You are on page 1of 66

PingFederate

Capabilities and
Use Cases
A Ping Identity ebook
Version 1.0a
October, 2009
Introduction - About this eBook

This ebook is designed to give PingFederate customers and users a


comprehensive yet easy-to-digest summary of the many capabilities
and use cases supported by the latest version of PingFederate.

Designed to be quickly scanned, it makes extensive use of diagrams


and hyperlinks to allow quick navigation to interesting topics. Any text
you see in italics (other than diagram captions) is a link. For example,
you will find a link back to the Table of Contents at the bottom right
corner of each page. Also, the entries and page numbers in the Table
of Contents itself are all links you can use to quickly navigate to a topic
of interest. Finally, the chapter title at the top of each page links back to
the beginning of the chapter.

Please send any feedback on this document, including suggestions,


corrections or enhancements, to productguideeditor@pingidentity.com.

Version 1.0
October, 2009

2 Previous Next Table of Contents


Table of Contents
Introduction - About This Document 2 3. Integration with Existing Systems 22
The Need for First and Last Mile Integration 23
1. PingFederate Overview 5 First Mile Integration at the IdP 24
Internet Identity Security Platform 6 Last-Mile Integration at the SP 25
Three Types of Internet Identity Use Cases 7 Custom Java, .NET and PHP Applications 26
PingFederate Add-On Modules 8 CA SiteMinder 27
Enabling Internet SSO 9 Oracle Access Manager 28
Federated Identity Capabilities 10 IBM Tivoli Access Manager 29
Internet Identity Standards Support 11 IWA, Active Directory, X.509 and LDAP 30
2. Internet SSO Use Cases 12 IIS, Apache, WebSphere and Weblogic 31
SSO for External/SaaS Applications 13 Microsoft SharePoint and SAP NetWeaver 32
Leading SaaS Apps Support Internet SSO 14 Citrix XenApps (formerly Presentation Server) 33
PingFederate Works with All these Apps 15 4. Internet User Account Management 34
SaaS Provider Customer SSO 16 Background/Overview 35
Customer-Facing Applications 17 Express Provisioning 36
SSO for Internal Applications 18 SaaS Provisioning 37
IdM Suite Federation Alternative 19 Express and SaaS Provisioning Compared 38
SSO for Business Partners 20
Endpoint Enablement 21 Continued ...

3 Previous Next Table of Contents


Table of Contents (continued)

Previous ... 7. Advanced Capabilities 56


Identity Management for Salesforce CRM 39 PingFederate Architecture 57
Identity Management for Google Apps 40 Self-Contained Server Clustering 58
Identity Management for Workday 41 Programmatic Configuration Migration 59
5. Endpoint Enablement 42 JMX and SNMP Monitoring 60
PingFederate Express 43 Compliance/Logging/ArcSight Partnership 61
Endpoint Program 44 Auto-Connect 62
6. Universal Token Translation and the STS 45 Anchored Trust Model Eliminates Certificate
Background/Overview 46 Exchanges 63
Components of the PingFederate STS 47 HSM, FIPS-140-2 and SafeNet LUNA 64
Generating SAML Assertions from Tokens 48
Generating SAML Assertions from Claims 49
Generating New Tokens from SAML 50 Who We Are 65
Using the STS for Token Exchange 51
Identity-Enabled Web Services 52
Using the AmberPoint WS-Trust Client 53
Proprietary Token Exchange 54
Securing REST with OAuth 55

4 Previous Next Table of Contents


Chapter 1

PingFederate Overview

5 Previous Next Table of Contents


PingFederate Overview
Internet Identity Security Platform

PingFederate® has evolved from a


standalone federated identity server
PingFederate into a complete Internet identity
security platform designed to meet
any organizationʼs Internet-facing
Internet Internet Universal identity management needs.
Internet SSO User Account Security Token
Identity It is packaged as a single software
Standards-Based Management Translation
Security Federated Identity product that provides three primary
Express and SaaS Provisioning Security Token Service
Platform Internet Identity Security functions:
Internet SSO, Internet User Account
Configuration & Administration Runtime Services Management and Universal Security
Token Translation. These three
functions are supported by a set of
Add-On Integration Security Token SaaS PingFederate common services.
Modules Kits Translators Connectors Express
The product family also includes a set
of add-on modules that extend
PingFederate to support external
PingFederate is a Internet Identity Security software platform designed to meet any systems.
organizationʼs Internet-facing identity management challenges.

6 Previous Next Table of Contents


PingFederate Overview
Three Types of Internet Identity Use Cases
PingFederate supports three types of
Internet Identity use cases:

Internet Single Sign-On Users sign on


once to their corporate network.
Internet SSO PingFederate securely and
transparently communicates their
identities to Internet applications,
removing the need for subsequent
application sign ons.

Internet User
Internet User Account Management
Account Management
User accounts at Internet applications
are automatically created, updated and
deleted throughout the user's life cycle
within the organization.
Universal Token Translation
Your Organization Universal Token Translation
Applications in different security
domains need to translate security
Your Suppliers, Customers, tokens in order to share user identity
Service Providers ... information. This capability is often
used in conjunction with Web services.
PingFederate provides three types of Internet Identity use cases: Internet Single Sign On
(SSO), Internet User Account Management and Universal Security Token Translation.

7 Previous Next Table of Contents


PingFederate Overview
PingFederate Add-On Modules

PingFederate
incorporates the core
functionality necessary
to implement Internet
PingFederate
SSO, Identity-enabled
Web Services and
Internet User Account
Management into a
single server and a
single administrative Integration Security Token SaaS PingFederate
console.
Kits Translators Connectors Express

Integration Kits extend Security Token SaaS Connectors PingFederate


PingFederate's Internet Translators are plug- expedite and optimize Express is an
SSO capabilities to work ins that enable connections to leading Internet Single Sign-
with existing identity PingFederate's WS- SaaS providers by On (SSO) "endpoint"
management and Trust Security Token providing Quick solution for Service
application Service (STS) to Connection Providers
infrastructure process specific security Templates, support for (application owners)
at identity providers and token types. automated SaaS user who need to quickly,
service providers. account management easily and cost-
and support for non- effectively establish a
browser-based access SAML connection
devices such as email with a PingFederate
clients and mobile Identity Provider. 
devices.

8 Previous Next Table of Contents


PingFederate Overview
Enabling Internet SSO
PingFederate provides Internet SSO by
supporting the Security Assertion Markup
Language (SAML) and WS-Federation
identity federation standards.
Identity Provider (IdP) Service Provider (SP)
Both standards work by securely
transmitting information about the user of
an application from an organization that
maintains an account for that user (called
Application the Identity Provider, or IdP) to the
User PingFederate™ PingFederate™ Target
Application organization providing the desired Web
application or resource (called the Service
Provider, or SP).
Identity
Management
System Both parties taking part in an Internet SSO
connection need software that supports
Session Lookup SAML or Session Creation the same federated identity protocol. This
WS-Federation
software must integrate with identity and
authentication sources at the IdP, and it
must integrate with the application
environment at the SP. With this
The basis for Internet SSO is a technology and a set of integration in place, it is possible to look
up information about the userʼs session at
industry standards called Federated Identity.
the IdP and create an equivalent session
at the SP.

