Вы находитесь на странице: 1из 59


Product Guide
Table of Contents
Table of Contents ������������������������������������������������������������������� 2 Chapter 4: Automated Cloud User Provisioning 26
Chapter 1: PingFederate Overview 4 Overview ������������������������������������������������������������������������������ 27
What is PingFederate? ������������������������������������������������������������ 5 Outbound Provisioning �������������������������������������������������������� 28
PingFederate 7 New Features ������������������������������������������������� 6 Inbound Provisioning ����������������������������������������������������������� 29
Identity & Security Capabilities ������������������������������������������������ 7 Just-in-Time Provisioning ������������������������������������������������������� 30
Enterprise Identity Bridge �������������������������������������������������������� 8 Just-in-Time and SaaS Provisioning Compared ����������������������� 31
Enabling Cloud SSO ���������������������������������������������������������������� 9 Chapter 5: API Security 32
Enterprise Federation Platform Portfolio Capabilities �������������� 10 Overview ������������������������������������������������������������������������������ 33
Chapter 2: Cloud Identity Use Cases 11 OAuth 2�0 Overview ������������������������������������������������������������� 34
Overview ������������������������������������������������������������������������������ 12 OAuth 2�0 – Mobile Application Access ��������������������������������� 35
1� Workforce to Cloud ���������������������������������������������������������� 13 OAuth 2�0 – Mobile Applications with Single Sign-On ����������� 36
PingFederate Works with these SaaS Apps and More ������������ 14 OAuth 2�0 – Server Clients ���������������������������������������������������� 37
2� Single Sign-On for Client-Facing Applications��������������������� 15 OpenID Connect������������������������������������������������������������������� 38
3� Single Sign-On for Consumer-Facing Applications �������������� 16 PingFederate STS Overview �������������������������������������������������� 39
4� Third-Party Service Aggregation ���������������������������������������� 17 PingFederate STS and SOAP Requests ����������������������������������� 40
5� Single Sign-On for External Business Partners �������������������� 18 PingFederate STS and SOAP Responses ��������������������������������� 41
6� Internal Single Sign-On ����������������������������������������������������� 19 PingFederate STS with Windows Identity Foundation (WIF) and
ADFS v2 ������������������������������������������������������������������������������� 42
Chapter 3: Integrations 20 PingFederate STS for Token Exchange ����������������������������������� 43
PingFederate Integrations ������������������������������������������������������ 21
Integration Kits ��������������������������������������������������������������������� 22
Cloud Identity Connectors ���������������������������������������������������� 23
SaaS Connectors ������������������������������������������������������������������ 24
Token Translators ������������������������������������������������������������������ 25

Page Table of Contents 2

Table of Contents (cont’d)
Chapter 6: Adaptive Federation 44
Adaptive Federation�������������������������������������������������������������� 45
Authentication Rules ������������������������������������������������������������� 46
Authentication Chaining ������������������������������������������������������� 47
Identity Attribute Aggregation ���������������������������������������������� 48
Token Authorization ������������������������������������������������������������� 49
Chapter 7: Logging and Monitoring 50
Overview ������������������������������������������������������������������������������ 51
ArcSight CEF Integration ������������������������������������������������������� 52
Logging to a Database ���������������������������������������������������������� 53
Runtime Monitoring with SNMP and JMX ����������������������������� 54
Chapter 8: Advanced Capabilities 55
OAuth Authorization Server Integration��������������������������������� 56
Enterprise Readiness ������������������������������������������������������������� 57
FIPS 140-2, HSM ������������������������������������������������������������������� 58
About Ping Identity | The Identity Security Company 59

Page Table of Contents 3

Chapter 1
PingFederate Overview

Page Table of Contents 4

What is PingFederate?

