Product Guide
Table of Contents

Table of Contents  2

Chapter 1: PingFederate Overview  4
  What is PingFederate?  5
  PingFederate 7 New Features  6
  Identity & Security Capabilities  7
  Enterprise Identity Bridge  8
  Enabling Cloud SSO  9
  Enterprise Federation Platform Portfolio Capabilities  10

Chapter 2: Cloud Identity Use Cases  11
  Overview  12
  1. Workforce to Cloud  13
  PingFederate Works with these SaaS Apps and More  14
  2. Single Sign-On for Client-Facing Applications  15
  3. Single Sign-On for Consumer-Facing Applications  16
  4. Third-Party Service Aggregation  17
  5. Single Sign-On for External Business Partners  18
  6. Internal Single Sign-On  19

Chapter 3: Integrations  20
  PingFederate Integrations  21
  Integration Kits  22
  Cloud Identity Connectors  23
  SaaS Connectors  24
  Token Translators  25

Chapter 4: Automated Cloud User Provisioning  26
  Overview  27
  Outbound Provisioning  28
  Inbound Provisioning  29
  Just-in-Time Provisioning  30
  Just-in-Time and SaaS Provisioning Compared  31

Chapter 5: API Security  32
  Overview  33
  OAuth 2.0 Overview  34
  OAuth 2.0 – Mobile Application Access  35
  OAuth 2.0 – Mobile Applications with Single Sign-On  36
  OAuth 2.0 – Server Clients  37
  OpenID Connect  38
  PingFederate STS Overview  39
  PingFederate STS and SOAP Requests  40
  PingFederate STS and SOAP Responses  41
  PingFederate STS with Windows Identity Foundation (WIF) and ADFS v2  42
  PingFederate STS for Token Exchange  43
PingFederate is the leading enterprise identity bridge for standards-based federated identity management. By integrating silos of identity and applications inside your enterprise, across partners and into the cloud, PingFederate enables federated single sign-on and identity management, secure mobile access, API security, social identity integration and automated user provisioning.
Integrates with your existing IT infrastructure easily
Supports hundreds of workforce, customer, partner and consumer identity & application integration use cases
Works with PingOne to streamline integration with hundreds of commercial SaaS applications
Cloud Single Sign-On and Federated Identity
Using trusted standard identity protocols, PingFederate allows employees, consumers, customers and partners to access multiple cloud resources using a single username and password. PingFederate can also interact with multiple data

Partner Onboarding
PingOne™ Application Provider Services helps service providers (application owners) quickly, easily and cost-effectively establish a SAML connection with a PingFederate identity provider.

Figure: Your Organization (Employees) and Your SaaS Providers, Partners, Suppliers and Customers

Secure Mobile Access
PingFederate provides secure access to cloud resources from tablets, smartphones and

API Security
developers to add identity information to their SOAP (WS-Trust) or REST-based (OAuth) API calls.

Simple Cloud Access
CloudDesktop provides a single point of access to public and private cloud applications for employees and partners.
Figure: PingFederate Runtime Services. Components: Integration Kits, SaaS Connectors, Cloud Identity Connectors, Token Translators. Capabilities: Cloud Single Sign-On, Cloud & Federated Identity Single Sign-On, Secure Mobile Access, Automated Cloud User Provisioning.
PingFederate extends your existing identity investments. It integrates and interoperates with the directory servers, LDAP, web access management (WAM) tools and other systems you already have in place. By providing quick connection templates and supporting social identity integration, PingFederate speeds user onboarding and improves customer engagement.
Figure: Workforce (Mobile Devices, Browsers) connecting over Open Standards to a Service Provider Application.
PingFederate provides Cloud SSO by supporting the Security Assertion Markup Language (SAML) and WS-

Both standards work by securely transmitting information about the user from the organization that maintains an account for that user (called the Identity Provider, or IdP) to the organization providing the desired web application or resource (called the Service Provider, or SP).

Both parties in a Cloud SSO transaction need software that supports the same identity protocol. This software must integrate with existing identity infrastructure at the IdP, and it must integrate with the application environment at the SP. With this connection established, it is possible for the IdP to send information about the user to the SP and gain access to the web application or resource.
Whether you’re implementing cloud SSO to boost employee productivity and partner collaboration or to enhance the customer experience, PingFederate supports the most ambitious enterprise identity security initiatives. Using standards-based protocols, PingFederate leverages existing enterprise identities to access cloud-based applications and accepts partner, customer and consumer identities to access both cloud-based and internal applications.

Six examples of identity use cases are:
1. Workforce to the Cloud
2. Single Sign-On for Client-Facing Applications
3. Single Sign-On for Consumer-Facing Applications
4. Third-Party Service Aggregation
5. Single Sign-On for External Business Partners
6. Internal Single Sign-On
Stronger security
Simpler password policy maintenance
Centralized cloud access control
Streamlined identity management

apps include:
A better user experience, leading to improved adoption, utilization and day-to-

include:
Makes it easier for consumers to do business with you
Creates a more personalized user experience
Reduces identity management overhead

Streamline delivery
Improve collaboration
Increase supply-chain visibility

Figure: Browser and Mobile access over Open Standards.
Integration Kits
These snap-in components provide identity integration into web access management products, strong authentication systems, web servers, application servers, legacy and custom applications. Over 80 integration kits enable quick connection into existing infrastructure, and documented APIs support custom requirements.

SaaS Connectors
Quick Connection templates simplify setup for common SaaS Applications with pre-populated connection settings, account provisioning parameters and SSO endpoint parameters. These enable rapid integration with SaaS applications and onboarding of users.

Cloud Identity Connectors
These allow users to register with consumer-facing websites using their social networking accounts. Cloud Identity Connectors also allow you to leverage third party authentication, via Salesforce (CRM, Customer and Partner Portals) or Google Apps, for partners without the infrastructure to support cloud SSO. This improves customer engagement by increasing registration rates and

Token Translators
Token translators are available for several common token types, including X.509, SiteMinder and Kerberos. Translator SDKs allow users to build custom token translators. Client SDKs are provided for interaction with the STS for Java or .NET applications. These help integrate applications requiring native support in Microsoft Windows Identity Foundation.

PingOne
PingOne is a native multi-tenant Identity as a Service, providing one connection to access cloud apps. Administrators manage one connection and get access to hundreds of enterprise SaaS applications.

CloudDesktop
CloudDesktop provides a single point of access to all federated cloud-based applications for employees or partners. Administrators can directly create and manage groups of applications to determine appropriate user visibility.
Leverage the identity investments you already have in place. Ping Identity offers integration kits to facilitate rapid deployment into your existing enterprise infrastructure. In addition, PingFederate includes an SDK that can be used to create custom adapters for systems that do not have an available integration kit.
Figure: STS Server, SCIM, Private Apps, User Directory, Identity Management and a Custom API behind the Firewall.
PingFederate offers automated cloud user provisioning to streamline identity management and centralize cloud access control. PingFederate automatically creates, updates and disables user accounts for cloud applications.

For Service Providers, PingFederate supports inbound provisioning using SCIM, as well as just-in-time provisioning using identity information from the single sign-on token. For Identity Providers, PingFederate provides outbound provisioning using SCIM; and supports a number of proprietary provisioning methods for key Cloud services such as Google Apps and Salesforce.com with out-of-the-box integrations.
Provides a standards-based interface to your identity provider customers so integration with your service is quicker, easier and more secure
Eliminates expensive-to-maintain and risky proprietary interfaces
Eliminates manual intervention in the user provisioning process

based SSO. There’s no need for additional
provisioning.

Figure: User Directory, Identity Store, Enterprise Single Sign-On, Identity Management, Add User.

Just-in-Time and SaaS Provisioning Compared. Account Data Source: IdP corporate directory; SCIM messages from IdP; Inbound SSO transaction.
Figure: Mobile App, Auth Service, Identity Provider, Resource Provider, User ID (steps 3 and 4) over Open Standards.

2. The application opens a browser to the
3.
AS where it is exchanged for an access token, which is then stored within the application.
4. The access token is used to request information from the Resource Server (RS).
5. A simple call from the RS back to the PingFederate AS validates the access token and returns the requested resource.
2. The Web Service Client sends the
3. The .Net Web Service Provider validates the assertion with ADFS v2.
4. ADFS v2 returns the embedded claims to the Web Service Provider.
5. The Web Service Provider returns the SOAP response.

Figure: STS Server behind the Firewall; Users (Browser, Mobile Devices) and Applications over Open Standards.
Create complex authentication rules to provide stronger security for compliance-driven environments. With adapter selectors, administrators can logically route authentication requests to different authentication methods based on user location or authentication context.

Out-of-the-box adapter selectors support routing based on IP Address (using classless inter-domain routing notation) or by authentication context from the service provider.
Figure: Users (Browser, Mobile Devices) and Applications over Open Standards.
PingFederate supports authentication method combinations with the composite adapter. Chaining of the authentication methods (adapters) enables administrators to create complex scenarios such as multi-factor authentication (MFA) or authentication failover.

The composite adapter supports logical joining, using “AND” and “OR” notation, when combining
authentication request based on the logical construction in the composite adapter.
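The two mechanisms above, an adapter selector that routes by CIDR rule or by the context the service provider asked for, and a composite adapter that joins methods with AND (multi-factor) and OR (failover), can be sketched together. The following is an added example and not PingFederate's code: the rule table, the adapter names (kerberos, html-form, totp, sms-otp), the "mfa" context hint and the sample requests are all constructed for illustration.

```python
# Added example (not PingFederate's code): an IP-based adapter selector that
# routes an authentication request by CIDR rule or by the context the service
# provider asked for, followed by a composite AND/OR adapter chain that gives
# MFA (AND) and failover (OR) semantics. Rule tables, adapter names and the
# sample requests below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


@dataclass
class AuthRequest:
    client_ip: str
    requested_context: Optional[str] = None      # hypothetical SP hint, e.g. "mfa"
    # Outcome each adapter would produce for this user. A real adapter
    # challenges the user; here a constructed table stands in for that.
    adapter_results: Dict[str, bool] = field(default_factory=dict)


# Selector rules (constructed): first matching CIDR wins.
IP_RULES: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "corp-kerberos"),        # corporate LAN: silent Kerberos
    ("192.168.100.0/24", "partner-form"),   # partner extranet: form login
]
DEFAULT_SELECTION = "mfa-chain"             # unknown networks get MFA

# Composite chains (constructed): a node is an adapter name or
# ("AND"|"OR", child, child, ...). AND = every step must pass (MFA);
# OR = try in order, first success wins (failover).
Chain = Union[str, tuple]
CHAINS: Dict[str, Chain] = {
    "corp-kerberos": "kerberos",
    "partner-form": "html-form",
    "mfa-chain": ("AND", "html-form", ("OR", "totp", "sms-otp")),
}


def select_adapter(req: AuthRequest) -> str:
    """Pick a chain: an explicit MFA request from the SP overrides network
    convenience routes; otherwise route by CIDR, then fall back to MFA."""
    if req.requested_context == "mfa":
        return "mfa-chain"
    ip = ipaddress.ip_address(req.client_ip)
    for cidr, name in IP_RULES:
        if ip in ipaddress.ip_network(cidr, strict=True):
            return name
    return DEFAULT_SELECTION


def run_chain(chain: Chain, req: AuthRequest, invoked: List[str]) -> bool:
    """Evaluate a composite chain, recording which adapters actually ran.
    Short-circuiting matters: an OR must not invoke its fallback unless the
    preferred adapter failed, and an AND stops at the first failure."""
    if isinstance(chain, str):
        invoked.append(chain)
        return req.adapter_results.get(chain, False)
    op, *children = chain
    if op == "AND":
        return all(run_chain(c, req, invoked) for c in children)  # all() stops at first False
    if op == "OR":
        return any(run_chain(c, req, invoked) for c in children)  # any() stops at first True
    raise ValueError("unknown operator: %r" % (op,))


def authenticate(req: AuthRequest) -> Tuple[str, bool, List[str]]:
    """Return (selected chain, success, adapters invoked in order)."""
    name = select_adapter(req)
    invoked: List[str] = []
    ok = run_chain(CHAINS[name], req, invoked)
    return name, ok, invoked


if __name__ == "__main__":
    # Constructed sample requests.
    on_lan = AuthRequest("10.1.2.3", adapter_results={"kerberos": True})
    remote = AuthRequest("203.0.113.7",
                         adapter_results={"html-form": True, "totp": False, "sms-otp": True})
    print(authenticate(on_lan))   # ('corp-kerberos', True, ['kerberos'])
    print(authenticate(remote))   # ('mfa-chain', True, ['html-form', 'totp', 'sms-otp'])
```

The design point worth noticing is the ordering in select_adapter: a service provider's explicit request for a stronger context is honoured before any network-based convenience route, so a user on the corporate LAN still gets the MFA chain when the application demands it. In run_chain, the invoked list makes the short-circuit behaviour observable, which is what you would check when verifying that a fallback factor is only offered after the preferred one has failed.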
Figure: Databases and Directories as attribute sources over Open Standards.
In large organizations, it’s common for identity attributes to be dispersed across multiple repositories. For example, core user information might reside in Active Directory,
or custom data store. PingFederate can directly access

contracts, combining information from these disparate sources into a single token on demand. This provides much
eliminate the need for costly and time-consuming user data consolidation projects or solutions
Figure: Admin; Operational Monitoring; SSO and Provisioning Activity Logging; Security Audit Reporting; CEF User Audit Log.
Using ArcSight ESM for Enterprise Threat and Risk Management (ETRM) with PingFederate for SaaS Single Sign-On gives
organizations visibility into user access of cloud-based applications across the entire enterprise.
Figure: Databases; SNMP; JMX; JMX Monitors.
PingFederate includes an SNMP agent that will communicate with a network management system. The network management system can monitor PingFederate availability and both successful and failed transactions.

Additionally, PingFederate supports runtime monitoring and reporting through the Java Management Extensions (JMX). PingFederate’s JMX server reports SSO monitoring,
transactions.
Figure: Copy/Modify Configuration; Runtime Engines; ConfigCopy Script.
PingFederate supports a range of clustering modes to provide resilient and scalable deployment architectures. To help you
PingFederate provides out-of-the-box integration with Thales nShield Connect Hardware Security Module (HSM).
Integration with nShield Connect helps address the Federal Information Processing Standard (FIPS) 140-2 mode
Ping Identity believes secure professional and personal identities underlie human progress in a
connected world. Our identity and access management platform gives enterprise customers
and employees one-click access to any application from any device. Over 900 companies,
including 45 of the Fortune 100, rely on our award-winning products to make the digital world
a better experience for hundreds of millions of people. For more information, dial U.S. toll-free
877.898.2905 or +1.303.468.2882, email sales@pingidentity.com or visit pingidentity.com.