9 Previous Next Table of Contents


PingFederate Overview
Federated Identity Capabilities

Federation Standards Profiles Attribute Sources


• SAML 1.0 • IdP-Initiated SSO • LDAP
• SAML 1.1 • SP-Initiated SSO • JDBC
• SAML 2.0 • Single Log-Out • Custom (via SDK)
• WS-Federation • Attribute Query & XASP
• IdP Discovery Certificate Validation
Federation Roles • CRL
• Identity Provider (IdP) Kantara/Liberty Alliance • OCSP
• Service Provider (SP) Interop Certifications
• IdP Discovery • IdP Lite Trust Models
• SP Lite • Unanchored
Bindings • eGov • Anchored
• HTTP Post
• HTTP Artifact Identity Mapping Additional Capabilities
• HTTP Redirect • Account Linking • Metadata Exchange
• SOAP • Account Mapping • Authentication Context
• Auto-Connect
• Integration with SafeNet
LUNA

10 Previous Next Table of Contents


PingFederate Overview
Internet Identity Standards Support

Identity Security Internet User Policy


Federation Token Service Account Management Management

SAML 1.0
SAML 1.1 WS-Trust LDAP
Now
SAML 2.0 SOAP/WSS JDBC
WS-Federation

OpenID
OAuth
Roadmap Facebook Connect SPML XACML
REST
Information Cards

Ping Identityʼs strategy for PingFederate is to provide support for all relevant Internet identity management standards that our
customers expect to deploy, whether they be de jure or de facto. Items in the Roadmap row are in our intermediate term product
plan, but have not yet been prioritized for development. We are always interested in speaking with any customers or prospects
interested in deploying roadmap functionality. If you are such a person, please send an email to our product management team
at marketing@pingidentity.com.

11 Previous Next Table of Contents


Chapter 2

Internet SSO Use Cases

12 Previous Next Table of Contents


Internet SSO Use Cases
SSO for External/SaaS Applications
In this use case, enterprises use
PingFederate to connect to one or
more service providers such as
Software as a Service (SaaS)
suppliers that provide applications
for employee use.

Enterprise With PingFederate, the enterprise


can provide SSO access to
external applications from multiple
devices including Web browsers,
mobile devices and rich clients
such as Microsoft Outlook.

PingFederate PingFederate can leverage


Other Leading
identities from its existing IdM
SaaS Apps system and authentication
capabilities such as Integrated
Windows Authentication (IWA).
Outsourcing
Provider For applications with large numbers
of users, PingFederate can also
automate the management of user
In this use case, an enterprise uses PingFederate to give its employees easy and secure accounts at the application
access to applications provided by SaaS, outsourcers and other service providers. provider.

13 Previous Next Table of Contents


Internet SSO Use Cases
Leading SaaS Applications Support Internet SSO
While federated identity was evolving
as an essential Internet security
technology, another technology was
also evolving: the emergence of on-
demand Software-as-a-Service
applications.

Given the fundamental ability of


Internet SSO and federated identity to
support scenarios where users are in
one place and their applications are in
another, it only makes sense that
these two trends would converge -
and they have.

SSO to SaaS has now emerged as


the major use case for Internet SSO.
Virtually every major SaaS provider,
including those shown here, now
support Internet SSO. While some
started by offering a proprietary SSO
mechanism, the trend in the industry
is toward support of the SAML 2
Virtually every major Software-as-a-Service provider now supports Internet SSO.
standard for implementing SSO.

14 Previous Next Table of Contents


Internet SSO Use Cases
PingFederate Works with All these Apps and More

ACI Worldwide Globoforce Postini Threepointoffice


ADP Globalview Google Apps PowerSteering Software Tierra Software Development
ADP Pre-Employment Services GT Nexus PriceMetrix Trimble
ADP ProBusiness Healthline Networks PureSafety Triple Creek Associates
Advent Software Hibbert Company RazorGator Truist
Apollo Enterprise Solutions HiveLive Inc Rearden Commerce TRX
Axentis, Inc HumanConcepts Reed Group Valtera Corporation
Bellomy Research InfoHRM Pty Rideau VibeSMG
Benelogic Innocentive Salary.com Virtual Premise
Brainshark IntraLinks Salesforce CRM Vision Global Solutions
Business Integration Group Legal Intelligence Salesforce Customer Portal Vocus
Concur Livetechnology Holdings Salesforce Partner Portal WageWorks
CreateHope M2 Consulting Satuit Technologies Webex
DecisionView MarketTools Savo Group Webroot
eBenefits Media Defined SBC Systems Company Workday
ePharma Solutions MullinTBG Schawk Digital Solutions Worlddoc
FinancialKnowledge NextJump Simantel Group Xpress Bill Pay
Fortrex Technologies Nirvanix Success Factors Zoho CRM
Fragomen, Del Rey, Bernsen & Loewry PeopleCube Technology & Business Solutions
Geezeo.com Pointserve TharpeRobbins Company

15 Previous Next Table of Contents


Internet SSO Use Cases
SaaS Provider Customer SSO
Over 100 Software-as-a-Service
(SaaS) providers already incorporate
PingFederate into their product
offerings.

Customer These companies use PingFederate


Service three different ways. First, they
Supplier provide standards-based Internet
SaaS Provider SSO to their customers. These
connections can be SAML 2, SAML
1.x or WS-Federation based.
Customer

Service Second, they use PingFederateʼs


Express Provisioning capability to
PingFederate Provider
automatically create user accounts in
their user store.
Customer
Third, they use PingFederate to
“mash up” services from other service
providers that they re-market to their
SaaS Providers use PingFederate both to establish SAML-based Internet SSO customers. These mashups can be
connections with their customers and to create services mashups. either browser- or Web Services-
based.

16 Previous Next Table of Contents


Internet SSO Use Cases
Customer-Facing Applications
Companies in virtually every industry
are now enhancing or expanding their
product offerings via additional
functionality delivered via the Internet.
Such companies differ from pure
SaaS providers in that their product is
Enterprise more than software. These also tend
to be larger, more established
Customer
companies that have multiple
federated identity use cases.

These firms use PingFederate in a


hybrid manner. They support both
Outsourcing incoming SSO for their customers, as
Customer
PingFederate Provider well as outgoing SSO for their
employees.

PingFederate is a particularly good


choice for this use case because
Many non-technology companies now sell products that have an online component. pricing is connection- versus seat-
These companies use PingFederate for both inbound and outbound Internet SSO. based, the model most common with
identity management products
designed to manage employee
identities.