PingFederate is the leading enterprise identity bridge for standards-based federated identity management� By integrating
silos of identity and applications inside your enterprise, across partners and into the cloud, PingFederate enables
federated single sign-on and identity management, secure mobile access, API security, social identity integration and
automated user provisioning�
Integrates with your existing IT infrastructure easily
Supports hundreds of workforce, customer, partner and consumer identity & application integration use cases

Works with PingOne to streamline integration with hundreds of commercial SaaS applications

Page Table of Contents 5

Page TitleOverview
PingFederate 7 New Features

SCIM Support OpenID Connect

Enable the lightweight, automated OpenID Connect is an emerging
provisioning and deprovisioning of authentication and authorization standard
users� New support in PingFederate for from the OpenID Connect Foundation� It
SCIM (System for Cross-domain Identity consolidates access control for both web
Management) automates inbound and applications and APIs into one, making it
outbound user provisioning for corporate easier to secure web applications and their
directories and SaaS providers� User underlying API’s� It enables developers to
identities are synchronized with applications quickly develop identity-aware secure web
inside, outside and across the enterprise� and mobile applications leveraging their
SCIM automates and standardizes what used existing identity investments� PingFederate
to be either a manual or proprietary process� delivers a single platform handling OpenID
Connect as well as SAML, WS-Federation,
WS-Trust and OAuth�

Page Table of Contents 6

Identity & Security Capabilities

Cloud Single Sign-On and Federated Identity Using Partner Onboarding PingOne™ Application Provider
trusted standard identity protocols , PingFederate allows Services helps service providers (application owners) quickly,
employees, consumers, customers and partners to access easily and cost-effectively establish a SAML connection with
multiple cloud resources using a single username and a PingFederate identity provider�
password� PingFederate can also interact with multiple data
Your SaaS Providers, Partners,
Your Organization Suppliers and Customers
Secure Mobile Access PingFederate provides secure
access to cloud resourcesfrom tablets, smartphones and Em

other mobile devices—whether via native mobile apps Apps

Cloud Single Sign-On & Federated Identity
(OAuth) or a mobile browser� Apps

Automated Cloud User Provisioning PingFederate bile Users

automatically creates, updates and disables user accounts AP

Secure Mobile Access Apps

for cloud applications� PingFederate supports just-in-
time, outbound and inbound provisioning, and the SCIM
standard� This enables the rapid provisioning and de-
provisioning of users to reduce administrative overhead� Automated Cloud User Provisioning
API Security Using industry standards, PingFederate’s
Security Token Service and Authorization Server allows API

API Security
developers to add identity information to their SOAP (WS-
Trust) or REST-based (OAuth) API calls�
Simple Cloud Access CloudDesktop provides a single
point of access to public and private cloud applications for
employees and partners�

Page Table of Contents 7

Enterprise Identity Bridge

Administration Console Management Services

Integration Kits
Cloud Single Sign-On
Cloud & Federated
Single Sign-On Identity
SaaS Connectors
Secure Mobile Access
Cloud Identity Connectors Runtime
Automated Cloud User Provisioning Services
Token Translators

CloudDesktop API Security

Logging & Monitoring

PingFederate extends your existing identity investments� It integrates and interoperates with the directory servers, LDAP,
web access management (WAM) tools and other systems you already have in place� By providing quick connection
templates and supporting social identity integration, PingFederate speeds user onboarding and improves customer

Page Table of Contents 8

Enabling Cloud SSO

Mobile Devices Wo Browsers
Service Provider



SAML Open ID OAuth

WS-Trust WS-Federation
SCIM OpenID Connect

PingFederate provides Cloud SSO by supporting the Both parties in a Cloud SSO transaction need software that
Security Assertion Markup Language (SAML) and WS- supports the same identity protocol� This software must
integrate with existing identity infrastructure at the IdP, and
it must integrate with the application environment at the
Both standards work by securely transmitting information
SP� With this connection established, it is possible for the
about the user from the organization that maintains an
IdP to send information about the user to the SP and gain
account for that user (called the Identity Provider, or IdP) to
access to the web application or resource�
the organization providing the desired web application or
resource (called the Service Provider, or SP)�

