SSO Integration Overview

Similar documents
Quick Connection Guide

CoreBlox Integration Kit. Version 2.2. User Guide

Quick Connection Guide

CoreBlox Token Translator. Version 1.0. User Guide

Zendesk Connector. Version 2.0. User Guide

OpenID Cloud Identity Connector. Version 1.3.x. User Guide

OAM Integration Kit. Version 3.0. User Guide

Box Connector. Version 2.0. User Guide

Dropbox Connector. Version 2.0. User Guide

Slack Connector. Version 2.0. User Guide

WebSphere Integration Kit. Version User Guide

Web Access Management Token Translator. Version 2.0. User Guide

Quick Connection Guide

WebEx Connector. Version 2.0. User Guide

Upgrade Utility. Version 7.3. User Guide

.NET Integration Kit. Version User Guide

Quick Connection Guide

Version 7.x. Quick-Start Guide

IWA Integration Kit. Version 3.1. User Guide

SDK Developer s Guide

PingFederate 6.6. Upgrade Utility. User Guide

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

PingFederate Upgrade Utility. User Guide

Google Apps Connector. Version User Guide

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

PingOne. How to Set Up a PingFederate Connection to the PingOne Dock. Quick Start Guides. Version 1.1 December Created by: Ping Identity Support

SDK Developer s Guide

Cloud Access Manager Overview

Partner Center: Secure application model

Dell One Identity Cloud Access Manager 8.0. Overview

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

April Understanding Federated Single Sign-On (SSO) Process

SAP Single Sign-On 2.0 Overview Presentation

PingFederate 6.3. Upgrade Utility. User Guide

SafeNet Authentication Service

Google Apps Connector

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Server 8.3. PingFederate CORS Support

CA SiteMinder. Federation in Your Enterprise 12.51

Warm Up to Identity Protocol Soup

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

CSP PARTNER APPLICATION OVERVIEW Multi-tenant application model

McAfee Cloud Identity Manager

Novell Access Manager 3.1

PingFederate 6. Getting Started

SafeNet Authentication Service

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

SafeNet Authentication Service

SAP Security in a Hybrid World. Kiran Kola

October J. Polycom Cloud Services Portal

SAML-Based SSO Solution

Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

BEST PRACTICES GUIDE MFA INTEGRATION WITH OKTA

SafeNet Authentication Service

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

SafeNet Authentication Client

CA Adapter. CA Adapter Installation Guide for Windows 8.0

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

OpenIAM Identity and Access Manager Technical Architecture Overview

SAML SSO Okta Identity Provider 2

McAfee Cloud Identity Manager

Quick Start Guide for SAML SSO Access

Copyright. Copyright Ping Identity Corporation. All rights reserved. PingAccess Server documentation Version 4.

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

SAML-Based SSO Solution

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

CA SiteMinder Federation

SafeNet Authentication Service

CA CloudMinder. SSO Partnership Federation Guide 1.51

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

Challenges in Authenticationand Identity Management

Oracle Access Manager Configuration Guide

SafeNet Authentication Service

Five9 Plus Adapter for Agent Desktop Toolkit

CA SiteMinder Federation

McAfee Cloud Identity Manager

Release 3.0. Delegated Admin Application Guide

Identity-Enabled Web Services

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Winter Salesforce.com, inc. All rights reserved.

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE

Dell One Identity Cloud Access Manager 7.1.0

Configuring Confluence

SafeNet Authentication Service

Cloud Access Manager Configuration Guide

SafeNet Authentication Service (SAS) SAML Authentication Quick Start Guide

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Summer Salesforce.com, inc. All rights reserved.

CA SiteMinder. Federation Manager Guide: Partnership Federation. r12.5

One Identity Defender 5.9. Product Overview

CA SiteMinder Federation Security Services

McAfee Cloud Identity Manager

McAfee Cloud Identity Manager

Transcription:

SSO Integration Overview

2006-2014 Ping Identity Corporation. All rights reserved. PingFederate SSO Integration Overview Version 7.2 June, 2014 Ping Identity Corporation 1001 17th Street, Suite 100 Denver, CO 80202 U.S.A. Phone: 877.898.2905 (+1 303.468.2882 outside North America) Fax: 303.468.2909 Web Site: www.pingidentity.com Trademarks Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the property of their respective owners. Disclaimer The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Document Lifetime Ping Identity may occasionally update online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to documentation.pingidentity.com for the most current information. From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: June 21, 2014. PingFederate 2 SSO Integration Overview

Contents Integration Introduction... 4 SSO Integration Concepts... 4 Identity Provider Integration... 5 Custom Applications... 6 Identity Management Systems... 6 Authentication Systems... 7 Service Provider Integration... 8 Custom Applications... 8 Server Agents... 9 Identity Management Systems... 9 Commercial Applications... 10 Summary... 10 PingFederate 3 SSO Integration Overview