17 Previous Next Table of Contents


Internet SSO Use Cases
SSO for Internal Applications
Many organizations, especially larger
ones, find themselves in the situation
of having multiple security domains
where users in one domain often need
access to applications in another
SiteMinder domain.

In this situation, a single PingFederate


instance can be configured in a hybrid
role where it supports one or more
domains acting as Identity Providers,
and also one or more domains acting
Integrated Windows as Service Providers.
Authentication
PingFederate
Deploying PingFederate for Internal
Single Sign-On so that users can log
Homegrown in once and access Web-based
WAM applications in other domains is often
far less costly than consolidating
security domains - an option that in
many cases is not even technically
feasible.
In this example, PingFederate gives users who log into their Windows network SSO
access to applications protected by SiteMinder and a home-grown Web Access
Management system.

18 Previous Next Table of Contents


Internet SSO Use Cases
IdM Suite Federation Alternative
Identity management suite customers
often choose to implement
PingFederate instead of the federated
identity module offered by their suite
Partner vendor.

SiteMinder These customers generally choose


PingFederate for one or more of the
following reasons:
• Easier to learn, deploy and use
• Much faster time-to-connection
Oracle Access Manager
SaaS • Out-of-the-box integration with other
products, particularly those from their
suite vendorʼs competitors
PingFederate • Extensive support for SaaS SSO:
provisioning, mobile devices, email
Tivoli Access Manager clients etc.
Service
• No need to upgrade to latest version
Provider of IdM suite just to use the federation
module
• Availability of PingEnable
implementation and support services
• Significantly lower total cost of
Many identity management suite user choose PingFederate to deliver Internet SSO ownership
functionality instead of the federated identity module sold by their suite vendor.

19 Previous Next Table of Contents


Internet SSO Use Cases
SSO for Business Partners
Companies with extensive supply or
demand chains often desire to provide
Suppliers SSO support to or from business
partners including suppliers, dealers,
distributors, affiliates and customers.
Dealers
Depending on the specific
Enterprise requirements, PingFederate allows
these companies to act as an IdP, SP
or both.
Partners
Companies implementing Partner
PingFederate SSO often do so by implementing a
Industry partner portal. PingFederate has
Hub Integration Kits available for leading
portal platforms.

In industries with an available industry


federation hub such as Covisint or
Exostar, PingFederate can also
connect to business partners via that
hub.
Enterprises with large supply or demand chains often use PingFederate to
implement Internet SSO either to or from their business partners.

20 Previous Next Table of Contents


Internet SSO Use Cases
Endpoint Enablement
Many organizations initially deploy
Internet SSO to support a tactical
project requirement. Once they have
experienced the benefits of Internet
SSO, many realize they can reap
significant strategic benefits from the
technology by deploying it widely.

These organizations then develop


Federation “endpoint” enablement programs
Hub designed to turn their organization into
a federation “hub” surrounded by
dozens, hundreds or even thousands
of partner organizations acting as
federation “spokes”.

Large scale deployment of federated


identity requires not only highly
scalable and reliable Internet SSO
software such as PingFederate at the
Organizations recognizing the strategic advantages provided by Internet SSO often hub, but also a much lighter weight
see themselves becoming a federation hub surrounded by dozens of partners. form factor such as PingFederate
Express for deployment by partner
organizations.

21 Previous Next Table of Contents


Chapter 3

Integration with Existing


Systems

22 Previous Next Table of Contents


Integration with Existing Systems
The Need for “First and Last Mile” Integration

As a stand-alone server, PingFederate


must integrate programmatically with
Identity Management (IdM) systems
Identity Provider Service Provider and end-user applications to
complete the “first and last mile”
implementation of a federated identity
SAML/ network that implements Internet
WS-Federation SSO.
Identity Identity
Attributes Attributes To enable both the Identity Provider
PingFederate (IdP) and Service Provider (SP) sides
PingFederate of this integration, PingFederate
provides commercial integration kits,
Authentication which include adapters that plug into
Target
Service/ Application the PingFederate server and agents
Application
that interface with local IdM systems
or applications.

PingFederate also has a SDK that can


be used to create custom adapters
User attributes originate at the IdP and are used at the SP to establish a session in the for systems that do not have an
target applications. PingFederate integrates with both IdP and SP systems to facilitate available Integration Kit.
the transfer of these attributes.

23 Previous Next Table of Contents


Integration with Existing Systems
“First Mile” Integration at the Identity Provider

IdP integration involves retrieving user


Identity Provider identity attributes from the IdP
domain and sending them to the
Java Custom PingFederate server. Typically, the
.NET Applications identity attributes are retrieved from
PHP
an authenticated user session. For
Windows IWA/NTLM
IdP integration, a number of attribute-
Authentication
Active Directory/LDAP retrieval approaches can be used,
Systems
Strong Authentication depending upon the IdP deployment/
implementation environment.
CA SiteMinder SAML
Identity Mgt
Oracle Access Manager Ping Identity offers a broad range of
Systems
Tivoli Access Manager
PingFederate commercial integration kits that
address various IdP scenarios, most
SAP NetWeaver of which involve either custom
Portals
Custom/Homegrown application integration, integration
with a commercial IdM product, or
integration with an existing
authentication system.

Ping Identity offers a wide variety of Integration Kits that provide “first
mile” integration at the Identity Provider.

24 Previous Next Table of Contents


Integration with Existing Systems
“Last Mile” Integration at the Service Provider
An SP is the consumer of identity
attributes provided by the IdP through
Service Provider
a SAML assertion. SP integration
Java involves passing the identity
Custom attributes from PingFederate to the
.NET
Applications
PHP target SP application. The SP
application uses this information to
Apache
Microsoft IIS set a valid session or other security
Web and App context for the user represented by
SAP Netweaver
Servers
WebLogic the identity attributes.
WebSphere
SAML
CA SiteMinder
Session creation can involve a
Identity Mgt
Oracle Access Manager number of approaches, and as for the
Systems
PingFederate Tivoli Access Manager IdP, Ping Identity offers commercial
integration kits that address the
various SP scenarios. Most SP
Commercial Citrix
scenarios involve custom-application
Applications Microsoft SharePoint
integration, server-agent integration,
integration with an IdM product, or
integration with a commercial
application.

Ping Identity provides a wide variety of Integration Kits that provide


“last mile” integration at the Service Provider.

25 Previous Next Table of Contents


Integration with Existing Systems
Custom Java, .NET and PHP Applications
Identity Providers A federation partner
can use a custom authentication service
or application to play the IdP role in the
federation partnership. Integration with a
Identity Provider Service Provider custom application is handled through
application-level integration kits, which
allow software developers to integrate
their custom applications with a
Java Java PingFederate server acting as an IdP.
Application Application
Service Providers Some applications
.NET .NET use their own authentication
Application Application mechanisms and are responsible for
SAML
PHP PHP their own user-session management.
Application Application When there is limited or no access to
PingFederate PingFederate the Web or application server hosting
the application, integration with these
custom applications is handled through
application-level integration kits. With
these integration kits, PingFederate
PingFederate can integrate with custom/homegrown identity management and sends the identity attributes from the
authentication systems at the IdP as well as custom applications at the SP. SAML assertion to the SP application,
which can then use them for its own
authentication and session
management.