Page Table of Contents 9

Enterprise Federation Platform Portfolio Capabilities

Federation Standard SAML Bindings Logging, Monitoring & HA

Support HTTP Post File-based
SAML 1�0 HTTP Artifact Common Event Format (CEF)
SAML 1�1 HTTP Redirect Database
SAML 2�0 SOAP Published MIB
WS-Federation JMX Support
OpenID Key Capabilities N node Clustering
OpenIDConnect IdP-Initiated SSO Supporting Capabilities
OAuth 2�0 SP-Initiated SSO Metadata Exchange
SCIM Single Log-Out 80+ Integration Kits
WS-Security Attribute Query & XASP Integration with Thales nShield
WS-Trust IdP Discovery Password Management
WS-Federation Account Linking Integration with MDM products
Account Mapping Support for O365 (active and
Federation Roles Adaptive Authentication passive)
Identity Provider (IdP) LDAP
Service Provider (SP) JDBC Kantara/Liberty Alliance
Custom (via SDK)
Identity Bridge
Password Management
SAML Interop Certifications
IdP Discovery IdP Lite
Token Validation Service Browser-based Access Portal
SP Lite
Token Exchange Service iOS Access Portal
Authorization Server Multifactor Authentication
Policy Service
API Gateway Express Provisioning Deployment Options
Identity Bridge On-premise
Certificate Validation Cloud only
Trust Models CRL Hybrid (Integrated Cloud &
Unanchored OCSP On-premise)

Page Table of Contents 10

Chapter 2
Cloud Identity Use Cases

Page Table of Contents 11



Whether you’re implementing cloud SSO to boost Six examples of identity use cases are:
employee productivity and partner collaboration or to
1� Workforce to the Cloud
enhance the customer experience, PingFederate supports
the most ambitious enterprise identity security initiatives� 2� Single Sign-On for Client-Facing Applications
Using standards-based protocols, PingFederate leverages 3� Single Sign-On for Consumer-Facing Applications
existing enterprise identities to access cloud-based
applications and accepts partner, customer and consumer 4� Third-Party Service Aggregation
identities to access both cloud-based and internal 5� Single Sign-On for External Business Partners
6� Internal Single Sign-On

Page Table of Contents 12

Cloud Identity Use Cases
1. Workforce to Cloud
Public Apps Employees and partners use their
rkforce corporate credentials to access service
Mobile Devices Wo Browsers
providers, such as SaaS, BPOs and partner
applications� Virtually every major SaaS
provider now supports standards-based
cloud SSO� Connecting with a SaaS

Stronger security
Simpler password policy
Centralized cloud access control
Streamlined identity

Private Apps For a complete list of our SaaS partners,

please see https://www�pingidentity�com/

Page Table of Contents 13

Cloud Identity Use Cases
PingFederate Works with these SaaS Apps and More
Communications, Compliance, Risk,
Analytics/ Collaboration CRM HRM/HCM
Marketing, Media Management

Page Table of Contents 14

Cloud Identity Use Cases
2. Single Sign-On for Client-Facing Applications
Give customers secure access to your
Your Customers Your Cloud applications with cloud SSO using their
Applications own corporate credentials�

apps include:
A better user experience,
leading to improved
OPEN adoption,utilization and day-to-

Reduced risk of password theft

Less risk of unauthorized access
to critical business applications
and data

Page Table of Contents 15

Cloud Identity Use Cases
3. Single Sign-On for Consumer-Facing Applications
Instead of registering new user names and
Cloud Identity Providers passwords, consumers gain instant access
to your applications using their Facebook,
Your Cloud Yahoo, LinkedIn, Twitter or other cloud
Applications identity provider accounts� That’s one less
password for them to remember and one
less user account for you to create��

STANDARDS include:
Makes it easier for consumers
to do business with you
Creates a more personalized
user experience
Reduces identity management

Page Table of Contents 16

Cloud Identity Use Cases
4. Third-Party Service Aggregation
Customers, Partners Third-party Affiliates Third-party service aggregation allows
& Suppliers
you to transparently augment your own
applications with third-party services�
Your Cloud Take, for example, a business providing
Applications access to a third party loyalty program

services such as online bill pay or property

valuation� Whatever the business case,
PingFederate makes it possible to deliver
external services as if they’re your own�
Take advantage of to:
Improve the user experience
and increase customer loyalty
Protect customer identities
throughout the entire
transaction process
Improve utilization of third
party applications
Gain a competitive advantage
with value-added services

Page Table of Contents 17

Cloud Identity Use Cases
5. Single Sign-On for External Business Partners
Your Partners Allow suppliers, dealers, distributors,
Your Cloud
Applications own corporate credentials to access your

Streamline delivery

Improve collaboration
OPEN Increase supply-chain visibility



Page Table of Contents 18

Cloud Identity Use Cases
6. Internal Single Sign-On
Provide application access across multiple
organizations within your enterprise� For
rkforce rkforce
Mobile Devices Wo Browsers Browsers Wo Mobile Devices example, if a company acquisition occurs,
PingFederate can leverage the existing
identity investments to provide a rapid
integration rather than rebuilding the
ectories entire IT infrastructure of both companies�
Staff in both original organizations can be
granted access to applications and data
across the single entity without migrating
identity information or consolidating the
p lic a ti o n
s Ap
p li c a ti o n
s two security domains�

Page Table of Contents 19

Chapter 3

Page Table of Contents 20

PingFederate Integrations

Integration Kits SaaS Connectors Cloud Identity Token Translators PingOne CloudDesktop
These snap in components Quick Connection templates Connectors Token translators are PingOne is a native multi- CloudDesktop provides
provide identity integration simplify setup for common These allow users to register available for several tenant Identity as a Service a single point of access
into web access SaaS Applications with with consumer-facing common token types, enabling providing one to all federated cloud-
management products, pre-populated connection websites using their social including X�509, SiteMinder connection to access based applications for
strong authentication settings, account networking accounts� Cloud and Kerberos� Translator cloud apps� Administrators employees or partners�
systems, web servers, provisioning parameters Identity Connectors also SDKs allow users to build manage one connection Administrators can directly
application servers, legacy and SSO endpoint allow you to leverage third custom token translators� and get access to hundreds create and manage groups
and custom applications� parameters� These enable party authentication, via Client SDKs are provided of enterprise SaaS of applications to determine
Over 80 integration kits rapid integration with SaaS Salesforce (CRM, Customer for interaction with the applications� appropriate user visibility�
enable quick connection applications and onboarding and Partner Portals) or STS for Java or �NET
into existing infrastructure, of users� Google Apps, for partners applications� These help
and documented without the infrastructure integrate applications
APIs support custom to support cloud SSO� requiring native support in
requirements� This improves customer Microsoft Windows Identity
engagement by increasing Foundation�
registration rates and

Page Table of Contents 21

Integration Kits
First Mile The Cloud Last Mile

Identity Provider Service Provider

Identity Mgmt. Systems 2

Oracle OAM, IBM TAM,
Active Directory, LDAP,
Windows IWA OPEN OPEN Custom Apps
Strong Auth Java, .NET, PHP, Agentless
Symantec VIP, RSA SecureID, 3 Web & App Servers
RSA Adaptive Authentication, Apache, Microsoft IIS,
PhoneFactor, X.509 1 SAP NetWeaver,
Custom Apps WebLogic, WebSphere
Java, .NET, PHP, Agentless Identity Mgmt. Systems
Oracle OAM
Em Commercial Apps
SAML Open ID OAuth
Browser WS-Trust WS-Federation SharePoint
SCIM OpenID Connect


Leverage the identity investments you already have in place� Ping Identity offers integration kits to facilitate rapid
deployment into your existing enterprise infrastructure� In addition, PingFederate includes an SDK that can be used to
create custom adapters for systems that do not have an available integration kit�

Page Table of Contents 22

Cloud Identity Connectors
Cloud Identity Providers Cloud Identity Connectors allow consumers or
contractors to register and access your cloud-
Your Cloud based applications using their social media
Applications accounts� PingFederate offers out-of-the-box
support for Google, Yahoo, Windows Live,
LinkedIn and others via OpenID 2�0 and related
Increase registration rates
Reduce identity management
Improve cloud services adoption
Provide a more personalized user

partners and consumers

Reduce the hassles and risks of user
password management

Page Table of Contents 23

SaaS Connectors
SaaS Connectors install within PingFederate,
Identity Provider The Cloud
enabling Cloud SSO and automated cloud user
provisioning to leading SaaS providers�
SaaS Connectors offer a Quick Connection
template as well as support for:
Automated cloud user provisioning
Native mobile apps
Proprietary SSO APIs
ployees Provisioning
Em Plugin
Browser capabilities and requirements of the target SaaS
applications� SaaS Connectors are currently
available for Salesforce, Google Apps, Webex,
Workday and Ultimate Software�

