integrate with identity and authentication sources at the IdP, and it must integrate with the application environment at the SP. With this integration in place, it is possible to look up information about the userʼs session at the IdP and create an equivalent session at the SP.

Diagram: the application user authenticates at the Identity Provider (IdP), where PingFederate performs a session lookup against the identity management system and sends a SAML or WS-Federation message to PingFederate at the Service Provider (SP), which performs session creation in the target application.


Federated Identity Capabilities

Federation Standards
• SAML 1.0
• SAML 1.1
• SAML 2.0
• WS-Federation

Federation Roles
• Identity Provider (IdP)
• Service Provider (SP)
• IdP Discovery

Bindings
• HTTP POST
• HTTP Artifact
• HTTP Redirect
• SOAP

Profiles
• IdP-Initiated SSO
• SP-Initiated SSO
• Single Log-Out
• Attribute Query & XASP
• IdP Discovery

Kantara/Liberty Alliance Interop Certifications
• IdP Lite
• SP Lite
• eGov

Identity Mapping
• Account Linking
• Account Mapping

Attribute Sources
• LDAP
• JDBC
• Custom (via SDK)

Certificate Validation
• CRL
• OCSP

Trust Models
• Unanchored
• Anchored

Additional Capabilities
• Metadata Exchange
• Authentication Context
• Auto-Connect
• Integration with SafeNet LUNA


Internet Identity Standards Support

Now:
• Identity Federation: SAML 1.0, SAML 1.1, SAML 2.0, WS-Federation
• Security Token Service: WS-Trust, SOAP/WSS
• Internet User Account Management: LDAP, JDBC

Roadmap:
• Identity Federation: OpenID, Facebook Connect, Information Cards
• Security Token Service: OAuth, REST
• Internet User Account Management: SPML
• Policy Management: XACML

Ping Identityʼs strategy for PingFederate is to provide support for all relevant Internet identity management standards that our customers expect to deploy, whether they be de jure or de facto. Items in the Roadmap row are in our intermediate-term product plan, but have not yet been prioritized for development. We are always interested in speaking with any customers or prospects interested in deploying roadmap functionality. If you are such a person, please send an email to our product management team at [email protected].


Chapter 2: Internet SSO Use Cases


SSO for External/SaaS Applications

In this use case, an enterprise uses PingFederate to give its employees easy and secure access to applications provided by SaaS vendors, outsourcers and other service providers.

In this use case, enterprises use PingFederate to connect to one or more service providers such as Software as a Service (SaaS) suppliers that provide applications for employee use.

With PingFederate, the enterprise can provide SSO access to external applications from multiple devices including Web browsers, mobile devices and rich clients such as Microsoft Outlook.

PingFederate can leverage identities from its existing IdM system and authentication capabilities such as Integrated Windows Authentication (IWA).

For applications with large numbers of users, PingFederate can also automate the management of user accounts at the application provider.

Diagram: an enterprise running PingFederate connects to an outsourcing provider and other leading SaaS apps.


Leading SaaS Applications Support Internet SSO

Virtually every major Software-as-a-Service provider now supports Internet SSO.

While federated identity was evolving as an essential Internet security technology, another technology was also evolving: the emergence of on-demand Software-as-a-Service applications.

Given the fundamental ability of Internet SSO and federated identity to support scenarios where users are in one place and their applications are in another, it only makes sense that these two trends would converge - and they have.

SSO to SaaS has now emerged as the major use case for Internet SSO. Virtually every major SaaS provider, including those shown here, now supports Internet SSO. While some started by offering a proprietary SSO mechanism, the trend in the industry is toward support of the SAML 2 standard for implementing SSO.


PingFederate Works with All these Apps and More

ACI Worldwide; ADP Globalview; ADP Pre-Employment Services; ADP ProBusiness; Advent Software; Apollo Enterprise Solutions; Axentis, Inc; Bellomy Research; Benelogic; Brainshark; Business Integration Group; Concur; CreateHope; DecisionView; eBenefits; ePharma Solutions; FinancialKnowledge; Fortrex Technologies; Fragomen, Del Rey, Bernsen & Loewry; Geezeo.com; Globoforce; Google Apps; GT Nexus; Healthline Networks; Hibbert Company; HiveLive Inc; HumanConcepts; InfoHRM Pty; Innocentive; IntraLinks; Legal Intelligence; Livetechnology Holdings; M2 Consulting; MarketTools; Media Defined; MullinTBG; NextJump; Nirvanix; PeopleCube; Pointserve; Postini; PowerSteering Software; PriceMetrix; PureSafety; RazorGator; Rearden Commerce; Reed Group; Rideau; Salary.com; Salesforce CRM; Salesforce Customer Portal; Salesforce Partner Portal; Satuit Technologies; Savo Group; SBC Systems Company; Schawk Digital Solutions; Simantel Group; Success Factors; Technology & Business Solutions; TharpeRobbins Company; Threepointoffice; Tierra Software Development; Trimble; Triple Creek Associates; Truist; TRX; Valtera Corporation; VibeSMG; Virtual Premise; Vision Global Solutions; Vocus; WageWorks; Webex; Webroot; Workday; Worlddoc; Xpress Bill Pay; Zoho CRM


SaaS Provider Customer SSO

SaaS Providers use PingFederate both to establish SAML-based Internet SSO connections with their customers and to create services mashups.

Over 100 Software-as-a-Service (SaaS) providers already incorporate PingFederate into their product offerings.

These companies use PingFederate three different ways. First, they provide standards-based Internet SSO to their customers. These connections can be SAML 2, SAML 1.x or WS-Federation based.

Second, they use PingFederateʼs Express Provisioning capability to automatically create user accounts in their user store.

Third, they use PingFederate to “mash up” services from other service providers that they re-market to their customers. These mashups can be either browser- or Web Services-based.

Diagram: a SaaS provider running PingFederate connects to its customers and to service suppliers.


Customer-Facing Applications

Many non-technology companies now sell products that have an online component. These companies use PingFederate for both inbound and outbound Internet SSO.

Companies in virtually every industry are now enhancing or expanding their product offerings via additional functionality delivered via the Internet. Such companies differ from pure SaaS providers in that their product is more than software. These also tend to be larger, more established companies that have multiple federated identity use cases.

These firms use PingFederate in a hybrid manner. They support both incoming SSO for their customers, as well as outgoing SSO for their employees.

PingFederate is a particularly good choice for this use case because its pricing is connection-based rather than seat-based, the model most common with identity management products designed to manage employee identities.

Diagram: an enterprise running PingFederate provides inbound SSO to customers and outbound SSO to an outsourcing provider.


SSO for Internal Applications

In this example, PingFederate gives users who log into their Windows network SSO access to applications protected by SiteMinder and a home-grown Web Access Management system.

Many organizations, especially larger ones, find themselves in the situation of having multiple security domains where users in one domain often need access to applications in another domain.

In this situation, a single PingFederate instance can be configured in a hybrid role where it supports one or more domains acting as Identity Providers, and also one or more domains acting as Service Providers.

Deploying PingFederate for Internal Single Sign-On so that users can log in once and access Web-based applications in other domains is often far less costly than consolidating security domains - an option that in many cases is not even technically feasible.

Diagram: PingFederate connects Integrated Windows Authentication, SiteMinder and a homegrown WAM.


IdM Suite Federation Alternative

Many identity management suite users choose PingFederate to deliver Internet SSO functionality instead of the federated identity module sold by their suite vendor.

Identity management suite customers often choose to implement PingFederate instead of the federated identity module offered by their suite vendor.

These customers generally choose PingFederate for one or more of the following reasons:
• Easier to learn, deploy and use
• Much faster time-to-connection
• Out-of-the-box integration with other products, particularly those from their suite vendorʼs competitors
• Extensive support for SaaS SSO: provisioning, mobile devices, email clients etc.
• No need to upgrade to the latest version of the IdM suite just to use the federation module
• Availability of PingEnable implementation and support services
• Significantly lower total cost of ownership

Diagram: PingFederate connects Oracle Access Manager, SiteMinder and Tivoli Access Manager to partner, SaaS and service provider connections.


SSO for Business Partners

Enterprises with large supply or demand chains often use PingFederate to implement Internet SSO either to or from their business partners.

Companies with extensive supply or demand chains often desire to provide SSO support to or from business partners including suppliers, dealers, distributors, affiliates and customers.

Depending on the specific requirements, PingFederate allows these companies to act as an IdP, SP or both.

Companies implementing Partner SSO often do so by implementing a partner portal. PingFederate has Integration Kits available for leading portal platforms.

In industries with an available industry federation hub such as Covisint or Exostar, PingFederate can also connect to business partners via that hub.

Diagram: an enterprise running PingFederate connects to suppliers, dealers, partners and an industry hub.


Endpoint Enablement

Organizations recognizing the strategic advantages provided by Internet SSO often see themselves becoming a federation hub surrounded by dozens of partners.

Many organizations initially deploy Internet SSO to support a tactical project requirement. Once they have experienced the benefits of Internet SSO, many realize they can reap significant strategic benefits from the technology by deploying it widely.

These organizations then develop “endpoint” enablement programs designed to turn their organization into a federation “hub” surrounded by dozens, hundreds or even thousands of partner organizations acting as federation “spokes”.

Large scale deployment of federated identity requires not only highly scalable and reliable Internet SSO software such as PingFederate at the hub, but also a much lighter weight form factor such as PingFederate Express for deployment by partner organizations.

Diagram: a federation hub surrounded by partner spokes.


Chapter 3: Integration with Existing Systems


The Need for “First and Last Mile” Integration

User attributes originate at the IdP and are used at the SP to establish a session in the target applications. PingFederate integrates with both IdP and SP systems to facilitate the transfer of these attributes.

As a stand-alone server, PingFederate must integrate programmatically with Identity Management (IdM) systems and end-user applications to complete the “first and last mile” implementation of a federated identity network that implements Internet SSO.

To enable both the Identity Provider (IdP) and Service Provider (SP) sides of this integration, PingFederate provides commercial integration kits, which include adapters that plug into the PingFederate server and agents that interface with local IdM systems or applications.

PingFederate also has an SDK that can be used to create custom adapters for systems that do not have an available Integration Kit.

Diagram: identity attributes flow from the authentication service/application at the Identity Provider through PingFederate, over SAML/WS-Federation, to PingFederate at the Service Provider and into the target application.


“First Mile” Integration at the Identity Provider

Ping Identity offers a wide variety of Integration Kits that provide “first mile” integration at the Identity Provider.

IdP integration involves retrieving user identity attributes from the IdP domain and sending them to the PingFederate server. Typically, the identity attributes are retrieved from an authenticated user session. For IdP integration, a number of attribute-retrieval approaches can be used, depending upon the IdP deployment/implementation environment.

Ping Identity offers a broad range of commercial integration kits that address various IdP scenarios, most of which involve either custom application integration, integration with a commercial IdM product, or integration with an existing authentication system.

Diagram: first-mile sources at the Identity Provider feeding PingFederate over SAML: custom applications (Java, .NET, PHP), portals (SAP NetWeaver, custom/homegrown), identity management systems (CA SiteMinder, Oracle Access Manager, Tivoli Access Manager) and authentication systems (Windows IWA/NTLM, Active Directory/LDAP, strong authentication).


“Last Mile” Integration at the Service Provider

Ping Identity provides a wide variety of Integration Kits that provide “last mile” integration at the Service Provider.

An SP is the consumer of identity attributes provided by the IdP through a SAML assertion. SP integration involves passing the identity attributes from PingFederate to the target SP application. The SP application uses this information to set a valid session or other security context for the user represented by the identity attributes. Session creation can involve a number of approaches, and as for the IdP, Ping Identity offers commercial integration kits that address the various SP scenarios. Most SP scenarios involve custom-application integration, server-agent integration, integration with an IdM product, or integration with a commercial application.

Diagram: last-mile targets at the Service Provider fed by PingFederate over SAML: custom applications (Java, .NET, PHP), commercial applications (Citrix, Microsoft SharePoint), identity management systems (CA SiteMinder, Oracle Access Manager, Tivoli Access Manager) and Web and app servers (Apache, Microsoft IIS, SAP NetWeaver, WebLogic, WebSphere).


Custom Java, .NET and PHP Applications

PingFederate can integrate with custom/homegrown identity management and authentication systems at the IdP as well as custom applications at the SP.

Identity Providers: A federation partner can use a custom authentication service or application to play the IdP role in the federation partnership. Integration with a custom application is handled through application-level integration kits, which allow software developers to integrate their custom applications with a PingFederate server acting as an IdP.

Service Providers: Some applications use their own authentication mechanisms and are responsible for their own user-session management. When there is limited or no access to the Web or application server hosting the application, integration with these custom applications is handled through application-level integration kits. With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the SP application, which can then use them for its own authentication and session management.

Diagram: Java, .NET and PHP applications at the Identity Provider and at the Service Provider, connected through PingFederate over SAML.


CA SiteMinder

PingFederate and its SiteMinder Integration Kit can be used by SiteMinder shops acting in the Identity Provider role, Service Provider role or both.

PingFederate, when combined with its SiteMinder Integration Kit, provides a comprehensive Internet SSO solution that does not require any custom development:
• As an Identity Provider, you can provide your users with SSO to external services over the Internet such as Software-as-a-Service (SaaS) and Business Process Outsourcing (BPO), where they are automatically authenticated by your SiteMinder server.
• As a Service Provider, you can provide your external partners and customers Internet SSO to SiteMinder-protected applications.
• You can provide internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures regardless of the version of SiteMinder or identity and access management system (IdM) each organization has deployed.

Diagram: SiteMinder at the Identity Provider and at the Service Provider, connected through PingFederate over SAML.


Oracle Access Manager

PingFederate and its Oracle Access Manager Integration Kit can be used by OAM shops acting in the Identity Provider role, Service Provider role or both.

PingFederate, when used with its Oracle Access Manager (OAM) Integration Kit, provides a comprehensive Internet SSO solution that can be installed in as little as a day:
• As an Identity Provider, you can provide your users with SSO to external services over the Internet such as Software-as-a-Service (SaaS) and Business Process Outsourcing (BPO), where they are automatically authenticated by OAM.
• As a Service Provider, you can provide your external partners and customers Internet SSO to OAM-protected applications.
• You can provide internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures regardless of the version of OAM or identity and access management system (IdM) each organization has deployed.

Diagram: Oracle Access Manager at the Identity Provider and at the Service Provider, connected through PingFederate over SAML.


IBM Tivoli Access Manager

PingFederate can be integrated with Tivoli Access Manager via a fixed-price service engagement. When done so, TAM can act as an IdP, SP or both.

Diagram: Tivoli Access Manager at the Identity Provider and at the Service Provider, connected through PingFederate over SAML.

Ping Identity offers a fixed-price integration service for deploying PingFederate with Tivoli Access Manager. The TAM IdP integration kit leverages Tivoli Access Manager WebSEAL as a point of user authentication and requires a secure deployment configuration.
• As an Identity Provider, you can provide your users with SSO to external services over the Internet such as Software-as-a-Service (SaaS) and Business Process Outsourcing (BPO), where they are automatically authenticated by TAM.
• As a Service Provider, you can provide your external partners and customers Internet SSO to TAM-protected applications.
• You can provide internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures regardless of the version of TAM or identity and access management system (IdM) each organization has deployed.


Microsoft IWA, Active Directory, X.509 and LDAP

PingFederate authentication system integration kits give users who have authenticated locally SSO access to applications hosted by Service Providers.

Initial user authentication is normally handled outside of the PingFederate server using an authentication application or service. PingFederate authentication system integration kits leverage this local authentication to access applications outside the security domain.

These integration kits access authentication credentials that are validated against a Windows security context, which could be NTLM or Integrated Windows Authentication (IWA) working with Active Directory, and pass them to the PingFederate IdP server.

The X.509 Certificate Integration Kit uses the PingFederate security infrastructure to perform client X.509 certificate authentication for SSO to SP applications.

PingFederate also packages an LDAP Authentication Service Adapter and logon form that can authenticate users directly against an LDAP data store for SP-initiated SSO scenarios.

Diagram: X.509, IWA/NTLM and LDAP authentication at the Identity Provider feeding PingFederate over SAML.


Microsoft IIS, Apache, WebSphere and WebLogic

PingFederate Web and Application Server Integration Kits allow Service Providers to provide SSO to applications running on those servers without having to integrate each application.

PingFederate Web and App server Integration Kits allow SP enterprises to accept SAML assertions and provide SSO to all applications running on their Web and/or application server; there is no need to integrate each application. Applications running on the Web/application server must delegate authentication to the server; if the application employs its own authentication mechanism, integration must occur at the application level.

With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the server agent, which is typically a Web filter or JAAS (Java Authentication and Authorization Service) Login Module. The server agent extracts the identity attributes, which the server then uses to authenticate and create a session for the user.

These integration kits do not require any development; integration with PingFederate is accomplished entirely through the PingFederate administrative console.

Diagram: Apache, IIS Server, WebSphere and WebLogic at the Service Provider behind PingFederate over SAML.


Microsoft SharePoint and SAP NetWeaver

PingFederate portal Integration Kits support two of the most popular commercially available portals - Microsoft SharePoint and SAP NetWeaver.

The PingFederate NetWeaver Integration Kit supplies both outgoing (IdP-side) SSO support for NetWeaver users, as well as incoming (SP-side) Internet SSO support for NetWeaver applications.

The PingFederate SharePoint Integration Kit provides incoming (SP-side) SSO support for SharePoint applications. (For IdP-side support in a Microsoft environment, use the PingFederate IWA/NTLM Integration Kit.)

These integration kits do not require any development; integration with PingFederate is accomplished entirely through the PingFederate administrative console.

Diagram: NetWeaver at the Identity Provider, and SharePoint and NetWeaver at the Service Provider, connected through PingFederate over SAML.

Citrix XenApp (formerly Presentation Server) - Integration with Existing Systems

PingFederate and its Citrix Integration Kit turn Citrix XenApp into a SAML Service Provider, making virtualized applications available to external users.

Giving external users such as customers, contractors and partners SSO access to virtualized applications used to require Citrix XenApp (formerly Presentation Server) administrators to manage passwords and user credentials for each external user. The subsequent cost and effort required to manage external user accounts is significantly higher than managing internal users and employee accounts through traditional Identity Management systems.

PingFederate eliminates this burden by tightly integrating with XenApp via the Citrix Web Interface. The combination turns XenApp into a SAML or WS-Federation Service Provider. External users, whose identities are managed by their Identity Provider, get SSO access to any applications virtualized by XenApp.

This architecture is especially popular with service providers that need to provide external access to legacy applications.

[Diagram: a SAML assertion from the Identity Provider reaches PingFederate at the Service Provider, which integrates with XenApp through the Citrix Web Interface]

Chapter 4

Internet User Account Management

Background/Overview - Internet User Account Management

Service providers such as SaaS vendors often have their own user account directories that are beyond the reach and control of enterprise provisioning solutions.

While many organizations have struggled to deploy a workable enterprise provisioning solution, Cloud computing has created a new provisioning challenge: additional user directories often beyond the reach and control of their enterprise solution. These additional directories must be populated and managed before users can use those external applications.

To meet this challenge, PingFederate now offers two different types of Internet user account management:

• Express Provisioning is a Service Provider-side solution that uses the attributes in incoming SAML assertions to create and update user accounts.

• SaaS Provisioning is an Identity Provider-side solution that integrates a corporate directory with a SaaS provider's provisioning API to automatically create, update and delete user accounts in the Service Provider's directory for a selected set of users.

[Diagram: one Enterprise Directory on the enterprise side and a separate User Directory at each of three Service Providers, with question marks showing that nothing keeps them in step]

Express Provisioning - Internet User Account Management

Express Provisioning uses the attributes contained within incoming SAML assertions to create or update user accounts within the Service Provider's user store.

PingFederate Express Provisioning uses information passed via Internet SSO inside the SAML assertion to automatically and dynamically create user accounts in the destination application directory if they do not already exist. This enables the application provider to create user accounts "on-the-fly," adding convenience for users and reducing staff overhead by automating Internet user account management.

Express Provisioning works for both LDAP and JDBC user stores at the Service Provider.

It is useful for "arms length" use cases where the user's identity does not need to be known in advance by the Service Provider, such as supply chain portals, collaborative projects and many SaaS applications.

[Diagram: a SAML assertion arrives at PingFederate at the Service Provider, which provisions the account into an LDAP or JDBC user store (three numbered steps)]
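The create-or-update step described above, as an added example that is not PingFederate's code and not the Express Provisioning implementation: a Go program that reads the NameID and attributes out of a SAML 2.0 assertion, refuses any assertion that is outside its validity window or addressed to a different Service Provider, and only then inserts or updates the account in an in-memory stand-in for the SP's LDAP or JDBC user store. The attribute names, the audience URL and the sample assertion are constructed for the demo; the assertion's signature is assumed to have been verified by the federation server before provisioning is attempted.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

// Assertion holds the parts of a SAML 2.0 assertion that Express Provisioning
// needs: who the user is, whether the assertion is valid for this SP now, and the attributes.
type Assertion struct {
	XMLName xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Subject struct {
		NameID string `xml:"NameID"`
	} `xml:"Subject"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// User is one account in the SP's user store: the attributes last asserted by the IdP.
type User struct{ Attrs map[string][]string }

// Store is an in-memory stand-in (hypothetical) for the SP's LDAP or JDBC user store.
type Store struct{ Users map[string]*User }

// checkConditions rejects assertions outside their validity window or issued for another
// Service Provider. NotBefore is optional in SAML; NotOnOrAfter is required here.
func checkConditions(a Assertion, audience string, now time.Time) error {
	c := a.Conditions
	if c.NotBefore != "" {
		if nb, err := time.Parse(time.RFC3339, c.NotBefore); err != nil || now.Before(nb) {
			return errors.New("assertion not yet valid")
		}
	}
	if na, err := time.Parse(time.RFC3339, c.NotOnOrAfter); err != nil || !now.Before(na) {
		return errors.New("assertion expired or has no NotOnOrAfter")
	}
	for _, aud := range c.Audiences {
		if aud == audience {
			return nil
		}
	}
	return errors.New("assertion not intended for this Service Provider")
}

// Provision creates the account if it is missing or updates it if it exists, but only
// after the conditions pass. It returns the NameID and whether a new account was created.
func (s *Store) Provision(raw []byte, audience string, now time.Time) (string, bool, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return "", false, fmt.Errorf("parse: %w", err)
	}
	if a.Subject.NameID == "" {
		return "", false, errors.New("assertion has no NameID")
	}
	if err := checkConditions(a, audience, now); err != nil {
		return "", false, err
	}
	u, exists := s.Users[a.Subject.NameID]
	if !exists {
		u = &User{Attrs: map[string][]string{}}
		s.Users[a.Subject.NameID] = u
	}
	// Attributes the IdP asserts now overwrite the stored ones; attributes it omits are kept.
	for _, at := range a.Attributes {
		u.Attrs[at.Name] = at.Values
	}
	return a.Subject.NameID, !exists, nil
}

// SampleAssertion builds a constructed, unsigned assertion for the demo; a real deployment
// has already verified the IdP's signature before this point.
func SampleAssertion(nameID, email string) []byte {
	return []byte(fmt.Sprintf(`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2009-10-01T12:00:00Z" NotOnOrAfter="2009-10-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://portal.example.test/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>suppliers</saml:AttributeValue><saml:AttributeValue>portal-users</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`, nameID, email))
}

func main() {
	store := &Store{Users: map[string]*User{}}
	id, created, err := store.Provision(SampleAssertion("alice@partner.test", "alice@partner.test"),
		"https://portal.example.test/sp", time.Date(2009, 10, 1, 12, 1, 0, 0, time.UTC))
	fmt.Println(id, created, err)
}
```

The order of the checks is the point: an account is written to the store only after the assertion has been found valid for this Service Provider at this moment, so a replayed or misdirected assertion never creates an account as a side effect.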

SaaS Provisioning - Internet User Account Management

PingFederate SaaS Provisioning watches a directory group or filter for user changes. When they occur, it automatically pushes them to the SaaS provider.

SaaS Provisioning allows SaaS applications to automatically create and remove users by replicating user account information from the SaaS customers' enterprise directories.

A group or filter in the SaaS customer's enterprise directory contains all of the users that are authorized to use the SaaS application. When administrators add, remove or update users in the enterprise directory, PingFederate automatically "replicates" those changes to the SaaS application's remote directory.

SaaS Provisioning eliminates the need to manually maintain SaaS user directories. It also eliminates zombie accounts by quickly and automatically disabling accounts when users are removed from the corporate directory. This reduces the risk of data loss and compliance audit failures.

[Diagram: PingFederate at the Enterprise reads the LDAP or Active Directory and pushes changes through the SaaS Provider's Provisioning API]
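The replication step above, as an added example that is not PingFederate's code: a Go reconciliation routine that compares the membership of the authorizing directory group with the account list returned by a SaaS provider's provisioning API and produces the create, update and disable calls needed to bring the SaaS side into line. The group members, the account list and the "Managed" flag (marking accounts this provisioner created, as opposed to accounts a SaaS administrator made by hand) are constructed for the demo.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DirUser is a member of the enterprise directory group or filter that
// authorizes use of the SaaS application.
type DirUser struct{ Email, FirstName, LastName string }

// SaaSAccount is one account as reported by the SaaS provider's provisioning API.
type SaaSAccount struct {
	Email, FirstName, LastName string
	Active                     bool
	Managed                    bool // created by this provisioner, not by hand (assumed flag)
}

// Change is one call the provisioner would make against the provisioning API.
type Change struct{ Op, Email string } // Op is "create", "update" or "disable"

// Reconcile compares group membership with the SaaS account list and returns the
// API calls that bring the SaaS side into line. Accounts are disabled rather than
// deleted so that a user who leaves loses access at once but no data is destroyed.
func Reconcile(group []DirUser, accounts []SaaSAccount) []Change {
	var plan []Change
	byEmail := map[string]SaaSAccount{}
	for _, a := range accounts {
		byEmail[strings.ToLower(a.Email)] = a // e-mail addresses compare case-insensitively
	}
	wanted := map[string]bool{}
	for _, u := range group {
		key := strings.ToLower(u.Email)
		wanted[key] = true
		a, exists := byEmail[key]
		switch {
		case !exists:
			plan = append(plan, Change{Op: "create", Email: u.Email})
		case !a.Active || a.FirstName != u.FirstName || a.LastName != u.LastName:
			// Re-enabling someone who was disabled earlier is an update, not a new account.
			plan = append(plan, Change{Op: "update", Email: u.Email})
		}
	}
	for key, a := range byEmail {
		// Zombie account: still active at the SaaS provider but no longer in the group.
		// Only accounts this provisioner created are touched; an admin's hand-made
		// account is left alone rather than silently disabled.
		if !wanted[key] && a.Active && a.Managed {
			plan = append(plan, Change{Op: "disable", Email: a.Email})
		}
	}
	sort.Slice(plan, func(i, j int) bool { // deterministic order for logging and testing
		if plan[i].Op != plan[j].Op {
			return plan[i].Op < plan[j].Op
		}
		return plan[i].Email < plan[j].Email
	})
	return plan
}

// SampleGroup and SampleAccounts are constructed inputs for the demo.
func SampleGroup() []DirUser {
	return []DirUser{
		{"Alice@corp.test", "Alice", "Adams"},      // unchanged (only the case differs)
		{"bob@corp.test", "Bob", "Baker"},          // new hire
		{"carol@corp.test", "Carol", "Cruz-Smith"}, // changed her name
	}
}

func SampleAccounts() []SaaSAccount {
	return []SaaSAccount{
		{"alice@corp.test", "Alice", "Adams", true, true},
		{"carol@corp.test", "Carol", "Cruz", true, true},
		{"dave@corp.test", "Dave", "Dunn", true, true},    // left the company: zombie account
		{"erin@corp.test", "Erin", "Evans", true, false},  // created by the SaaS admin by hand
		{"frank@corp.test", "Frank", "Ford", false, true}, // already disabled
	}
}

func main() {
	for _, c := range Reconcile(SampleGroup(), SampleAccounts()) {
		fmt.Println(c.Op, c.Email)
	}
}
```

Run against the sample data, the plan is: create bob, disable dave, update carol. Erin is untouched because the provisioner did not create her account, and Frank is untouched because he is already disabled; a real driver would then map each Change onto the provider's API calls.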

Express and SaaS Provisioning Compared - Internet User Account Management

Requirement | Express Provisioning | SaaS Provisioning
Use Case | SP provides just-in-time access to applications | IdP establishes user accounts at SP before enabling SSO
Account Data Source | SSO transaction | IdP corporate directory
Other Party Requirement | IdP must have SAML-based Internet SSO solution | Service Provider must have a provisioning API
Target Directory/Interface Supported | LDAP, JDBC | Google Apps, Salesforce

Identity Management for Salesforce CRM - Internet User Account Management

SaaS Provisioning, one of the capabilities included in the PingFederate SaaS Connector for Salesforce, works by passing changes made in your corporate directory to the Salesforce Account store via Salesforce's provisioning API.

With the growth of SaaS, PingFederate offers SaaS Connectors for leading SaaS providers including Salesforce CRM.

The Salesforce Connector includes a Quick Connection template to simplify connection setup with pre-populated connection settings, user/account provisioning parameters, and SSO endpoint parameters. It also implements SaaS Provisioning to eliminate manual account setup for these applications.

Finally, the Connector allows PingFederate to SSO-enable the numerous means your users employ to access Salesforce CRM: desktop browsers, mobile device browsers, and even rich client applications such as the Salesforce Outlook email plug-ins.

[Diagram: PingFederate's Provisioner, using the Salesforce Driver, pushes Corporate Directory changes through the Provisioning API to the Salesforce Accounts store; an SSO Endpoint serves sign-on]

Identity Management for Google Apps - Internet User Account Management

SaaS Provisioning, one of the capabilities included in the PingFederate SaaS Connector for Google Apps, works by passing changes made in your corporate directory to the Google Apps account store via Google's provisioning API.

With the growth of SaaS, PingFederate offers SaaS Connectors for leading SaaS providers, including Google Apps, which works with Google Docs and Gmail.

The Google Apps Connector includes a Quick Connection template to simplify connection setup with pre-populated connection settings, user/account provisioning parameters, and SSO endpoint parameters.

It also implements SaaS Provisioning to eliminate manual account setup for these applications. Automated user account provisioning is particularly important for applications like Gmail that tend to be used by every employee in the organization.

[Diagram: PingFederate's Provisioner, using the Google Driver, pushes Corporate Directory changes through the Provisioning API to the Google Apps Accounts store; an SSO Endpoint serves sign-on]

Identity Management for Workday - Internet User Account Management

Ping Identity is currently developing a SaaS Connector for Workday. If you would like to be notified when this product becomes available, send an email to [email protected].

With the growth of SaaS, PingFederate offers SaaS Connectors for leading SaaS providers. Ping Identity is currently developing a SaaS Connector for Workday.

The Workday Connector will include a Quick Connection template to simplify connection setup with pre-populated connection settings, user/account provisioning parameters, and SSO endpoint parameters.

It will also implement SaaS Provisioning to eliminate manual account setup for Workday. Automated user account provisioning is particularly important for applications like Workday that tend to be used by every employee in the organization.

[Diagram: PingFederate's Provisioner, using the Workday Driver, pushes Corporate Directory changes through the Provisioning API to the Workday Accounts store; an SSO Endpoint serves sign-on]

Chapter 5

Endpoint Enablement

PingFederate Express - Endpoint Enablement

PingFederate Express is an Internet SSO "endpoint" solution for Service Providers who need to quickly, easily and cost-effectively establish a SAML connection with a PingFederate Identity Provider.

PingFederate Express™ is an Internet SSO "endpoint" solution for Service Providers who need to quickly, easily and cost-effectively establish a SAML connection with a PingFederate Identity Provider. It delivers enterprise-class performance, reliability and security, yet it requires no additional hardware, federated identity expertise or ongoing maintenance.

Many PingFederate customers have smaller Service Provider partners with limited IT resources, time and expertise. PingFederate Express gives these partners an Internet SSO solution that is quick, easy, and cost effective to deploy en masse, without requiring additional hardware purchases or significant time and effort on either side of the connection.

PingFederate Express can be purchased by the IdP under Ping Identity's Endpoint Program, or by the SP. In either case, service providers receive their license key and technical support directly from Ping.

[Diagram: PingFederate at the Identity Provider connected to multiple Service Providers running PingFederate Express]

Endpoint Program - Endpoint Enablement

Under the PingFederate Endpoint Program, organizations seeking to expedite the creation of Internet Identity connections can purchase PingFederate and PingFederate Express licenses for their partners.

Every Internet Identity connection requires two parties. One party is generally highly motivated to establish connections and may need to deploy dozens or even hundreds of connections as quickly as possible. The other side of the connection, which we refer to as an “Endpoint”, is generally less motivated and may be a neophyte to Internet Identity technologies and best practices.

It is in the initiating party's best interests to provide their Endpoint partners with an easy way to complete an Internet Identity connection without initiating a lengthy and costly evaluation cycle. Ping Identity's Endpoint Program allows customers to purchase a cost-effective block of Endpoint licenses, services and support for their customers, enabling them to quickly and easily deploy Internet Identity connections.

Two products are available under the Endpoint program to support different use cases: PingFederate Express and PingFederate licensed for a single connection.

[Diagram: the Endpoint Program Member running PingFederate connected to partners running PingFederate or PingFederate Express]

Chapter 6

Universal Token Translation and the STS

Background/Overview - Universal Token Translation and the STS

The concept of Universal Token Translation and Security Token Services (STSs) originated with Web Services. The lack of a standard method for communicating user identities hindered early Web Services applications from gaining widespread business acceptance. Standards such as WS-Security and WS-Trust emerged in the SOAP world that enable Web Services to share user identities, but initially they were complex and difficult to implement.

PingFederate provides a key component required to identity-enable Web Services: a WS-Trust Security Token Service (STS). On the Web service client side, which can be a Web application or a rich desktop application, the STS converts whatever security token is used locally into a standard SAML security token containing the user's identity, which is shared with the Web Services provider. On the Web Service provider side, the STS validates security tokens and can generate a new local token for consumption by other applications.

As organizations have rolled out their initial STS-based Web Services deployments, two additional STS use cases have emerged.

First, while WS-Trust envisions token processing as occurring in two phases at the Web service client and provider, the underlying STS has no such restriction. As a result, larger organizations with multiple security domains have recognized the value of the STS as a “universal token translator” that can convert any type of security token into any other type of security token - even if there are no Web services being used.

Second, even though STSs were “born” in the world of SOAP, security experts have realized that the concept of embedded tokens and STSs could play a key role in securing REST-style Web Services as well.

Components of the PingFederate STS - Universal Token Translation and the STS

[Diagram: the PingFederate Security Token Service with its Security Token Translators (OpenToken, SiteMinder, Kerberos, X.509, ...) and Software Development Kits (STS Client SDK for .NET, STS Client SDK for Java, Token Translator SDK)]

As of version 6.0, PingFederate includes a WS-Trust compliant Security Token Service (STS) that accepts one type of security token as input and produces an equivalent security token of a different type as output. It uses a plug-in architecture to support the processing and generation of different token types. It is accessed programmatically via STS Client SDKs.

Token Translators are plug-ins that allow the STS to process (i.e. consume) and/or generate particular types of security tokens. Token Translators for several common token types are available from Ping Identity. Users can also build custom Token Translators using the Token Translator SDK if needed.

The .NET and Java Client SDKs act as WS-Trust clients and allow programs written in .NET and Java to interact with the PingFederate STS. PingFederate can also work with third party WS-Trust clients such as AmberPoint.

The Token Translator SDK allows users to create their own token processor and generator plug-ins.


Generating SAML Assertions from Existing Tokens - Universal Token Translation and the STS

Using the PingFederate STS, an Identity Provider can generate SAML assertions equivalent to existing security tokens used in local security domains.

A common use of the PingFederate STS is to generate a SAML assertion equivalent to a token used in a local security domain. Once generated, the SAML assertion can then be used to transfer identity attributes to another security domain. SAML is an ideal format for transportation across security domains due to its inherent portability and security.

To do this, a program passes the local token to a PingFederate STS that has the proper Token Processor plug-in installed. The STS then creates an equivalent SAML assertion and returns it to the calling program.

This technique can be used for any token type for which Ping Identity offers a Token Processor. It can also be used for other token types by using the Token Processor SDK to create a custom token processor.

[Diagram: a Java or .NET Application uses the STS Client SDK to send an Existing Security Token to the STS, whose Token Processor for that token type returns a New SAML Assertion]

Token Processors Available from Ping Identity: CA SiteMinder, Oracle Access Manager, Microsoft Kerberos, X.509 Certificate, Username/LDAP, SAML 1.1, SAML 2.0, OpenToken

To generate a SAML assertion equivalent to other token types, use the Token Translator SDK to build the required STS plug-in.

Generating SAML from Claims and Attributes - Universal Token Translation and the STS

In addition to being able to generate SAML assertions from incoming tokens, the PingFederate STS can also create assertions from claims and attributes.

In some cases, the application calling the STS does not have an existing security token with the same set of attributes that need to be in the generated SAML assertion. In these cases, the STS can accept claims (attributes) submitted via the RST call from the Java or .NET client.

In addition, whether the input to the STS is claims or an existing security token, the STS has the ability to look up additional attributes to be included in the SAML assertion it generates.

To do this, the STS uses PingFederate's attribute lookup service, which supports LDAP and JDBC data sources out of the box. The lookup service can be extended to support custom data sources via the PingFederate SDK.

[Diagram: a Java or .NET Application submits Claims through the STS Client SDK; the STS looks up additional attributes from LDAP, JDBC or Custom data sources and returns a New SAML Assertion]

Generating New Security Tokens from SAML - Identity-Enabled Web Services

A Service Provider can use an incoming SAML assertion as the basis for the creation of a new, equivalent security token that works in the local security domain.

Another use of the PingFederate STS is to generate a new security token from a SAML assertion that was transported over from another security domain. Once generated, the new token can be used to represent the original identity in the local security domain.

To do this, a program passes the SAML assertion to a PingFederate STS that has the proper Token Generator plug-in installed. The STS then validates the SAML assertion, creates an equivalent security token and returns it to the calling program.

This technique can be used for any token type for which Ping Identity offers a Token Generator. It can also be used for other token types by using the Token Translator SDK to create a custom token generator.

[Diagram: a Java or .NET Application uses the STS Client SDK to send an Existing SAML Assertion to the STS, whose Token Generator for the new token type returns a New Security Token]

Token Generators Available from Ping Identity: SAML 1.1, SAML 2.0, OpenToken

To generate other types of tokens, use the Token Translator SDK to build the required STS plug-in.

Using the STS for Token Exchange - Universal Token Translation and the STS

By making two calls to the PingFederate STS, it is possible for a program to convert virtually any security token into an equivalent token of another type.

By combining the two previous scenarios, it is possible to use the PingFederate STS to exchange virtually any security token type for an equivalent token of any other type.

PingFederate uses SAML as an intermediary to perform this operation. The calling program needs to make only two calls to perform this complex operation: one to generate the intermediary SAML assertion from the existing security token, and a second to generate the new token from the SAML assertion.

[Diagram: a Java or .NET Application uses the STS Client SDK to make two STS calls: Existing Security Token to New SAML Assertion, then New SAML Assertion to New Security Token]
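The processor/generator plug-in model, the two single-step conversions on the previous pages and the two-call exchange above, as one added Go example that is not PingFederate's code and not its STS, Token Translator SDK or any of Ping Identity's token formats. Each "domain" (SiteMinder, LTPA and the SAML intermediary) is represented by a constructed token format, "label.base64(subject|expiry).hmac", keyed per domain; the real formats differ in encoding, and the SAML stand-in is not XML and carries no XML-Signature, but the shape that matters for the STS is the same: claims plus an integrity check that the processor must verify before anything is generated. The keys and the clock are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Claims is the identity the STS carries between token formats.
type Claims struct {
	Subject string
	Expires time.Time
}

// A Processor validates a token of one type and extracts its claims; a Generator turns
// claims into a token of another type. Together they are one Token Translator plug-in.
type Processor func(token string) (Claims, error)
type Generator func(c Claims) (string, error)

// STS is a minimal stand-in for a WS-Trust Security Token Service.
type STS struct {
	processors map[string]Processor
	generators map[string]Generator
}

// Issue is one RequestSecurityToken call: validate the input with the processor
// for inType, then emit an equivalent token with the generator for outType.
func (s *STS) Issue(inType, token, outType string, now time.Time) (string, error) {
	p, g := s.processors[inType], s.generators[outType]
	if p == nil || g == nil {
		return "", fmt.Errorf("no Token Processor for %q or no Token Generator for %q", inType, outType)
	}
	c, err := p(token)
	if err != nil {
		return "", fmt.Errorf("%s token rejected: %w", inType, err)
	}
	if !now.Before(c.Expires) { // an expired token must not be laundered into a fresh one
		return "", errors.New("input token has expired")
	}
	return g(c)
}

// Exchange is the two-call pattern: any token to SAML, then SAML to the target type.
func Exchange(s *STS, inType, token, outType string, now time.Time) (string, error) {
	saml, err := s.Issue(inType, token, "SAML", now)
	if err != nil {
		return "", err
	}
	return s.Issue("SAML", saml, outType, now)
}

// signedToken builds a processor/generator pair for the constructed format
// "<label>.<base64(subject|unix-expiry)>.<hmac>" with a key known only to that domain.
func signedToken(label string, key []byte) (Processor, Generator) {
	mac := func(body string) string {
		m := hmac.New(sha256.New, key)
		m.Write([]byte(label + "." + body))
		return hex.EncodeToString(m.Sum(nil))
	}
	gen := func(c Claims) (string, error) {
		body := base64.RawURLEncoding.EncodeToString([]byte(c.Subject + "|" + strconv.FormatInt(c.Expires.Unix(), 10)))
		return label + "." + body + "." + mac(body), nil
	}
	proc := func(token string) (Claims, error) {
		parts := strings.Split(token, ".")
		if len(parts) != 3 || parts[0] != label || !hmac.Equal([]byte(mac(parts[1])), []byte(parts[2])) {
			return Claims{}, errors.New("malformed token or signature check failed")
		}
		raw, err := base64.RawURLEncoding.DecodeString(parts[1])
		i := strings.LastIndex(string(raw), "|")
		if err != nil || i < 0 {
			return Claims{}, errors.New("corrupt token body")
		}
		exp, err := strconv.ParseInt(string(raw[i+1:]), 10, 64)
		return Claims{Subject: string(raw[:i]), Expires: time.Unix(exp, 0)}, err
	}
	return proc, gen
}

// DemoSTS installs three translators with constructed keys: SiteMinder, IBM LTPA and SAML.
func DemoSTS() *STS {
	s := &STS{map[string]Processor{}, map[string]Generator{}}
	for label, key := range map[string]string{"SiteMinder": "sm-key", "LTPA": "ltpa-key", "SAML": "saml-key"} {
		s.processors[label], s.generators[label] = signedToken(label, []byte(key))
	}
	return s
}

func main() {
	s, now := DemoSTS(), time.Unix(1254398400, 0) // constructed clock: 2009-10-01T12:00:00Z
	_, mint := signedToken("SiteMinder", []byte("sm-key"))
	smToken, _ := mint(Claims{Subject: "alice", Expires: now.Add(time.Hour)})
	fmt.Println(Exchange(s, "SiteMinder", smToken, "LTPA", now))
}
```

Because every conversion goes through the SAML intermediary, adding a fourth token type means writing one processor/generator pair, not one converter per existing type; and because Issue checks the signature and the expiry on the input before generating anything, a tampered or stale token cannot be turned into a fresh token of another type.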

Identity-Enabled Web Services - Universal Token Translation and the STS

In this use case, the IdP uses the STS to convert a local security token into a SAML assertion for inclusion in a SOAP message. The SP that receives the message then uses the STS to create a token that works in its local security context.

This is the use case for which Security Token Services were originally created. In this scenario, a Web Service Provider needs to know the identity of the maker of requests to determine whether and how to respond to the request. (Identity in this context can mean person, application, system or any combination of the three.)

In this scenario, PingFederate can play a role at the IdP, SP or both. On the IdP side, the application acting as the client for the Identity-enabled Web Service uses the PingFederate STS to generate a portable, extensible and secure SAML assertion from the user's local security token. It incorporates the SAML assertion into the header of the SOAP message it sends to the Web service provider.

On the SP side, the application acting in the Web service provider role submits the incoming SAML assertion to the PingFederate STS to validate the assertion and/or to generate an equivalent local security token.

[Diagram: at the Identity Provider, the Web Service Client exchanges its Local Security Token for a SAML assertion through PingFederate and places it in the SOAP Message; at the Service Provider, the Web Service Provider passes the SAML assertion to PingFederate to obtain a Local Security Token (five numbered steps)]

Using the AmberPoint WS-Trust client - Universal Token Translation and the STS

AmberPoint's WS-Trust client has been certified for use with the PingFederate STS.

AmberPoint is the leading provider of management solutions for composite applications such as SOA-based systems. Utilizing a policy-based approach, AmberPoint solutions ensure system health by providing visibility into and control of composite applications, their constituent components and the transactions flowing across them.

Ping Identity and AmberPoint have established a partnership under which the companies have certified AmberPoint's WS-Trust client for use with the PingFederate STS. Ping Identity expects to certify additional third party WS-Trust clients in the future.

[Diagram: the AmberPoint WS-Trust Client communicating with the PingFederate STS]

Proprietary Token Exchange - Universal Token Translation and the STS

In this example of local token translation, a user whose identity is managed by SiteMinder needs to gain access to an application protected by IBM.

A common use for Universal Token Translation arises in a large company with multiple security domains, where users whose identities are managed in one domain need programmatic access to applications managed in another domain.

In this scenario, PingFederate creates an IBM LTPA (Lightweight Third Party Authentication) security token based on attributes obtained from a SiteMinder cookie. This gives the user access to the target application without requiring the IBM domain to maintain redundant information about the user. It is not necessary to use any Web Services or SOA technology to make this scenario work.

This scenario can work for any token types supported by PingFederate Token Translators, as well as custom token translators created with the Token Translator SDK.

[Diagram: a Java or .Net Application presents a SiteMinder Cookie from the SiteMinder Domain to PingFederate, which returns an IBM LTPA Token for the IBM Domain (three numbered steps)]

Securing REST with OAuth - Universal Token Translation and the STS

At a recent Google Campfire event, Ping Identity demonstrated a prototype of its PingFederate software extended to use the OAuth open source secure authentication standard to identity-enable REST-based Web Service requests.

[Diagram: a Gadget on Google Sites acts as Web Service Client and reaches, through the Google Secure Data Connector (REST/OAuth), PingFederate and the Web Service Provider in My Datacenter (four numbered steps)]

At a recent Google Campfire event, Ping Identity demonstrated a prototype of its PingFederate software extended to use the OAuth open source secure authentication standard to identity-enable REST-based Web Service requests. This allows an administrator to specify any number of domains that are authorized to submit requests. When a Web Service request comes in, PingFederate uses OAuth to determine whether or not the request came from an approved domain. The demonstration also showed how PingFederate could centralize all necessary OAuth key cryptography processing, eliminating the need to perform key cryptography at every application that accepts identity-enabled Web Service calls.

REST and OAuth support are currently on the PingFederate development roadmap. If you are interested in these features, please drop a line to [email protected].

Chapter 7

Advanced Capabilities

PingFederate Architecture - Advanced Capabilities

The PingFederate architecture consists of three Internet Identity services supported by a common set of management and runtime services.

The PingFederate architecture consists of three Internet Identity services: Identity Federation, SaaS Provisioning and Security Token Service.

These three identity services share a common management environment consisting of a management console, management API and a set of SDKs for extending functionality of the system. They also share a set of runtime services including key management, logging, monitoring, clustering, attribute mapping, data store access and several others.

A set of optional add-on modules extend PingFederate functionality to support specific use cases and external systems.

[Diagram: PingFederate architecture. Add-On Modules: Integration Kits, Security Token Translators, SaaS Connectors, PingFederate Express. Internet Identity Services: Identity Federation Service, SaaS Provisioning Service, Security Token Service. Management Services: Admin Console, Admin API, SDKs, License Keys. Runtime Services: Key Management, Express Provisioning, Account Linking, Attribute Mapping, Logging, Monitoring, Clustering, Data Store Access]

Self-Contained Server Clustering - Advanced Capabilities

PingFederate includes the capability for multiple servers in multiple locations to be configured to act as a single entity to improve throughput and/or availability.

PingFederate provides built-in clustering features that allow a group of PingFederate servers to appear to browsers and partner federation servers as a single system.

In this configuration, all client traffic normally goes through a load balancer, which routes requests to the PingFederate servers in the cluster. User-session states and configuration data are shared among the servers, enabling them to process requests as a single entity.

When deployed appropriately, server clustering can facilitate high availability of critical services. Clustering can also increase performance and overall system throughput. Several configuration options are available so users can obtain the desired combination of availability and performance.


Programmatic Configuration Migration - Advanced Capabilities

ConfigCopy is a scriptable command-line tool that can translate part or all of a PingFederate configuration from one server to another, such as from test to production.

PingFederate provides a configuration-migration tool called ConfigCopy that can be used for scripting the transfer of administrative-console configurations from one PingFederate server to another, for example from a test environment to production.

This tool performs three processing steps:

1. Retrieves configuration data from a source PingFederate server

2. Modifies the configuration with any changes required for the target environment

3. Imports the updated configuration into the target PingFederate server

ConfigCopy can perform these functions in real time, from server to server, or by using an intermediate file.

[Diagram: the ConfigCopy Tool retrieves the configuration from the Dev/Test Server, optionally modifies configuration parameters and imports it into the Production Server (three numbered steps)]

Runtime Monitoring with SNMP and JMX - Advanced Capabilities

PingFederate supports runtime monitoring via both SNMP and JMX.

PingFederate supports runtime monitoring and reporting through the Simple Network Management Protocol (SNMP), a standard used by network management consoles to monitor network and server activity across an enterprise. Embedded within each PingFederate server is an SNMP agent that brokers the communication between the management console and PingFederate. PingFederate responds to Get requests for total and failed transactions. It also generates a “heartbeat” Trap at regular intervals.

In addition, PingFederate supports runtime monitoring and reporting through Java Management Extensions (JMX). Similar to SNMP, JMX technology represents a Java-centric approach to application management and monitoring. PingFederate's JMX server reports monitoring data for SSO and SLO transactions as well as for SaaS Provisioning.

[Diagram: PingFederate's embedded SNMP Agent reports over SNMP to a Network Management Console; its JMX Server reports over JMX to JConsole or another JMX client]

Logging, Compliance and ArcSight Partnership - Advanced Capabilities

PingFederate log files can be used as the basis for a Cloud compliance strategy using ArcSight or another security information and event management (SIEM) product.

PingFederate generates log files that document the system's activities, including actions performed by administrative console users, individual identity-federation runtime transactions at specified levels of detail, PingFederate runtime and administrative server activity, SaaS Provisioning activity and HTTP requests.

Ping Identity has recently announced a partnership with ArcSight, a leading provider of security information and event management (SIEM) products. ArcSight IdentityView, a specialized application built on the ArcSight SIEM Platform, can analyze logs created by PingFederate. It can report on unauthorized user access and monitor internal controls, providing comprehensive collection and analysis of user activity across an enterprise. In partnership, these technologies will provide a user monitoring solution that extends from the enterprise to the Cloud.

[Diagram: PingFederate Log Files consumed by ArcSight IdentityView or Other SIEM Products]

Auto-Connect - Advanced Capabilities

PingFederate's Auto-Connect allows organizations to provide Internet SSO on the fly, without the need to pre-configure partner-specific SAML connections.

PingFederate allows organizations to provide secure Internet SSO on the fly, that is, without the need for configuring partner-specific, browser-based SSO connection parameters. This feature, Auto-Connect™, extends the SAML 2.0 SP-initiated SSO or SLO and metadata specifications to enable deployments to retrieve partner connection information securely on an as-needed basis.

The feature is especially useful to an SP that wants to provide SSO capability to more than one partner. A Software-as-a-Service (SaaS) provider, for example, can provide SSO to innumerable clients without specifying redundant connection information for each one. Auto-Connect can also help an enterprise acting as an IdP to provide easily scalable SSO for multiple outsourced services.

For either an IdP or SP PingFederate server, you can implement Auto-Connect for any number of partners by configuring a common initial setup and a list of allowed domain names in white lists.

[Diagram: the Auto-Connect flow between the Browser, the App and Engine at the Service Provider (with its IdP White List) and the Engine and App at the Identity Provider (with its SP White List), both running PingFederate (numbered steps)]

Page 63: Ping Federate Product Guide

Previous Next Table of Contents

Anchored Trust Model Eliminates Cert ExchangesAdvanced Capabilities

63

PingFederate 6.1 includes a new “anchored” trust model option that can eliminate annual partner certificate exchanges. Used by default for PingFederate Express connections, the anchored trust model can optionally be used wherever PingFederate processes digital signatures. Instead of pinning one specific certificate, the SP pins the certificate's Subject DN and issuing CA, and the IdP carries its current certificate in each signed message.

During setup of the SAML connection
• The IdP obtains a signing certificate from a trusted CA.
• The IdP sends its signing certificate and Subject Distinguished Name (DN) to the SP (for PingFederate Express, this arrives as part of the configuration file).

During SSO transactions
• The IdP includes its signing certificate in each SAML assertion it sends to the SP.
• The SP matches the Subject DN and the CA issuer against the values received at connection setup.
• The SP validates the digital signature using the certificate included in the SAML assertion.

When the IdP certificate expires
• When the IdP's certificate is about to expire, the IdP can renew it and start signing messages with the new certificate.
• As long as the new certificate carries the same Subject DN and comes from the same CA issuer, the SAML connection keeps working.

The security of this model rests on the CA, not on the names: the SP must verify that the certificate carried in the assertion actually chains to the CA pinned at setup and is within its validity period. Matching the DN strings alone would accept a certificate bearing the same names issued by anyone.
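The lifecycle above, played out in an added Go example that is not PingFederate's code. A constructed CA issues the IdP's certificate; the SP pins the Subject DN, the issuer DN and the CA certificate once, then accepts a renewed certificate with the same names without any reconfiguration, while a certificate with identical names from a different CA and a tampered assertion are rejected. The CA and IdP names, the assertion bytes and the function names are assumptions for the example; a real SAML assertion carries the certificate and signature in an XML-DSig ds:Signature element, where the signature covers canonicalized XML rather than raw bytes as here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // fixture generation only: abort on any error
	if err != nil {
		panic(err)
	}
}

// mustIssue issues a one-year P-256 certificate signed by parent (self-signed CA when parent is nil).
func mustIssue(subject pkix.Name, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // distinct enough for fixtures
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// signAssertion is the IdP side: a detached ECDSA/SHA-256 signature over the
// assertion bytes (SAML carries it, with the certificate, in ds:Signature).
func signAssertion(key *ecdsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verifyAnchored is the SP side: the certificate arrives with the message and is accepted
// only if its names match what was pinned at setup AND it chains to the pinned CA.
func verifyAnchored(subjectDN, issuerDN string, roots *x509.CertPool, certDER, assertion, sig []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	if cert.Subject.String() != subjectDN || cert.Issuer.String() != issuerDN {
		return fmt.Errorf("certificate names %q / %q do not match the anchor", cert.Subject, cert.Issuer)
	}
	// Names alone are not enough: anyone able to mint a certificate with these names would pass.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate does not chain to the anchored CA: %w", err)
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, assertion, sig)
}

// Outcome records whether the SP accepted each lifecycle scenario.
type Outcome struct{ Initial, Renewed, RogueCA, Tampered bool }

// runScenarios plays the lifecycle in the table above with constructed certificates.
func runScenarios() Outcome {
	caName := pkix.Name{CommonName: "Example Trusted CA", Organization: []string{"Example CA Inc"}}
	idpName := pkix.Name{CommonName: "idp.example.com", Organization: []string{"Example Corp"}}
	ca, caKey := mustIssue(caName, nil, nil)
	idp1, key1 := mustIssue(idpName, ca, caKey) // the certificate exchanged at setup
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	subj, iss := idp1.Subject.String(), idp1.Issuer.String() // pinned once, at setup
	assertion := []byte(`<saml:Assertion ID="_constructed">subject=alice</saml:Assertion>`)
	accept := func(c *x509.Certificate, k *ecdsa.PrivateKey, msg []byte) bool {
		sig, err := signAssertion(k, msg)
		return err == nil && verifyAnchored(subj, iss, roots, c.Raw, msg, sig) == nil
	}
	idp2, key2 := mustIssue(idpName, ca, caKey)         // renewal: new key, same DN and CA
	rogueCA, rogueKey := mustIssue(caName, nil, nil)    // same CA name, different key
	idp3, key3 := mustIssue(idpName, rogueCA, rogueKey) // names match, chain does not
	sig1, _ := signAssertion(key1, assertion)
	return Outcome{
		Initial:  accept(idp1, key1, assertion),
		Renewed:  accept(idp2, key2, assertion),
		RogueCA:  accept(idp3, key3, assertion),
		Tampered: verifyAnchored(subj, iss, roots, idp1.Raw, append(append([]byte{}, assertion...), '!'), sig1) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", runScenarios())
}
```

The RogueCA scenario is the one to note: its certificate passes the Subject DN and issuer comparison and is only stopped by x509.Verify against the pinned CA, which is why the SP must chain-verify rather than compare issuer names.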

Page 64: Ping Federate Product Guide


PingFederate includes out-of-the-box integration with SafeNetʼs LUNA SA hardware security module (HSM) for customers needing to comply with FIPS 140-2.

FIPS 140-2, HSM and SafeNet Luna Partnership (Advanced Capabilities)

SafeNet provides complete security utilizing its encryption technologies to protect communications, intellectual property and digital identities, and offers a full spectrum of products including hardware, software, and chips.

PingFederate provides out-of-the-box integration with SafeNet's Luna SA Hardware Security Module (HSM). The combination helps customers meet requirements based on Federal Information Processing Standard (FIPS) 140-2, the standard for validated cryptographic modules: PingFederate's private keys are generated, stored and used for signing and decryption inside the validated module rather than in software on the PingFederate host.

The FIPS requirement is broadly adopted within the government, financial and healthcare industries.

[Diagram: PingFederate integrated with the SafeNet Luna SA Hardware Security Module (HSM)]


Page 65: Ping Federate Product Guide


Who We Are


We are Ping Identity. We provide Internet Identity Security and Single Sign-On solutions to hundreds of enterprises worldwide. Our identity solutions enable secure access to Internet applications without the need to log in again and again.

At Ping, we deliver products with uncompromising quality and elegance, on time, every time. We make complex security and integration challenges look simple, and we believe in the value of speed to success. Our solutions deploy in hours or days, not weeks or months.

We believe in open standards and in solutions that deploy without dependencies. Too many identity management solutions are a nightmare to implement, or they force companies to install more than they need. Many identity management products donʼt work without heavy lifting or expensive customization. We believe you should not have to compromise security, timelines, or success when attempting to connect to SaaS providers, partners or customers, so weʼre taking Internet security in a new direction - a simpler direction.

Page 66: Ping Federate Product Guide

© 2009 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingConnect, PingEnable, Auto-Connect, PingFederate Express and the Ping Identity logo are trademarks, service marks or registered trademarks of Ping Identity Corporation. All other trademarks or registered trademarks are the properties of their respective owners. 1a091015.