Identity Provider Integration
Tip:
For IdPs implementing single sign-on (SSO) to selected software as a service (SaaS) providers such as
Google Apps and Salesforce, PingFederate also provides automated user provisioning.
Copyright ©2021
| Introduction to PingFederate | 52
Custom applications
Many applications use their own authentication mechanisms, typically through a database or LDAP
repository, and are responsible for their own user-session management. Custom-application integration
is necessary when there is limited or no access to the web or application server hosting the application.
Integration with these custom applications is handled by application-level integration kits, which allow
software developers to integrate their applications with a PingFederate server acting as a service provider
(SP).
With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the
SP application, which then uses them for its own authentication and session management. As for the
IdP, application-specific integration kits include an SP agent, which resides with the SP application and
provides a simple programming interface to extract the identity attributes sent from the PingFederate server.
PingFederate can use this information to start a session for the SP application.
Ping Identity provides custom-application integration kits for a variety of programming environments,
including:
▪ Java
▪ .NET
▪ PHP
Ping Identity provides an Agentless Integration Kit, which allows developers to use direct HTTP calls to the
PingFederate server to temporarily store and retrieve user attributes securely, eliminating the need for an
agent interface.
IdM systems
An IdP enterprise that uses an IdM system expands the reach of the IdM domain to external partner
applications through integration with PingFederate. IdM integration kits typically use the IdM agent API
to access identity attributes in the IdM proprietary session cookie and transmit those attributes to the
PingFederate server.
IdM integration kits do not require any development; the PingFederate administrative console accomplishes
all integrations.
Ping Identity provides integration kits for many of the leading IdM systems, such as Oracle Access Manager.
Authentication systems
An authentication application or service normally handles initial user authentication outside of the
PingFederate server. To access applications outside the security domain, PingFederate authentication-
system integration kits leverage this local authentication.
Authentication integration kits do not require any development; the PingFederate administrative console
accomplishes all integrations with PingFederate. Ping Identity offers integration kits for authentication
systems including:
▪ X.509 Certificate
▪ RSA SecurID Integration Kit
▪ Symantec VIP Integration Kit
PingFederate also packages two IdP adapters, an HTML Form Adapter and an HTTP Basic Adapter, which
delegate user authentication to plugin password credential validators (PCVs). Supplied validators use either
an LDAP directory, RADIUS server, or a simple username/password verification system maintained by
PingFederate. Customized validators can also be developed. When the PingFederate IdP server receives an
authentication request for SP-initiated SSO or a user clicks a link for IdP-initiated SSO, PingFederate invokes
the implemented adapter and prompts the user for credentials, if the user is not already logged on.
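To make the delegation in this paragraph concrete, here is an added Python model (illustrative code, not PingFederate's SDK or anything from this guide) of an HTTP Basic style IdP adapter that skips the prompt when a session already exists and otherwise passes the credentials down a chain of password credential validators; the function names, the salted-hash user table and the chain order are all assumptions.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed stand-in for the "simple username/password" table PingFederate maintains:
# usernames map to salted SHA-256 password hashes (salt and user are made up).
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

def simple_pcv(username: str, password: str) -> Optional[Dict[str, str]]:
    """Supplied-style validator: constant-time check against the local table."""
    stored = _USERS.get(username)
    candidate = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    if stored is None or not hmac.compare_digest(stored, candidate):
        return None
    return {"username": username, "validator": "simple"}

# The adapter accepts the first validator that returns attributes; the lambda stands in
# for a directory-backed (LDAP/RADIUS) validator that declines so the chain falls through.
PCV_CHAIN = [lambda username, password: None, simple_pcv]

def make_basic_header(username: str, password: str) -> str:
    """Client side: build an RFC 7617 'Basic <base64>' Authorization value."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")

def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode the header into (username, password); None on any malformed input."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = raw.partition(":")
    return (username, password) if sep else None

def http_basic_adapter(headers: Dict[str, str], session: dict) -> Tuple[Optional[dict], bool]:
    """Adapter step: returns (attributes, prompt_needed). An existing session skips the
    prompt; otherwise credentials go to the PCV chain and any failure re-prompts."""
    if "user" in session:
        return dict(session["user"]), False
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None:
        return None, True
    for validator in PCV_CHAIN:
        attrs = validator(*creds)
        if attrs:
            session["user"] = attrs
            return attrs, False
    return None, True
```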
Custom applications
Many applications use their own authentication mechanisms, typically through a database or LDAP
repository, and are responsible for their own user-session management. Custom-application integration
is necessary when there is limited or no access to the web or application server hosting the application.
Application-level integration kits handle integration with these custom applications and allow software
developers to integrate their applications with a PingFederate server acting as an SP.
With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the SP
application, which can then use them for its own authentication and session management. As for the
IdP, application-specific integration kits include an SP agent, which resides with the SP application and
provides a simple programming interface to extract the identity attributes sent from the PingFederate server.
PingFederate can use this information to start a session for the SP application.
Ping Identity provides custom-application integration kits for a variety of programming environments,
including:
▪ Java
▪ .NET
▪ PHP
In addition, Ping Identity provides an Agentless Integration Kit, which allows developers to use direct HTTP
calls to the PingFederate server to temporarily store and retrieve user attributes securely, eliminating the
need for an agent interface.
Server agents
Server-agent integration with PingFederate allows SP enterprises to accept SAML assertions and provide
single sign-on (SSO) to all applications running on that web or application server; there is no need to
integrate each application. Since integration occurs at the server level, server-agent integration maximizes
ease of deployment and scalability. Applications running on the web or application server must delegate
authentication to the server. If the application employs its own authentication mechanism, integration must
occur at the application level.
With server-agent integration kits, PingFederate sends the identity attributes from the SAML assertion to the
server agent, which is typically a web filter or Java Authentication and Authorization Service (JAAS) Login
Module. The server agent extracts the identity attributes, which the server then uses to authenticate and
create a session for the user.
SP server-integration kits do not require any development work: the PingFederate administrative console
accomplishes all integrations with PingFederate.
Ping Identity provides integration kits for many web and application servers, including:
▪ Internet Information Services (IIS)
▪ Apache (Red Hat)
▪ Apache (Windows)
▪ NetWeaver
▪ WebSphere
IdM systems
IdM integration with PingFederate allows an SP enterprise to accept SAML assertions and provide SSO to
applications protected by the IdM domain. IdM integration kits typically use the IdM agent API to create an
IdM proprietary session token based on the identity attributes received from PingFederate.
IdM integration kits do not require any development; the PingFederate administrative console and the IdM
administration tool accomplish integration with PingFederate.
Ping Identity provides integration kits for leading IdM systems, such as Oracle Access Manager.
Identity management
Identity management integrations allow PingFederate to extend the domain of identity systems to
include the partner applications that you integrate with PingFederate.
Authentication systems
Authentication systems allow users to authenticate with PingFederate through a variety of methods,
such as web forms and certificates.
Custom applications
Custom application integrations allow PingFederate to extend single sign-on capabilities to
applications that may not have access to a web or application server. They support a variety of
programming languages, including Java, .NET, and PHP.
Server agents
Server agents allow PingFederate to extend single sign-on abilities to applications running on a
variety of web servers.
Multi-factor authentication (MFA)
MFA integrations allow PingFederate to include third-party MFA providers as part of the sign-on flow.
Mobile device management (MDM)
Mobile device management integrations allow PingFederate to adjust the sign-on flow based on
device information.
Risk/Intelligence
Risk intelligence integrations allow PingFederate to retrieve a security risk assessment when a user
signs on. You can use this information to dynamically adjust authentication requirements based on
the risk level for each sign-on event.
Provisioning
Provisioning connectors allow PingFederate to propagate users and groups from a user directory to a
SaaS service. Connectors also include single sign-on integration with the service.
Social login
Cloud identity connectors allow PingFederate to use third-party identity provider services for single
sign-on. This allows users to sign on to PingFederate partner applications with popular social
platforms such as LinkedIn, Google, or Facebook.
Note: OAuth AS capabilities might require additional licenses. For more information, contact
sales@pingidentity.com.
Tip:
For identity providers (IdPs), PingFederate provides connection templates to automatically configure many
steps in the administrative console for several use cases, including setting up SSO connections to selected
SaaS vendors. For more information, see Outbound provisioning for IdPs on page 87.
Additional features
PingFederate’s lightweight, standalone architecture allows its server to integrate and coexist with existing
home-grown and commercial identity management (IdM) systems and applications to provide the benefits
of standards-based single sign-on (SSO) and API security integration without the cost and complexity of
deploying a complete IdM system.
Integration kits
PingFederate provides a suite of quick-install integration kits configured from within the PingFederate
administrative console to complete the first- and last-mile integration with your existing IdM systems and
web applications. Download PingFederate integration kits from the Ping Identity Downloads website.
Integration kits enable rapid session integration with both existing authentication services and target
applications. PingFederate also includes a Software Development Kit (SDK) for creating custom integrations.
For more information, see SSO integration kits and adapters on page 73.
Token translators
Ping Identity offers special token processors for an IdP and token generators for an SP to enable the WS-
Trust security token service (STS) to validate and issue a variety of token types. These plug-ins supplement
built-in SAML token processing and generation and handle the local identity tokens required in many
security contexts. For more information, see Token processors and generators on page 62.
SaaS connectors
SaaS connectors offer a streamlined approach for browser-based SSO to selected SaaS providers, including
automatic user provisioning and deprovisioning. The connector packages include quick-connection
templates, which automatically configure endpoints and other connection information for each provider. For
more information, see Outbound provisioning for IdPs on page 87.
About PingOne
PingOne for Enterprise is a cloud-based identity as a service (IDaaS) framework for secure identity access
management. Integrating PingOne for Enterprise with PingFederate provides a powerful solution combining the benefits
of an on-premise deployment with the flexibility of a cloud solution.
For more information on PingOne, see PingOne for Enterprise.
Key concepts
This section provides background information and preparation to help administrators understand and use
PingFederate.
Connection Types
PingFederate features an integrated administrative console for configuring connections to identity-
federation partners. The four connection types include:
▪ Browser-based SSO – As used in this guide, this term refers to standards-based secure SSO, which generally depends on a user's browser to transport
identity assertions and other messaging between partner endpoints. For more information, see
Supported standards on page 19.
▪ WS-Trust security token service (STS) – Employs the PingFederate STS, which enables web service
clients (WSCs) and web service providers (WSPs) to extend SSO to identity-enabled web services at
provider sites. For more information, see the WS-Trust STS on page 61. These standards, including
WS-Trust, do not rely on the user's browser for message transport.
▪ OAuth Assertion Grant – Exchanges a SAML assertion or a JSON Web Token for an OAuth access token
with the PingFederate authorization server (AS). For more information, see About OAuth on page 64.
▪ Provisioning – Provides automated cross-domain inbound and outbound user management. For more
information, see User provisioning on page 87.
WS-Trust STS
PingFederate WS-Trust STS allows organizations to extend SSO identity management (IdM) to web
services. For more information, see About WS-Trust STS.
OAuth
You can configure PingFederate to act as an OAuth authorization server (AS), allowing a resource owner to
grant authorization to an OAuth client requesting access to resources hosted by a resource server (RS). For
more information, see About OAuth.
Security infrastructure
PingFederate security infrastructure supports encrypted messaging, certificates, and digital signing. For
more information, see Security infrastructure.
Identity mapping
PingFederate enables identity mapping between domains for For more information, see Identity mapping.
User attributes
Federation transactions require the transmission of a unique piece of information that identifies the user for
identity mapping between security domains. For more information, see User attributes.
User provisioning
PingFederate provides cross-domain user provisioning and account management. For more information,
see User provisioning.