Learn about upcoming product features from Ping Identity product management, view demonstrations of new functionality direct from the engineering team, and participate in a lively discussion about the latest technology advancements and their business applications.
Copyright ©2012 Ping Identity Corporation. All rights reserved.
PingFederate 7 ChalkTalk Demo
Craig Wu
July 8, 2013
Craig Wu
• Director, Product Development
• With Ping Identity since Feb 2007
• Started with Integration Kits
• PF STS integration
• PingFederate Fall 2009, PF 6.2 – 6.10
• 2013 - Expand Ping Product Portfolio
PingFederate Engineering Team January 2013
Denver, CO - Vancouver, BC - American Fork, UT Halifax, Nova Scotia - Moscow, Russia - Dublin, Ireland
[PINGFEDERATE 7]
[Features]
PingFederate 7 Highlights
• SCIM
– Outbound
– Inbound
• OpenID Connect
– Provider (OP)
• Password Management
• Adaptive Federation
– Selector Trees
– New selectors
• Localization
Administration Console Enhancements
Admin UI Refresh
• Usability improvements
– Friendlier form fields
– Simpler presentation
• Customer requested improvements:
– Visual cues for cluster replication
– Configurable console title
– Configurable session timeout
SCIM Provisioning – Why?
• Federation introduces a strong desire to solve user provisioning the right way.
• Accounts need to be synchronized across organizations to enable SSO.
• Today's provisioning approaches:
– Manual
– Just-In-Time Provisioning
– Automated – based on a proprietary protocol
SCIM Provisioning – Why? (cont'd)
• Manual
– Pros: No additional configuration. Simple when only a handful of users to a single app are involved.
– Cons: Doesn't scale. Tedious for administrators. Error prone.
• Just-In-Time
– Pros: Single protocol for both SSO and Provisioning.
– Cons: Doesn't handle the de-provisioning use case.
• Automated (proprietary)
– Pros: Covers both provisioning and de-provisioning.
– Cons: Implemented differently for every partner.
SCIM (System for Cross-domain Identity Management) offers simple, standards-based automated provisioning.
SCIM – Outbound Provisioning (formerly SaaS Provisioning)
IdP Features
• User provisioning & de-provisioning to partners supporting SCIM 1.1
• Synchronize local corporate directory accounts with SCIM supporting partners
• Monitors directory for user account changes:
– Create
– Update
– Membership Update
– Delete / Disable
[Diagram: the Identity Provider monitors its Identity Store and sends SCIM Create / Update / Delete requests to the SaaS Provider's Identity Store]
SCIM – Inbound Provisioning
SP Features
• Enables Service Providers with a standard SCIM protocol runtime
• Handle inbound user provisioning requests
• Commit operations to a local identity store (Active Directory)
• SCIM 1.1
– JSON
– HTTP Basic and TLS Client Authentication
[Diagram: the Identity Provider sends SCIM requests to the SaaS Provider, which commits them to its local Identity Store]
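The two SCIM slides above describe one end-to-end flow: the IdP side watches its directory for Create / Update / Membership Update / Delete-Disable events, and the SP side accepts the resulting SCIM 1.1 JSON requests over HTTP Basic and commits them to a local store. The block below is an added example that is not PingFederate or Ping Identity code; it shows both halves against an in-memory store. The user records, group names, credentials and `/Users` path layout are constructed for the example, and the SP side is a plain Python object rather than an HTTP server.

```python
# Added example (not PingFederate or Ping Identity code): an outbound change detector that turns
# directory snapshot differences into SCIM 1.1 operations, and an inbound endpoint that checks
# HTTP Basic credentials and commits those operations to an in-memory identity store.
# The users, group names, credentials and path layout below are constructed for the example.
import base64
import hmac
import json
from typing import Dict, List, Tuple

SCIM_CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core User schema URN

# Constructed directory snapshots, keyed by userName.
BEFORE = {
    "alice": {"userName": "alice", "displayName": "Alice A", "groups": ["sales"], "active": True},
    "bob":   {"userName": "bob",   "displayName": "Bob B",   "groups": ["eng"],   "active": True},
    "carol": {"userName": "carol", "displayName": "Carol C", "groups": ["eng"],   "active": True},
    "erin":  {"userName": "erin",  "displayName": "Erin E",  "groups": ["ops"],   "active": True},
}
AFTER = {
    "alice": {"userName": "alice", "displayName": "Alice Anders", "groups": ["sales"], "active": True},
    "bob":   {"userName": "bob",   "displayName": "Bob B",   "groups": ["eng", "ops"], "active": True},
    "carol": {"userName": "carol", "displayName": "Carol C", "groups": ["eng"],   "active": False},
    "dave":  {"userName": "dave",  "displayName": "Dave D",  "groups": ["ops"],   "active": True},
}

def scim_user(rec: dict) -> dict:
    """Render a directory record as a SCIM 1.1 core User resource."""
    return {"schemas": [SCIM_CORE], "userName": rec["userName"], "displayName": rec["displayName"],
            "active": rec["active"], "groups": [{"display": g} for g in rec["groups"]]}

def detect_changes(before: dict, after: dict) -> List[Tuple[str, str, dict]]:
    """Diff two snapshots into (operation, userName, payload) triples: the Create, Update,
    Membership Update and Delete / Disable events an IdP-side monitor would emit."""
    ops = []
    for name, rec in after.items():
        old = before.get(name)
        if old is None:
            ops.append(("create", name, scim_user(rec)))
        elif old["active"] and not rec["active"]:
            ops.append(("disable", name, {"schemas": [SCIM_CORE], "active": False}))
        elif old != rec:
            only_groups_differ = ({k: v for k, v in old.items() if k != "groups"} ==
                                  {k: v for k, v in rec.items() if k != "groups"})
            if only_groups_differ:
                ops.append(("membership", name, {"schemas": [SCIM_CORE], "groups": scim_user(rec)["groups"]}))
            else:
                ops.append(("update", name, scim_user(rec)))
    for name in before:
        if name not in after:
            ops.append(("delete", name, {}))
    return ops

def basic_auth_header(username: str, password: str) -> Dict[str, str]:
    return {"Authorization": "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()}

class InboundScimEndpoint:
    """Minimal SP-side SCIM 1.1 runtime: authenticate the caller, then commit to a local store."""
    def __init__(self, username: str, password: str):
        self._expected = basic_auth_header(username, password)["Authorization"]
        self.store: Dict[str, dict] = {}

    def _authorized(self, headers: Dict[str, str]) -> bool:
        # Constant-time comparison so the credential check does not leak through timing.
        return hmac.compare_digest(headers.get("Authorization", ""), self._expected)

    def handle(self, method: str, path: str, headers: Dict[str, str], body: str) -> Tuple[int, dict]:
        if not self._authorized(headers):
            return 401, {"Errors": [{"description": "Unauthorized", "code": "401"}]}
        parts = path.strip("/").split("/")            # /Users or /Users/<userName>
        if parts[0] != "Users":
            return 404, {}
        if method == "POST" and len(parts) == 1:
            user = json.loads(body)
            if SCIM_CORE not in user.get("schemas", []) or "userName" not in user:
                return 400, {"Errors": [{"description": "Invalid User resource", "code": "400"}]}
            self.store[user["userName"]] = user
            return 201, user                          # SCIM 1.1 echoes the created resource
        if len(parts) != 2 or parts[1] not in self.store:
            return 404, {}
        if method == "PATCH":                         # partial update: merge the sent attributes
            patch = json.loads(body)
            self.store[parts[1]].update({k: v for k, v in patch.items() if k != "schemas"})
            return 200, self.store[parts[1]]
        if method == "DELETE":
            del self.store[parts[1]]
            return 200, {}                            # SCIM 1.1 answers DELETE with 200 OK
        return 405, {}

def replicate(ops, endpoint, headers) -> List[Tuple[str, str, int]]:
    """Send each detected operation to the SP endpoint and record the HTTP status."""
    results = []
    for kind, name, payload in ops:
        if kind == "create":
            status, _ = endpoint.handle("POST", "/Users", headers, json.dumps(payload))
        elif kind == "delete":
            status, _ = endpoint.handle("DELETE", f"/Users/{name}", headers, "")
        else:
            status, _ = endpoint.handle("PATCH", f"/Users/{name}", headers, json.dumps(payload))
        results.append((kind, name, status))
    return results

def run_demo():
    endpoint = InboundScimEndpoint("pf-provisioner", "constructed-secret")
    good = basic_auth_header("pf-provisioner", "constructed-secret")
    replicate(detect_changes({}, BEFORE), endpoint, good)         # initial full sync
    results = replicate(detect_changes(BEFORE, AFTER), endpoint, good)
    denied, _ = endpoint.handle("DELETE", "/Users/alice", basic_auth_header("pf-provisioner", "wrong"), "")
    return results, denied, endpoint.store
```

`run_demo()` seeds the SP store with the first snapshot, then replays the diff; the call with a wrong password shows that the SP refuses every operation, including deletes, before touching the store.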
SCIM Provisioning Interop @ CIS 2013
• Technology Nexus
• Cisco
• Ping Identity
• SailPoint
• Salesforce
• UnboundID
• WSO2
OpenID Connect
?
OpenID Connect - Next Gen SSO
SAML
• Separate protocols for SSO and API security
• Built on top of XML standards
• Profiles and bindings with lots of flexibility
• Manual trust bootstrapping & certificate management
OpenID Connect
• SSO and API security in one
• REST-based interactions ideal for mobile
• Fewer, more focused profiles
• Auto client registration and key management
OpenID Connect
Features
• OpenID Connect Provider (IdP)
• Leverages built-in OAuth AS for API security
• User Info Endpoint serves as a REST-based directory service for identity data
• Proxy SAML IdP Connections via OIC
Benefits
• Consistent framework for identity enabling both Web and Mobile applications
• Lighter weight, simpler standard for Relying Parties to adopt compared to SAML
[Diagram: the Identity Provider serves Mobile Apps and Web Apps with identity (ID) and API access]
OpenID Connect – OAuth Playground 3.0
Features
• Interactive utility for developers exploring OpenID Connect and OAuth
• Includes source code
– JSON Web Token library for ID Token validation (jose4j)
Supported Profiles
– Basic - mobile and traditional web apps
– Implicit - in-browser (JavaScript) apps
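The Playground slide points at a JWT library (jose4j) for ID Token validation. To make visible what that validation actually consists of, the block below is an added example, not jose4j or PingFederate code: it writes the Relying Party checks out by hand (pinned algorithm, signature before any claim, issuer, audience and `azp`, expiry, nonce). It uses HS256 keyed with the client secret so it runs on the standard library alone; the issuer, client id, client secret and nonce values are constructed.

```python
# Added example (not jose4j or PingFederate code): the checks a Relying Party applies to an
# OpenID Connect ID Token, written out by hand so each step is visible. HS256 keyed with the
# client secret is used so the block runs with the standard library only; the issuer, client_id,
# client secret and nonce values are constructed.
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, client_secret: str) -> str:
    """Mint an HS256 ID Token the way an OP does for a confidential client (test oracle only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

class IdTokenError(ValueError):
    """Raised for any failed validation step; the RP must not establish a session."""

def validate_id_token(token: str, client_secret: str, issuer: str, client_id: str,
                      expected_nonce: str, now: float = None) -> dict:
    """Return the claims if every check passes, otherwise raise IdTokenError.
    Order matters: the signature is verified before any claim in the payload is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # pin the algorithm; never accept "none" or an unexpected alg
        raise IdTokenError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise IdTokenError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in aud:
        raise IdTokenError("token not intended for this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp missing or wrong for multi-audience token")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise IdTokenError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch (possible replay)")
    return claims

# Constructed values for the demonstration.
ISSUER = "https://idp.example.test"
CLIENT_ID = "playground-client"
CLIENT_SECRET = "constructed-client-secret"
NONCE = "n-0S6_WzA2Mj"

def demo(now: float = 1_700_000_000.0) -> dict:
    """Validate a good token, then show which check rejects each bad variant."""
    claims = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID, "exp": now + 300,
              "iat": now, "nonce": NONCE}
    token = sign_id_token(claims, CLIENT_SECRET)
    outcome = {"valid_sub": validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE, now)["sub"]}
    # Altered subject with the original signature: the payload changed, so the MAC no longer matches.
    h, _, s = token.split(".")
    altered = f"{h}.{b64url_encode(json.dumps(dict(claims, sub='someone-else')).encode())}.{s}"
    cases = {
        "tampered": (altered, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE, now),
        "wrong_nonce": (token, CLIENT_SECRET, ISSUER, CLIENT_ID, "other-nonce", now),
        "expired": (token, CLIENT_SECRET, ISSUER, CLIENT_ID, NONCE, now + 600),
        "wrong_issuer": (token, CLIENT_SECRET, "https://other-idp.example.test", CLIENT_ID, NONCE, now),
    }
    for label, args in cases.items():
        try:
            validate_id_token(*args)
            outcome[label] = "accepted"
        except IdTokenError as exc:
            outcome[label] = str(exc)
    return outcome
```

With an RS256-signed token from a real OP the only change is the signature step (a public key fetched from the OP's JWKS instead of the shared secret); the claim checks are the same, which is why pinning `alg` matters before the key is even chosen.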
Adaptive Federation Enhancements
Features
• Decision Trees to define complex Authn Method policies
• Additional criteria:
– HTTP Headers (e.g. User-Agent)
– SP Connection
– Node Index
– OAuth Scope
• Prioritized default selection
Example Use Case
• IWA on/off network with supported browser
• Partner applications with varied authn req's
[Diagram: Authn Policy decision tree. Inside the Firewall? yes: Browser speaks IWA? yes: Kerberos (Active Directory), no: HTML Form. Inside the Firewall? no: HTML Form. The selected authn method completes SSO to the SaaS App]
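The selector tree on this slide is a small decision tree: each node asks one question of the incoming request (network location, User-Agent header, SP connection) and the leaf names the authentication method, with a prioritized default for anything unmatched. The block below is an added example that is not PingFederate's selector implementation; it builds that tree in Python and evaluates it over a request context. The corporate network ranges, the connection id `intranet-saas`, the Windows User-Agent test for "browser speaks IWA" and the adapter labels are constructed assumptions.

```python
# Added example (not PingFederate's selector implementation): an authentication selector tree
# shaped like the slide's use case, evaluated over a request context. The corporate network
# ranges, connection ids, User-Agent test and adapter labels are constructed assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Union

KERBEROS = "Kerberos (Active Directory)"   # adapter labels taken from the slide
HTML_FORM = "HTML Form"

# Constructed: address ranges that count as "inside the firewall".
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.10.0/24")]
# Constructed: a browser is assumed IWA-capable when its User-Agent identifies a Windows client.
IWA_CAPABLE_MARKER = "Windows NT"

@dataclass
class RequestContext:
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)
    sp_connection: str = ""

# Each selector maps a request context to a branch label for the tree to follow.
def inside_firewall(ctx: RequestContext) -> str:
    try:
        addr = ipaddress.ip_address(ctx.client_ip)
    except ValueError:
        return "no"                      # an unparsable address is treated as outside, never inside
    return "yes" if any(addr in net for net in CORP_NETWORKS) else "no"

def browser_speaks_iwa(ctx: RequestContext) -> str:
    return "yes" if IWA_CAPABLE_MARKER in ctx.headers.get("User-Agent", "") else "no"

def connection_selector(ctx: RequestContext) -> str:
    return ctx.sp_connection

@dataclass
class Node:
    selector: Callable[[RequestContext], str]
    branches: Dict[str, Union["Node", str]]
    default: Optional[Union["Node", str]] = None   # prioritized default when no branch matches

def evaluate(node: Node, ctx: RequestContext) -> Optional[str]:
    """Walk the tree from the root until a leaf (adapter label) or a dead end (None) is reached."""
    current: Optional[Union[Node, str]] = node
    while isinstance(current, Node):
        current = current.branches.get(current.selector(ctx), current.default)
    return current

# Root: the SP connection picks the policy subtree; connections not listed fall to the default.
POLICY = Node(connection_selector, {
    "intranet-saas": Node(inside_firewall, {
        "yes": Node(browser_speaks_iwa, {"yes": KERBEROS, "no": HTML_FORM}),
        "no": HTML_FORM,
    }),
}, default=HTML_FORM)

def select_authn(client_ip: str, user_agent: str, sp_connection: str) -> Optional[str]:
    return evaluate(POLICY, RequestContext(client_ip, {"User-Agent": user_agent}, sp_connection))
```

Because the tree is data rather than nested `if` statements, adding the other criteria from the slide (node index, OAuth scope) means writing one more selector function and one more `Node`, and the prioritized default on every node guarantees the walk always ends at a configured adapter rather than an unhandled case.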
Password Management
Features
• LDAP password management features for end users:
– Forced Password Update (at login)
– User Initiated Change Password
Example Use Case
• Medium sized Enterprise with Remote Users always off the domain
[Diagram: the user authenticates against the Directory, with an Update Password step]
[DEMO]
[PingFederate 7]
Demo
• Provision user to AD using SCIM
• Password Management
– HTML Form Adapter
• Adaptive Federation Enhancements
– Selector Trees
– HTTP Header Selector
– Connection Selector
• Token Authorization
– Control when tokens are issued during attribute fulfillment
• Localization
• OpenID Connect Basic Client Profile
Q & A