26 Previous Next Table of Contents


Integration with Existing Systems
CA SiteMinder
PingFederate, when combined with its
SiteMinder Integration Kit, provides a
comprehensive Internet SSO solution
that does not require any custom
development: 
• As an Identity Provider, you can
provide your users with SSO to
Identity Provider Service Provider external services over the Internet
such as Software-as-a-service
(SaaS) and Business Process
Outsourcing (BPO) where they are
SiteMinder SiteMinder
SAML automatically authenticated by your
SiteMinder server.
PingFederate PingFederate • As a Service Provider, you can
provide your external partners and
customers Internet SSO to
SiteMinder protected applications.
• You can provide internal SSO for
PingFederate and its SiteMinder Integration Kit can be used by SiteMinder the enterprise and its acquisitions,
shops acting in the Identity Provider role, Service Provider role or both. affiliates, subsidiaries and joint
ventures regardless of the version
of SiteMinder or identity and access
management system (IdM) each
organization has deployed.

27 Previous Next Table of Contents


Integration with Existing Systems
Oracle Access Manager
PingFederate, when used with its
Oracle Access Manager (OAM)
Integration Kit, provides a
comprehensive Internet SSO solution
that can be installed in as little as a
day: 
Identity Provider Service Provider • As an Identity Provider, you can
provide your users with SSO to
external services over the Internet
such as Software-as-a-service
(SaaS) and Business Process
Oracle Access Manager SAML Oracle Access Manager
Outsourcing (BPO) where they are
automatically authenticated by
PingFederate PingFederate OAM.
• As a service provider you can
provide your external partners and
customers Internet SSO to OAM
protected applications.
• You can provide internal SSO for
PingFederate and its Oracle Access Manager Integration Kit can be used by OAM the enterprise and its acquisitions,
shops acting in the Identity Provider role , Service Provider role or both. affiliates, subsidiaries and joint
ventures regardless of the version
of OAM or identity and access
management system (IdM) each
organization has deployed.

28 Previous Next Table of Contents


Integration with Existing Systems
IBM Tivoli Access Manager
Ping Identity offers a fixed price
integration service for deploying
PingFederate with Tivoli Access Manager.  
The TAM IdP integration kit leverages
Tivoli Access Manager WebSEAL as a
point of user authentication and requires
a secure deployment configuration.  
Identity Provider Service Provider • As an Identity Provider, you can
provide your users with SSO to
external services over the Internet such
as Software-as-a-service (SaaS) and
Business Process Outsourcing (BPO)
Tivoli Access Manager SAML Tivoli Access Manager
where they are automatically
authenticated by TAM.
PingFederate PingFederate • As a service provider you can provide
your external partners and customers
Internet SSO to TAM protected
applications.
• You can provide internal SSO for the
enterprise and its acquisitions,
affiliates, subsidiaries and joint
PingFederate can be integrated with Tivoli Access Manager via a fixed price service ventures regardless of the version of
engagement. When done so, TAM can act as an IdP, SP or both. TAM or identity and access
management system (IdM) each
organization has deployed.

29 Previous Next Table of Contents


Integration with Existing Systems
Microsoft IWA, Active Directory, X.509 and LDAP
Initial user authentication is normally
handled outside of the PingFederate
server using an authentication application
or service. PingFederate authentication
Identity Provider system integration kits leverage this local
authentication to access applications
outside the security domain.

These integration kits access


IWA/NTLM authentication credentials that are
validated against a Windows security
context, which could be NTLM or
Integrated Windows Authentication (IWA)
X.509 SAML working with Active Directory, and pass
them to the PingFederate IdP server.

The X.509 Certificate Integration Kit uses


PingFederate the PingFederate security infrastructure to
LDAP perform client X.509 certificate
authentication for SSO to SP applications.

PingFederate also packages an LDAP


Authentication Service Adapter and logon
form that can authenticate users directly
PingFederate authentication system integration kits gives users who have against an LDAP data store for SP-
authenticated locally SSO access to applications hosted by Service Providers. initiated SSO scenarios.

30 Previous Next Table of Contents


Integration with Existing Systems
Microsoft IIS, Apache, WebSphere and WebLogic
PingFederate Web and App server
Integration Kits allow SP enterprises to
Service Provider accept SAML assertions and provide SSO
to all applications running on their Web
and/or application server; there is no need
to integrate each application. Applications
IIS Server running on the Web/application server
must delegate authentication to the server;
if the application employs its own
The
Apache authentication mechanism, integration
Software Foundation
http://www.apache.org/
must occur at the application level.

SAML With these integration kits, PingFederate


sends the identity attributes from the
SAML assertion to the server agent, which
PingFederate WebSphere
is typically a Web filter or JAAS (Java
Authentication and Authorization Service)
Login Module. The server agent extracts
the identity attributes, which the server
WebLogic then uses to authenticate and create a
session for the user.

These integration kits do not require any


PingFederate Web and Application Server Integration Kits allow Service development; integration with
PingFederate is accomplished entirely
Providers to provide SSO to applications running on those servers without
through the PingFederate administrative
having to integrate each application.
console.

31 Previous Next Table of Contents


Integration with Existing Systems
Microsoft SharePoint and SAP NetWeaver
The PingFederate NetWeaver
Integration Kit supplies both outgoing
(IdP-side) SSO support for NetWeaver
users, as well as incoming (SP-side)
Internet SSO support for NetWeaver
applications.
Identity Provider Service Provider
The PingFederate SharePoint
Integration Kit provides incoming (SP-
side) SSO support for SharePoint
NetWeaver applications. (For IdP-side support in
NetWeaver a Microsoft environment, use the
SAML
PingFederate IWA/NTML Integration
PingFederate PingFederate SharePoint Kit.)

These integration kits do not require


any development; integration with
PingFederate is accomplished entirely
PingFederate portal Integration Kits support two of the most popular commercially through the PingFederate
available portals - Microsoft SharePoint and SAP NetWeaver. administrative console.

32 Previous Next Table of Contents


Integration with Existing Systems
Citrix XenApp (formerly Presentation Server)
Giving external users such as customers,
contractors and partners SSO access to
virtualized applications used to require
Citrix XenApp (formerly Presentation
Server) administrators to manage
Service Provider passwords and user credentials for each
external user. The subsequent cost and
effort required to manage external user
Identity accounts is significantly higher than
Web
Provider Interface
managing internal users and employee
accounts through traditional Identity
Management systems.
SAML
PingFederate eliminates this burden by
XenApp tightly integrating with XenApp via the
PingFederate Citrix Web Interface. The combination
turns XenApp into a SAML or WS-
Federation Service Provider. External
users, whose identities are managed by
their Identity Provider, get SSO access to
any applications virtualized by XenApp.