Page Table of Contents 24

Token Translators
Token Translators are plugins that allow the
PingFederate Security Token Server (STS) to
process and/or generate particular types of
security tokens. Use Token Translators to secure
Token Types
SOAP API calls or to provide an easy mechanism
OAuth 2 Token Types for security token exchange. Ping Identity
Kerberos offers Token Translators for several common
OAM Token OAuth
OpenToken SAML 1.x token types. You can also build custom Token
Username/LDAP SAML 2
X.509 Certificate OpenToken Translators using the Token Translator SDK.
WAM Session

STS Server

Page Table of Contents 25

Chapter 4
Automated Cloud User

Page Table of Contents 26

Automated Cloud User Provisioning


Identity Provider Service Provider


apps Apps
User Identity
Directory CUSTOM Management

PingFederate offers automated cloud user provisioning to using identity information from the single sign-on token.
streamline identity management and centralize cloud access For Identity Providers, PingFederate provides outbound
control. PingFederate automatically creates, updates and provisioning using SCIM; and supports a number of
disables user accounts for cloud applications. proprietary provisioning methods for key Cloud services
such as Google Apps and Salesforce.com with out-of-the-
For Service Providers, PingFederate supports inbound
box integrations.
provisioning using SCIM, as well as just-in-time provisioning

Page Table of Contents 27

Automated Cloud User Provisioning
Outbound Provisioning
Service Provider Outbound Provisioning monitors the
enterprise directory for changes in
designated groups and pushes user
account creation, changes and deletions
Identity Provider
intervals, ensuring permission-based
access. Standards-based provisioning
using SCIM is available where supported
by the target Service Provider; outbound
User direct-to-API user provisioning is also
Directory CUSTOM
API Identity Store available for Google, Salesforce, Webex,
Box.net, Concur and Workday.

Eliminates manual SaaS

directory maintenance
Speeds employee on- and off-
Automatically disables accounts
Reduces the risk of data loss or
Mitigates compliance issues

Page Table of Contents 28

Automated Cloud User Provisioning
Inbound Provisioning
Service Provider Inbound provisioning leverages the SCIM
standard to automatically create, update
Identity Provider or delete/disable users in the directory for
SCIM a service provider application.

Provides a standards-
based interface to your
identity provider customers
sointegration with your service
is quicker, easier and more
Identity Store Eliminates expensive-to-
maintain and risky proprietary
Eliminates manual intervention
in the user provisioning process

Page Table of Contents 29

Automated Cloud User Provisioning
Just-in-Time Provisioning
The Cloud Service Provider Just-in-time Provisioning creates accounts

based SSO. There’s no need for additional

3 Just-in-time Provisioning works for both


Add User 2


Page Table of Contents 30

Automated Cloud User Provisioning
Just-in-Time and SaaS Provisioning Compared

Outbound Inbound Just-in-Time

Use Case IdP established user SP accepts standards-based SP creates/updates new

accounts as SP before provisioning to create user
enabling SSO accounts before enabling request time

Account Data IdP corporate directory SCIM messages from IdP Inbound SSO transaction

Other Party SP must support SCIM, IdP must support SCIM

Requirement or must be one of the standard SSO
supported proprietary
provisioning APIs

Directory/Interface SCIM (standard) or SCIM 1.1

supported Google, Webex,
Workday, Salesforce, Box.
net, Concur (API)

Page Table of Contents 31

Chapter 5
API Security

Page Table of Contents 32

API Security
PingFederate secures online application
programming interfaces (API’s) through
the OAuth Authorization Server and the
SOAP Security Token Service. PingFederate also
APIs centralizes the creation and issuance
of tokens, speeding time to market
without the need for additional security
Clients OAuth Authorization Server
Provider PingFederate secures mobile browser
access, native mobile application access,
and client access of HTTP API calls. With
RESTful the PingFederate OAuth 2.0 Authorization
Browser Server, tokens are created and validated
for secure access to HTTP and RESTful web
services. Access to web services can be
centrally managed and revoked.
Security Token Service (STS)
PingFederate secures SOAP API calls.
As a WS-Trust-compliant Security Token
Service, PingFederate exchanges one type
of security token for a different type of
security token.

