Capabilities and Use Cases
A Ping Identity ebook
Version 1.0a
October, 2009
Introduction - About this eBook
PingFederate Overview
[Figure: the three Internet Identity use cases, drawn between "Your Organization" and "Your Suppliers, Customers, Service Providers ..."]

Internet User Account Management: User accounts at Internet applications are automatically created, updated and deleted throughout the user's life cycle within the organization.

Universal Token Translation: Applications in different security domains need to translate security tokens in order to share user identity information. This capability is often used in conjunction with Web services.
PingFederate provides three types of Internet Identity use cases: Internet Single Sign On
(SSO), Internet User Account Management and Universal Security Token Translation.
PingFederate incorporates the core functionality necessary to implement Internet SSO, Identity-enabled Web Services and Internet User Account Management into a single server and a single administrative console.

[Figure: PingFederate architecture. One server and console with four component families: Integration Kits, Security Token Translators, SaaS Connectors and PingFederate Express.]

Standards supported now: SAML 1.0, SAML 1.1, SAML 2.0, WS-Federation, OpenID, OAuth, WS-Trust, SOAP/WSS, LDAP, JDBC.

Roadmap: Facebook Connect, Information Cards, REST, SPML, XACML.
Ping Identityʼs strategy for PingFederate is to provide support for all relevant Internet identity management standards that our
customers expect to deploy, whether they be de jure or de facto. Items in the Roadmap row are in our intermediate term product
plan, but have not yet been prioritized for development. We are always interested in speaking with any customers or prospects
interested in deploying roadmap functionality. If you are such a person, please send an email to our product management team
at marketing@pingidentity.com.
Ping Identity offers a wide variety of Integration Kits that provide “first mile” integration at the Identity Provider.

PingFederate and its Citrix Integration Kit turn Citrix XenApp into a SAML Service Provider, making virtualized applications available to external users. This architecture is especially popular with service providers that need to provide external access to legacy applications.
Internet User Account Management

[Figure: the organization's Enterprise Directory and the User Directory at each external application, with PingFederate keeping them in step]

Service providers such as SaaS vendors often have their own user account directories that are beyond the reach and control of enterprise provisioning solutions. Those directories must be populated and managed before users can use those external applications. PingFederate offers two approaches to Internet user account management:

• Express Provisioning is a Service Provider-side solution that uses the attributes in incoming SAML assertions to create and update user accounts.

• SaaS Provisioning is an Identity Provider-side solution that integrates a corporate directory with a SaaS providerʼs provisioning API to automatically create, update and delete user accounts in the Service Providerʼs directory for a selected set of users.
                                        Express Provisioning                        SaaS Provisioning
Other Party Requirement                 IdP must have a SAML-based Internet SSO     Service Provider must have a
                                        solution                                    provisioning API
Target Directory/Interface Supported    LDAP, JDBC                                  Google Apps, Salesforce
Endpoint Enablement

Under the PingFederate Endpoint Program, organizations seeking to expedite the creation of Internet Identity connections can purchase PingFederate and PingFederate Express licenses for their partners. Two products are available under the Endpoint program to support different use cases: PingFederate Express and PingFederate licensed for a single connection.
Universal Token Translation

The concept of Universal Token Translation and Security Token Services (STSs) originated with Web Services. The lack of a standard method for communicating user identities hindered early Web Services applications from gaining widespread business acceptance. Standards such as WS-Security and WS-Trust emerged in the SOAP world that enable Web Services to share user identities, but initially they were complex and difficult to implement.

PingFederate provides a key component required to identity-enable Web Services: a WS-Trust Security Token Service (STS). On the Web service client side, which can be a Web application or a rich desktop application, the STS converts whatever security token is used locally into a standard SAML security token containing the user's identity that is shared with the Web Services provider. On the Web Service provider side, the STS validates security tokens and can generate a new local token for consumption by other applications.

As organizations rolled out their initial STS-based Web Services deployments, two additional STS use cases have emerged.

First, while WS-Trust envisions token processing as occurring in two phases, at the Web service client and at the provider, the underlying STS has no such restriction. As a result, larger organizations with multiple security domains have recognized the value of the STS as a “universal token translator” that can convert any type of security token into any other type of security token - even if there are no Web services being used.

Second, even though they were “born” in the world of SOAP, security experts have realized that the concept of embedded tokens and STSs could play a key role in securing REST-style Web Services as well.
By making two calls to the PingFederate STS, it is possible for a program to convert virtually any security token into an equivalent token of another type.

[Figure: a Service Client and a Service Provider, each with its own Local Security Token and its own PingFederate STS, linked by the SOAP Message that carries the SAML assertion]

In this scenario, PingFederate can play a role at the IdP, SP or both. On the IdP side, the application acting as the client for the Identity-enabled Web Service uses the PingFederate STS to generate a portable, extensible and secure SAML assertion from the userʼs local security token. It incorporates the SAML assertion into the header of the SOAP message it sends to the Web service provider.
AmberPointʼs WS-Trust client has been certified for use with the PingFederate STS.
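The two-call flow above, worked as an added example in Go; this is not PingFederate's or AmberPoint's code. Two minimal STSs, one in the client's security domain and one in the provider's, each hold a key for every token type they can validate or issue, so any type one of them knows converts into any other type it knows. The WS-Trust Issue RequestType URI and the SAML 2.0 token-type URI are the real identifiers; the two local token types (`urn:example:...`), the HMAC that stands in for XML Signature, the keys and the subject `alice` are all constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/xml"
	"fmt"
	"strings"
)

// Real identifiers: the WS-Trust 1.3 Issue RequestType and the WS-Security SAML
// Token Profile identifier for SAML 2.0. The two local token types are hypothetical.
const (
	rtIssue     = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"
	ttSAML2     = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
	ttClientApp = "urn:example:client-session-cookie"
	ttProvider  = "urn:example:provider-ticket"
)

// Constructed keys, one per domain; only the SAML key crosses the federation boundary.
var clientKey, samlKey, ticketKey = []byte("client-domain-key"), []byte("federation-key"), []byte("provider-domain-key")

// Token is a security token as carried in WS-Trust; RST is what an Issue request
// needs: the type wanted back and the token presented (OnBehalfOf/ActAs in the real message).
type Token struct{ Type, Value string }
type RST struct {
	RequestType, TokenType string
	Input                  Token
}

// STS holds the key for every token type it can validate or issue. Any input type
// it knows converts into any output type it knows: a "universal token translator".
type STS struct{ keys map[string][]byte }

func (s *STS) Issue(r RST) (Token, error) {
	inKey, outKey := s.keys[r.Input.Type], s.keys[r.TokenType]
	if r.RequestType != rtIssue || inKey == nil || outKey == nil {
		return Token{}, fmt.Errorf("cannot translate %s into %s", r.Input.Type, r.TokenType)
	}
	subject, err := validate(r.Input.Type, inKey, r.Input.Value)
	if err != nil {
		return Token{}, fmt.Errorf("input token rejected: %w", err)
	}
	return Token{r.TokenType, issue(r.TokenType, outKey, subject)}, nil
}

// mac stands in for a real signature so the example runs offline.
func mac(key []byte, data string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return fmt.Sprintf("%x", m.Sum(nil))
}

// SAML-shaped assertion; its Signature element carries the MAC over the NameID.
type assertion struct {
	XMLName xml.Name `xml:"Assertion"`
	NameID  string   `xml:"Subject>NameID"`
	Sig     string   `xml:"Signature"`
}

// issue and validate implement the two constructed formats: the XML assertion
// above for SAML and a cookie-style "subject.mac" string for the local types.
func issue(tt string, key []byte, sub string) string {
	if tt == ttSAML2 {
		b, _ := xml.Marshal(assertion{NameID: sub, Sig: mac(key, sub)})
		return string(b)
	}
	return sub + "." + mac(key, sub)
}

func validate(tt string, key []byte, t string) (string, error) {
	sub, sig, _ := strings.Cut(t, ".") // cookie form; replaced below for SAML input
	if tt == ttSAML2 {
		var a assertion
		if err := xml.Unmarshal([]byte(t), &a); err != nil {
			return "", err
		}
		sub, sig = a.NameID, a.Sig
	}
	if !hmac.Equal([]byte(sig), []byte(mac(key, sub))) {
		return "", fmt.Errorf("%s token signature invalid", tt)
	}
	return sub, nil
}

func federation() (client, provider *STS) {
	return &STS{map[string][]byte{ttClientApp: clientKey, ttSAML2: samlKey}},
		&STS{map[string][]byte{ttSAML2: samlKey, ttProvider: ticketKey}}
}

// translate is the two-call flow: call 1 at the client turns the local token into a
// SAML assertion for the SOAP header; call 2 at the provider validates it and issues the provider's own token.
func translate(client, provider *STS, local Token) (Token, error) {
	assn, err := client.Issue(RST{rtIssue, ttSAML2, local})
	if err != nil {
		return Token{}, err
	}
	return provider.Issue(RST{rtIssue, ttProvider, assn})
}

func main() {
	client, provider := federation()
	fmt.Println(translate(client, provider, Token{ttClientApp, issue(ttClientApp, clientKey, "alice")}))
}
```

Call 1 validates the client's local token and issues the assertion that would travel in the SOAP header; call 2 validates that assertion under the shared federation key and issues the provider's own token. That is why a forged assertion is refused at call 2, and why the provider STS, holding no client-domain key, cannot be asked for a client-domain token. In a real deployment the assertion carries an XML Signature made with the IdP's key, and call 2's check is the certificate validation described under Advanced Capabilities.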
Advanced Capabilities
During SSO Transactions
• IdP includes its signing certificate in each SAML assertion it sends to the SP
• SP matches the Subject DN and the CA issuer against the values received at connection setup
• SP validates the digital signature using the digital certificate included in the SAML assertion

When IdP Certificate Expires
• When the IdPʼs certificate is about to expire, it can renew and start using the new certificate to sign messages
• As long as the IdP uses a new certificate with the same Subject DN and CA issuer, the SAML connection keeps working
PingFederate 6.1 includes a new “anchored” trust model option that can eliminate annual partner certificate exchanges.
Used by default with PingFederate Express connections, the new anchored trust model can optionally be used wherever
PingFederate processes digital signatures.
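The SP-side check from the table above, as an added example in Go that is not PingFederate's own code. It builds a constructed partner CA, records the Subject DN and issuer of the IdP's first certificate as the pinned values, and then replays the cases in the table. One step the table states only implicitly is that the certificate carried in the assertion must chain to the pinned CA before its names are compared; matching DN strings alone would accept a self-signed certificate minted with the same DN, which the `self-signed, same DN` case shows. The CA and IdP names, the keys and the assertion bytes are all constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// pins is what the SP records at connection setup under the anchored model: the
// partner CA that anchors trust, plus the Subject DN and issuer DN of the IdP's certificate.
type pins struct {
	anchor          *x509.Certificate
	subject, issuer string
}

// verifyAnchored is the SP-side check for one signed assertion. The signing certificate
// travels with the assertion (leafDER); it must chain to the pinned CA (which also
// enforces NotBefore/NotAfter), carry the pinned Subject DN and issuer, and only then
// is its key used to check the signature over the assertion bytes.
func verifyAnchored(p pins, assertion, sig, leafDER []byte) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return fmt.Errorf("certificate in assertion unparsable: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(p.anchor)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate does not chain to pinned CA: %w", err)
	}
	if leaf.Subject.String() != p.subject || leaf.Issuer.String() != p.issuer {
		return fmt.Errorf("subject %q / issuer %q do not match pinned values", leaf.Subject, leaf.Issuer)
	}
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, assertion, sig); err != nil {
		return fmt.Errorf("assertion signature invalid: %w", err)
	}
	return nil
}

// Constructed test bed (errors ignored for brevity): a partner CA, the IdP certificates it issues, and ECDSA signatures.
func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return k
}

// issue signs a certificate for pub; with parent == nil it is self-signed.
func issue(subj pkix.Name, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey, usage x509.KeyUsage, notAfter time.Time) *x509.Certificate {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{SerialNumber: serial, Subject: subj, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter,
		BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0, KeyUsage: usage}
	if parent == nil {
		parent = t
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c
}

func sign(key *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:])
	return sig
}

// runScenarios pins the IdP's first certificate and replays the cases from the
// table: a renewed certificate is accepted, everything else is rejected.
func runScenarios() map[string]bool {
	assertion := []byte(`<saml:Assertion ID="_1">constructed</saml:Assertion>`)
	const leaf, caUse = x509.KeyUsageDigitalSignature, x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	caKey := newKey()
	ca := issue(pkix.Name{CommonName: "Example Partner CA"}, &caKey.PublicKey, nil, caKey, caUse, time.Now().AddDate(10, 0, 0))
	idp := pkix.Name{CommonName: "idp.example.com", Organization: []string{"Example Corp"}}
	year := time.Now().AddDate(1, 0, 0)
	k1, k2, k3, k4, k5 := newKey(), newKey(), newKey(), newKey(), newKey()
	c1 := issue(idp, &k1.PublicKey, ca, caKey, leaf, year)
	p := pins{ca, c1.Subject.String(), c1.Issuer.String()} // recorded at connection setup
	c2 := issue(idp, &k2.PublicKey, ca, caKey, leaf, year)                                                // renewal: new key, same DN and CA
	c3 := issue(idp, &k3.PublicKey, nil, k3, leaf, year)                                                  // self-signed look-alike, same DN
	c4 := issue(pkix.Name{CommonName: "other.example.com"}, &k4.PublicKey, ca, caKey, leaf, year)         // pinned CA, different DN
	c5 := issue(idp, &k5.PublicKey, ca, caKey, leaf, time.Now().Add(-time.Minute))                        // expired
	ok := func(k *ecdsa.PrivateKey, c *x509.Certificate) bool {
		return verifyAnchored(p, assertion, sign(k, assertion), c.Raw) == nil
	}
	return map[string]bool{
		"original certificate":            ok(k1, c1),
		"renewed certificate, same DN/CA": ok(k2, c2),
		"self-signed, same DN":            ok(k3, c3),
		"pinned CA, different DN":         ok(k4, c4),
		"expired certificate":             ok(k5, c5),
		"renewed certificate, old key":    verifyAnchored(p, assertion, sign(k1, assertion), c2.Raw) == nil,
	}
}

func main() { fmt.Println(runScenarios()) }
```

The renewed certificate (new key, same DN, same CA) is accepted, which is the point of the anchored model: no new certificate has to be exchanged with the partner when the old one expires. A certificate from the pinned CA for another DN, an expired certificate, a self-signed look-alike, and a renewed certificate presented together with a signature made by the old key are all rejected.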