PF ProductGuide June13

Platform
Product Guide
Table of Contents
Table of Contents �� 2 Chapter 4: Automated Cloud User Provisioning 26
Chapter 1: PingFederate Overview 4 Overview �� 27
What is PingFederate? �� 5 Outbound Provisioning �� 28
PingFederate 7 New Features �� 6 Inbound Provisioning �� 29
Identity & Security Capabilities �� 7 Just-in-Time Provisioning �� 30
Enterprise Identity Bridge �� 8 Just-in-Time and SaaS Provisioning Compared �� 31
Enabling Cloud SSO �� 9 Chapter 5: API Security 32
Enterprise Federation Platform Portfolio Capabilities �� 10 Overview �� 33
Chapter 2: Cloud Identity Use Cases 11 OAuth 2�0 Overview �� 34
Overview �� 12 OAuth 2�0 – Mobile Application Access �� 35
1� Workforce to Cloud �� 13 OAuth 2�0 – Mobile Applications with Single Sign-On �� 36
PingFederate Works with these SaaS Apps and More �� 14 OAuth 2�0 – Server Clients �� 37
2� Single Sign-On for Client-Facing Applications�� 15 OpenID Connect�� 38
3� Single Sign-On for Consumer-Facing Applications �� 16 PingFederate STS Overview �� 39
4� Third-Party Service Aggregation �� 17 PingFederate STS and SOAP Requests �� 40
5� Single Sign-On for External Business Partners �� 18 PingFederate STS and SOAP Responses �� 41
6� Internal Single Sign-On �� 19 PingFederate STS with Windows Identity Foundation (WIF) and
ADFS v2 �� 42
Chapter 3: Integrations 20 PingFederate STS for Token Exchange �� 43
PingFederate Integrations �� 21
Integration Kits �� 22
Cloud Identity Connectors �� 23
SaaS Connectors �� 24
Token Translators �� 25
Page Table of Contents 2

Table of Contents (cont’d)
Chapter 6: Adaptive Federation 44
Adaptive Federation�� 45
Authentication Rules �� 46
Authentication Chaining �� 47
Identity Attribute Aggregation �� 48
Token Authorization �� 49
Chapter 7: Logging and Monitoring 50
Overview �� 51
ArcSight CEF Integration �� 52
Logging to a Database �� 53
Runtime Monitoring with SNMP and JMX �� 54
Chapter 8: Advanced Capabilities 55
OAuth Authorization Server Integration�� 56
Enterprise Readiness �� 57
FIPS 140-2, HSM �� 58
About Ping Identity | The Identity Security Company 59

Chapter 1
PingFederate Overview

What is PingFederate?
PingFederate is the leading enterprise identity bridge for standards-based federated identity management� By integrating
silos of identity and applications inside your enterprise, across partners and into the cloud, PingFederate enables
federated single sign-on and identity management, secure mobile access, API security, social identity integration and
automated user provisioning�
Integrates with your existing IT infrastructure easily
Supports hundreds of workforce, customer, partner and consumer identity & application integration use cases
Works with PingOne to streamline integration with hundreds of commercial SaaS applications

Page TitleOverview
PingFederate
PingFederate 7 New Features
SCIM Support OpenID Connect

Enable the lightweight, automated OpenID Connect is an emerging
provisioning and deprovisioning of authentication and authorization standard
users� New support in PingFederate for from the OpenID Connect Foundation� It
SCIM (System for Cross-domain Identity consolidates access control for both web
Management) automates inbound and applications and APIs into one, making it
outbound user provisioning for corporate easier to secure web applications and their
directories and SaaS providers� User underlying API’s� It enables developers to
identities are synchronized with applications quickly develop identity-aware secure web
inside, outside and across the enterprise� and mobile applications leveraging their
SCIM automates and standardizes what used existing identity investments� PingFederate
to be either a manual or proprietary process� delivers a single platform handling OpenID
Connect as well as SAML, WS-Federation,
WS-Trust and OAuth�

Identity & Security Capabilities
Cloud Single Sign-On and Federated Identity Using Partner Onboarding PingOne™ Application Provider
trusted standard identity protocols , PingFederate allows Services helps service providers (application owners) quickly,
employees, consumers, customers and partners to access easily and cost-effectively establish a SAML connection with
multiple cloud resources using a single username and a PingFederate identity provider�
password� PingFederate can also interact with multiple data
Your SaaS Providers, Partners,
Your Organization Suppliers and Customers
Secure Mobile Access PingFederate provides secure
access to cloud resourcesfrom tablets, smartphones and Em
ployees
other mobile devices—whether via native mobile apps Apps