Page Table of Contents 33

API Security
OAuth 2.0 Overview
PingFederate OAuth 2.0 Authorization Server
secures access to HTTP and RESTful Application
Programming Interfaces (APIs) by mobile browser
applications, native mobile applications and web-
service clients.
Participants There are three primary participants
Resource Server

Clients application requesting information; a Resource

Server (RS), which is the application supplying the
requested information; and the Authorization Server
1 3
Auth Service (AS), which facilitates the client authorization.
Process The OAuth process starts with the client
sending a request to an RS. The RS checks the
request for an access token. If the access token
is missing or invalid, the client is redirected to the
AS. The AS facilitates the client authorization and
returns a token to the client that can be included in
future requests to the RS. The request is re-sent to
the RS with the access token. The RS validates the
token and returns the requested information.
The access token can be revoked at the AS to
prevent future RS access from the client.

Page Table of Contents 34

API Security
OAuth 2.0 – Mobile Application Access
The PingFederate Authorization Server
(AS) secures cloud services for mobile
access. PingFederate works with an
identity provider to authenticate and
create tokens for mobile applications.
2 Process
Password Resource Server
1. The mobile application collects user
credentials and exchanges them for an
access token at the PingFederate AS.
2. The mobile application discards the
user credentials and stores the access
1 3
Mobile App Auth Service token. The access token is used to
request information from the Resource
Server (RS).
3. A simple call from the RS back to the
PingFederate AS validates the access

Page Table of Contents 35

API Security
OAuth 2.0 – Mobile Applications with Single Sign-On
The PingFederate Authorization Server
(AS) secures cloud services for mobile
access. PingFederate combines federated
identities with OAuth 2.0 to authenticate
and create tokens for mobile applications.
Resource Server Process
1. The mobile application connects to the
PingFederate AS for the authentication

Mobile App
2. The application opens a browser to the
Auth Service

AS where it is exchanged for an access
token, which is then stored within the
Identity application.
4. The access token is used to request
information from the Resource Server
5. A simple call from the RS back to the
PingFederate AS validates the access
token and returns the requested

Page Table of Contents 36

API Security
OAuth 2.0 – Server Clients
The PingFederate Authorization Server
(AS) secures cloud services for delegated
ourc Owne
server access. PingFederate works with
an identity provider to authenticate and

create tokens for server clients.

Browser 2
Browser 1. The user, through the delegated
client, connects to the PingFederate
1 5 The
3 Auth Service
delegated client sends the user to the
authentication endpoint.
2. Once authentication is complete, the AS
sends an access token to the delegated
client to act on behalf of the user.
4 3. The delegated client stores the access
Resource Server 4. The client requests information from
the Resource Server (RS) with the
access token.
5. A simple call from the RS back to the
PingFederate AS validates the access
token and returns the requested

Page Table of Contents 37

API Security
OpenID Connect
OpenID Connect is a new standard,
which adds to oAuth the ability also
to pass an Identity Token as part of
1 the transaction. This allows for proper
client application making the request,
1 but also of the individual user on whose
TOKENS behalf the request is being made. With
this information, personalised data can be
Browser Client 2 returned; and proper reporting and audit
are enabled.
Browser PingFederate is an OAuth Authorization
TOKENS API Server, supporting both the basic and

Resource Provider

Page Table of Contents 38

API Security
PingFederate STS Overview

STS Token Software

Translators Dev Kits
The PingFederate Secure Token Service (STS) secures SOAP Security Token Translators
endpoints and enables SOAP clients to securely identify Token Translators are plugins that allow the STS to process
themselves to the SOAP endpoints. The PingFederate STS (i.e. consume) and/or generate particular types of security
can work on the client side, the web service side, or both tokens. Token Translators for several common token types
together. The STS supports the processes described in the are available from Ping Identity. Users can also build custom
Token Translators using the Token Translator SDK.
Security Token Service Software Development Kits
PingFederate includes a WS-Trust compliant Security Token The .NET and Java Client SDKs act as WS-Trust clients and
Service (STS) that accepts one type of security token as allow programs written in .NET and Java to interact with
input and produces an equivalent security token of a the PingFederate STS. PingFederate can also work with
third party WS-Trust clients such as AmberPoint. The Token
support the processing and generation of different token Translator SDK allows users to create their own token
types. It is accessed programatically via STS Client Software processor and generator plugins.
Development Kits (SDKs).

Page Table of Contents 39

API Security
PingFederate STS and SOAP Requests
The Cloud The PingFederate STS supports the
SOAP Web Service Client by exchanging

assertion. The Web Service Client embeds

SAML 3 Process
1. The Web Service Client generates a
Web Service Client
Token Types
SOAP request. The Web Service Client
calls PingFederate STS to exchange
OAM Token
Username/LDAP SAML
X509 Certificate 1 assertion.
based on the local security token and
STS Server
returned to the Web Service Client.
in the SOAP request and sent to the
Web Service Client.

Page Table of Contents 40

API Security
PingFederate STS and SOAP Responses
The PingFederate STS secures the SOAP
Service Provider
The Cloud
assertion in the SOAP request and
SOAP exchanging it for a local security token.
SAML 1 3
1. The Web Service Provider receives a
Web Service
SOAP request.
Token Types
2. The Web Service Provider extracts
OAM Token the token to the PingFederate STS for
1 Username/LDAP validation.
X509 Certificate

3. A local security token is returned to the

Web Service Provider, where a SOAP
STS Server response is generated and returned.

Page Table of Contents 41

API Security
PingFederate STS with Windows Identity Foundation (WIF) and ADFS v2

PingFederate STS extends your existing

security infrastructure to simplify
SOAP connecting with WIF and ADFS v2-secured
SAML Microsoft .Net web services.

Web Service Client

Token Types
1. The Web Service Client exchanges
OAM Token
X509 Certificate STANDARDS

2. The Web Service Client sends the

STS Server
3. The .Net Web Service Provider validates
the assertion with ADFS v2.
Firewall 4. ADFS v2 returns the embedded claims
to the Web Service Provider.
5. The Web Service Provider returns the
SOAP response.

Page Table of Contents 42

API Security
PingFederate STS for Token Exchange
For access to services across different
security domains, PingFederate STS can
exchange one type of security token for
another. Applications and clients use the
new security token to access services with
different security infrastructures.
Token Types 1. An application sends a security token
into the STS.
Kerberos 2. The STS processes the token and
OAM Token returns a different security token type.
Username/LDAP 1
X509 Certificate

STS Server

Page Table of Contents 43

Chapter 6
Adaptive Federation

Page Table of Contents 44

PingFederate Overview
Adaptive Federation
Adaptive Federation

Authentication Authentication Identity Attribute Token

Rules Chaining Aggregation Authorization

Authentication Rules Authentication Chaining Identity Attribute Token Authorization

PingFederate supports Enhance Single Sign-On Aggregation
complex authentication security by combining Manage complex attribute solution for enforcing
rules for location-based methods for multi-factor contracts with identity authorization policies
identity and authentication authentication, step-up attribute aggregation by within the single token
context. This in turn helps authentication or other retrieving user attributes creation process for all
maintain stronger security advanced scenarios from multiple user data cloud applications. Access
for compliance-driven requiring complex sources. stores and identity
environments. management systems. Select identity attributes, groups
user attributes contained
in multiple repositories target resource, and request
Web Access Management
systems and databases.

Page Table of Contents 45

Adaptive Federation
Authentication Rules

Users Applications


Create complex authentication rules to provide stronger Out-of-the-box adapter selectors support routing based on
security for compliance-driven environments. With adapter IP Address (using classless inter-domain routing notation) or
selectors, administrators can logically route authentication by authentication context from the service provider.
requests to different authentication methods based on user
location or authentication context.

Page Table of Contents 46

Adaptive Federation
Authentication Chaining

Users Applications


PingFederate supports authentication method combinations The composite adapter supports logical joining,
with the composite adapter. Chaining of the authentication using “AND” and “OR” notation, when combining
methods (adapters) enables administrators to creating
complex scenarios such as multi-factor authentication authentication request based on the logical construction in
(MFA) or authentication failover. the composite adapter.

Page Table of Contents 47

Adaptive Federation
Identity Attribute Aggregation



In large organizations, it’s common for identity attributes contracts, combining information from these disparate
to be dispersed across multiple repositories. For example, sources into a single token on demand. This provides much
core user information might reside in Active Directory,
eliminate the need for costly and time-consuming user
or custom data store. PingFederate can directly access data consolidation projects or solutions

Page Table of Contents 48

Adaptive Federation
Token Authorization

simple solution for enforcing authorization

policies within the single sign-on or
token generation process for all cloud

based on user identity attributes, groups

Token Authorization
and request context.
If your organization has invested in a
central Policy Server (Policy Decision
Point) to enforce authorization decisions
across many different applications - you
Role-based Attribute-based 3rd-party Policy
can easily integrate these capabilities
Access Control Access Control Decision Point within PingFederate. In this type of

the role of Policy Enforcement Point.

These Token Authorization capabilities
allow access decisions to be made
intelligently and centrally at the identity
perimeter, rather than on a per application

auditability and reduces risk.

Page Table of Contents 49

Chapter 7
Logging and Monitoring

Page Table of Contents 50

Logging and Monitoring




Provisioning Activity


PingFederate can be monitored by network management

systems through Simple Network Management Protocol
(SNMP) and Java Management Extensions (JMX). For
activity logging and reporting, Ping Identity provides a
Splunk Application.For compliance reporting, a pre-built
integration is available for HP ArcSite. Other monitoring
and reporting applications are supported via the fully

Page Table of Contents 51

Logging and Monitoring
ArcSight CEF Integration

User Audit

Using ArcSight ESM for Enterprise Threat and Risk Management (ETRM) with PingFederate for SaaS Single Sign-On gives
organizations visibility into user access of cloud-based applications across the entire enterprise.

Page Table of Contents 52

Logging and Monitoring
Logging to a Database


PingFederate can log server, identity transaction, and

provisioning events directly to a database instead of log

Better troubleshooting and compliance reporting

via third-party reporting tools
Extensive analysis and reporting

Page Table of Contents 53

Logging and Monitoring
Runtime Monitoring with SNMP and JMX


JMX Monitors

PingFederate includes an SNMP agent that will Additionally, PingFederate supports runtime monitoring
communicate with a network management system. The and reporting through the Java Management Extensions
network management system can monitor PingFederate (JMX). PingFederate’s JMX server reports SSO monitoring,
availability and both successful and failed transactions.

Page Table of Contents 54

Chapter 8
Advanced Capabilities

Page Table of Contents 55

Advanced Capabilities
OAuth Authorization Server Integration
Resource Server Validation Interface
PingFederate includes a REST-based API
to validate access tokens on behalf of any
application or resource server.
Token Authorization
OAuth Authorization Server Apply access rules for OAuth token

Validation Interface user identity attributes, groups and roles

Token Authorization
context. See page 49 for more information
Client Management Service Client Management Services
Identity Store PingFederate includes a REST-based Web
Token Plug-ins
Service for OAuth client management.
Programmatically manage OAuth clients
through a developer portal instead of the
PingFederate administrative console.
Developer Portal Token Plugins
Token plugins allow the OAuth
Authorization Server to process and
generate custom access tokens to support
complex use cases. Users can build custom
token plugins using the Token Plugin
SDK. Additionally, users can work with
the PingEnable client services team to
implements solutions.

Page Table of Contents 56

Advanced Capabilities
Enterprise Readiness

Load Balancer Load Balancer

dify Configu
/Mo ra

Runtime Runtime

Engines Engines

State Servers State Servers

Staging/Testing/Environments Production Environment

PingFederate supports a range of clustering modes to provide resilient and scalable deployment architectures. To help you

Page Table of Contents 57

Advanced Capabilities
FIPS 140-2, HSM

PingFederate provides out-of-the-box integration with Thales nShield Connect Hardware Security Module (HSM).
Integration with nShield Connect helps address the Federal Information Processing Standard (FIPS) 140-2 mode

Page Table of Contents 58

6/13 v3

About Ping Identity | The Identity Security Company

Ping Identity believes secure professional and personal identities underlie human progress in a
connected world. Our identity and access management platform gives enterprise customers
and employees one-click access to any application from any device. Over 900 companies,
including 45 of the Fortune 100, rely on our award-winning products to make the digital world
a better experience for hundreds of millions of people. For more information, dial U.S. toll-free
877.898.2905 or +1.303.468.2882, email sales@pingidentity.com or visit pingidentity.com.

Page Table of Contents 59

Вам также может понравиться