PingFederate and its Citrix Integration Kit turn Citrix XenApp into a SAML Service This architecture is especially popular with
service providers that need to provide
Provider, making virtualized applications available to external users.
external access to legacy applications.

33 Previous Next Table of Contents


Chapter 4

Internet User
Account Management

34 Previous Next Table of Contents


Internet User Account Management
Background/Overview
While many organizations have struggled
to deploy a workable enterprise
Service Providers provisioning solution, Cloud computing
has created a new provisioning challenge:
Enterprise additional user directories often beyond
the reach and control of their enterprise
solution. These additional directories must
User

?
be populated and managed before users
Directory
can use those external applications.

To meet this challenge, PingFederate now


offers two different types of Internet user

?
account management:
User • Express Provisioning is a Service
Directory Provider-side solution that uses the
Enterprise attributes in incoming SAML assertions
Directory to create and update user accounts.
• SaaS Provisioning is an Identity

? User
Directory
Provider-side solution that integrates a
corporate directory with a SaaS
providerʼs provisioning API to
automatically create, update and delete
user accounts in the Service Providerʼs
directory for a selected set of users.
Service providers such as SaaS vendors often have their own user account directories
that are beyond the reach and control of enterprise provisioning solutions.

35 Previous Next Table of Contents


Internet User Account Management
Express Provisioning
PingFederate Express Provisioning
uses information passed via Internet
SSO inside the SAML assertion to
automatically and dynamically create
Service Provider user accounts in the destination
application directory if they do not
already exist.

" This enables the application provider


to create user accounts "on-the-fly,"
SAML adding convenience for users and
reducing staff overhead by automating
# Internet user account management.
!
Express Provisioning works for both
PingFederate LDAP
or
LDAP and JDBC user stores at the
Service Provider.
JDBC

It is useful for “arms length” use cases


where the userʼs identity does not
need to be known in advance by the
Service Provider such as supply chain
Express Provisioning uses the attributes contained within incoming SAML assertions to portals, collaborative projects and
create or update user accounts within the Service Providerʼs user store. many SaaS applications.

36 Previous Next Table of Contents


Internet User Account Management
SaaS Provisioning
SaaS Provisioning allows SaaS
applications to automatically create and
remove users by replicating user
account information from the SaaS
customers' enterprise directories.

Enterprise SaaS Provider A group or filter in the SaaS customer's


enterprise directory contains all of the
users that are authorized to use the
SaaS application. When administrators
LDAP
or add, remove or update users in the
Active enterprise directory, PingFederate
Directory automatically "replicates" those changes
Provisioning to the SaaS application's remote
PingFederate API directory.

SaaS Provisioning eliminates the need


to manually maintain SaaS user
directories. It also eliminates zombie
PingFederate SaaS Provisioning watches a directory group or filter for user accounts by quickly and automatically
changes. When they occur, it automatically pushes them to the SaaS provider. disabling accounts when users are
removed from the corporate directory.
This reduces the risk of data loss and
compliance audit failures.

37 Previous Next Table of Contents


Internet User Account Management
Express and SaaS Provisioning Compared

Requirement Express Provisioning SaaS Provisioning

SP provides just-in-time access IdP establishes user accounts at


Use Case
to applications SP before enabling SSO

Account Data Source SSO transaction IdP corporate directory

Other Party IdP must have SAML-based Service Provider must have a
Requirement Internet SSO solution provisioning API

Target Directory/
LDAP, JDBC Google Apps, Salesforce
Interface Supported

38 Previous Next Table of Contents


Internet User Account Management
Identity Management for Salesforce CRM
With the growth of SaaS,
PingFederate offers SaaS Connectors
for leading SaaS providers including
Salesforce CRM.
PingFederate
The Salesforce Connector includes a
Provisioner Salesforce Driver SSO Quick Connection template to simplify
Endpoint connection setup with pre-populated
connection settings, user/account
provisioning parameters, and SSO
endpoint parameters. It also
Provisioning implements SaaS Provisioning to
API Accounts
Corporate eliminate manual account setup for
Directory these applications.

Finally, they allow PingFederate to


SSO-enable the numerous means
SaaS Provisioning, one of the capabilities included in the PingFederate SaaS your users employ to access
Connector for Salesforce, works by passing changes made in your corporate Salesforce CRM: desktop browsers,
directory to the Salesforce Account store via Salesforceʼs provisioning API. mobile device browsers, and even rich
client applications such as the
Salesforce Outlook email plug-ins.

39 Previous Next Table of Contents


Internet User Account Management
Identity Management for Google Apps
With the growth of SaaS,
PingFederate offers SaaS Connectors
for leading SaaS providers including
Google Apps that works with Google
PingFederate Docs and Gmail.

Provisioner Google Driver SSO The Google Apps Connector includes


Endpoint a Quick Connection template to
simplify connection setup with pre-
populated connection settings, user/
account provisioning parameters, and
Provisioning SSO endpoint parameters.
API Accounts
Corporate
Directory It also implements SaaS Provisioning
to eliminate manual account setup for
these applications. Automated user
account provisioning is particularly
SaaS Provisioning, one of the capabilities included in the PingFederate SaaS Connector important for applications like Gmail
for Google Apps, works by passing changes made in your corporate directory to the that tend to be used by every
Google Apps account store via Googleʼs provisioning API. employee in the organization.

40 Previous Next Table of Contents


Internet User Account Management
Identity Management for Workday
With the growth of SaaS,
PingFederate offers SaaS Connectors
for leading SaaS providers. Ping
PingFederate Identity is currently developing a SaaS
Connector for Workday.

Provisioner Workday Driver SSO The Workday Connector will include a


Endpoint Quick Connection template to simplify
connection setup with pre-populated
connection settings, user/account
provisioning parameters, and SSO
Provisioning endpoint parameters.
API Accounts
Corporate
Directory It also implements SaaS Provisioning
to eliminate manual account setup for
Workday. Automated user account
provisioning is particularly important
Ping Identity is currently developing a SaaS Connector for Workday. If you for applications like Workday that tend
would like to be notified when this product becomes available, send an to be used by every employee in the
email to marketing@pingidentity.com. organization.

41 Previous Next Table of Contents


Chapter 5

Endpoint Enablement

42 Previous Next Table of Contents


Endpoint Enablement
PingFederate Express
PingFederate Express™ is an Internet
SSO "endpoint" solution for Service
Providers who need to quickly, easily and
Service Providers cost-effectively establish a SAML
connection with a PingFederate Identity
Provider.  It delivers enterprise-class
performance, reliability and security, yet it
PingFederate
Identity Provider E X P R E S S
requires no additional hardware, federated
identity expertise or ongoing maintenance.

Many PingFederate customers have


smaller Service Provider partners with
limited IT resources, time and expertise. 
PingFederate Express gives these
partners an Internet SSO solution that is
PingFederate PingFederate
quick, easy, and cost effective to deploy
en masse, without requiring additional
E X P R E S S
hardware purchases or significant time
and effort on either side of the connection.

PingFederate Express can be purchased


by the IdP under Ping Identityʼs Endpoint
Program, or by the SP. In either case,
service providers receive their license key
PingFederate Express is an Internet SSO "endpoint" solution for Service Providers who need to
and technical support directly from Ping.
quickly, easily and cost-effectively establish a SAML connection with a PingFederate Identity
Provider.

43 Previous Next Table of Contents


Endpoint Enablement
Endpoint Program
Every Internet Identity connection requires
two parties. One party is generally highly
motivated to establish connections and
may need to deploy dozens or even
hundreds of connections as quickly as
possible. The other side of the connection,
PingFederate which we refer to as an “Endpoint”, is
Endpoint E X P R E S S generally less motivated and may be a
neophyte to Internet Identity technologies
Program and best practices.
Member It is in the initiating party's best interests to
provide their Endpoint partners with an
easy way to complete an Internet Identity
connection without initiating a lengthy and
PingFederate PingFederate costly evaluation cycle. Ping Identity's
Endpoint Program allows customers to
purchase a cost-effective block of
Endpoint licenses, services and support
for their customers, enabling them to
quickly and easily deploy Internet Identity
connections.

Under the PingFederate Endpoint Program, organizations seeking to Two products are available under the
Endpoint program to support different use
expedite the creation of Internet Identity connections can purchase
cases: PingFederate Express and
PingFederate and PingFederate Express licenses for their partners.
PingFederate licensed for a single
connection.

44 Previous Next Table of Contents


Chapter 6

Universal Token Translation


and the STS

45 Previous Next Table of Contents


Universal Token Translation and the STS
Background/Overview

The concept of Universal Token Translation and As organizations rolled out the initial STS-based Web
Security Token Services (STSs) originated with Web Services deployment, two additional STS use cases
Services. The lack of a standard method for have emerged.
communicating user identities hindered early Web
Services applications from gaining widespread First, while WS-Trust envisions token processing as
business acceptance. Standards such as WS- occurring in two phases at the Web service client and
Security and WS-Trust emerged in the SOAP world provider, the underlying STS has no such restriction.
that enable Web Services to share user identities, but As a result, larger organizations with multiple security
initially they were complex and difficult to implement. domains have recognized the value of the STS as a
“universal token translator” that can convert any type
PingFederate provides a key component required to of security token into any other type of security token
identity-enable Web Services: a WS-Trust Security - even if there are no Web services being used.
Token Service (STS). On the Web service client side,
which can be a Web application or rich desktop Second, even though they were “born” in the world of
application, the STS converts whatever security token SOAP, security experts have realized the concept of
that is used locally into a standard SAML security embedded tokens and STSs could play key role in
token containing the user's identity that is shared with securing REST-style Web Services as well.
the Web Services provider. On the Web Service
provider side, the STS validates security tokens and
can generate a new local token for consumption by
other applications.

46 Previous Next Table of Contents


Universal Token Translation and the STS
Components of the the PingFederate STS

PingFederate PingFederate Software


Security Token Service Security Token Translators Development Kits

WS-Trust STS OpenToken STS Client SDK


for Java
SiteMinder
Token Translator(s) STS Client SDK
Kerberos for .NET
As of version 6.0, X.509
PingFederate includes a WS- Token
Trust compliant Security Token ... Translator SDK
Service (STS) that accepts one
type of security token as input
and produces an equivalent Token Translators are plug-ins The .NET and Java Client
security token of a different that allow the STS to process SDKs act as WS-Trust clients
type as output. It uses a plug- (i.e. consume) and/or generate and allow programs written
in architecture to support the particular types of security in .NET and Java to interact
processing and generation of tokens. Token Translators for with the PingFederate STS.
different token types. It is several common token types PingFederate can also work
accessed programmatically are available from Ping with third party WS-Trust
via STS Client SDKs. Identity. Users can also build clients such as AmberPoint.
custom Token Translators
using the the Token Translator The Token Translator SDK
SDK if needed. allows users to create their
own token processor and
generator plug-ins.

47 Previous Next Table of Contents


Universal Token Translation and the STS
Generating SAML Assertions from Existing Tokens
A common use of the PingFederate
Java or .NET
Application STS is to generate a SAML assertion
equivalent to a token used in a local
STS Client SDK security domain. Once generated, the
SAML assertion can the used to
Existing New
Security
transfer identity attributes to another
SAML
Token Assertion security domain. SAML is an ideal
format for transportation across
STS security domains due to its inherent
portability and security.
Token Processor for
Existing Token Type
To do this, a program passes the local
token to a PingFederate STS that has
To generate a SAML the proper Token Processor plug-in
Token Processors
assertion equivalent installed. The STS then creates an
Available from Ping Identity to other token types, use equivalent SAML assertion and
Username/LDAP CA SiteMinder the Token Translator
SDK to build the
returns it to the calling program.
SAML 1.1 Oracle Access Manager
SAML 2.0 Microsoft Kerberos required STS plug-in.
OpenToken X.509 Certificate This technique can be used for any
token type for which Ping Identity
offers a Token Processor. It can also
be used for other token types by using
Using the PingFederate STS, an Identity Provider can generate SAML assertions the Token Processor SDK to create a
equivalent to existing security tokens used in local security domains. custom token processor.

48 Previous Next Table of Contents


Universal Token Translation and the STS
Generating SAML from Claims and Attributes
In some cases, the application calling
Java or .NET the STS does not have an existing
Application
security token with the same set of
attributes that need to be in the
STS Client SDK
generated SAML assertion. In these
cases, the STS can accept claims
New
Claims (attributes) submitted via the RST call
SAML
Assertion
from the Java or .NET client.

In addition, whether the input to the


STS is claims or an existing security
STS token, the STS has the ability to look
up additional attributes to be included
in the SAML assertion it generates.

To do this, the STS uses


PingFederateʼs attribute lookup
LDAP service, which supports LDAP and
JDBC JDBC data sources out of the box.
Custom The lookup service can be extended
to support custom data source via the
PingFederate SDK.
In addition to being able to generate SAML assertions from incoming tokens, the
PingFederate STS can also create assertions from claims and attributes.

49 Previous Next Table of Contents


Identity-Enabled Web Services
Generating New Security Tokens from SAML
Another use of the PingFederate STS
Java or .NET
Application
is to generate a new security token
from a SAML assertion that was
STS Client SDK transported over from another security
domain. Once generated, the new
Existing token can be used to represent the
New
SAML original identity in the local security
Security
Assertion domain.
Token

STS To do this, a program passes the


Token Generator for SAML assertion to a PingFederate
New Token Type STS that has the proper Token
Generator plug-in installed. The STS
then validates the SAML assertion,
To generate other creates an equivalent security token
Token Generators
types of tokens, use and returns it to the calling program.
Available from Ping Identity the Token Translator
SAML 1.1 SDK to build the This technique can be used for any
SAML 2.0 required STS plug-in. token type for which Ping Identity
OpenToken offers a Token Generator. It can also
be used for other token types by using
the Token Translator SDK to create a
A Service Provider can use an incoming SAML assertion as the basis for the custom token generator.
creation of a new, equivalent security token that works in the local security domain.