Cloud Single Sign-On & Federated Identity
(OAuth) or a mobile browser� Apps
Automated Cloud User Provisioning PingFederate bile Users

Mo
automatically creates, updates and disables user accounts AP
Is
Secure Mobile Access Apps

for cloud applications� PingFederate supports just-in-
time, outbound and inbound provisioning, and the SCIM
standard� This enables the rapid provisioning and de-
provisioning of users to reduce administrative overhead� Automated Cloud User Provisioning
Directories
Directories
API Security Using industry standards, PingFederate’s
API
Security Token Service and Authorization Server allows API
API Security
developers to add identity information to their SOAP (WS-
Trust) or REST-based (OAuth) API calls�
Simple Cloud Access CloudDesktop provides a single
point of access to public and private cloud applications for
employees and partners�

Enterprise Identity Bridge
Administration Console Management Services
Integration Kits
Cloud Single Sign-On
Cloud & Federated
Single Sign-On Identity
SaaS Connectors
Secure Mobile Access
Cloud Identity Connectors Runtime
Automated Cloud User Provisioning Services
Token Translators
CloudDesktop API Security
Logging & Monitoring
PingFederate extends your existing identity investments� It integrates and interoperates with the directory servers, LDAP,
web access management (WAM) tools and other systems you already have in place� By providing quick connection
templates and supporting social identity integration, PingFederate speeds user onboarding and improves customer
engagement�

Enabling Cloud SSO
rkforce
Mobile Devices Wo Browsers
Service Provider
OPEN OPEN
STANDARDS STANDARDS
Application
SAML Open ID OAuth

WS-Trust WS-Federation
SCIM OpenID Connect
PingFederate provides Cloud SSO by supporting the Both parties in a Cloud SSO transaction need software that
Security Assertion Markup Language (SAML) and WS- supports the same identity protocol� This software must
integrate with existing identity infrastructure at the IdP, and
it must integrate with the application environment at the
Both standards work by securely transmitting information
SP� With this connection established, it is possible for the
about the user from the organization that maintains an
IdP to send information about the user to the SP and gain
account for that user (called the Identity Provider, or IdP) to
access to the web application or resource�
the organization providing the desired web application or
resource (called the Service Provider, or SP)�

Enterprise Federation Platform Portfolio Capabilities
Federation Standard SAML Bindings Logging, Monitoring & HA

Support HTTP Post File-based
SAML 1�0 HTTP Artifact Common Event Format (CEF)
SAML 1�1 HTTP Redirect Database
SAML 2�0 SOAP Published MIB
WS-Federation JMX Support
OpenID Key Capabilities N node Clustering
OpenIDConnect IdP-Initiated SSO Supporting Capabilities
OAuth 2�0 SP-Initiated SSO Metadata Exchange
SCIM Single Log-Out 80+ Integration Kits
WS-Security Attribute Query & XASP Integration with Thales nShield
WS-Trust IdP Discovery Password Management
WS-Federation Account Linking Integration with MDM products
Account Mapping Support for O365 (active and
Federation Roles Adaptive Authentication passive)
Identity Provider (IdP) LDAP
Service Provider (SP) JDBC Kantara/Liberty Alliance
Custom (via SDK)
Identity Bridge
Password Management
SAML Interop Certifications
IdP Discovery IdP Lite
Token Validation Service Browser-based Access Portal
SP Lite
Token Exchange Service iOS Access Portal
eGov
Authorization Server Multifactor Authentication
Policy Service
API Gateway Express Provisioning Deployment Options
Identity Bridge On-premise
Certificate Validation Cloud only
Trust Models CRL Hybrid (Integrated Cloud &
Unanchored OCSP On-premise)
Anchored

Chapter 2
Cloud Identity Use Cases

Overview
IN OUT
Whether you’re implementing cloud SSO to boost Six examples of identity use cases are:
employee productivity and partner collaboration or to
1� Workforce to the Cloud
enhance the customer experience, PingFederate supports
the most ambitious enterprise identity security initiatives� 2� Single Sign-On for Client-Facing Applications
Using standards-based protocols, PingFederate leverages 3� Single Sign-On for Consumer-Facing Applications
existing enterprise identities to access cloud-based
applications and accepts partner, customer and consumer 4� Third-Party Service Aggregation
identities to access both cloud-based and internal 5� Single Sign-On for External Business Partners
applications�
6� Internal Single Sign-On

1. Workforce to Cloud
Public Apps Employees and partners use their
rkforce corporate credentials to access service
Mobile Devices Wo Browsers
providers, such as SaaS, BPOs and partner
applications� Virtually every major SaaS
provider now supports standards-based
cloud SSO� Connecting with a SaaS
OPEN
STANDARDS
Stronger security
Simpler password policy
maintenance
Centralized cloud access control
Streamlined identity
management
Private Apps For a complete list of our SaaS partners,

please see https://www�pingidentity�com/
PartnerDirectory

PingFederate Works with these SaaS Apps and More
Business
Communications, Compliance, Risk,
Analytics/ Collaboration CRM HRM/HCM
Marketing, Media Management
Intelligence

2. Single Sign-On for Client-Facing Applications
Give customers secure access to your
Your Customers Your Cloud applications with cloud SSO using their
Applications own corporate credentials�
apps include:
A better user experience,
leading to improved
OPEN adoption,utilization and day-to-
STANDARDS
Reduced risk of password theft

Less risk of unauthorized access
to critical business applications
and data

3. Single Sign-On for Consumer-Facing Applications
Instead of registering new user names and
Cloud Identity Providers passwords, consumers gain instant access
to your applications using their Facebook,
Your Cloud Yahoo, LinkedIn, Twitter or other cloud
Applications identity provider accounts� That’s one less
password for them to remember and one
less user account for you to create��
OPEN
STANDARDS include:
Makes it easier for consumers
to do business with you
Creates a more personalized
user experience
Reduces identity management
overhead

4. Third-Party Service Aggregation
Customers, Partners Third-party Affiliates Third-party service aggregation allows
& Suppliers
you to transparently augment your own
applications with third-party services�
Your Cloud Take, for example, a business providing
Applications access to a third party loyalty program
OPEN
STANDARDS
services such as online bill pay or property

valuation� Whatever the business case,
PingFederate makes it possible to deliver
external services as if they’re your own�
Take advantage of to:
Improve the user experience
and increase customer loyalty
Protect customer identities
throughout the entire
transaction process
Improve utilization of third
party applications
Gain a competitive advantage
with value-added services

5. Single Sign-On for External Business Partners
Your Partners Allow suppliers, dealers, distributors,
Your Cloud
Applications own corporate credentials to access your
applications�
Browser
Streamline delivery
Mobile
Improve collaboration
OPEN Increase supply-chain visibility
STANDARDS
Browser
Mobile

6. Internal Single Sign-On
Provide application access across multiple
organizations within your enterprise� For
rkforce rkforce
Mobile Devices Wo Browsers Browsers Wo Mobile Devices example, if a company acquisition occurs,
PingFederate can leverage the existing
identity investments to provide a rapid
integration rather than rebuilding the
Dir
ectories
Dir
ectories entire IT infrastructure of both companies�
Staff in both original organizations can be
granted access to applications and data
across the single entity without migrating
identity information or consolidating the
Ap
p lic a ti o n
s Ap
p li c a ti o n
s two security domains�

Chapter 3
Integrations

Integrations
PingFederate Integrations
Integration Kits SaaS Connectors Cloud Identity Token Translators PingOne CloudDesktop
These snap in components Quick Connection templates Connectors Token translators are PingOne is a native multi- CloudDesktop provides
provide identity integration simplify setup for common These allow users to register available for several tenant Identity as a Service a single point of access
into web access SaaS Applications with with consumer-facing common token types, enabling providing one to all federated cloud-
management products, pre-populated connection websites using their social including X�509, SiteMinder connection to access based applications for
strong authentication settings, account networking accounts� Cloud and Kerberos� Translator cloud apps� Administrators employees or partners�
systems, web servers, provisioning parameters Identity Connectors also SDKs allow users to build manage one connection Administrators can directly
application servers, legacy and SSO endpoint allow you to leverage third custom token translators� and get access to hundreds create and manage groups
and custom applications� parameters� These enable party authentication, via Client SDKs are provided of enterprise SaaS of applications to determine
Over 80 integration kits rapid integration with SaaS Salesforce (CRM, Customer for interaction with the applications� appropriate user visibility�
enable quick connection applications and onboarding and Partner Portals) or STS for Java or �NET
into existing infrastructure, of users� Google Apps, for partners applications� These help
and documented without the infrastructure integrate applications
APIs support custom to support cloud SSO� requiring native support in
requirements� This improves customer Microsoft Windows Identity
engagement by increasing Foundation�
registration rates and

