Copyright ©2012 Ping Identity Corporation. All rights reserved.

PingFederate 7 ChalkTalk Demo

Craig Wu

July 8, 2013

CIS 2013 Ping Identity Chalktalk


DESCRIPTION

Learn about upcoming product features from Ping Identity product management, view demonstrations of new functionality direct from the engineering team, and participate in a lively discussion about the latest technology advancements and their business applications.




Craig Wu

• Director, Product Development

• With Ping Identity since Feb 2007

• Started with Integration Kits

• PF STS integration

• PingFederate Fall 2009, PF 6.2 – 6.10

• 2013 - Expand Ping Product Portfolio


PingFederate Engineering Team January 2013

Denver, CO - Vancouver, BC - American Fork, UT - Halifax, Nova Scotia - Moscow, Russia - Dublin, Ireland


[PINGFEDERATE 7]

[Features]


PingFederate 7 Highlights

• SCIM

– Outbound

– Inbound

• OpenID Connect

– Provider (OP)

• Password Management

• Adaptive Federation

– Selector Trees

– New selectors

• Localization


Administration Console Enhancements

Admin UI Refresh

• Usability improvements

– Friendlier form fields

– Simpler presentation

• Customer requested improvements:

– Visual cues for cluster replication

– Configurable console title

– Configurable session timeout


SCIM Provisioning – Why?

• Federation introduces a strong desire to solve user provisioning the right way.

• Accounts need to be synchronized across organizations to enable SSO.

• Today's provisioning approaches:

– Manual

– Just-In-Time Provisioning

– Automated – based on a proprietary protocol


SCIM Provisioning – Why? (cont'd)

Manual

– Pros: No additional configuration. Simple when only a handful of users to a single app are involved.

– Cons: Doesn't scale. Tedious for administrators. Error prone.

Just-In-Time

– Pros: Single protocol for both SSO and Provisioning.

– Cons: Doesn't handle the de-provisioning use case.

Automated (proprietary)

– Pros: Covers both provisioning and de-provisioning.

– Cons: Implemented differently for every partner.

SCIM (System for Cross-domain Identity Management) offers simple, standards-based automated provisioning.


SCIM – Outbound Provisioning (formerly SaaS Provisioning)

IdP Features

• User provisioning & de-provisioning to partners supporting SCIM 1.1

• Synchronize local corporate directory accounts with SCIM supporting partners

• Monitors directory for user account changes:

– Create

– Update

– Membership Update

– Delete / Disable

[Diagram: the Identity Provider watches its Identity Store for changes (Create? Update? Delete?) and pushes them over SCIM to the SaaS Provider's Identity Store]


SCIM – Inbound Provisioning

SP Features

• Enables Service Providers with a standard SCIM protocol runtime

• Handle inbound user provisioning requests

• Commit operations to a local identity store (Active Directory)

• SCIM 1.1

– JSON

– HTTP Basic and TLS Client Authentication

[Diagram: the Identity Provider sends SCIM requests to the SaaS Provider, which commits them to its local Identity Store]
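The outbound and inbound SCIM slides describe the two ends of the same exchange: the IdP pushes Create / Update / Delete (or Disable) operations as SCIM 1.1 JSON over HTTP, and the SP authenticates the caller and commits each operation to its local store. The following is an added example, not PingFederate code, of the SP side of that exchange: a minimal SCIM 1.1 runtime that checks HTTP Basic credentials (one of the two authentication options on the slide), validates the core User schema, and applies the operation to an in-memory stand-in for the identity store. The client credentials, the `basic_auth_header` helper and the `IdentityStore` class are constructed for the example.

```python
import base64
import hmac
import json
import uuid

# Constructed credentials for the provisioning client (the IdP); a real SP would
# take these from its inbound-provisioning configuration.
SCIM_CLIENT_USER = "idp-client"
SCIM_CLIENT_PASSWORD = "example-secret"
SCIM_CORE_SCHEMA = "urn:scim:schemas:core:1.0"


class ScimError(Exception):
    """Carries the HTTP status and description for a SCIM 1.1 error response."""

    def __init__(self, status, detail):
        super().__init__(detail)
        self.status, self.detail = status, detail


def basic_auth_header(user, password):
    """Authorization header a SCIM client sends when using HTTP Basic auth."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}


def check_basic_auth(headers):
    """Accept only the configured client; constant-time comparison so timing
    does not reveal which part of the credential was wrong."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(value[6:], validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return False
    user, sep, password = decoded.partition(":")
    user_ok = hmac.compare_digest(user.encode(), SCIM_CLIENT_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), SCIM_CLIENT_PASSWORD.encode())
    return bool(sep) and user_ok and pass_ok


def parse_user(body):
    """Validate a SCIM 1.1 core User; only attributes the store handles survive."""
    try:
        user = json.loads(body)
    except ValueError:
        raise ScimError(400, "malformed JSON")
    if not isinstance(user, dict):
        raise ScimError(400, "User must be a JSON object")
    schemas = user.get("schemas")
    if not isinstance(schemas, list) or SCIM_CORE_SCHEMA not in schemas:
        raise ScimError(400, "schemas must include " + SCIM_CORE_SCHEMA)
    username = user.get("userName")
    if not isinstance(username, str) or not username.strip():
        raise ScimError(400, "userName is required")
    # active=False is the "Disable" case from the outbound slide: keep the account, block sign-in
    return {"userName": username.strip(), "active": bool(user.get("active", True))}


class IdentityStore:
    """In-memory stand-in for the local identity store (Active Directory on the slide)."""

    def __init__(self):
        self.users = {}  # id -> user resource

    def create(self, user):
        if any(u["userName"] == user["userName"] for u in self.users.values()):
            raise ScimError(409, "userName already exists")
        uid = str(uuid.uuid4())
        self.users[uid] = dict(user, id=uid)
        return self.users[uid]

    def replace(self, uid, user):
        if uid not in self.users:
            raise ScimError(404, "no such user")
        self.users[uid] = dict(user, id=uid)
        return self.users[uid]

    def delete(self, uid):
        if uid not in self.users:
            raise ScimError(404, "no such user")
        del self.users[uid]


def handle_request(store, method, path, headers, body=""):
    """Dispatch one inbound SCIM request; returns (HTTP status, response object)."""
    if not check_basic_auth(headers):
        return 401, {"Errors": [{"description": "unauthorized", "code": "401"}]}
    try:
        parts = path.strip("/").split("/")
        if parts[0] != "Users":
            raise ScimError(404, "unknown resource")
        if method == "POST" and len(parts) == 1:
            return 201, store.create(parse_user(body))
        if method == "PUT" and len(parts) == 2:
            return 200, store.replace(parts[1], parse_user(body))
        if method == "DELETE" and len(parts) == 2:
            store.delete(parts[1])
            return 200, None
        raise ScimError(405, "unsupported operation")
    except ScimError as err:
        return err.status, {"Errors": [{"description": err.detail, "code": str(err.status)}]}
```

Authentication is checked before the body is parsed, so an unauthenticated caller never reaches the JSON parser or the store; schema validation drops any attribute the store does not handle rather than committing it; and the error body follows the SCIM 1.1 `Errors` shape so the IdP can tell a rejected payload from a transport failure.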


SCIM Provisioning Interop @ CIS 2013

• Technology Nexus

• Cisco

• Ping Identity

• SailPoint

• Salesforce

• UnboundID

• WSO2


OpenID Connect?


OpenID Connect - Next Gen SSO

SAML

• Separate protocols for SSO and API security

• Built on top of XML standards

• Profiles and bindings with lots of flexibility

• Manual trust bootstrapping & certificate management

OpenID Connect

• SSO and API security in one

• REST-based interactions ideal for mobile

• Fewer, more focused profiles

• Auto client registration and key management


OpenID Connect

Features

• OpenID Connect Provider (IdP)

• Leverages built-in OAuth AS for API security

• User Info Endpoint serves as a REST-based directory service for identity data

• Proxy SAML IdP Connections via OIC

Benefits

• Consistent framework for identity enabling both Web and Mobile applications

• Lighter weight, simpler standard for Relying Parties to adopt compared to SAML

[Diagram: Mobile Apps and Web Apps obtain identity (ID) and API Access from the Identity Provider]


OpenID Connect – OAuth Playground 3.0

Features

• Interactive utility for developers exploring OpenID Connect and OAuth

• Includes source code

– JSON Web Token library for ID Token validation (jose4j)

Supported Profiles

– Basic - mobile and traditional web apps

– Implicit - in-browser (JavaScript) apps
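The Playground ships jose4j for ID Token validation; the checks a Relying Party must run on an ID Token under the Basic Client Profile are the same whatever library performs them. The following is an added example, not code from the Playground or from jose4j, written against the Python standard library: `mint_id_token` stands in for the OpenID Provider and HS256-signs the token with the client secret (the profile permits this for confidential clients), and `validate_id_token` performs the RP-side checks in order: pinned algorithm, signature, `iss`, `aud`/`azp`, `exp`, `iat`, `nonce`. The issuer, client id, secret and claim values in the usage are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


class IdTokenError(ValueError):
    """Raised for any ID Token the Relying Party must reject."""


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, client_secret):
    """Stand-in for the OP (constructed, not PingFederate code): HS256-sign an
    ID Token with the client secret, as the Basic Client Profile allows."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None, leeway=60):
    """Relying Party checks from the OpenID Connect Basic Client Profile; returns the
    claims only when every check passes, otherwise raises IdTokenError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("ID Token must have three segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise IdTokenError("unreadable header")
    # Pin the algorithm: a header that says "none" or names another algorithm is
    # rejected before any signature work, so the token never chooses its own verifier.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise IdTokenError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    try:
        given = b64url_decode(sig_b64)
    except ValueError:
        raise IdTokenError("unreadable signature")
    if not hmac.compare_digest(expected, given):
        raise IdTokenError("signature mismatch")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise IdTokenError("unreadable payload")
    if not isinstance(claims, dict):
        raise IdTokenError("payload must be a JSON object")
    if claims.get("iss") != issuer:
        raise IdTokenError("iss does not match the expected OP")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud, list) or client_id not in aud:
        raise IdTokenError("aud does not contain this client_id")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("azp must name this client when several audiences are present")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        raise IdTokenError("ID Token expired")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + leeway:
        raise IdTokenError("iat is in the future")
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce does not match the authentication request")
    return claims
```

The nonce is the value the RP generated and bound to the user's session when it built the authentication request; comparing it here is what ties the returned ID Token to that request. For a production deployment with RS256 tokens, the signature step would instead verify against the OP's published JWK, with the algorithm still pinned by configuration rather than read from the token header.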


Adaptive Federation Enhancements

Features

• Decision Trees to define complex Authn Method policies

• Additional criteria:

– HTTP Headers (e.g.: User-Agent)

– SP Connection

– Node Index

– OAuth Scope

• Prioritized default selection

Example Use Case

• IWA on/off network with supported browser

• Partner applications with varied authn requirements

[Diagram: Authn Policy decision tree for a SaaS App – "Inside the Firewall?" then "Browser speaks IWA?"; Kerberos against Active Directory when both are true, otherwise HTML Form; the chosen method becomes the SSO Authn]
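The decision tree on this slide (Inside the Firewall? then Browser speaks IWA?, combined with a per-SP-connection override) is the structure the selector-tree feature evaluates for each SSO request. The following is an added example, not PingFederate's selector implementation, of a generic selector tree in Python: each `Selector` node maps a request to a result label, each label leads to a child node or to an adapter name, and an unmatched result falls through to the node's prioritized default. The corporate address ranges, the rule that a Windows User-Agent counts as IWA-capable, the `Request` shape and the `PartnerApp` connection name are all constructed for the example; `select_authn` also returns the decision trail so the choice can be written to the audit log.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Union

# Constructed: address ranges that count as "inside the firewall".
CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Request:
    client_ip: str
    headers: Dict[str, str]
    sp_connection: str              # the SP connection the SSO request targets
    scopes: frozenset = frozenset()  # OAuth scopes, for an OAuth Scope selector


@dataclass
class Selector:
    """One node of the selector tree: a criterion maps the request to a result
    label; each label leads to a child selector or to an adapter name."""
    name: str
    criterion: Callable[[Request], str]
    branches: Dict[str, Union["Selector", str]]
    default: Optional[Union["Selector", str]] = None  # prioritized default when no branch matches


def inside_firewall(req):
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return "no"  # an address that does not parse is treated as untrusted
    return "yes" if any(ip in net for net in CORPORATE_NETWORKS) else "no"


def browser_speaks_iwa(req):
    # Assumption for the example: a Windows User-Agent is taken as able to do Kerberos/IWA.
    return "yes" if "Windows NT" in req.headers.get("User-Agent", "") else "no"


def sp_connection(req):
    return req.sp_connection


def select_authn(node, req):
    """Walk the tree from its root; returns (adapter name, decision trail)."""
    trail = []
    while isinstance(node, Selector):
        result = node.criterion(req)
        trail.append((node.name, result))
        nxt = node.branches.get(result, node.default)
        if nxt is None:
            raise LookupError(f"no authn method configured for {node.name}={result!r}")
        node = nxt
    return node, trail


# Constructed policy mirroring the slide: a partner connection that requires an
# interactive login always gets the HTML Form; every other connection gets Kerberos
# only when the request comes from the corporate network with an IWA-capable browser.
AUTHN_POLICY = Selector(
    "SP Connection", sp_connection,
    branches={"PartnerApp": "HTML Form"},
    default=Selector(
        "Inside the Firewall?", inside_firewall,
        branches={"yes": Selector("Browser speaks IWA?", browser_speaks_iwa,
                                  branches={"yes": "Kerberos"}, default="HTML Form")},
        default="HTML Form",
    ),
)
```

Two properties of the walk matter for a policy like this: every node has a default, so no combination of inputs leaves a request without an authentication method (a tree without one raises `LookupError` instead of silently picking something), and the trail records exactly which criterion produced each step, which is what an operator needs when a user reports being sent to the wrong adapter.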


Password Management

Features

• LDAP password management features for end users:

– Forced Password Update (at login)

– User Initiated Change Password

Example Use Case

• Medium sized Enterprise with Remote Users always off the domain

[Diagram: Authn → Directory → Update Password]


[DEMO]

[PingFederate 7]


Demo

• Provision user to AD using SCIM

• Password Management

– HTML Form Adapter

• Adaptive Federation Enhancements

– Selector Trees

– HTTP Header Selector

– Connection Selector

• Token Authorization

– Control when tokens are issued during attribute fulfillment

• Localization

• OpenID Connect Basic Client Profile


Q & A