Ping Federate Product Guide
PingFederate Capabilities and Use Cases
A Ping Identity ebook
Version 1.0a, October 2009
Introduction - About this eBook
This ebook is designed to give PingFederate customers and users a comprehensive yet easy-to-digest summary of the many capabilities and use cases supported by the latest version of PingFederate.
Designed to be quickly scanned, it makes extensive use of diagrams and hyperlinks to allow quick navigation to interesting topics. Any text you see in italics (other than diagram captions) is a link. For example, you will find a link back to the Table of Contents at the bottom right corner of each page. Also, the entries and page numbers in the Table of Contents itself are all links you can use to quickly navigate to a topic of interest. Finally, the chapter title at the top of each page links back to the beginning of the chapter.
Please send any feedback on this document, including suggestions, corrections or enhancements, to [email protected].
Table of Contents
Introduction - About This Document
1. PingFederate Overview
   Internet Identity Security Platform
   Three Types of Internet Identity Use Cases
   PingFederate Add-On Modules
   Enabling Internet SSO
   Federated Identity Capabilities
   Internet Identity Standards Support
2. Internet SSO Use Cases
   SSO for External/SaaS Applications
   Leading SaaS Apps Support Internet SSO
   PingFederate Works with All these Apps
   SaaS Provider Customer SSO
   Customer-Facing Applications
   SSO for Internal Applications
   IdM Suite Federation Alternative
   SSO for Business Partners
   Endpoint Enablement
3. Integration with Existing Systems
   The Need for First and Last Mile Integration
   First Mile Integration at the IdP
   Last-Mile Integration at the SP
   Custom Java, .NET and PHP Applications
   CA SiteMinder
   Oracle Access Manager
   IBM Tivoli Access Manager
   IWA, Active Directory, X.509 and LDAP
   IIS, Apache, WebSphere and Weblogic
   Microsoft SharePoint and SAP NetWeaver
   Citrix XenApps (formerly Presentation Server)
4. Internet User Account Management
   Background/Overview
   Express Provisioning
   SaaS Provisioning
   Express and SaaS Provisioning Compared
   Identity Management for Salesforce CRM
   Identity Management for Google Apps
   Identity Management for Workday
5. Endpoint Enablement
   PingFederate Express
   Endpoint Program
6. Universal Token Translation and the STS
   Background/Overview
   Components of the PingFederate STS
   Generating SAML Assertions from Tokens
   Generating SAML Assertions from Claims
   Generating New Tokens from SAML
   Using the STS for Token Exchange
   Identity-Enabled Web Services
   Using the AmberPoint WS-Trust Client
   Proprietary Token Exchange
   Securing REST with OAuth
7. Advanced Capabilities
   PingFederate Architecture
   Self-Contained Server Clustering
   Programmatic Configuration Migration
   JMX and SNMP Monitoring
   Compliance/Logging/ArcSight Partnership
   Auto-Connect
   Anchored Trust Model Eliminates Certificate Exchanges
   HSM, FIPS-140-2 and SafeNet LUNA
Who We Are
Chapter 1
PingFederate Overview
PingFederate is an Internet Identity Security software platform designed to meet any organizationʼs Internet-facing identity management challenges.
Internet Identity Security Platform
PingFederate® has evolved from a standalone federated identity server into a complete Internet identity security platform designed to meet any organizationʼs Internet-facing identity management needs.
It is packaged as a single software product that provides three primary Internet Identity Security functions: Internet SSO, Internet User Account Management and Universal Security Token Translation. These three functions are supported by a set of common services.
The product family also includes a set of add-on modules that extend PingFederate to support external systems.
[Diagram: Internet Identity Security Platform. Core PingFederate functions: Internet SSO (standards-based federated identity), Universal Security Token Translation (Security Token Service) and Internet User Account Management (Express and SaaS Provisioning), built on common Configuration & Administration and Runtime Services. Add-On Modules: Integration Kits, Security Token Translators, SaaS Connectors and PingFederate Express.]
PingFederate provides three types of Internet Identity use cases: Internet Single Sign On (SSO), Internet User Account Management and Universal Security Token Translation.
Three Types of Internet Identity Use Cases
PingFederate supports three types of Internet Identity use cases:
Internet Single Sign-On: Users sign on once to their corporate network. PingFederate securely and transparently communicates their identities to Internet applications, removing the need for subsequent application sign-ons.
Internet User Account Management: User accounts at Internet applications are automatically created, updated and deleted throughout the user's life cycle within the organization.
Universal Token Translation: Applications in different security domains need to translate security tokens in order to share user identity information. This capability is often used in conjunction with Web services.
[Diagram: Internet SSO, Universal Token Translation and Internet User Account Management connecting Your Organization with Your Suppliers, Customers, Service Providers ...]
PingFederate Add-On Modules
Integration Kits extend PingFederate's Internet SSO capabilities to work with existing identity management and application infrastructure at identity providers and service providers.
Security Token Translators are plug-ins that enable PingFederate's WS-Trust Security Token Service (STS) to process specific security token types.
SaaS Connectors expedite and optimize connections to leading SaaS providers by providing Quick Connection Templates, support for automated SaaS user account management and support for non-browser-based access devices such as email clients and mobile devices.
PingFederate Express is an Internet Single Sign-On (SSO) "endpoint" solution for Service Providers (application owners) who need to quickly, easily and cost-effectively establish a SAML connection with a PingFederate Identity Provider.
PingFederate incorporates the core functionality necessary to implement Internet SSO, Identity-enabled Web Services and Internet User Account Management into a single server and a single administrative console.
The basis for Internet SSO is a technology and a set of industry standards called Federated Identity.
Enabling Internet SSO
PingFederate provides Internet SSO by supporting the Security Assertion Markup Language (SAML) and WS-Federation identity federation standards.
Both standards work by securely transmitting information about the user of an application from an organization that maintains an account for that user (called the Identity Provider, or IdP) to the organization providing the desired Web application or resource (called the Service Provider, or SP).
Both parties taking part in an Internet SSO connection need software that supports the same federated identity protocol. This software must integrate with identity and authentication sources at the IdP, and it must integrate with the application environment at the SP. With this integration in place, it is possible to look up information about the userʼs session at the IdP and create an equivalent session at the SP.
[Diagram: an Application User at the Identity Provider (IdP), where PingFederate performs Session Lookup against the Identity Management System; SAML or WS-Federation carries the identity to the Service Provider (SP), where PingFederate performs Session Creation for the Target Application.]
Federated Identity Capabilities
Federation Standards: SAML 1.0, SAML 1.1, SAML 2.0, WS-Federation
Federation Roles: Identity Provider (IdP), Service Provider (SP), IdP Discovery
Bindings: HTTP POST, HTTP Artifact, HTTP Redirect, SOAP
Profiles: IdP-Initiated SSO, SP-Initiated SSO, Single Log-Out, Attribute Query & XASP, IdP Discovery
Kantara/Liberty Alliance Interop Certifications: IdP Lite, SP Lite, eGov
Identity Mapping: Account Linking, Account Mapping
Attribute Sources: LDAP, JDBC, Custom (via SDK)
Certificate Validation: CRL, OCSP
Trust Models: Unanchored, Anchored
Additional Capabilities: Metadata Exchange, Authentication Context, Auto-Connect, Integration with SafeNet LUNA
Internet Identity Standards Support
Supported now:
   Identity Federation: SAML 1.0, SAML 1.1, SAML 2.0, WS-Federation
   Security Token Service: WS-Trust, SOAP/WSS
   Internet User Account Management: LDAP, JDBC
   Policy Management: (none yet)
Roadmap:
   Identity Federation: OpenID, Facebook Connect, Information Cards
   Security Token Service: OAuth, REST
   Internet User Account Management: SPML
   Policy Management: XACML
Ping Identityʼs strategy for PingFederate is to provide support for all relevant Internet identity management standards that our customers expect to deploy, whether they be de jure or de facto. Items in the Roadmap row are in our intermediate-term product plan, but have not yet been prioritized for development. We are always interested in speaking with any customers or prospects interested in deploying roadmap functionality. If you are such a person, please send an email to our product management team.
Chapter 2
Internet SSO Use Cases
In this use case, an enterprise uses PingFederate to give its employees easy and secure access to applications provided by SaaS, outsourcers and other service providers.
SSO for External/SaaS Applications
In this use case, enterprises use PingFederate to connect to one or more service providers such as Software as a Service (SaaS) suppliers that provide applications for employee use.
With PingFederate, the enterprise can provide SSO access to external applications from multiple devices including Web browsers, mobile devices and rich clients such as Microsoft Outlook.
PingFederate can leverage identities from the enterprise's existing IdM system and authentication capabilities such as Integrated Windows Authentication (IWA).
For applications with large numbers of users, PingFederate can also automate the management of user accounts at the application provider.
[Diagram: an Enterprise running PingFederate providing SSO to an Outsourcing Provider and Other Leading SaaS Apps.]
Virtually every major Software-as-a-Service provider now supports Internet SSO.
Leading SaaS Applications Support Internet SSO
While federated identity was evolving as an essential Internet security technology, another technology was also evolving: the emergence of on-demand Software-as-a-Service applications.
Given the fundamental ability of Internet SSO and federated identity to support scenarios where users are in one place and their applications are in another, it only makes sense that these two trends would converge - and they have.
SSO to SaaS has now emerged as the major use case for Internet SSO. Virtually every major SaaS provider, including those shown here, now supports Internet SSO. While some started by offering a proprietary SSO mechanism, the trend in the industry is toward support of the SAML 2 standard for implementing SSO.
PingFederate Works with All these Apps and More
ACI Worldwide; ADP Globalview; ADP Pre-Employment Services; ADP ProBusiness; Advent Software; Apollo Enterprise Solutions; Axentis, Inc; Bellomy Research; Benelogic; Brainshark; Business Integration Group; Concur; CreateHope; DecisionView; eBenefits; ePharma Solutions; FinancialKnowledge; Fortrex Technologies; Fragomen, Del Rey, Bernsen & Loewry; Geezeo.com;
Globoforce; Google Apps; GT Nexus; Healthline Networks; Hibbert Company; HiveLive Inc; HumanConcepts; InfoHRM Pty; Innocentive; IntraLinks; Legal Intelligence; Livetechnology Holdings; M2 Consulting; MarketTools; Media Defined; MullinTBG; NextJump; Nirvanix; PeopleCube; Pointserve;
Postini; PowerSteering Software; PriceMetrix; PureSafety; RazorGator; Rearden Commerce; Reed Group; Rideau; Salary.com; Salesforce CRM; Salesforce Customer Portal; Salesforce Partner Portal; Satuit Technologies; Savo Group; SBC Systems Company; Schawk Digital Solutions; Simantel Group; Success Factors; Technology & Business Solutions; TharpeRobbins Company;
Threepointoffice; Tierra Software Development; Trimble; Triple Creek Associates; Truist; TRX; Valtera Corporation; VibeSMG; Virtual Premise; Vision Global Solutions; Vocus; WageWorks; Webex; Webroot; Workday; Worlddoc; Xpress Bill Pay; Zoho CRM
SaaS Providers use PingFederate both to establish SAML-based Internet SSO connections with their customers and to create services mashups.
SaaS Provider Customer SSO
Over 100 Software-as-a-Service (SaaS) providers already incorporate PingFederate into their product offerings.
These companies use PingFederate three different ways. First, they provide standards-based Internet SSO to their customers. These connections can be SAML 2, SAML 1.x or WS-Federation based.
Second, they use PingFederateʼs Express Provisioning capability to automatically create user accounts in their user store.
Third, they use PingFederate to “mash up” services from other service providers that they re-market to their customers. These mashups can be either browser- or Web Services-based.
[Diagram: a SaaS Provider running PingFederate connected to several Customers and to a Service Supplier.]
Many non-technology companies now sell products that have an online component. These companies use PingFederate for both inbound and outbound Internet SSO.
Customer-Facing Applications
Companies in virtually every industry are now enhancing or expanding their product offerings via additional functionality delivered via the Internet. Such companies differ from pure SaaS providers in that their product is more than software. These also tend to be larger, more established companies that have multiple federated identity use cases.
These firms use PingFederate in a hybrid manner. They support both incoming SSO for their customers, as well as outgoing SSO for their employees.
PingFederate is a particularly good choice for this use case because its pricing is connection-based rather than seat-based; seat-based pricing is the model most common with identity management products designed to manage employee identities.
[Diagram: an Enterprise running PingFederate with inbound SSO from Customers and outbound SSO to an Outsourcing Provider.]
In this example, PingFederate gives users who log into their Windows network SSO access to applications protected by SiteMinder and a home-grown Web Access Management system.
SSO for Internal Applications
Many organizations, especially larger ones, find themselves in the situation of having multiple security domains where users in one domain often need access to applications in another domain.
In this situation, a single PingFederate instance can be configured in a hybrid role where it supports one or more domains acting as Identity Providers, and also one or more domains acting as Service Providers.
Deploying PingFederate for Internal Single Sign-On so that users can log in once and access Web-based applications in other domains is often far less costly than consolidating security domains - an option that in many cases is not even technically feasible.
[Diagram: PingFederate bridging Integrated Windows Authentication to applications protected by SiteMinder and a homegrown WAM.]
Many identity management suite users choose PingFederate to deliver Internet SSO functionality instead of the federated identity module sold by their suite vendor.
IdM Suite Federation Alternative
Identity management suite customers often choose to implement PingFederate instead of the federated identity module offered by their suite vendor.
These customers generally choose PingFederate for one or more of the following reasons:
• Easier to learn, deploy and use
• Much faster time-to-connection
• Out-of-the-box integration with other products, particularly those from their suite vendorʼs competitors
• Extensive support for SaaS SSO: provisioning, mobile devices, email clients etc.
• No need to upgrade to latest version of IdM suite just to use the federation module
• Availability of PingEnable implementation and support services
• Significantly lower total cost of ownership
[Diagram: PingFederate alongside Oracle Access Manager, SiteMinder and Tivoli Access Manager, connecting to Partner, SaaS and Service Provider endpoints.]
Enterprises with large supply or demand chains often use PingFederate to implement Internet SSO either to or from their business partners.
SSO for Business Partners
Companies with extensive supply or demand chains often desire to provide SSO support to or from business partners including suppliers, dealers, distributors, affiliates and customers.
Depending on the specific requirements, PingFederate allows these companies to act as an IdP, SP or both.
Companies implementing Partner SSO often do so by implementing a partner portal. PingFederate has Integration Kits available for leading portal platforms.
In industries with an available industry federation hub such as Covisint or Exostar, PingFederate can also connect to business partners via that hub.
[Diagram: an Enterprise running PingFederate connected to Suppliers, Dealers, Partners and an Industry Hub.]
Organizations recognizing the strategic advantages provided by Internet SSO often see themselves becoming a federation hub surrounded by dozens of partners.
Endpoint Enablement
Many organizations initially deploy Internet SSO to support a tactical project requirement. Once they have experienced the benefits of Internet SSO, many realize they can reap significant strategic benefits from the technology by deploying it widely.
These organizations then develop “endpoint” enablement programs designed to turn their organization into a federation “hub” surrounded by dozens, hundreds or even thousands of partner organizations acting as federation “spokes”.
Large scale deployment of federated identity requires not only highly scalable and reliable Internet SSO software such as PingFederate at the hub, but also a much lighter weight form factor such as PingFederate Express for deployment by partner organizations.
[Diagram: a Federation Hub surrounded by partner spokes.]
Chapter 3
Integration with Existing Systems
User attributes originate at the IdP and are used at the SP to establish a session in the target applications. PingFederate integrates with both IdP and SP systems to facilitate the transfer of these attributes.
The Need for “First and Last Mile” Integration
As a stand-alone server, PingFederate must integrate programmatically with Identity Management (IdM) systems and end-user applications to complete the “first and last mile” implementation of a federated identity network that implements Internet SSO.
To enable both the Identity Provider (IdP) and Service Provider (SP) sides of this integration, PingFederate provides commercial integration kits, which include adapters that plug into the PingFederate server and agents that interface with local IdM systems or applications.
PingFederate also has an SDK that can be used to create custom adapters for systems that do not have an available Integration Kit.
[Diagram: at the Identity Provider, PingFederate obtains Identity Attributes from the Authentication Service/Application; they travel over SAML/WS-Federation; at the Service Provider, PingFederate passes the Identity Attributes to the Target Application.]
Ping Identity offers a wide variety of Integration Kits that provide “first mile” integration at the Identity Provider.
“First Mile” Integration at the Identity Provider
IdP integration involves retrieving user identity attributes from the IdP domain and sending them to the PingFederate server. Typically, the identity attributes are retrieved from an authenticated user session. For IdP integration, a number of attribute-retrieval approaches can be used, depending upon the IdP deployment/implementation environment.
Ping Identity offers a broad range of commercial integration kits that address various IdP scenarios, most of which involve either custom application integration, integration with a commercial IdM product, or integration with an existing authentication system.
[Diagram: IdP-side integration sources feeding PingFederate, which issues SAML: Custom Applications (Java, .NET, PHP); Authentication Systems (Windows IWA/NTLM, Active Directory/LDAP, Strong Authentication); Identity Mgt Systems (CA SiteMinder, Oracle Access Manager, Tivoli Access Manager); Portals (SAP NetWeaver, Custom/Homegrown).]
Ping Identity provides a wide variety of Integration Kits that provide “last mile” integration at the Service Provider.
“Last Mile” Integration at the Service Provider
An SP is the consumer of identity attributes provided by the IdP through a SAML assertion. SP integration involves passing the identity attributes from PingFederate to the target SP application. The SP application uses this information to set a valid session or other security context for the user represented by the identity attributes. Session creation can involve a number of approaches, and as for the IdP, Ping Identity offers commercial integration kits that address the various SP scenarios. Most SP scenarios involve custom-application integration, server-agent integration, integration with an IdM product, or integration with a commercial application.
[Diagram: SP-side integration targets fed by PingFederate, which consumes SAML: Custom Applications (Java, .NET, PHP); Commercial Applications (Citrix, Microsoft SharePoint); Identity Mgt Systems (CA SiteMinder, Oracle Access Manager, Tivoli Access Manager); Web and App Servers (Apache, Microsoft IIS, SAP NetWeaver, WebLogic, WebSphere).]
PingFederate can integrate with custom/homegrown identity management and authentication systems at the IdP as well as custom applications at the SP.
Custom Java, .NET and PHP Applications
Identity Providers: A federation partner can use a custom authentication service or application to play the IdP role in the federation partnership. Integration with a custom application is handled through application-level integration kits, which allow software developers to integrate their custom applications with a PingFederate server acting as an IdP.
Service Providers: Some applications use their own authentication mechanisms and are responsible for their own user-session management. When there is limited or no access to the Web or application server hosting the application, integration with these custom applications is handled through application-level integration kits. With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the SP application, which can then use them for its own authentication and session management.
[Diagram: Java, .NET and PHP applications on both the Identity Provider and Service Provider sides, each integrated with PingFederate and connected over SAML.]
PingFederate and its SiteMinder Integration Kit can be used by SiteMinder shops acting in the Identity Provider role, Service Provider role or both.
CA SiteMinder
PingFederate, when combined with its SiteMinder Integration Kit, provides a comprehensive Internet SSO solution that does not require any custom development:
• As an Identity Provider, you can provide your users with SSO to external services over the Internet such as Software-as-a-Service (SaaS) and Business Process Outsourcing (BPO) where they are automatically authenticated by your SiteMinder server.
• As a Service Provider, you can provide your external partners and customers Internet SSO to SiteMinder-protected applications.
• You can provide internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures regardless of the version of SiteMinder or identity and access management system (IdM) each organization has deployed.
[Diagram: SiteMinder at both the Identity Provider and the Service Provider, each fronted by PingFederate, connected over SAML.]
PingFederate and its Oracle Access Manager Integration Kit can be used by OAM shops acting in the Identity Provider role, Service Provider role or both.
Oracle Access Manager
PingFederate, when used with its Oracle Access Manager (OAM) Integration Kit, provides a comprehensive Internet SSO solution that can be installed in as little as a day:
• As an Identity Provider, you can provide your users with SSO to external services over the Internet such as Software-as-a-Service (SaaS) and Business Process Outsourcing (BPO) where they are automatically authenticated by OAM.
• As a Service Provider, you can provide your external partners and customers Internet SSO to OAM-protected applications.
• You can provide internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures regardless of the version of OAM or identity and access management system (IdM) each organization has deployed.
[Diagram: Oracle Access Manager at both the Identity Provider and the Service Provider, each fronted by PingFederate, connected over SAML.]
[Diagram: Tivoli Access Manager at both the Identity Provider and the Service Provider, each fronted by PingFederate, connected over SAML.]
PingFederate can be integrated with Tivoli Access Manager via a fixed-price service engagement. Once integrated, TAM can act as an IdP, SP or both.
IBM Tivoli Access Manager
Ping Identity offers a fixed-price integration service for deploying PingFederate with Tivoli Access Manager. The TAM IdP integration kit leverages Tivoli Access Manager WebSEAL as a point of user authentication and requires a secure deployment configuration.
• As an Identity Provider, you can provide your users with SSO to external services over the Internet such as Software-as-a-Service (SaaS) and Business Process Outsourcing (BPO) where they are automatically authenticated by TAM.
• As a Service Provider, you can provide your external partners and customers Internet SSO to TAM-protected applications.
• You can provide internal SSO for the enterprise and its acquisitions, affiliates, subsidiaries and joint ventures regardless of the version of TAM or identity and access management system (IdM) each organization has deployed.
PingFederate authentication system integration kits give users who have authenticated locally SSO access to applications hosted by Service Providers.
Microsoft IWA, Active Directory, X.509 and LDAP
Initial user authentication is normally handled outside of the PingFederate server using an authentication application or service. PingFederate authentication system integration kits leverage this local authentication to access applications outside the security domain.
These integration kits access authentication credentials that are validated against a Windows security context, which could be NTLM or Integrated Windows Authentication (IWA) working with Active Directory, and pass them to the PingFederate IdP server.
The X.509 Certificate Integration Kit uses the PingFederate security infrastructure to perform client X.509 certificate authentication for SSO to SP applications.
PingFederate also packages an LDAP Authentication Service Adapter and logon form that can authenticate users directly against an LDAP data store for SP-initiated SSO scenarios.
[Diagram: at the Identity Provider, X.509, IWA/NTLM and LDAP authentication feed PingFederate, which issues SAML.]
PingFederate Web and Application Server Integration Kits allow Service Providers to provide SSO to applications running on those servers without having to integrate each application.
Microsoft IIS, Apache, WebSphere and WebLogic
PingFederate Web and App server Integration Kits allow SP enterprises to accept SAML assertions and provide SSO to all applications running on their Web and/or application server; there is no need to integrate each application. Applications running on the Web/application server must delegate authentication to the server; if the application employs its own authentication mechanism, integration must occur at the application level.
With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the server agent, which is typically a Web filter or JAAS (Java Authentication and Authorization Service) Login Module. The server agent extracts the identity attributes, which the server then uses to authenticate and create a session for the user.
These integration kits do not require any development; integration with PingFederate is accomplished entirely through the PingFederate administrative console.
[Diagram: at the Service Provider, PingFederate accepts SAML and provides SSO to Apache, IIS Server, WebSphere and WebLogic.]
PingFederate portal Integration Kits support two of the most popular commercially available portals - Microsoft SharePoint and SAP NetWeaver.
Microsoft SharePoint and SAP NetWeaver
The PingFederate NetWeaver Integration Kit supplies both outgoing (IdP-side) SSO support for NetWeaver users, as well as incoming (SP-side) Internet SSO support for NetWeaver applications.
The PingFederate SharePoint Integration Kit provides incoming (SP-side) SSO support for SharePoint applications. (For IdP-side support in a Microsoft environment, use the PingFederate IWA/NTLM Integration Kit.)
These integration kits do not require any development; integration with PingFederate is accomplished entirely through the PingFederate administrative console.
[Diagram: NetWeaver at the Identity Provider; SharePoint and NetWeaver at the Service Provider; each side fronted by PingFederate and connected over SAML.]
PingFederate and its Citrix Integration Kit turn Citrix XenApp into a SAML Service Provider, making virtualized applications available to external users.
Citrix XenApp (formerly Presentation Server)
Giving external users such as customers, contractors and partners SSO access to virtualized applications used to require Citrix XenApp (formerly Presentation Server) administrators to manage passwords and user credentials for each external user. The subsequent cost and effort required to manage external user accounts is significantly higher than managing internal users and employee accounts through traditional Identity Management systems.
PingFederate eliminates this burden by tightly integrating with XenApp via the Citrix Web Interface. The combination turns XenApp into a SAML or WS-Federation Service Provider. External users, whose identities are managed by their Identity Provider, get SSO access to any applications virtualized by XenApp.
This architecture is especially popular with service providers that need to provide external access to legacy applications.
[Diagram: an external Identity Provider sends SAML to PingFederate at the Service Provider, which integrates with XenApp through the Citrix Web Interface.]
Chapter 4
Internet User Account Management
Service providers such as SaaS vendors often have their own user account directories that are beyond the reach and control of enterprise provisioning solutions.
Background/Overview
While many organizations have struggled to deploy a workable enterprise provisioning solution, Cloud computing has created a new provisioning challenge: additional user directories often beyond the reach and control of their enterprise solution. These additional directories must be populated and managed before users can use those external applications.
To meet this challenge, PingFederate now offers two different types of Internet user account management:
• Express Provisioning is a Service Provider-side solution that uses the attributes in incoming SAML assertions to create and update user accounts.
• SaaS Provisioning is an Identity Provider-side solution that integrates a corporate directory with a SaaS provider's provisioning API to automatically create, update and delete user accounts in the Service Provider's directory for a selected set of users.
[Diagram: the Enterprise Directory on one side and the Service Providers' separate User Directories on the other, with question marks over the unmanaged links between them]
Express Provisioning uses the attributes contained within incoming SAML assertions to create or update user accounts within the Service Provider's user store.
Internet User Account Management - Express Provisioning
PingFederate Express Provisioning uses information passed via Internet SSO inside the SAML assertion to automatically and dynamically create user accounts in the destination application directory if they do not already exist. This enables the application provider to create user accounts "on-the-fly," adding convenience for users and reducing staff overhead by automating Internet user account management.
Express Provisioning works for both LDAP and JDBC user stores at the Service Provider.
It is useful for "arm's length" use cases, such as supply chain portals, collaborative projects and many SaaS applications, where the user's identity does not need to be known in advance by the Service Provider.
[Diagram: a SAML assertion arriving at PingFederate creates the account in the Service Provider's LDAP or JDBC user store]
PingFederate SaaS Provisioning watches a directory group or filter for user changes. When they occur, it automatically pushes them to the SaaS provider.
Internet User Account Management - SaaS Provisioning
SaaS Provisioning allows SaaS applications to automatically create and remove users by replicating user account information from the SaaS customers' enterprise directories.
A group or filter in the SaaS customer's enterprise directory contains all of the users that are authorized to use the SaaS application. When administrators add, remove or update users in the enterprise directory, PingFederate automatically "replicates" those changes to the SaaS application's remote directory.
SaaS Provisioning eliminates the need to manually maintain SaaS user directories. It also eliminates zombie accounts by quickly and automatically disabling accounts when users are removed from the corporate directory. This reduces the risk of data loss and compliance audit failures.
[Diagram: PingFederate at the Enterprise reads LDAP or Active Directory and pushes changes to the SaaS Provider over its Provisioning API]
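The replication logic described above, as an added Go example that is not PingFederate's code: one sync run diffs the authorized directory group against the SaaS account store and produces the create, update and deactivate calls that the provisioning API would receive. The group members, the SaaS accounts and the identifier scheme are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// DirectoryUser is one member of the enterprise directory group or filter that
// SaaS Provisioning watches. ID is an immutable directory identifier (think
// objectGUID); matching on it rather than on e-mail stops a recycled address
// from inheriting someone else's SaaS account.
type DirectoryUser struct {
	ID, Email, Name string
}

// SaaSAccount is one account in the SaaS provider's own user directory.
type SaaSAccount struct {
	ExternalID, Email, Name string
	Active                  bool
}

// Action is one call the provisioner would make through the provisioning API.
type Action struct {
	Op      string // "create", "update" or "deactivate"
	Account SaaSAccount
}

// Reconcile diffs the authorized group against the SaaS account store and returns
// the changes needed to make the SaaS side match. Anyone no longer in the group is
// deactivated immediately, which is what closes the zombie-account window.
func Reconcile(group []DirectoryUser, remote []SaaSAccount) []Action {
	byID := make(map[string]SaaSAccount, len(remote))
	for _, a := range remote {
		byID[a.ExternalID] = a
	}
	authorized := make(map[string]bool, len(group))
	var actions []Action
	for _, u := range group {
		authorized[u.ID] = true
		want := SaaSAccount{ExternalID: u.ID, Email: u.Email, Name: u.Name, Active: true}
		cur, exists := byID[u.ID]
		switch {
		case !exists:
			actions = append(actions, Action{Op: "create", Account: want})
		case cur != want: // attribute change, or re-activation of a disabled user
			actions = append(actions, Action{Op: "update", Account: want})
		}
	}
	for _, a := range remote {
		if a.Active && !authorized[a.ExternalID] {
			a.Active = false
			actions = append(actions, Action{Op: "deactivate", Account: a})
		}
	}
	// deterministic order so runs are easy to audit and to test
	sort.Slice(actions, func(i, j int) bool {
		return actions[i].Account.ExternalID < actions[j].Account.ExternalID
	})
	return actions
}

// Constructed sample data: the directory group after an admin's changes and the
// SaaS account store as it was before this sync run.
var SampleGroup = []DirectoryUser{
	{ID: "u1", Email: "alice@example.com", Name: "Alice Adams"},
	{ID: "u2", Email: "bob@example.com", Name: "Bob Baker-Jones"}, // renamed
	{ID: "u4", Email: "dave@example.com", Name: "Dave Diaz"},      // just added
}

var SampleRemote = []SaaSAccount{
	{ExternalID: "u1", Email: "alice@example.com", Name: "Alice Adams", Active: true},
	{ExternalID: "u2", Email: "bob@example.com", Name: "Bob Baker", Active: true},
	{ExternalID: "u3", Email: "carol@example.com", Name: "Carol Cruz", Active: true}, // left the company
	{ExternalID: "u5", Email: "erin@example.com", Name: "Erin Egan", Active: false},  // already disabled
}

func main() {
	for _, a := range Reconcile(SampleGroup, SampleRemote) {
		fmt.Printf("%-10s %s (%s) active=%v\n", a.Op, a.Account.Email, a.Account.ExternalID, a.Account.Active)
	}
}
```

Running it against the sample data yields one update (u2), one deactivation (u3) and one create (u4); Erin, already inactive, generates no call.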
Internet User Account Management - Express and SaaS Provisioning Compared

Requirement                          | Express Provisioning                             | SaaS Provisioning
Use Case                             | SP provides just-in-time access to applications | IdP establishes user accounts at SP before enabling SSO
Account Data Source                  | SSO transaction                                 | IdP corporate directory
Other Party Requirement              | IdP must have SAML-based Internet SSO solution  | Service Provider must have a provisioning API
Target Directory/Interface Supported | LDAP, JDBC                                      | Google Apps, Salesforce
SaaS Provisioning, one of the capabilities included in the PingFederate SaaS Connector for Salesforce, works by passing changes made in your corporate directory to the Salesforce Account store via Salesforce's provisioning API.
Internet User Account Management - Identity Management for Salesforce CRM
With the growth of SaaS, PingFederate offers SaaS Connectors for leading SaaS providers including Salesforce CRM.
The Salesforce Connector includes a Quick Connection template to simplify connection setup with pre-populated connection settings, user/account provisioning parameters, and SSO endpoint parameters. It also implements SaaS Provisioning to eliminate manual account setup for these applications.
Finally, the connector allows PingFederate to SSO-enable the numerous means your users employ to access Salesforce CRM: desktop browsers, mobile device browsers, and even rich client applications such as the Salesforce Outlook email plug-ins.
[Diagram: PingFederate's Provisioner reads the Corporate Directory and, through the Salesforce Driver, updates Accounts via the Provisioning API; SSO traffic goes to the SSO Endpoint]
SaaS Provisioning, one of the capabilities included in the PingFederate SaaS Connector for Google Apps, works by passing changes made in your corporate directory to the Google Apps account store via Google's provisioning API.
Internet User Account Management - Identity Management for Google Apps
With the growth of SaaS, PingFederate offers SaaS Connectors for leading SaaS providers, including Google Apps, which covers Google Docs and Gmail.
The Google Apps Connector includes a Quick Connection template to simplify connection setup with pre-populated connection settings, user/account provisioning parameters, and SSO endpoint parameters.
It also implements SaaS Provisioning to eliminate manual account setup for these applications. Automated user account provisioning is particularly important for applications like Gmail that tend to be used by every employee in the organization.
[Diagram: PingFederate's Provisioner reads the Corporate Directory and, through the Google Driver, updates Accounts via the Provisioning API; SSO traffic goes to the SSO Endpoint]
Ping Identity is currently developing a SaaS Connector for Workday. If you would like to be notified when this product becomes available, send an email to [email protected].
Internet User Account Management - Identity Management for Workday
With the growth of SaaS, PingFederate offers SaaS Connectors for leading SaaS providers. Ping Identity is currently developing a SaaS Connector for Workday.
The Workday Connector will include a Quick Connection template to simplify connection setup with pre-populated connection settings, user/account provisioning parameters, and SSO endpoint parameters.
It will also implement SaaS Provisioning to eliminate manual account setup for Workday. Automated user account provisioning is particularly important for applications like Workday that tend to be used by every employee in the organization.
[Diagram: PingFederate's Provisioner reads the Corporate Directory and, through the Workday Driver, updates Accounts via the Provisioning API; SSO traffic goes to the SSO Endpoint]
Chapter 5 - Endpoint Enablement
PingFederate Express is an Internet SSO "endpoint" solution for Service Providers who need to quickly, easily and cost-effectively establish a SAML connection with a PingFederate Identity Provider.
Endpoint Enablement - PingFederate Express
PingFederate Express™ is an Internet SSO "endpoint" solution for Service Providers who need to quickly, easily and cost-effectively establish a SAML connection with a PingFederate Identity Provider. It delivers enterprise-class performance, reliability and security, yet it requires no additional hardware, federated identity expertise or ongoing maintenance.
Many PingFederate customers have smaller Service Provider partners with limited IT resources, time and expertise. PingFederate Express gives these partners an Internet SSO solution that is quick, easy, and cost effective to deploy en masse, without requiring additional hardware purchases or significant time and effort on either side of the connection.
PingFederate Express can be purchased by the IdP under Ping Identity's Endpoint Program, or by the SP. In either case, service providers receive their license key and technical support directly from Ping.
[Diagram: one Identity Provider running PingFederate connected to multiple Service Providers running PingFederate Express]
Under the PingFederate Endpoint Program, organizations seeking to expedite the creation of Internet Identity connections can purchase PingFederate and PingFederate Express licenses for their partners.
Endpoint Enablement - Endpoint Program
Every Internet Identity connection requires two parties. One party is generally highly motivated to establish connections and may need to deploy dozens or even hundreds of connections as quickly as possible. The other side of the connection, which we refer to as an "Endpoint", is generally less motivated and may be a neophyte to Internet Identity technologies and best practices.
It is in the initiating party's best interests to provide their Endpoint partners with an easy way to complete an Internet Identity connection without initiating a lengthy and costly evaluation cycle. Ping Identity's Endpoint Program allows customers to purchase a cost-effective block of Endpoint licenses, services and support for their customers, enabling them to quickly and easily deploy Internet Identity connections.
Two products are available under the Endpoint program to support different use cases: PingFederate Express and PingFederate licensed for a single connection.
[Diagram: an Endpoint Program Member running PingFederate connected to partners running PingFederate or PingFederate Express]
Chapter 6 - Universal Token Translation and the STS
Universal Token Translation and the STS - Background/Overview
The concept of Universal Token Translation and Security Token Services (STSs) originated with Web Services. The lack of a standard method for communicating user identities hindered early Web Services applications from gaining widespread business acceptance. Standards such as WS-Security and WS-Trust emerged in the SOAP world that enable Web Services to share user identities, but initially they were complex and difficult to implement.
PingFederate provides a key component required to identity-enable Web Services: a WS-Trust Security Token Service (STS). On the Web service client side, which can be a Web application or rich desktop application, the STS converts whatever security token that is used locally into a standard SAML security token containing the user's identity that is shared with the Web Services provider. On the Web Service provider side, the STS validates security tokens and can generate a new local token for consumption by other applications.
As organizations rolled out their initial STS-based Web Services deployments, two additional STS use cases emerged.
First, while WS-Trust envisions token processing as occurring in two phases at the Web service client and provider, the underlying STS has no such restriction. As a result, larger organizations with multiple security domains have recognized the value of the STS as a “universal token translator” that can convert any type of security token into any other type of security token - even if there are no Web services being used.
Second, even though they were "born" in the world of SOAP, security experts have realized that the concept of embedded tokens and STSs could play a key role in securing REST-style Web Services as well.
Universal Token Translation and the STS - Components of the PingFederate STS
[Diagram: the PingFederate Security Token Service with its Security Token Translators (OpenToken, SiteMinder, Kerberos, X.509, ...) and Software Development Kits (STS Client SDK for .NET, STS Client SDK for Java, Token Translator SDK)]
As of version 6.0, PingFederate includes a WS-Trust compliant Security Token Service (STS) that accepts one type of security token as input and produces an equivalent security token of a different type as output. It uses a plug-in architecture to support the processing and generation of different token types. It is accessed programmatically via STS Client SDKs.
Token Translators are plug-ins that allow the STS to process (i.e. consume) and/or generate particular types of security tokens. Token Translators for several common token types are available from Ping Identity. Users can also build custom Token Translators using the Token Translator SDK if needed.
The .NET and Java Client SDKs act as WS-Trust clients and allow programs written in .NET and Java to interact with the PingFederate STS. PingFederate can also work with third party WS-Trust clients such as AmberPoint.
The Token Translator SDK allows users to create their own token processor and generator plug-ins.
Using the PingFederate STS, an Identity Provider can generate SAML assertions equivalent to existing security tokens used in local security domains.
Universal Token Translation and the STS - Generating SAML Assertions from Existing Tokens
A common use of the PingFederate STS is to generate a SAML assertion equivalent to a token used in a local security domain. Once generated, the SAML assertion can then be used to transfer identity attributes to another security domain. SAML is an ideal format for transport across security domains due to its inherent portability and security.
To do this, a program passes the local token to a PingFederate STS that has the proper Token Processor plug-in installed. The STS then creates an equivalent SAML assertion and returns it to the calling program.
This technique can be used for any token type for which Ping Identity offers a Token Processor. It can also be used for other token types by using the Token Processor SDK to create a custom token processor.
[Diagram: a Java or .NET Application uses the STS Client SDK to pass an Existing Security Token to the STS, whose Token Processor for that token type returns a New SAML Assertion]
Token Processors Available from Ping Identity: CA SiteMinder, Oracle Access Manager, Microsoft Kerberos, X.509 Certificate, Username/LDAP, SAML 1.1, SAML 2.0, OpenToken.
To generate a SAML assertion equivalent to other token types, use the Token Translator SDK to build the required STS plug-in.
In addition to being able to generate SAML assertions from incoming tokens, the PingFederate STS can also create assertions from claims and attributes.
Universal Token Translation and the STS - Generating SAML from Claims and Attributes
In some cases, the application calling the STS does not have an existing security token with the same set of attributes that need to be in the generated SAML assertion. In these cases, the STS can accept claims (attributes) submitted via the RST call from the Java or .NET client.
In addition, whether the input to the STS is claims or an existing security token, the STS has the ability to look up additional attributes to be included in the SAML assertion it generates.
To do this, the STS uses PingFederate's attribute lookup service, which supports LDAP and JDBC data sources out of the box. The lookup service can be extended to support custom data sources via the PingFederate SDK.
[Diagram: a Java or .NET Application submits Claims through the STS Client SDK; the STS looks up additional attributes in LDAP, JDBC or Custom data sources and returns a New SAML Assertion]
A Service Provider can use an incoming SAML assertion as the basis for the creation of a new, equivalent security token that works in the local security domain.
Universal Token Translation and the STS - Generating New Security Tokens from SAML
Another use of the PingFederate STS is to generate a new security token from a SAML assertion that was transported over from another security domain. Once generated, the new token can be used to represent the original identity in the local security domain.
To do this, a program passes the SAML assertion to a PingFederate STS that has the proper Token Generator plug-in installed. The STS then validates the SAML assertion, creates an equivalent security token and returns it to the calling program.
This technique can be used for any token type for which Ping Identity offers a Token Generator. It can also be used for other token types by using the Token Translator SDK to create a custom token generator.
[Diagram: a Java or .NET Application uses the STS Client SDK to pass an Existing SAML Assertion to the STS, whose Token Generator for the new token type returns a New Security Token]
Token Generators Available from Ping Identity: SAML 1.1, SAML 2.0, OpenToken.
To generate other types of tokens, use the Token Translator SDK to build the required STS plug-in.
By making two calls to the PingFederate STS, it is possible for a program to convert virtually any security token into an equivalent token of another type.
Universal Token Translation and the STS - Using the STS for Token Exchange
By combining the two previous scenarios, it is possible to use the PingFederate STS to exchange virtually any security token type for an equivalent token of any other type.
PingFederate uses SAML as an intermediary to perform this operation. The calling program needs only make two calls to perform this complex operation: one to generate the intermediary SAML assertion from the existing security token, and a second to generate the new token from the SAML assertion.
[Diagram: a Java or .NET Application makes two STS Client SDK calls: the first turns the Existing Security Token into a New SAML Assertion, the second turns that assertion into the New Security Token]
In this use case, the IdP uses the STS to convert a local security token into a SAML assertion for inclusion in a SOAP message. The SP that receives the message then uses the STS to create a token that works in its local security context.
Universal Token Translation and the STS - Identity-Enabled Web Services
This is the use case for which Security Token Services were originally created. In this scenario, a Web Service Provider needs to know the identity of the maker of requests to determine whether and how to respond to the request. (Identity in this context can mean person, application, system or any combination of the three.)
In this scenario, PingFederate can play a role at the IdP, SP or both. On the IdP side, the application acting as the client for the Identity-enabled Web Service uses the PingFederate STS to generate a portable, extensible and secure SAML assertion from the userʼs local security token. It incorporates the SAML assertion into the header of the SOAP message it sends to the Web service provider.
On the SP side, the application acting in the Web service provider role submits the incoming SAML assertion to the PingFederate STS to validate the assertion and/or to generate an equivalent local security token.
[Diagram: at the Identity Provider, the Web Service Client exchanges its Local Security Token for a SAML assertion via PingFederate and places it in the SOAP Message; at the Service Provider, the Web Service Provider passes the assertion to PingFederate and receives its own Local Security Token]
AmberPoint's WS-Trust client has been certified for use with the PingFederate STS.
Universal Token Translation and the STS - Using the AmberPoint WS-Trust client
AmberPoint is the leading provider of management solutions for composite applications such as SOA-based systems. Utilizing a policy-based approach, AmberPoint solutions ensure system health by providing visibility into and control of composite applications, their constituent components and the transactions flowing across them.
Ping Identity and AmberPoint have established a partnership under which the companies have certified AmberPoint's WS-Trust client for use with the PingFederate STS. Ping Identity expects to certify additional third party WS-Trust clients in the future.
[Diagram: the AmberPoint WS-Trust Client calling the PingFederate STS]
In this example of local token translation, a user whose identity is managed by SiteMinder needs to gain access to an application protected by IBM.
Universal Token Translation and the STS - Proprietary Token Exchange
A common use for Universal Token Translation is a large company with multiple security domains that encounters situations where users whose identities are managed in one domain need programmatic access to applications managed in another domain.
In this scenario, PingFederate creates an IBM LTPA (Lightweight Third Party Authentication) security token based on attributes obtained from a SiteMinder cookie. This gives the user access to the target application without requiring the IBM domain to maintain redundant information about the user. It is not necessary to use any Web Services or SOA technology to make this scenario work.
This scenario can work for any token types supported by PingFederate Token Translators, as well as custom token translators created with the Token Translator SDK.
[Diagram: a Java or .NET Application in the SiteMinder Domain hands a SiteMinder Cookie to PingFederate and receives an IBM LTPA Token usable in the IBM Domain]
At a recent Google Campfire event, Ping Identity demonstrated a prototype of its PingFederate software extended to use the OAuth open source secure authentication standard to identity-enable REST-based Web Service requests.
Universal Token Translation and the STS - Securing REST with OAuth
[Diagram: a Gadget on Google Sites acts as Web Service Client; its request passes through the Google Secure Data Connector (REST/OAuth) to PingFederate in My Datacenter, which fronts the Web Service Provider]
At a recent Google Campfire event, Ping Identity demonstrated a prototype of its PingFederate software extended to use the OAuth open source secure authentication standard to identity-enable REST-based Web Service requests. This allows an administrator to specify any number of domains that are authorized to submit requests. When a Web Service request comes in, PingFederate uses OAuth to determine whether or not the request came from an approved domain. The demonstration also showed how PingFederate could centralize all necessary OAuth key cryptography processing, eliminating the need to perform key cryptography at every application that accepts identity-enabled Web Service calls.
REST and OAuth support are currently on the PingFederate development roadmap. If you are interested in these features, please drop a line to [email protected].
Chapter 7 - Advanced Capabilities
The PingFederate architecture consists of three Internet Identity services supported by a common set of management and runtime services.
Advanced Capabilities - PingFederate Architecture
The PingFederate architecture consists of three Internet Identity services: Identity Federation, SaaS Provisioning and Security Token Service.
These three identity services share a common management environment consisting of a management console, management API and a set of SDKs for extending functionality of the system. They also share a set of runtime services including key management, logging, monitoring, clustering, attribute mapping, data store access and several others.
A set of optional add-on modules extend PingFederate functionality to support specific use cases and external systems.
[Diagram: PingFederate architecture. Add-On Modules: Integration Kits, Security Token Translators, SaaS Connectors, PingFederate Express. Internet Identity Services: Identity Federation Service, SaaS Provisioning Service, Security Token Service. Management Services: Admin Console, Admin API, SDKs, License Keys. Runtime Services: Key Management, Express Provisioning, Account Linking, Attribute Mapping, Logging, Monitoring, Clustering, Data Store Access]
PingFederate includes the capability for multiple servers in multiple locations to be configured to act as a single entity to improve throughput and/or availability.
Advanced Capabilities - Self-Contained Server Clustering
PingFederate provides built-in clustering features that allow a group of PingFederate servers to appear to browsers and partner federation servers as a single system.
In this configuration, all client traffic normally goes through a load balancer, which routes requests to the PingFederate servers in the cluster. User-session states and configuration data are shared among the servers, enabling them to process requests as a single entity.
When deployed appropriately, server clustering can facilitate high availability of critical services. Clustering can also increase performance and overall system throughput. Several configuration options are available so users can obtain the desired combination of availability and performance.
ConfigCopy is a scriptable command-line tool that can translate part or all of a PingFederate configuration from one server to another, such as from test to production.
Advanced Capabilities - Programmatic Configuration Migration
PingFederate provides a configuration-migration tool called ConfigCopy that can be used for scripting the transfer of administrative-console configurations from one PingFederate server to another—for example, from a test environment to production.
This tool performs three processing steps:
1. Retrieves configuration data from a source PingFederate server
2. Modifies the configuration with any changes required for the target environment
3. Imports the updated configuration into the target PingFederate server
ConfigCopy can perform these functions in real time, from server to server, or by using an intermediate file.
[Diagram: the ConfigCopy Tool retrieves the configuration from the Dev/Test Server, optionally modifies configuration parameters, and imports it into the Production Server]
PingFederate supports runtime monitoring via both SNMP and JMX.
Advanced Capabilities - Runtime Monitoring with SNMP and JMX
PingFederate supports runtime monitoring and reporting through the Simple Network Management Protocol (SNMP), a standard used by network management consoles to monitor network and server activity across an enterprise. Embedded within each PingFederate server is an SNMP agent that brokers the communication between the management console and PingFederate. PingFederate responds to Get requests for total and failed transactions. It also generates a “heartbeat” Trap at regular intervals.
In addition, PingFederate supports runtime monitoring and reporting through Java Management Extensions (JMX). Similar to SNMP, JMX technology represents a Java-centric approach to application management and monitoring. PingFederate's JMX server reports monitoring data for SSO and SLO transactions as well as for SaaS Provisioning.
[Diagram: PingFederate's embedded SNMP Agent reports over SNMP to a Network Management Console, and its JMX Server reports over JMX to JConsole or another JMX client]
PingFederate log files can be used as the basis for a Cloud compliance strategy using ArcSight or another security information and event management (SIEM) product.
Advanced Capabilities - Logging, Compliance and ArcSight Partnership
PingFederate generates log files that document the system's activities, including actions performed by administrative console users, individual identity-federation runtime transactions at specified levels of detail, PingFederate runtime and administrative server activity, SaaS Provisioning activity and HTTP requests.
Ping Identity has recently announced a partnership with ArcSight, a leading provider of security information and event management (SIEM) products. ArcSight IdentityView, a specialized application built on the ArcSight SIEM Platform, can analyze logs created by PingFederate. It can report on unauthorized user access and monitor internal controls, providing comprehensive collection and analysis of user activity across an enterprise. In partnership, these technologies will provide a user monitoring solution that extends from the enterprise to the Cloud.
[Diagram: PingFederate Log Files feeding ArcSight IdentityView and Other SIEM Products]
PingFederate's Auto-Connect allows organizations to provide Internet SSO on the fly, without the need to pre-configure partner-specific SAML connections.
Advanced Capabilities - Auto-Connect
PingFederate allows organizations to provide secure Internet SSO on the fly—that is, without the need for configuring partner-specific, browser-based SSO connection parameters. This feature—Auto-Connect™—extends SAML 2.0 SP-initiated SSO or SLO and metadata specifications to enable deployments to retrieve partner connection information securely on an as-needed basis.
The feature is especially useful to an SP who wants to provide SSO capability to more than one partner. A Software-as-a-Service (SaaS) provider, for example, can provide SSO to innumerable clients without specifying redundant connection information for each one. Auto-Connect can also help an enterprise acting as an IdP, to provide easily scalable SSO for multiple outsourced services.
For either an IdP or SP PingFederate server, you can implement Auto-Connect for any number of partners by configuring a common initial setup and a list of allowed domain names in white lists.
[Diagram: a Browser reaches an App at the Service Provider; the PingFederate Engine on each side consults its white list (the SP White List at the Identity Provider, the IdP White List at the Service Provider) to complete the connection with the partner's PingFederate Engine on the fly]
Advanced Capabilities - Anchored Trust Model Eliminates Cert Exchanges
During Setup of SAML Connection
• IdP Obtains Signing Certificate from a Trusted CA
• IdP Sends Signing Certificate and Subject Distinguished Name (DN) to SP (For PingFederate Express, this arrives as part of the configuration file)
During SSO Transactions
• IdP includes its signing certificate in each SAML assertion it sends to the SP
• SP matches the Subject DN and the CA issuer against the values received at connection setup
• SP validates the digital signature using the digital certificate included in the SAML assertion
When IdP Certificate Expires
• When the IdP's certificate is about to expire, it can renew and start using the new certificate to sign messages
• As long as the IdP uses a new certificate with the same Subject DN and CA issuer, the SAML connection keeps working
PingFederate 6.1 includes a new "anchored" trust model option that can eliminate annual partner certificate exchanges. Used by default with PingFederate Express connections, the new anchored trust model can optionally be used wherever PingFederate processes digital signatures.
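The anchored checks listed above, written out as an added Go example that is not Ping Identity's code: the SP keeps only the issuing CA and the Subject DN from setup, and verification uses Go's standard-library X.509 and RSA packages. The CA, the IdP certificates, the DN (CN=idp.example.com,O=Example Org) and the assertion body are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedAssertion stands in for a SAML assertion whose signature carries the signer's certificate (KeyInfo).
type SignedAssertion struct{ Body, Signature, SignerDER []byte }

// Verify applies the anchored checks in the page's order: the embedded certificate must chain to the
// anchored CA and carry the pinned Subject DN; only then is the signature checked with that certificate's key.
func Verify(roots *x509.CertPool, anchoredDN string, sa SignedAssertion) error {
	cert, err := x509.ParseCertificate(sa.SignerDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return errors.New("signing certificate does not chain to the anchored CA")
	}
	if cert.Subject.String() != anchoredDN {
		return errors.New("signer Subject DN does not match the anchored DN")
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("unsupported signing key type")
	}
	h := sha256.Sum256(sa.Body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sa.Signature)
}

// issue generates a fresh RSA key and a certificate for cn; with parent nil it is a self-signed CA (constructed stand-in for a trusted public CA).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, []byte, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Organization: []string{"Example Org"}, CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, der, key
}

// sign signs the assertion body and attaches the signer's certificate.
func sign(body []byte, key *rsa.PrivateKey, der []byte) SignedAssertion {
	h := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	must(err)
	return SignedAssertion{Body: body, Signature: sig, SignerDER: der}
}

// Scenario reports which assertions the SP accepts: the original certificate, a renewal (new key,
// same DN, same CA), a different DN from the same CA, and the right DN issued by a CA the SP never anchored.
func Scenario() (original, renewed, wrongDN, untrustedCA bool) {
	ca, _, caKey := issue("Example Trusted CA", 1, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	leaf, der1, key1 := issue("idp.example.com", 100, ca, caKey)
	anchoredDN := leaf.Subject.String() // recorded by the SP at connection setup
	body := []byte(`<saml:Assertion ID="constructed-example">...</saml:Assertion>`)
	original = Verify(roots, anchoredDN, sign(body, key1, der1)) == nil
	_, der2, key2 := issue("idp.example.com", 101, ca, caKey)
	renewed = Verify(roots, anchoredDN, sign(body, key2, der2)) == nil
	_, der3, key3 := issue("other.example.com", 102, ca, caKey)
	wrongDN = Verify(roots, anchoredDN, sign(body, key3, der3)) == nil
	rogue, _, rogueKey := issue("Example Trusted CA", 2, nil, nil)
	_, der4, key4 := issue("idp.example.com", 103, rogue, rogueKey)
	untrustedCA = Verify(roots, anchoredDN, sign(body, key4, der4)) == nil
	return
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() { fmt.Println(Scenario()) } // prints: true true false false
```

The example signs raw bytes with PKCS#1 v1.5; real SAML processing verifies an XML Signature over the canonicalized assertion, but the trust decision (CA chain, pinned DN, then signature) is the same.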
PingFederate includes out-of-the-box integration with SafeNet's LUNA SA hardware security module (HSM) for customers needing to comply with FIPS 140-2.
Advanced Capabilities - FIPS 140-2, HSM and SafeNet LUNA Partnership
SafeNet provides complete security utilizing its encryption technologies to protect communications, intellectual property and digital identities, and offers a full spectrum of products including hardware, software, and chips.
PingFederate provides out-of-the-box integration with SafeNet's Luna SA Hardware Security Module (HSM). The combination of these technologies helps address the Federal Information Processing Standard (FIPS) 140-2 regulation, which requires storage and processing of all keys and certificates on a certified cryptographic module.
The FIPS requirement is broadly adopted within the government, financial, and healthcare industries.
[Diagram: PingFederate using the SafeNet LUNA SA Hardware Security Module (HSM)]
Who We Are
We are Ping Identity. We provide Internet Identity Security and Single Sign-On solutions to hundreds of enterprises worldwide. Our identity solutions enable secure access to Internet applications without the need to re-login again and again.
At Ping, we deliver products with uncompromising quality and elegance, on time, every time. We make complex security and integration challenges look simple, and we believe in the value of speed to success. Our solutions deploy in hours or days, not weeks or months.
We believe in open standards and in solutions that deploy without dependencies. Too many identity management solutions are a nightmare to implement, or they force companies to install more than they need. Many identity management products don't work without heavy lifting or expensive customization. We believe you should not have to compromise security, timelines, or success when attempting to connect to SaaS providers, partners or customers, so we're taking Internet security in a new direction - a simpler direction.
© 2009 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingConnect, PingEnable, Auto-Connect, PingFederate Express and the Ping Identity logo are trademarks, service marks or registered trademarks of Ping Identity Corporation. All other trademarks or registered trademarks are the properties of their respective owners. 1a091015.