Integration Introduction As a stand-alone server, PingFederate must be integrated programmatically with end-user applications and identity management (IdM) systems to complete the first- and last-mile implementation of a federated-identity network. The purpose of this document is to provide an overview of the various approaches to integrating systems and applications with PingFederate for browser-based single sign-on (SSO). To enable both the Identity Provider (IdP) and Service Provider (SP) sides of this integration, PingFederate provides commercial integration kits, which include adapters that plug into the PingFederate server and agents that interface with local IdM systems or applications. Tip: Integration kits are available for download at pingidentity.com (pingidentity.com/support-and-downloads). Find User Guides and other documentation for the kits under Product Documentation on the Web site (documentation.pingidentity.com/display/lp/product+documentation). This document covers the integration kits available from Ping Identity for PingFederate. PingFederate also includes a robust software development kit (SDK), which software developers can use to write their own custom interfaces for specific systems. Please refer to the PingFederate SDK Developer's Guide for more information, available in the PingFederate distribution sdk directory. Note: Ping Identity offers separate integration solutions for secure SSO to Software-as-a- Service (SaaS) providers SaaS Connectors, which include automatic user provisioning at the provider site. In addition, for integration with the PingFederate WS-Trust Security Token Service (STS), we provide a range of Token Translators. These plug-in Token Processors (for an IdP) and Generators (for an SP) connect the STS with Web Service Providers and Clients for access to identity-enabled Web Services. For more information about SaaS Connectors and Token Translators, refer to Key Concepts in the PingFederate Administrator s Manual. For lists of available Connectors and Translators, go to Support and Downloads on the Ping Identity Web site (pingidentity.com/support-and-downloads). SSO Integration Concepts For an IdP, the first step in the integration process involves sending identity attributes from an authentication service or application to PingFederate. PingFederate uses those identity attributes to generate a SAML assertion. (For information about SAML Security Assertion Markup Language refer to Supported Standards in Getting Started.) IdP integration typically provides a mechanism through which PingFederate can look up a user s current authenticated session data (for example, a cookie) or authenticate a user without such a session. For an SP, the last step of the integration process involves sending identity attributes from PingFederate to the target application. PingFederate extracts the identity attributes from the incoming SAML assertion and sends them to the target application to set a valid session cookie or other applicationspecific security context for the user. PingFederate 4 SSO Integration Overview

The following diagram illustrates the basic concepts of integration with PingFederate: Identity Provider Integration An IdP is a system entity that authenticates a user, or SAML subject, and transmits referential identity attributes based on that authentication to PingFederate. The IdP integration involves retrieving useridentity attributes from the IdP domain and sending them to the PingFederate server. Typically, the identity attributes are retrieved from an authenticated user session. For IdP integration, a number of attribute-retrieval approaches can be used, depending upon the IdP deployment/implementation environment. Ping Identity offers a broad range of commercial integration kits that address various IdP scenarios, most of which involve either custom-application integration, integration with a commercial IdM product, or integration with an authentication system. Tip: For IdPs implementing SSO to selected Software-as-a-Service (SaaS) providers for example, Google Apps and Salesforce PingFederate also provides for automated user provisioning. See details under Workforce to the Cloud at the Ping Identity Web site. PingFederate 5 SSO Integration Overview

Custom Applications A federation partner can use a custom authentication service or application to serve as the IdP role in that federation partnership. Integration with a custom application is handled through application-level integration kits, which allow software developers to integrate their custom applications with a PingFederate server acting as an IdP. Each application-level integration kit includes an agent, which resides with the IdP application and provides a simple programming interface to transfer session and attribute information from the application to the PingFederate IdP server. Ping Identity provides custom-application integration kits for several programming environments, including: Java.NET PHP In addition, Ping Identity provides an Agentless Integration Kit, which allows developers to use direct HTTP calls to the PingFederate server to temporarily store and retrieve user attributes securely, eliminating the need for an agent interface. Identity Management Systems An IdP enterprise that uses an IdM system can expand the reach of the IdM domain to external partner applications through integration with PingFederate. IdM integration kits typically use the IdM agent PingFederate 6 SSO Integration Overview

API (if available) to access identity attributes in the IdM proprietary session cookie and transmit those attributes to the PingFederate server. IdM integration kits do not require any development; integration with PingFederate is accomplished entirely through the PingFederate administrative console. Ping Identity provides integration kits for many of the leading IdM systems including: Oracle Access Manager (COREid) Authentication Systems Initial user authentication is normally handled outside of the PingFederate server using an authentication application or service. PingFederate authentication-system integration kits leverage this local authentication to access applications outside the security domain. For example, an integration kit might access authenticated sessions that are validated against a Windows NTLM or Integrated Windows Authentication (IWA) environment, and then pass session attributes to the PingFederate IdP server. Authentication integration kits do not require any development; integration with PingFederate is accomplished entirely through the PingFederate administrative console. Ping Identity offers integration kits for authentication systems including: IWA/NTLM X.509 Certificate RSA SecurID Integration Kit VeriSign Identity Protection Integration Kit PingFederate also packages two IdP adapters, an HTML Form Adapter and an HTTP Basic Adapter, which delegate user authentication to plug-in Password Credential Validators. Supplied Validators can use either an LDAP directory, RADIUS server, or a simple username/password verification system maintained by PingFederate. (Customized Validators may also be developed.) When the PingFederate IdP server receives an authentication request for SP-initiated SSO or a user clicks a link for IdP-initiated SSO, PingFederate invokes the implemented adapter and prompts the user for credentials, if the user is not already logged on. PingFederate 7 SSO Integration Overview