Integrations
Integration Kits
First Mile The Cloud Last Mile
Identity Provider Service Provider
Identity Mgmt. Systems 2

Oracle OAM, IBM TAM,
Active Directory, LDAP,
Windows IWA OPEN OPEN Custom Apps
STANDARDS STANDARDS
Strong Auth Java, .NET, PHP, Agentless
Symantec VIP, RSA SecureID, 3 Web & App Servers
RSA Adaptive Authentication, Apache, Microsoft IIS,
PhoneFactor, X.509 1 SAP NetWeaver,
Custom Apps WebLogic, WebSphere
Java, .NET, PHP, Agentless Identity Mgmt. Systems
Oracle OAM
IBM TAM
ployees
Em Commercial Apps
SAML Open ID OAuth
Citrix
Browser WS-Trust WS-Federation SharePoint
SCIM OpenID Connect
Firewall
Leverage the identity investments you already have in place� Ping Identity offers integration kits to facilitate rapid
deployment into your existing enterprise infrastructure� In addition, PingFederate includes an SDK that can be used to
create custom adapters for systems that do not have an available integration kit�

Integrations
Cloud Identity Connectors
Cloud Identity Providers Cloud Identity Connectors allow consumers or
contractors to register and access your cloud-
Your Cloud based applications using their social media
Applications accounts� PingFederate offers out-of-the-box
support for Google, Yahoo, Windows Live,
LinkedIn and others via OpenID 2�0 and related
protocols�
OPEN
STANDARDS
Increase registration rates
Reduce identity management
overhead
Improve cloud services adoption
Provide a more personalized user
experience
partners and consumers

Reduce the hassles and risks of user
password management

Integrations
SaaS Connectors
SaaS Connectors install within PingFederate,
Identity Provider The Cloud
enabling Cloud SSO and automated cloud user
provisioning to leading SaaS providers�
SaaS Connectors offer a Quick Connection
template as well as support for:
Directory
OPEN
STANDARDS
Automated cloud user provisioning
Native mobile apps
apps
Proprietary SSO APIs
ployees Provisioning
Em Plugin
Browser capabilities and requirements of the target SaaS
applications� SaaS Connectors are currently
Firewall
available for Salesforce, Google Apps, Webex,
Workday and Ultimate Software�

Integrations
Token Translators
Token Translators are plugins that allow the
Application
PingFederate Security Token Server (STS) to
process and/or generate particular types of
security tokens. Use Token Translators to secure
Token Types
SOAP API calls or to provide an easy mechanism
OAuth 2 Token Types for security token exchange. Ping Identity
Kerberos offers Token Translators for several common
OAM Token OAuth
OpenToken SAML 1.x token types. You can also build custom Token
Username/LDAP SAML 2
1
X.509 Certificate OpenToken Translators using the Token Translator SDK.
WAM Session
STS Server

Chapter 4
Automated Cloud User
Provisioning

Automated Cloud User Provisioning
Overview
SCIM
Identity Provider Service Provider
SCIM
Private
apps Apps
User Identity
Directory CUSTOM Management
API
PingFederate offers automated cloud user provisioning to using identity information from the single sign-on token.
streamline identity management and centralize cloud access For Identity Providers, PingFederate provides outbound
control. PingFederate automatically creates, updates and provisioning using SCIM; and supports a number of
disables user accounts for cloud applications. proprietary provisioning methods for key Cloud services
such as Google Apps and Salesforce.com with out-of-the-
For Service Providers, PingFederate supports inbound
box integrations.
provisioning using SCIM, as well as just-in-time provisioning

Outbound Provisioning
Service Provider Outbound Provisioning monitors the
enterprise directory for changes in
designated groups and pushes user
SCIM
account creation, changes and deletions
Identity Provider
intervals, ensuring permission-based
access. Standards-based provisioning
using SCIM is available where supported
by the target Service Provider; outbound
User direct-to-API user provisioning is also
Directory CUSTOM
API Identity Store available for Google, Salesforce, Webex,
Box.net, Concur and Workday.
Eliminates manual SaaS

directory maintenance
Speeds employee on- and off-
boarding
Automatically disables accounts
Reduces the risk of data loss or
theft
Mitigates compliance issues

Inbound Provisioning
Service Provider Inbound provisioning leverages the SCIM
standard to automatically create, update
Identity Provider or delete/disable users in the directory for
SCIM a service provider application.
Provides a standards-
based interface to your
identity provider customers
User
Directory
sointegration with your service
is quicker, easier and more
secure
Identity Store Eliminates expensive-to-
maintain and risky proprietary
interfaces
Eliminates manual intervention
in the user provisioning process

Just-in-Time Provisioning
The Cloud Service Provider Just-in-time Provisioning creates accounts
Enterprise
based SSO. There’s no need for additional
SINGLE
SIGN-ON
provisioning.
3 Just-in-time Provisioning works for both

eBusiness
Properties
Provider.
Add User 2
Identity
Management

Just-in-Time and SaaS Provisioning Compared
Outbound Inbound Just-in-Time
Use Case IdP established user SP accepts standards-based SP creates/updates new

accounts as SP before provisioning to create user
enabling SSO accounts before enabling request time
SSO
Account Data IdP corporate directory SCIM messages from IdP Inbound SSO transaction
Source
Other Party SP must support SCIM, IdP must support SCIM

Requirement or must be one of the standard SSO
supported proprietary
provisioning APIs
Directory/Interface SCIM (standard) or SCIM 1.1

supported Google, Webex,
Workday, Salesforce, Box.
net, Concur (API)

Chapter 5
API Security

API Security
Overview
PingFederate secures online application
programming interfaces (API’s) through
the OAuth Authorization Server and the
SOAP Security Token Service. PingFederate also
APIs centralizes the creation and issuance
of tokens, speeding time to market
without the need for additional security
infrastructure.
Service
Clients OAuth Authorization Server
Provider PingFederate secures mobile browser
access, native mobile application access,
and client access of HTTP API calls. With
RESTful the PingFederate OAuth 2.0 Authorization
Browser Server, tokens are created and validated
APIs
for secure access to HTTP and RESTful web
services. Access to web services can be
centrally managed and revoked.
Security Token Service (STS)
PingFederate secures SOAP API calls.
As a WS-Trust-compliant Security Token
Service, PingFederate exchanges one type
of security token for a different type of
security token.

API Security
OAuth 2.0 Overview
PingFederate OAuth 2.0 Authorization Server
secures access to HTTP and RESTful Application
Programming Interfaces (APIs) by mobile browser
applications, native mobile applications and web-
service clients.
2
Participants There are three primary participants
Resource Server
Clients application requesting information; a Resource

Server (RS), which is the application supplying the
requested information; and the Authorization Server
1 3
Auth Service (AS), which facilitates the client authorization.
Browser
Process The OAuth process starts with the client
sending a request to an RS. The RS checks the
request for an access token. If the access token
is missing or invalid, the client is redirected to the
AS. The AS facilitates the client authorization and
returns a token to the client that can be included in
future requests to the RS. The request is re-sent to
the RS with the access token. The RS validates the
token and returns the requested information.
The access token can be revoked at the AS to
prevent future RS access from the client.

API Security
OAuth 2.0 – Mobile Application Access
The PingFederate Authorization Server
(AS) secures cloud services for mobile
access. PingFederate works with an
identity provider to authenticate and
create tokens for mobile applications.
2 Process
Username
Password Resource Server
1. The mobile application collects user
credentials and exchanges them for an
access token at the PingFederate AS.
2. The mobile application discards the
user credentials and stores the access
1 3
Mobile App Auth Service token. The access token is used to
request information from the Resource
Server (RS).
3. A simple call from the RS back to the
PingFederate AS validates the access
token.

API Security
OAuth 2.0 – Mobile Applications with Single Sign-On
(AS) secures cloud services for mobile
access. PingFederate combines federated
identities with OAuth 2.0 to authenticate
and create tokens for mobile applications.
Username
Resource Server Process
Password
1. The mobile application connects to the
PingFederate AS for the authentication
Mobile App
2. The application opens a browser to the
Auth Service
3.
AS where it is exchanged for an access
OPEN
STANDARDS
token, which is then stored within the
Identity application.
Provider
4. The access token is used to request
information from the Resource Server
(RS).
token and returns the requested
resource.