50 Previous Next Table of Contents


Universal Token Translation and the STS
Using the STS for Token Exchange
By combining the two previous
scenarios, it is possible to use the
PingFederate STS to exchange
Java or .NET virtually any security token type for
Application and equivalent token of any other
type.
STS Client SDK
New PingFederate uses SAML as an
Existing
Security intermediary to perform this operation.
Security The calling program needs only make
Token Token
two calls to perform this complex
operation: one to generate the
intermediary SAML assertion from the
New existing security token, and a second
SAML to generate the new token from the
Assertion SAML assertion.
STS STS

By making two calls to the PingFederate STS, it is a possible for a program to convert
virtually any security token into an equivalent token of another type.

51 Previous Next Table of Contents


Universal Token Translation and the STS
Identity-Enabled Web Services
This is the use case for which Security
Token Services were originally created. In
this scenario, a Web Service Provider
needs to know the identity of the maker of
requests to determine whether and how to
Identity Provider Service Provider
respond to the request. (Identity in this
context can mean person, application,
SAML
Web
# Web
system or any combination of the three.)

Service Service
Provider In this scenario, PingFederate can play a
Client role at the IdP, SP or both. On the IdP
! % side, the application acting as the client for
" SOAP Message $ the Identity-enabled Web Service uses the
PingFederate STS to generate a portable,
Local Local
extensible and secure SAML assertion
Security Security
Token Token from the userʼs local security token. It
incorporates the SAML assertion into the
PingFederate PingFederate header of the SOAP message it sends to
the Web service provider.

On the SP side, the application acting as


In this use case, the IdP use the STS to convert a local security token into a SAML the Web service provider role submits the
assertion for inclusion in a SOAP message. The SP who receives the message then incoming SAML assertion to the
uses the STS to create a token that works in its local security context. PingFederate STS to validate the
assertion and/or to generate an
equivalent local security token.

52 Previous Next Table of Contents


Universal Token Translation and the STS
Using the AmberPoint WS-Trust client
AmberPoint is the leading provider of
management solutions for composite
applications such as SOA-based

PingFederate systems. Utilizing a policy-based


approach, AmberPoint solutions
ensure system health by providing
STS visibility into and control of composite
applications, their constituent
components and the transactions
flowing across them.

Ping Identity and AmberPoint have


established a partnership under which
the companies have certified
AmberPointʼs WS-Trust client for use
with the PingFederate STS. Ping
Identity expects to certify additional
third party WS-Trust clients in the
WS-Trust Client future.

AmberPointʼs WS-Trust client has been certified for use with the PingFederate STS.

53 Previous Next Table of Contents


Universal Token Translation and the STS
Proprietary Token Exchange
A common use for Universal Token
Translation is a large company with
multiple security domains that encounters
Java or .Net situations where users whose identities
Application are managed in one domain need
programmatic access to applications
SiteMinder
! # IBM managed in another domain.
LTPA
Cookie Token In this scenario, PingFederate creates an
" IBM LTPA (Lightweight Third Party
Authentication) security token based on
attributes obtained from a SiteMinder
cookie. This gives the user access to the
target application without requiring the
IBM domain to maintain redundant
information about the user. It is not
SiteMinder Domain IBM Domain necessary to use any Web Services or
SOA technology to make this scenario
work.

This scenario can work for any token


types supported by PingFederate Token
PingFederate Translators, as well as custom token
translators created with the Token
In this example of local token translation, a user whose identity is managed by Translator SDK.
SiteMinder needs to gain access to an application protected by IBM.

54 Previous Next Table of Contents


Universal Token Translation and the STS
Securing REST with OAuth
At a recent Google Campfire event, Ping
Identity demonstrated a prototype of its
PingFederate software extended to use
the OAuth open source secure
authentication standard to identity-enable
REST-based Web Service requests. This
Google Sites My Datacenter allows an administrator to specify any
number of domains that are authorized to
! Web Service
Provider
submit requests.

$ " When a Web Service request comes in,


PingFederate uses OAuth to determine
Gadget Acts as
Web Service Client
Google Secure
Data Connector
# whether or not the request came from an
approved domain. The demonstration also
(REST/OAuth) showed how PingFederate could
centralize all necessary OAuth key
cryptography processing, eliminating the
PingFederate
need to perform key cryptography at every
application that accepts identity-enabled
Web Service calls.

REST and OAuth support are currently on


At a recent Google Campfire event, Ping Identity demonstrated a prototype of its the PingFederate development roadmap.
PingFederate software extended to use the OAuth open source secure If you are interested in these features,
authentication standard to identity-enable REST-based Web Service requests. please drop a line to
marketing@pingidentity.com.

55 Previous Next Table of Contents


Chapter 7

Advanced Capabilities

56 Previous Next Table of Contents


Advanced Capabilities
PingFederate Architecture

The PingFederate architecture


consists of three Internet Identity
PingFederate services: Identity Federation, SaaS
Provisioning and Security Token
Service.
Internet Identity Services
These three identity services share a
Identity Federation Service SaaS Provisioning Service Security Token Service common management environment
consisting of a management console,
management API and a set of SDKs
Management Services Runtime Services for extending functionality of the
Admin Key
system. They also share a set of
SDKs Logging Monitoring Clustering
Console Management runtime services including key
management, logging, monitoring,
License Express Account Attribute Data Store
Admin API
Keys Provisioning Linking Mapping Access clustering, attribute mapping, data
store access and several others.
Add-On Modules
A set of optional add-on modules
Integration Security Token
SaaS Connectors PingFederate Express extend PingFederate functionality to
Kits Translators
support specific use cases and
external systems.
The PingFederate architecture consists of three Internet Identity services
supported by a common set of management and runtime services.

57 Previous Next Table of Contents


Advanced Capabilities
Self-Contained Server Clustering
PingFederate provides built-in
clustering features that allow a group
of PingFederate servers to appear to
browsers and partner federation
servers as a single system.

In this configuration, all client traffic


normally goes though a load balancer,
which routes requests to the
PingFederate servers in the cluster.
User-session states and configuration
data are shared among the servers,
enabling them to process requests as
a single entity.

When deployed appropriately, server


clustering can facilitate high
availability of critical services.
Clustering can also increase
performance and overall system
throughput. Several configuration
options are available so users can
PingFederate includes the capability for multiple servers in multiple locations to be obtain the desired combination of
configured to act as a single entity to improve throughput and/or availability. availability and performance.

58 Previous Next Table of Contents


Advanced Capabilities
Programmatic Configuration Migration
PingFederate provides a configuration-
migration tool called ConfigCopy that
can be used for scripting the transfer of
administrative-console configurations
from one PingFederate server to
another—for example, from a test
environment to production.

This tool performs three processing


Dev/Test Server Production Server steps:
1. Retrieves configuration data from a
source PingFederate server
ConfigCopy
! Tool # 2. Modifies the configuration with any
changes required for the target
environment
"
3. Imports the updated configuration
into the target PingFederate server
Modify Configuration
Parameters (optional)
ConfigCopy can perform these
functions in real time, from server to
server, or by using an intermediate file.
ConfigCopy is a scriptable command-line tool that can translate part of all of a
PingFederate configuration from one server to another, such as from test to production.

59 Previous Next Table of Contents


Advanced Capabilities
Runtime Monitoring with SNMP and JMX
PingFederate supports runtime monitoring
and reporting through the Simple Network
Management Protocol (SNMP), a standard
used by network management consoles to
PingFederate monitor network and server activity across
an enterprise. Embedded within each
PingFederate server is an SNMP agent
that brokers the communication between
SNMP Agent JMX Server the management console and
PingFederate. PingFederate responds to
Get requests for total and failed
transactions. It also generates a
“heartbeat” Trap at regular intervals.
SNMP JMX
In addition, PingFederate supports runtime
monitoring and reporting through Java
Management Extensions (JMX). Similar to
Network SNMP, JMX technology represents a
Management JConsole Java-centric approach to application
or other JMX Client management and monitoring.
Console PingFederateʼs JMX server reports
monitoring data for SSO and SLO
transactions as well as for SaaS
Provisioning.
PingFederate supports runtime monitoring via both SNMP and JMX.

60 Previous Next Table of Contents


Advanced Capabilities
Logging, Compliance and ArcSight Partnership
PingFederate generates log files that
document the systemʼs activities including
actions performed by administrative
PingFederate console users, individual identity-
federation runtime transactions at
specified levels of detail,
PingFederate runtime and administrative
server activity, SaaS Provisioning activity
and HTTP requests.

Ping Identity has recently announced a


partnership with ArcSight, a leading
provider of security information and event
IdentityView management (SIEM) products. ArcSight
IdentityView, a specialized application built
on the ArcSight SIEM Platform, can
analyze logs created by PingFederate. It
Other SIEM can report on unauthorized user access
and monitor internal controls, providing
Products comprehensive collection and analysis of
Log Files user activity across an enterprise. In
partnership, these technologies will
provide a user monitoring solution that
extends from the enterprise to the Cloud.
PingFederate log files can be used as the basis for a Cloud compliance strategy using
ArcSight or another security information and event management (SIEM) product.

61 Previous Next Table of Contents


Advanced Capabilities
Auto-Connect
PingFederate allows organizations to
provide secure Internet SSO on the fly—
that is, without the need for configuring
partner-specific, browser-based SSO
Service Provider Identity Provider connection parameters. This feature—
Auto-Connect™—extends SAML 2.0 SP-
initiated SSO or SLO and metadata
PingFederate PingFederate specifications to enable deployments to
retrieve partner connection information
* $ securely on an as-needed basis.
App Engine Engine App
# Engine ' & The feature is especially useful to an SP
who wants to provide SSO capability to
more than one partner. A Software-as-a-
IdP White List SP White List Service (SaaS) provider, for example, can
provide SSO to innumerable clients
! % ) ( without specifying redundant connection
" information for each one. Auto-Connect
can also help an enterprise acting as an
IdP, to provide easily scalable SSO for
Browser multiple outsourced services.

For either an IdP or SP PingFederate


server, you can implement Auto-Connect
PingFederateʼs Auto-Connect allows organizations to provide Internet SSO on the fly, for any number of partners by configuring
without the need to pre-configure partner-specific SAML connections. a common initial setup and a list of
allowed domain names in white lists.

62 Previous Next Table of Contents


Advanced Capabilities
Anchored Trust Model Eliminates Cert Exchanges

During Setup • IdP Obtains Signing Certificate from a Trusted CA


of SAML • IdP Sends Signing Certificate and Subject Distinguished Name (DN) to SP (For
Connection PingFederate Express, this arrives as part of the configuration file)

During SSO • IdP includes its signing certificate in each SAML assertion it sends to the SP
Transactions • SP matches the Subject DN and the CA issuer against the values received at
connection setup
• SP validates the digital signature using the digital certificate included in the SAML
assertion

When IdP • When the IdPʼs certificate is about to expire, it can renew and start using the new
Certificate certificate to sign messages
Expires • As long as the IdP uses a new certificate with the same Subject DN and CA issuer,
the SAML connection keeps working

PingFederate 6.1 includes a new “anchored” trust model option that can eliminate annual partner certificate exchanges.
Used by default with PingFederate Express connections, the new anchored trust model can optionally be used wherever
PingFederate processes digital signatures.

63 Previous Next Table of Contents


Advanced Capabilities
FIPS 140-2, HSM and SafeNet LUNA Partnership
SafeNet provides complete security
utilizing its encryption technologies to
protect communications, intellectual
PingFederate property and digital identities, and
offers a full spectrum of products
including hardware, software, and
chips.

PingFederate provides out of box


integration with the SafeNet's Luna SA
Hardware Security Module (HSM). The
combination of these technologies
helps address the Federal Information
Processing Standard (FIPS) 140-2
regulation which requires storage and
processing of all keys and certificates
LUNA SA on a certified cryptographic module.
Hardware Security
Module (HSM) The FIPs requirement is broadly
adopted within the government,
financial, and healthcare industries.

PingFederate includes out-of-the-box integration with SafeNetʼs LUNA SA hardware


security module (HSM) for customers needing to comply with FIPS 140-2.

64 Previous Next Table of Contents


Who We Are

We are Ping Identity. We provide Internet We believe in open standards and in


Identity Security and Single Sign-On solutions that deploy without dependencies.
solutions to hundreds of enterprises Too many identity management solutions
worldwide. Our identity solutions enable are a nightmare to implement, or they force
secure access to Internet applications companies to install more than they need.
without the need to re-login again and Many identity management products donʼt
again. work without heavy lifting or expensive
customization.  We believe you should not
At Ping, we deliver products with have to compromise security, timelines, or
uncompromising quality and elegance, on success when attempting to connect to
time, every time. We make complex security SaaS providers, partners or customers, so
and integration challenges look simple, and weʼre taking Internet security in a new
we believe in the value of speed to success. direction - a simpler direction.
Our solutions deploy in hours or days, not
weeks or months.

65 Previous Next Table of Contents


© 2009 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingConnect, PingEnable, Auto-
Connect, PingFederate Express and the Ping Identity logo are trademarks, service marks or registered trademarks of
Ping Identity Corporation. All other trademarks or registered trademarks are the properties of their respective owners.
1a091015.