
| Introduction to PingFederate | 51

Identity provider integration


Identity provider (IdP) integration involves retrieving user-identity attributes from the IdP domain and
sending them to the PingFederate server.
An IdP is a system entity that authenticates a user, or “SAML subject,” and transmits referential identity
attributes based on that authentication to PingFederate. Typically, the IdP retrieves the identity attributes
from an authenticated user session. Depending on the IdP deployment and implementation environment, a
number of attribute-retrieval approaches are used for IdP integration. Ping Identity offers a broad range of
commercial integration kits that address various IdP scenarios, such as custom-application integration,
integration with a commercial identity management (IdM) product, or integration with an authentication
system.

i Tip:
For IdPs implementing single sign-on (SSO) to selected software as a service (SaaS) providers such as
Google Apps and Salesforce, PingFederate also provides automated user provisioning.

Copyright ©2021

Custom applications
Many applications use their own authentication mechanisms, typically through a database or LDAP
repository, and are responsible for their own user-session management. Custom-application integration
is necessary when there is limited or no access to the web or application server hosting the application.
Integration with these custom applications is handled by application-level integration kits, which allow
software developers to integrate their applications with a PingFederate server acting as an IdP.
With these integration kits, the application passes the identity attributes from its own authenticated user
session to PingFederate, which uses them to build the SAML assertion sent to the SP. Application-specific
integration kits include an IdP agent, which resides with the IdP application and provides a simple
programming interface for handing those attributes to the PingFederate server.
Ping Identity provides custom-application integration kits for a variety of programming environments,
including:
▪ Java
▪ .NET
▪ PHP
Ping Identity provides an Agentless Integration Kit, which allows developers to use direct HTTP calls to the
PingFederate server to temporarily store and retrieve user attributes securely, eliminating the need for an
agent interface.

IdM systems
An IdP enterprise that uses an IdM system expands the reach of the IdM domain to external partner
applications through integration with PingFederate. IdM integration kits typically use the IdM agent API


to access identity attributes in the IdM proprietary session cookie and transmit those attributes to the
PingFederate server.
IdM integration kits do not require any development; the PingFederate administrative console accomplishes
all integrations.
Ping Identity provides integration kits for many of the leading IdM systems, such as Oracle Access Manager.

Authentication systems
An authentication application or service normally handles initial user authentication outside of the
PingFederate server. To access applications outside the security domain, PingFederate authentication-
system integration kits leverage this local authentication.
Authentication integration kits do not require any development; the PingFederate administrative console
accomplishes all integrations with PingFederate. Ping Identity offers integration kits for authentication
systems including:
▪ X.509 Certificate
▪ RSA SecurID Integration Kit
▪ Symantec VIP Integration Kit
PingFederate also packages two IdP adapters, an HTML Form Adapter and an HTTP Basic Adapter, which
delegate user authentication to plugin password credential validators (PCVs). Supplied validators use either
an LDAP directory, RADIUS server, or a simple username/password verification system maintained by
PingFederate. Customized validators can also be developed. When the PingFederate IdP server receives an
authentication request for SP-initiated SSO or a user clicks a link for IdP-initiated SSO, PingFederate invokes
the implemented adapter and prompts the user for credentials, if the user is not already logged on.

Service provider integration


Service provider (SP) integration involves passing the identity attributes from PingFederate to the target SP
application.
An SP is the consumer of identity attributes provided by the identity provider (IdP) through a SAML assertion.
The SP application uses this information to set a valid session or other security context for the user,
represented by the identity attributes. Session creation involves a number of approaches. As for the IdP, Ping
Identity offers commercial integration kits that address the various SP scenarios. Most SP scenarios involve
custom-application integration, server-agent integration, integration with an identity management (IdM)
product, or integration with a commercial application.


Custom applications
Many applications use their own authentication mechanisms, typically through a database or LDAP
repository, and are responsible for their own user-session management. Custom-application integration
is necessary when there is limited or no access to the web or application server hosting the application.
Application-level integration kits handle integration with these custom applications and allow software
developers to integrate their applications with a PingFederate server acting as an SP.
With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the SP
application, which can then use them for its own authentication and session management. As for the
IdP, application-specific integration kits include an SP agent, which resides with the SP application and
provides a simple programming interface to extract the identity attributes sent from the PingFederate server.
The SP application can use this information to start a session for the user.
Ping Identity provides custom-application integration kits for a variety of programming environments,
including:
▪ Java
▪ .NET
▪ PHP
In addition, Ping Identity provides an Agentless Integration Kit, which allows developers to use direct HTTP
calls to the PingFederate server to temporarily store and retrieve user attributes securely, eliminating the
need for an agent interface.
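The Agentless Integration Kit paragraphs above (in both the IdP and SP sections) describe a drop-off / pick-up exchange: attributes are parked briefly on the PingFederate server, the browser carries only an opaque reference to the application, and the application fetches the attributes over an authenticated back-channel. The following is an added, runnable simulation of that exchange, not the kit's own code and not PingFederate's implementation: `ReferenceStore` stands in for the PingFederate endpoints, `sp_handle_redirect` is the SP application's side, and the TTL, reference size, credential names and sample attributes are assumptions constructed for the demo.

```python
"""Added example (not the Agentless Integration Kit's own code): a runnable
simulation of the reference-ID drop-off / pick-up exchange it describes.
ReferenceStore stands in for the PingFederate endpoints; sp_handle_redirect
is the SP application's side. TTL, REF size and credentials are assumptions."""
import base64
import hmac
import secrets
import time

REF_TTL_SECONDS = 60        # assumed: a REF is only valid briefly
REF_BYTES = 32              # assumed: 256 bits of randomness per REF


class ReferenceStore:
    """Stands in for PingFederate's drop-off and pick-up endpoints."""

    def __init__(self, pickup_user, pickup_password, clock=time.time):
        self._entries = {}                 # REF -> (expires_at, attributes)
        self._user, self._password = pickup_user, pickup_password
        self._clock = clock

    def dropoff(self, attributes):
        """Store attributes and hand back an opaque, single-use REF."""
        ref = secrets.token_urlsafe(REF_BYTES)
        self._entries[ref] = (self._clock() + REF_TTL_SECONDS, dict(attributes))
        return ref

    def pickup(self, ref, authorization):
        """Return (status, attributes). The caller must present HTTP Basic
        credentials; a successful pick-up deletes the entry so a captured
        REF cannot be replayed, and expired entries are never released."""
        if not self._authorized(authorization):
            return 401, None                   # nothing consumed on bad auth
        entry = self._entries.pop(ref, None)   # pop == single use
        if entry is None or self._clock() > entry[0]:
            return 404, None
        return 200, entry[1]

    def _authorized(self, header):
        if not header or not header.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(
                header[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return (hmac.compare_digest(user.encode(), self._user.encode())
                and hmac.compare_digest(password.encode(), self._password.encode()))


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def sp_handle_redirect(store, query_ref, user, password):
    """SP application side. The browser arrives with ?REF=<value>; the app
    treats that value as an opaque handle, never as identity data, and
    fetches the attributes server-to-server. Returns a session or None."""
    if not query_ref or len(query_ref) > 128:   # assumed sanity bound
        return None
    status, attrs = store.pickup(query_ref, basic_auth_header(user, password))
    if status != 200 or not attrs or "subject" not in attrs:
        return None
    return {"user": attrs["subject"], "attrs": attrs}


def demo():
    """Run the exchange once; returns (bad_auth, first, replay) results."""
    creds = ("sp-app", "correct horse battery staple")   # constructed
    store = ReferenceStore(*creds)
    # Constructed attributes, standing in for what PingFederate extracts
    # from the SAML assertion it received for this user.
    ref = store.dropoff({"subject": "jdoe@example.com", "groups": ["staff"]})
    bad_auth = sp_handle_redirect(store, ref, "sp-app", "wrong password")
    first = sp_handle_redirect(store, ref, *creds)
    replay = sp_handle_redirect(store, ref, *creds)
    return bad_auth, first, replay


if __name__ == "__main__":
    print(demo())
```

The properties worth checking in a real deployment are the ones the demo asserts: the reference is unguessable and short-lived, a failed credential check does not consume it, a successful pick-up consumes it so a reference leaked from a browser history or proxy log cannot be replayed, and the application never reads identity attributes from the query string itself.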

Server agents
Server-agent integration with PingFederate allows SP enterprises to accept SAML assertions and provide
single sign-on (SSO) to all applications running on that web or application server; there is no need to
integrate each application. Since integration occurs at the server level, server-agent integration maximizes


ease of deployment and scalability. Applications running on the web or application server must delegate
authentication to the server. If the application employs its own authentication mechanism, integration must
occur at the application level.
With server-agent integration kits, PingFederate sends the identity attributes from the SAML assertion to the
server agent, which is typically a web filter or Java Authentication and Authorization Service ( JAAS) Login
Module. The server agent extracts the identity attributes, which the server then uses to authenticate and
create a session for the user.
SP server-integration kits do not require any development work: the PingFederate administrative console
accomplishes all integrations with PingFederate.
Ping Identity provides integration kits for many web and application servers, including:
▪ Internet Information Services (IIS)
▪ Apache (Red Hat)
▪ Apache (Windows)
▪ NetWeaver
▪ WebSphere

IdM systems
IdM integration with PingFederate allows an SP enterprise to accept SAML assertions and provide SSO to
applications protected by the IdM domain. IdM integration kits typically use the IdM agent API to create an
IdM proprietary session token based on the identity attributes received from PingFederate.
IdM integration kits do not require any development; the PingFederate administrative console and the IdM
administration tool accomplish integration with PingFederate.
Ping Identity provides integration kits for leading IdM systems, such as Oracle Access Manager.

Commercial applications and SaaS


Commercial-application integration with PingFederate allows an SP enterprise to accept SAML assertions
and provide SSO to those commercial applications.
These integration kits do not require any development; the PingFederate administrative console
accomplishes all integrations.
Ping Identity offers integration kits to many commercial applications and SaaS vendors, including:
▪ Citrix
▪ SharePoint
▪ Box
▪ Google
▪ Office 365
▪ Salesforce
▪ Slack
▪ Workday
▪ Zendesk

Integrations and deployment scenarios


Ping Identity provides integrations that support many PingFederate deployment scenarios.
Here are some of the deployment scenarios that the integrations support:

Identity management
Identity management integrations allow PingFederate to extend the domain of identity systems to
include the partner applications that you integrate with PingFederate.


Authentication systems
Authentication systems allow users to authenticate with PingFederate through a variety of methods,
such as web forms and certificates.
Custom applications
Custom application integrations allow PingFederate to extend single sign-on capabilities to
applications that may not have access to a web or application server. They support a variety of
programming languages, including Java, .NET, and PHP.
Server agents
Server agents allow PingFederate to extend single sign-on abilities to applications running on a
variety of web servers.
Multi-factor authentication (MFA)
MFA integrations allow PingFederate to include third-party MFA providers as part of the sign-on flow.
Mobile device management (MDM)
Mobile device management integrations allow PingFederate to adjust the sign-on flow based on
device information.
Risk/Intelligence
Risk intelligence integrations allow PingFederate to retrieve a security risk assessment when a user
signs on. You can use this information to dynamically adjust authentication requirements based on
the risk level for each sign-on event.
Provisioning
Provisioning connectors allow PingFederate to propagate users and groups from a user directory to a
SaaS service. Connectors also include single sign-on integration with the service.
Social login
Cloud identity connectors allow PingFederate to use third-party identity provider services for single
sign-on. This allows users to sign on to PingFederate partner applications with popular social
platforms such as LinkedIn, Google, or Facebook.

For a current list of integrations, go to the Ping Identity Integration Directory.


For integrations documentation, go to Integrations Overview.

Security token service


The PingFederate WS-Trust Security Token Service (STS) allows organizations to extend single sign-on
(SSO) identity management (IdM) to web services.
The STS shares the core functionality of PingFederate, including console administration, identity and
attribute mapping, and certificate security management. With PingFederate, web services identify the end
user who has initiated a transaction across domains, providing enhanced service while simultaneously
ensuring appropriate information access and regulatory accountability. For information about WS-Trust and
the role of an STS, see Web services standards on page 37.
You can use PingFederate in many different scenarios to address different identity and security problems
as they relate to web services, service-oriented architecture (SOA), and Enterprise Service Buses. All of
these scenarios share a recommended architectural approach that uses a SAML assertion as the standard
security token shared between security domains. For more information, see WS-Trust STS on page 61.


[Figure: WS-Trust Security Token Service SSO]

OAuth authorization server


PingFederate can act as an OAuth authorization server (AS), allowing a resource owner to grant
authorization to a client requesting access to resources protected by a resource server (RS).
The OAuth AS issues tokens to clients on behalf of a resource owner for use in authorizing a subsequent API
call, typically, but not exclusively, a REST API. The PingFederate OAuth AS issues tokens to clients in several
different scenarios, including:
▪ A web application wants access to a protected resource associated with a user and needs the user's
consent.
▪ A native application client on a mobile device or tablet wants to connect to a user's online account and
needs the user's consent.
▪ An enterprise application client wants to access a protected resource hosted by a business partner,
customer, or software as a service (SaaS) provider.
For information about OAuth and the role of an AS, see OAuth 2.0 and PingFederate AS.
You can configure the PingFederate OAuth AS independently or in conjunction with security token service
(STS) and browser-based single sign-on (SSO) for either an identity provider (IdP) or a service provider (SP)
deployment. For more information, see About OAuth on page 64.

i Note:
OAuth AS capabilities might require additional licenses. For more information, contact
sales@pingidentity.com.


User account management


Typically, the identity provider (IdP) repository maintains user accounts in an identity federation. However,
a service provider (SP) often has its own set of user accounts, which might not always correspond to IdP
users.
The SP might need to establish and maintain parallel accounts for remote single sign-on (SSO) users to
enforce authorization policy, customize user experience, comply with regulations, or a combination of such
purposes.
PingFederate provides two kinds of user provisioning for browser-based SSO to facilitate cross-domain
account management, one designed for an IdP, and one for an SP:
▪ At an IdP site, an administrator automatically provisions and maintains user accounts for partner SPs
that have implemented the System for Cross-domain Identity Management (SCIM) or, when using optional
plugin software as a service (SaaS) connectors, for selected hosted-software providers.
▪ At an SP site, an administrator provisions accounts within the organization automatically from SCIM-
enabled IdPs or uses information from SAML assertions received during SSO events.
For more information, see User provisioning on page 87.

Enterprise deployment architecture


PingFederate's enterprise-deployment architecture manages all protocol definitions, public key
infrastructure (PKI) keys, policies, profiles, and so forth in a single location, eliminating the need to maintain
redundant copies of these configurations and trust relationships.
When you need to add new protocols, profiles, or use cases, you configure them once to make them
available to your entire organization.
PingFederate improves security by creating a single “doorway” through which all identity information must
travel regardless of who the users are or in which direction they travel. Internal users accessing external
applications and external users accessing internal systems both use the same doorway.
The single-doorway approach provides 100% visibility for all federation activities. PingFederate's extensive
auditing and logging capabilities enable you to satisfy all of your logging-related compliance and service-
level requirements from a single location, instead of needing to acquire and consolidate disparate logs from
throughout your organization.
PingFederate reduces complexity and learning curves by providing a single configuration model supporting
different protocols. The administrative console minimizes the potential for errors by guiding administrators
through configuration steps applicable only to the business use cases they need to support.

i Tip:
For identity providers (IdPs), PingFederate provides connection templates to automatically configure many
steps in the administrative console for several use cases, including setting up SSO connections to selected
SaaS vendors. For more information, see Outbound provisioning for IdPs on page 87.

Additional features
PingFederate’s lightweight, standalone architecture allows its server to integrate and coexist with existing
home-grown and commercial identity management (IdM) systems and applications to provide the benefits
of standards-based single sign-on (SSO) and API security integration without the cost and complexity of
deploying a complete IdM system.


Integration kits
PingFederate provides a suite of quick-install integration kits configured from within the PingFederate
administrative console to complete the first- and last-mile integration with your existing IdM systems and
web applications. Download PingFederate integration kits from the Ping Identity Downloads website.

[Figure: Multiple security-domain, multi-protocol federation]

Integration kits enable rapid session integration with both existing authentication services and target
applications. PingFederate also includes a Software Development Kit (SDK) for creating custom integrations.
For more information, see SSO integration kits and adapters on page 73.

Token translators
Ping Identity offers special token processors for an IdP and token generators for an SP to enable the WS-
Trust security token service (STS) to validate and issue a variety of token types. These plug-ins supplement
built-in SAML token processing and generation and handle the local identity tokens required in many
security contexts. For more information, see Token processors and generators on page 62.

SaaS connectors
SaaS connectors offer a streamlined approach for browser-based SSO to selected SaaS providers, including
automatic user provisioning and deprovisioning. The connector packages include quick-connection
templates, which automatically configure endpoints and other connection information for each provider. For
more information, see Outbound provisioning for IdPs on page 87.

Cloud identity connectors


Ping Identity offers social identity integration with social networking sites, including Google, Yahoo!, Twitter,
LinkedIn, and Facebook. Connectors leverage OpenID 2.0 or user logins for registration and access to cloud-
based applications.

About PingOne
PingOne for Enterprise is a cloud-based identity as a service (IDaaS) framework for secure identity access
management. Integrating PingOne for Enterprise with PingFederate provides a powerful solution combining the
benefits of an on-premises deployment with the flexibility of a cloud solution.
For more information on PingOne, see PingOne for Enterprise.

Key concepts
This section provides background information and preparation to help administrators understand and use
PingFederate.

Connection Types
PingFederate features an integrated administrative console for configuring connections to identity-
federation partners. The four connection types include:


▪ Browser-based single sign-on (SSO) – In PingFederate, this term refers to standards-based secure SSO,
which generally depends on a user's browser to transport identity assertions and other messaging between
partner endpoints. For more information, see Supported standards on page 19.
▪ WS-Trust security token service (STS) – Employs the PingFederate STS, which enables web service
clients (WSCs) and web service providers (WSPs) to extend SSO to identity-enabled web services at
provider sites. For more information, see the WS-Trust STS on page 61. These standards, including
WS-Trust, do not rely on the user's browser for message transport.
▪ OAuth Assertion Grant – Exchanges a SAML assertion or a JSON Web Token for an OAuth access token
with the PingFederate authorization server (AS). For more information, see About OAuth on page 64.
▪ Provisioning – Provides automated cross-domain inbound and outbound user management. For more
information, see User provisioning on page 87.
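The OAuth Assertion Grant item above exchanges a SAML assertion or JSON Web Token for an access token. The JWT form of that exchange is RFC 7523: the client POSTs a signed JWT to the token endpoint as `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`, and the AS must validate issuer, signature, audience, expiry and replay before minting a token. The following is an added example showing both sides; it is not PingFederate code. HS256 with a shared secret stands in for the certificate-based signature PingFederate would verify against a partner's signing certificate, and the endpoint URL, issuer name, keys and claims are assumptions constructed for the demo.

```python
"""Added example (not PingFederate code): the JWT-bearer assertion grant
(RFC 7523) with both sides shown. HS256 with a shared secret stands in for
the certificate signature a real AS verifies; endpoint, keys and claims are
demo assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"      # assumed
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Issuer side: compact JWS over the claims (HS256 for the demo)."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def client_build_token_request(assertion, scope):
    """Client side: the form body POSTed to the AS token endpoint."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion,
                      "scope": scope})


class AssertionGrantAS:
    """Authorization-server side of the exchange."""

    def __init__(self, issuer_keys, audience, clock=time.time):
        self.issuer_keys = issuer_keys    # trusted issuer -> verification key
        self.audience = audience          # this AS, as named in the 'aud' claim
        self.clock = clock
        self.seen_jti = set()             # replay cache (in-memory for the demo)

    def token(self, form_body):
        params = {k: v[0] for k, v in parse_qs(form_body).items()}
        if params.get("grant_type") != JWT_BEARER:
            return 400, {"error": "unsupported_grant_type"}
        claims = self._verify(params.get("assertion", ""))
        if claims is None:
            return 400, {"error": "invalid_grant"}
        return 200, {"access_token": secrets.token_urlsafe(32),
                     "token_type": "Bearer", "expires_in": 3600,
                     "scope": params.get("scope", ""), "sub": claims["sub"]}

    def _verify(self, jwt):
        parts = jwt.split(".")
        if len(parts) != 3:
            return None
        try:
            header = json.loads(_b64url_decode(parts[0]))
            claims = json.loads(_b64url_decode(parts[1]))
            sig = _b64url_decode(parts[2])
        except (ValueError, UnicodeDecodeError):
            return None
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return None
        key = self.issuer_keys.get(claims.get("iss"))
        if header.get("alg") != "HS256" or key is None:
            return None    # unknown issuer or unexpected alg: reject before crypto
        expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        exp, jti = claims.get("exp"), claims.get("jti")
        if (claims.get("aud") != self.audience or not isinstance(exp, (int, float))
                or exp <= self.clock() or not claims.get("sub")
                or not jti or jti in self.seen_jti):
            return None
        self.seen_jti.add(jti)
        return claims


def demo():
    """One good exchange, then a replay and a forged assertion."""
    key = b"shared-secret-for-the-demo-only"                      # constructed
    auth_server = AssertionGrantAS({"https://idp.example.com": key}, TOKEN_ENDPOINT)
    now = int(time.time())
    claims = {"iss": "https://idp.example.com", "sub": "jdoe@example.com",
              "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + 300,
              "jti": secrets.token_hex(8)}
    request = client_build_token_request(sign_jwt(claims, key), "read:files")
    ok = auth_server.token(request)
    replay = auth_server.token(request)       # same jti: rejected
    forged = auth_server.token(client_build_token_request(
        sign_jwt({**claims, "sub": "admin", "jti": "x"}, b"attacker-key"), "read:files"))
    return ok, replay, forged


if __name__ == "__main__":
    print(demo())
```

The order of checks is deliberate: the issuer is looked up and the algorithm pinned before any signature verification, so an assertion naming an unknown issuer or an unexpected `alg` is rejected without touching key material; audience, expiry, subject and `jti` replay are checked only after the signature holds.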

WS-Trust STS
PingFederate WS-Trust STS allows organizations to extend SSO identity management (IdM) to web
services. For more information, see About WS-Trust STS.

OAuth
You can configure PingFederate to act as an OAuth authorization server (AS), allowing a resource owner to
grant authorization to an OAuth client requesting access to resources hosted by a resource server (RS). For
more information, see About OAuth.

SSO integration kits and adapters


PingFederate provides bundled and separate integration kits that include adapters that plug into the
PingFederate server and agent toolkits that interface with local IdM systems or applications as needed. For
more information, see SSO integration kits and adapters.

Security infrastructure
PingFederate security infrastructure supports encrypted messaging, certificates, and digital signing. For
more information, see Security infrastructure.

Hierarchical plugin configuration


PingFederate allows you to use a configuration of an adapter as a parent instance from which you can
create child instances. For more information, see Hierarchical plugin configurations.

Identity mapping
PingFederate enables identity mapping between domains. For more information, see Identity mapping.

User attributes
Federation transactions require the transmission of a unique piece of information that identifies the user for
identity mapping between security domains. For more information, see User attributes.

User provisioning
PingFederate provides cross-domain user provisioning and account management. For more information,
see User provisioning.

Customer identity and access management


PingFederate empowers administrators to deliver a secure and easy-to-use customer authentication,
registration, and profile management solution. For more information, see Customer identity and access
management.