API Security
OAuth 2.0 – Server Clients
(AS) secures cloud services for delegated
e
ourc Owne
server access. PingFederate works with
es
an identity provider to authenticate and
R
create tokens for server clients.

Process
Browser 2
Browser 1. The user, through the delegated
client, connects to the PingFederate
1 5 The
3 Auth Service
delegated client sends the user to the
authentication endpoint.
2. Once authentication is complete, the AS
sends an access token to the delegated
client to act on behalf of the user.
Client
4 3. The delegated client stores the access
token.
Resource Server 4. The client requests information from
the Resource Server (RS) with the
access token.
token and returns the requested
resource.

API Security
OpenID Connect
OpenID Connect is a new standard,
which adds to oAuth the ability also
to pass an Identity Token as part of
1 the transaction. This allows for proper
Authorization
Users
Server
client application making the request,
1 but also of the individual user on whose
TOKENS behalf the request is being made. With
this information, personalised data can be
Browser Client 2 returned; and proper reporting and audit
USER ID
are enabled.
Devices
Browser PingFederate is an OAuth Authorization
TOKENS API Server, supporting both the basic and
3
USER ID
Resource Provider

API Security
PingFederate STS Overview
STS Token Software

Translators Dev Kits
The PingFederate Secure Token Service (STS) secures SOAP Security Token Translators
endpoints and enables SOAP clients to securely identify Token Translators are plugins that allow the STS to process
themselves to the SOAP endpoints. The PingFederate STS (i.e. consume) and/or generate particular types of security
can work on the client side, the web service side, or both tokens. Token Translators for several common token types
together. The STS supports the processes described in the are available from Ping Identity. Users can also build custom
Token Translators using the Token Translator SDK.
Security Token Service Software Development Kits
PingFederate includes a WS-Trust compliant Security Token The .NET and Java Client SDKs act as WS-Trust clients and
Service (STS) that accepts one type of security token as allow programs written in .NET and Java to interact with
input and produces an equivalent security token of a the PingFederate STS. PingFederate can also work with
third party WS-Trust clients such as AmberPoint. The Token
support the processing and generation of different token Translator SDK allows users to create their own token
types. It is accessed programatically via STS Client Software processor and generator plugins.
Development Kits (SDKs).

API Security
PingFederate STS and SOAP Requests
The Cloud The PingFederate STS supports the
SOAP Web Service Client by exchanging
assertion. The Web Service Client embeds

SOAP
SAML 3 Process
Payload
1. The Web Service Client generates a
Web Service Client
Token Types
SOAP request. The Web Service Client
2
OAuth
Kerberos
calls PingFederate STS to exchange
OAM Token
OpenToken
Username/LDAP SAML
X509 Certificate 1 assertion.
4
2.
based on the local security token and
STS Server
returned to the Web Service Client.
3.
Firewall
in the SOAP request and sent to the
Web Service Client.

API Security
PingFederate STS and SOAP Responses
The PingFederate STS secures the SOAP
Service Provider
The Cloud
assertion in the SOAP request and
SOAP exchanging it for a local security token.
SAML 1 3
Payload
1. The Web Service Provider receives a
Web Service
SOAP request.
2
Token Types
2. The Web Service Provider extracts
OPEN
STANDARDS OAuth
Kerberos
OAM Token the token to the PingFederate STS for
OpenToken
1 Username/LDAP validation.
X509 Certificate
3. A local security token is returned to the

Web Service Provider, where a SOAP
STS Server response is generated and returned.

API Security
PingFederate STS with Windows Identity Foundation (WIF) and ADFS v2
PingFederate STS extends your existing

security infrastructure to simplify
SOAP connecting with WIF and ADFS v2-secured
SAML Microsoft .Net web services.
3
Payload
Web Service Client

Process
Token Types
2
1. The Web Service Client exchanges
OAuth
Kerberos
OAM Token
5
OpenToken
Username/LDAP
OPEN
STANDARDS
OPEN
assertion.
X509 Certificate STANDARDS
1
4
2. The Web Service Client sends the
STS Server
3. The .Net Web Service Provider validates
the assertion with ADFS v2.
Firewall 4. ADFS v2 returns the embedded claims
to the Web Service Provider.
5. The Web Service Provider returns the
SOAP response.