Service Provider Integration An SP is the consumer of identity attributes provided by the IdP through a SAML assertion. SP integration involves passing the identity attributes from PingFederate to the target SP application. The SP application uses this information to set a valid session or other security context for the user represented by the identity attributes. Session creation can involve a number of approaches, and as for the IdP, Ping Identity offers commercial integration kits that address the various SP scenarios. Most SP scenarios involve custom-application integration, server-agent integration, integration with an IdM product, or integration with a commercial application. Custom Applications Many applications use their own authentication mechanisms, typically through a database or LDAP repository, and are responsible for their own user-session management. Custom-application integration is necessary when there is limited or no access to the Web or application server hosting the application. Integration with these custom applications is handled through application-level integration kits, which allow software developers to integrate their applications with a PingFederate server acting as an SP. With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the SP application, which can then use them for its own authentication and session management. As for the IdP, application-specific integration kits include an SP agent, which resides with the SP application and provides a simple programming interface to extract the identity attributes sent from the PingFederate server. The information can be used to start a session for the SP application. PingFederate 8 SSO Integration Overview

Ping Identity provides custom-application integration kits for a variety of programming environments, including: Java.NET PHP In addition, Ping Identity provides an Agentless Integration Kit, which allows developers to use direct HTTP calls to the PingFederate server to temporarily store and retrieve user attributes securely, eliminating the need for an agent interface. Server Agents Server-agent integration with PingFederate allows SP enterprises to accept SAML assertions and provide SSO to all applications running on that Web and/or application server; there is no need to integrate each application. Since integration occurs at the server level, ease of deployment and scalability are maximized. Applications running on the Web/application server must delegate authentication to the server; if the application employs its own authentication mechanism, integration must occur at the application level. With server-agent integration kits, PingFederate sends the identity attributes from the SAML assertion to the server agent, which is typically a Web filter or JAAS Login Module. The server agent extracts the identity attributes, which the server then uses to authenticate and create a session for the user. SP server-agent integration kits do not require any development; integration with PingFederate is accomplished entirely through the PingFederate administrative console. Ping Identity provides integration kits for many Web and application servers, including: Internet Information Services (IIS) Apache (Red Hat) Apache (Windows) WebSphere SAP NetWeaver Identity Management Systems IdM integration with PingFederate allows an SP enterprise to accept SAML assertions and provide SSO to applications protected by the IdM domain. IdM integration kits typically use the IdM agent API (if available) to create an IdM proprietary session token based on the identity attributes received from PingFederate. IdM integration kits do not require any development; integration with PingFederate is accomplished through the PingFederate administrative console and the IdM administration tool. PingFederate 9 SSO Integration Overview

Ping Identity provides integration kits for leading IdM systems including: Oracle Access Manager (formerly COREid) Commercial Applications Commercial-application integration with PingFederate allows an SP enterprise to accept SAML assertions and provide SSO to those commercial applications. These integration kits do not require any development; integration with PingFederate is accomplished entirely through the PingFederate administrative console. Ping Identity offers integration kits for these commercial applications: Citrix SharePoint Salesforce.com Note: For PingFederate 5.2 and later versions, the Salesforce.com Integration Kit is called the PingFederate Salesforce Connector. Connectors feature complete user provisioning for SaaS providers, as well as SSO quick-connection templates. Summary The following table summarizes IdP- and SP-integration deployment scenarios and the Ping Identity bundled adapters and integration kits that suit each scenario. Ping Identity continues to develop new bundled adapters (included with PingFederate) and integration kits; check the Ping Identity download site (www.pingidentity.com/support-and-downloads) for the most up-to-date list of kits. Please find User Guides and other documentation for current integration kits under Product Documentation on the Web site (documentation.pingidentity.com/display/lp/product+documentation). Type IdP SP Custom Application Identity Management System (IdM) Java Integration Kit.NET Integration Kit PHP Integration Kit Agentless Integration Kit Web Access Management (WAM) Integration Kit Java Integration Kit.NET Integration Kit PHP Integration Kit Agentless Integration Kit WAM Integration Kit PingFederate 10 SSO Integration Overview

Type IdP SP Authentication System Server Agent Commercial Application Windows IWA/NTLM Integration Kit X.509 Certificate Integration Kit HTML Form Adapter (Bundled with PingFederate) HTTP Basic Adapter (Bundled with PingFederate) RSA SecurID Integration Kit VeriSign Identity Protection Integration Kit Integration Kit for SAP NetWeaver N/A N/A IIS Integration Kit Apache Integration Kit (Red Hat) Apache Integration Kit (Windows) WebSphere Integration Kit Integration Kit for SAP NetWeaver Salesforce Connector Citrix Integration Kit SharePoint Integration Kit PingFederate 11 SSO Integration Overview

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback