CoreBlox Token Translator. Version 1.0. User Guide

2014 Ping Identity Corporation. All rights reserved.

PingFederate CoreBlox Token Translator User Guide
Version 1.0
April, 2014

Ping Identity Corporation
1001 17th Street, Suite 100
Denver, CO 80202
U.S.A.
Phone: 877.898.2905 (+1 303.468.2882 outside North America)
Fax: 303.468.2909
Web Site: www.pingidentity.com

Trademarks

Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the property of their respective owners.

Disclaimer

The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Document Lifetime

Ping Identity may occasionally update online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to documentation.pingidentity.com for the most current information. From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: April 25, 2014

PingFederate CoreBlox Token Translator 2 User Guide

Contents

Introduction
Intended Audience
ZIP Manifest
System Requirements
Installation and Setup
Installing the CoreBlox Token Translator in PingFederate
Token Processor (IdP) Processing Overview
Configuring the IdP Token Processor
Token Generator (SP) Processing Overview
Configuring the SP Token Generator
Deployment Notes

Introduction

The PingFederate CoreBlox Token Translator provides a Token Processor and a Token Generator for use with PingFederate's WS-Trust Security Token Service (STS). The Token Processor allows an Identity Provider (IdP) STS to validate and authorize a CoreBlox session token from a Web Service Client (WSC) and then map user attributes into a SAML token for a Web Service Provider (WSP). The Token Generator allows a Service Provider (SP) STS to issue a CoreBlox session token for a WSP, including mapped attributes from an incoming SAML token.

Intended Audience

This document is intended for system administrators who have experience configuring and maintaining PingFederate Token Translators and who understand the CoreBlox Token Service (CTS). Please consult the CoreBlox Token Service Install and Configuration Guide for additional information regarding the CTS. We recommend that you review the PingFederate Administrator's Manual, specifically the section on STS, for further information.

ZIP Manifest

The distribution ZIP file for the CoreBlox Integration Kit contains the following:

ReadMeFirst.pdf
    Contains links to this online documentation.
/legal
    Contains the legal information:
    Legal.pdf: copyright and license information
/dist
    Contains libraries needed to run the adapter:
    coreblox-token-translator-1.0.jar: CoreBlox Token Translator JAR file

System Requirements

The following software must be installed in order to implement the CoreBlox Token Translator:

- PingFederate 7.x (or higher)
- An installation, either local or remote, of a CTS

Installation and Setup

The following section describes how to install and configure the CoreBlox Token Processor and Token Generator for an IdP and an SP, respectively.

Installing the CoreBlox Token Translator in PingFederate

1. Stop the PingFederate server if it is running.

2. Remove any existing CoreBlox Token Translator files (coreblox-token-translator-*.jar) from the directory:
   <PF_install>\pingfederate\server\default\deploy
3. Unzip the distribution file and copy coreblox-token-translator-1.0.jar from the /dist directory to the PingFederate directory:
   <PF_install>\pingfederate\server\default\deploy
4. Start or restart the PingFederate server.

Token Processor (IdP) Processing Overview

The following figure illustrates how PingFederate and the Token Processor interact with the CTS:

Processing Steps

1. A WSC sends a Request Security Token (RST) message containing a CoreBlox session token to the PingFederate STS IdP endpoint.
2. The CoreBlox Token Processor validates and authorizes the token from the WSC with the CTS, which returns a valid token to the Token Processor.
3. The PingFederate STS embeds the mapped attributes in a SAML assertion wrapped in a Request Security Token Response (RSTR) that is returned to the WSC.
4. The SAML assertion is sent to the WSP.
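The RST/RSTR exchange of Processing Steps 1 to 3, as an added example that is not part of this guide or of the CoreBlox kit: it builds the RST a WSC would send with the session token carried as a WS-Security BinarySecurityToken, shows what the STS side extracts before handing the token to the CTS, and parses the issued assertion (subject plus mapped attributes) out of a constructed RSTR. The BinarySecurityToken ValueType URI, the WSP address and the sample RSTR are assumptions; the real ValueType comes from the kit's own documentation.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
# ASSUMPTION: placeholder ValueType for the CoreBlox session token; the kit defines the real URI.
COREBLOX_VALUE_TYPE = "urn:example:coreblox:SMSESSION"

def q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)  # Clark-notation name for ElementTree

def build_rst(session_token: str, wsp_address: str) -> bytes:
    """Step 1: the WSC's RST. CoreBlox token in the WS-Security header, SAML 2.0 requested."""
    env = ET.Element(q("s", "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q("s", "Header")), q("wsse", "Security"))
    bst = ET.SubElement(sec, q("wsse", "BinarySecurityToken"), {"ValueType": COREBLOX_VALUE_TYPE})
    bst.text = base64.b64encode(session_token.encode()).decode()
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = NS["wst"] + "/Issue"
    ET.SubElement(rst, q("wst", "TokenType")).text = SAML2_TOKEN_TYPE
    epr = ET.SubElement(ET.SubElement(rst, q("wsp", "AppliesTo")), q("wsa", "EndpointReference"))
    ET.SubElement(epr, q("wsa", "Address")).text = wsp_address  # the WSP the assertion is for
    return ET.tostring(env)

def read_rst(rst_xml: bytes) -> str:
    """Step 2 (STS side): recover the session token that the Token Processor hands to the CTS."""
    bst = ET.fromstring(rst_xml).find(".//wsse:Security/wsse:BinarySecurityToken", NS)
    if bst is None or bst.get("ValueType") != COREBLOX_VALUE_TYPE:
        raise ValueError("no CoreBlox session token in the WS-Security header")
    return base64.b64decode(bst.text).decode()

def parse_rstr(rstr_xml: bytes) -> dict:
    """Step 3: subject and mapped attributes from the assertion inside the RSTR."""
    assertion = ET.fromstring(rstr_xml).find(".//wst:RequestedSecurityToken/saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("RSTR carries no SAML 2.0 assertion")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml2:AttributeValue", NS)]
             for a in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS)}
    return {"subject": assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS), "attributes": attrs}
# Constructed sample RSTR (not captured from a real STS), trimmed to the elements read above.
SAMPLE_RSTR = b"""<wst:RequestSecurityTokenResponse xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><wst:RequestedSecurityToken><saml2:Assertion>
<saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject><saml2:AttributeStatement>
<saml2:Attribute Name="mail"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
</saml2:AttributeStatement></saml2:Assertion></wst:RequestedSecurityToken></wst:RequestSecurityTokenResponse>"""
```

A real deployment would also check the assertion's signature and Conditions (audience, validity window) before trusting the attributes; that part is outside this sketch.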

Configuring the IdP Token Processor

This section describes how to configure the CoreBlox Token Processor.

1. Log on to the PingFederate administrative console and click Token Processors under IdP Configuration on the Main Menu.
   Note: If you do not see Token Processors on the Main Menu, enable WS-Trust under Server Settings on the Roles and Protocols screen by selecting WS-Trust for the IdP role.
2. On the Manage Token Processor Instances screen, click Create New Instance.
3. On the Type screen, enter an Instance Name and Instance Id. The Instance Name is any name you choose for identifying this Token Processor instance.
   Note: The Instance Id is used internally, may not contain any spaces or non-alphanumeric characters, and must be unique.
4. Select CoreBlox Token Processor as the Type and click Next.
5. Provide entries on the Instance Configuration screen as described below:

   Field                                   Description
   CoreBlox URL                            The base URL for CTS requests.
   Validate CoreBlox Certificate Hostname  If checked, the hostname of the server certificate presented by the CTS must match the hostname of the CoreBlox URL.
   Client Certificate                      The certificate used for authentication calls to the CTS.
   CoreBlox Tokentype                      The tokentype to be returned from the CTS. Note: At time of writing, the only permissible and default value is SMSESSION.

6. (Optional) Click Show Advanced Fields to specify the Token Processor's authorization configuration settings.

   Field                      Description
   Perform Authorize Request  If checked, the Token Processor will make an authorize request to the CTS before accessing the protected resource. Note: The following three fields are required for the adapter to make the authorize request.
   Resource                   The resource that is protected by the agent.
   Instance                   Refers to the name of the agent instance.
   Action                     The action to take when evaluating requests against the policy server.

7. Click Next.

8. (Optional) On the Extended Contract screen, configure additional attributes for the adapter (see Key Concepts in the PingFederate Administrator's Manual).
9. Click Next.
10. On the Token Attributes screen, select the Pseudonym checkbox for the userid attribute. You may select any extended attribute specified on the previous screen. For more information about this screen, see Setting Pseudonym Values and Masking in the PingFederate Administrator's Manual.
11. Click Next.
12. On the Summary screen, verify that the information is correct and click Done.
13. On the Manage Token Processor Instances screen, click Save to complete the Token Generator configuration.

Token Generator (SP) Processing Overview

The following figure illustrates how PingFederate and the Token Generator interact with the CTS:

Processing Steps

1. The WSP accepts an incoming SAML assertion.
2. The WSP makes an RST to the PingFederate STS.
3. The Token Generator parses the attributes in the SAML assertion and queries the CTS for a valid token.

4. The CoreBlox session token and mapped SAML attributes are embedded in an RSTR that is sent back to the WSP.

Configuring the SP Token Generator

This section describes how to configure the CoreBlox SP Token Generator.

1. Log on to the PingFederate administrative console and click Token Generators under SP Configuration on the Main Menu.
2. On the Manage Token Generator Instances screen, click Create New Instance.
3. On the Type screen, enter an Instance Name and Instance Id. The Instance Name is any name you choose for identifying this Token Generator instance.
   Note: The Instance Id is used internally, may not contain any spaces or non-alphanumeric characters, and must be unique.
4. Select CoreBlox Token Generator X.0 as the Type and click Next.
5. Provide entries on the Instance Configuration screen, as described in the table below:

   Field                                   Description
   CoreBlox URL                            The URL for the CTS.
   Validate CoreBlox Certificate Hostname  If checked, the hostname of the server certificate presented by the CTS must match the hostname of the CoreBlox URL.
   Client Certificate                      The certificate used for authentication calls to the CTS.
   CoreBlox Tokentype                      The tokentype to be returned from the CTS. Note: At time of writing, the only permissible value is SMSESSION.

6. (Optional) Click Show Advanced Fields to specify the Token Processor's authorization configuration settings.

   Field                      Description
   Perform Authorize Request  If checked, the adapter will make an authorize request to the CTS before accessing the protected resource. Note: The following three fields, Resource, Instance, and Action, are required for the adapter to make the authorize request.
   Resource                   The resource that is protected by the agent.
   Instance                   Refers to the name of the agent instance.
   Action                     The action to take when evaluating requests against the policy server.

7. Click Next.

8. (Optional) On the Extended Contract screen for a connection, configure additional attributes for the Token Generator. Any attributes configured in this step are added to the request header.
9. Click Next.
10. On the Summary screen, verify that the information is correct and click Done.

On the Manage Token Generator Instances screen, click Save to complete the Token Generator configuration.

Deployment Notes

When configuring STS clients with PingFederate versions 6 or higher, a common issue with libraries parsing XML has been documented here with recommended steps to resolve it.