API Security
PingFederate STS for Token Exchange
For access to services across different
Application
security domains, PingFederate STS can
exchange one type of security token for
another. Applications and clients use the
new security token to access services with
different security infrastructures.
Token Types 1. An application sends a security token
2
into the STS.
OAuth
Kerberos 2. The STS processes the token and
OAM Token returns a different security token type.
OpenToken
Username/LDAP 1
X509 Certificate
STS Server

Chapter 6
Adaptive Federation

PingFederate Overview
Adaptive Federation
Adaptive Federation
Authentication Authentication Identity Attribute Token

Rules Chaining Aggregation Authorization
Authentication Rules Authentication Chaining Identity Attribute Token Authorization

PingFederate supports Enhance Single Sign-On Aggregation
complex authentication security by combining Manage complex attribute solution for enforcing
rules for location-based methods for multi-factor contracts with identity authorization policies
identity and authentication authentication, step-up attribute aggregation by within the single token
context. This in turn helps authentication or other retrieving user attributes creation process for all
maintain stronger security advanced scenarios from multiple user data cloud applications. Access
for compliance-driven requiring complex sources. stores and identity
environments. management systems. Select identity attributes, groups
user attributes contained
in multiple repositories target resource, and request
context.
Web Access Management
systems and databases.

Adaptive Federation
Authentication Rules
Users Applications
Mobile
Devices
OPEN
STANDARDS
Browser
Create complex authentication rules to provide stronger Out-of-the-box adapter selectors support routing based on
security for compliance-driven environments. With adapter IP Address (using classless inter-domain routing notation) or
selectors, administrators can logically route authentication by authentication context from the service provider.
requests to different authentication methods based on user
location or authentication context.

Adaptive Federation
Authentication Chaining
Users Applications
Mobile
Devices
OPEN
STANDARDS
Browser
PingFederate supports authentication method combinations The composite adapter supports logical joining,
with the composite adapter. Chaining of the authentication using “AND” and “OR” notation, when combining
methods (adapters) enables administrators to creating
complex scenarios such as multi-factor authentication authentication request based on the logical construction in
(MFA) or authentication failover. the composite adapter.

Adaptive Federation
Identity Attribute Aggregation
Databases
OPEN
STANDARDS
Directories
In large organizations, it’s common for identity attributes contracts, combining information from these disparate
to be dispersed across multiple repositories. For example, sources into a single token on demand. This provides much
core user information might reside in Active Directory,
eliminate the need for costly and time-consuming user
or custom data store. PingFederate can directly access data consolidation projects or solutions

Adaptive Federation
Token Authorization
simple solution for enforcing authorization

policies within the single sign-on or
token generation process for all cloud
based on user identity attributes, groups

Token Authorization
and request context.
If your organization has invested in a
central Policy Server (Policy Decision
Point) to enforce authorization decisions
across many different applications - you
Role-based Attribute-based 3rd-party Policy
can easily integrate these capabilities
Access Control Access Control Decision Point within PingFederate. In this type of
the role of Policy Enforcement Point.

These Token Authorization capabilities
allow access decisions to be made
intelligently and centrally at the identity
perimeter, rather than on a per application
auditability and reduces risk.

Chapter 7
Logging and Monitoring

Overview
Admin
Operational
Monitoring
SSO
Provisioning Activity
Logging
Security
Audit
Reporting
PingFederate can be monitored by network management

systems through Simple Network Management Protocol
(SNMP) and Java Management Extensions (JMX). For
activity logging and reporting, Ping Identity provides a
Splunk Application.For compliance reporting, a pre-built
integration is available for HP ArcSite. Other monitoring
and reporting applications are supported via the fully

ArcSight CEF Integration
CEF
User Audit
Log
Using ArcSight ESM for Enterprise Threat and Risk Management (ETRM) with PingFederate for SaaS Single Sign-On gives
organizations visibility into user access of cloud-based applications across the entire enterprise.

Logging to a Database
Databases
PingFederate can log server, identity transaction, and

provisioning events directly to a database instead of log
Better troubleshooting and compliance reporting

via third-party reporting tools
Extensive analysis and reporting

Runtime Monitoring with SNMP and JMX
SNMP
JMX
JMX Monitors
PingFederate includes an SNMP agent that will Additionally, PingFederate supports runtime monitoring
communicate with a network management system. The and reporting through the Java Management Extensions
network management system can monitor PingFederate (JMX). PingFederate’s JMX server reports SSO monitoring,
availability and both successful and failed transactions.
transactions.

Chapter 8
Advanced Capabilities

OAuth Authorization Server Integration
Resource Server Validation Interface
PingFederate includes a REST-based API
to validate access tokens on behalf of any
application or resource server.
Token Authorization
OAuth Authorization Server Apply access rules for OAuth token
Validation Interface user identity attributes, groups and roles

Token Authorization
context. See page 49 for more information
Client Management Service Client Management Services
Identity Store PingFederate includes a REST-based Web
Token Plug-ins
Service for OAuth client management.
Programmatically manage OAuth clients
through a developer portal instead of the
PingFederate administrative console.
Developer Portal Token Plugins
Token plugins allow the OAuth
Authorization Server to process and
generate custom access tokens to support
complex use cases. Users can build custom
token plugins using the Token Plugin
SDK. Additionally, users can work with
the PingEnable client services team to
implements solutions.

Enterprise Readiness
Load Balancer Load Balancer
dify Configu
/Mo ra
y
tio
p
Co
Runtime Runtime
n
Engines Engines
ConfigCopy
Script
State Servers State Servers
Staging/Testing/Environments Production Environment
PingFederate supports a range of clustering modes to provide resilient and scalable deployment architectures. To help you

FIPS 140-2, HSM
PingFederate provides out-of-the-box integration with Thales nShield Connect Hardware Security Module (HSM).
Integration with nShield Connect helps address the Federal Information Processing Standard (FIPS) 140-2 mode

6/13 v3
About Ping Identity | The Identity Security Company
Ping Identity believes secure professional and personal identities underlie human progress in a
connected world. Our identity and access management platform gives enterprise customers
and employees one-click access to any application from any device. Over 900 companies,
including 45 of the Fortune 100, rely on our award-winning products to make the digital world
a better experience for hundreds of millions of people. For more information, dial U.S. toll-free
877.898.2905 or +1.303.468.2882, email sales@pingidentity.com or visit pingidentity.com.

PF ProductGuide June13

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

PF ProductGuide June13

Загружено:

Авторское право:

Доступные форматы

Platform

Page Table of Contents 2

Page Table of Contents 3

Page Table of Contents 4

Page Table of Contents 5

SCIM Support OpenID Connect

Page Table of Contents 6

other mobile devices—whether via native mobile apps Apps

Automated Cloud User Provisioning PingFederate bile Users

Secure Mobile Access Apps

Page Table of Contents 7

Administration Console Management Services

CloudDesktop API Security

Logging & Monitoring

Page Table of Contents 8

SAML Open ID OAuth

Page Table of Contents 9

Federation Standard SAML Bindings Logging, Monitoring & HA

Page Table of Contents 10

Page Table of Contents 11

Page Table of Contents 12

Private Apps For a complete list of our SaaS partners,

Page Table of Contents 13

Page Table of Contents 14

Reduced risk of password theft

Page Table of Contents 15

Page Table of Contents 16

services such as online bill pay or property

Page Table of Contents 17

Page Table of Contents 18

Page Table of Contents 19

Page Table of Contents 20

Page Table of Contents 21

Identity Provider Service Provider

Identity Mgmt. Systems 2

Page Table of Contents 22

partners and consumers

Page Table of Contents 23

Page Table of Contents 24

Page Table of Contents 25

Page Table of Contents 26

Identity Provider Service Provider

Page Table of Contents 27

Eliminates manual SaaS

Page Table of Contents 28

Page Table of Contents 29

3 Just-in-time Provisioning works for both

Page Table of Contents 30

Outbound Inbound Just-in-Time

Use Case IdP established user SP accepts standards-based SP creates/updates new

Other Party SP must support SCIM, IdP must support SCIM

Directory/Interface SCIM (standard) or SCIM 1.1

Page Table of Contents 31

Page Table of Contents 32

Page Table of Contents 33

Clients application requesting information; a Resource

Page Table of Contents 34

Page Table of Contents 35

Page Table of Contents 36

create tokens for server clients.

Page Table of Contents 37

Page Table of Contents 38

STS Token Software

Page Table of Contents 39