CIS13: Bootcamp: PingOne as a Simple Identity Service

Copyright ©2012 Ping Identity Corporation. All rights reserved.

Description

Whether you want to give users single sign-on to SaaS applications, create a solution with the PingOne IDaaS and PingFederate identity bridge, or simply take advantage of the CloudDesktop, this bootcamp is for you.

Transcript of CIS13: Bootcamp: PingOne as a Simple Identity Service

Page 1

How to set up a Simple Identity Service

Page 2

Ping Identity Staff

Jennifer Patton, Knowledge Base Engineer

Page 3

Ping Identity Staff

David Chase, Regional Solution Architect

Page 4

Ping Identity Staff

Pam Dingle, Technical Director

Page 5

PingOne Introduction

•  What is CAS?
•  What is AD Connect?
•  What is CloudDesktop?
•  What is APS?
•  Demonstration

Page 6

PingOne: Overview

Page 7

PingOne Overview

PingOne is a cloud-deployed Tier 1 SSO solution that lets businesses and service providers make a single one-time connection and reach all of their applications or users through it.

PingOne provides:
–  One connection to access or provide cloud apps
–  One place for IT to manage user and customer accounts
–  One point of cloud access for all employees

Page 8

PingOne CAS (Cloud Access Services)

Enables organizations to secure and control access to multiple cloud-based business applications.
•  One connection from the enterprise directory to cloud applications without exposing user passwords.
•  Central location for IT to manage single sign-on, access and provisioning—all provided from a simple SaaS-based management console.
•  Single login to CloudDesktop® ensures secure access to web applications.

Page 9

PingOne APS (Application Provider Services)

SSO solution for service providers, letting customers or partners conveniently establish access to public and private cloud applications.
•  Fast onboarding. After a quick one-time integration to Application Provider Services, onboarding new partners or customers takes less than 10 minutes.
•  Increased usage. Reliable, seamless SSO access accelerates adoption and usage while avoiding support issues introduced by password storing or screen-scraping.
•  Cost-effective. By multiplexing to partners or customers for SSO, service providers can save up to 90% over making one-to-one connections.

Page 10

PingOne and PingFederate

PingOne is not designed to replace PingFederate; it supports a subset of PingFederate’s capabilities.

Examples of PingOne capabilities:
•  Supports the “workforce to external applications” use case
•  Two-factor authentication support: PhoneFactor
•  Supports Active Directory

PingFederate & PingOne (Hybrid model):
•  A single connection to PingOne for all SaaS applications
•  Offload connection maintenance to PingOne
•  PingFederate handles all use cases not supported by PingOne

Page 11

PingOne CAS: Cloud Access Services

Page 12

PingOne CAS

Page 13

CloudDesktop

Page 14

PingOne Cloud Access Services: Enterprises Connect 1:Many

[Diagram: Your Enterprise, PingOne, Cloud Apps]


Page 17

Cloud Access Services in 3 Steps

1.  Register
2.  Select Apps
3.  Connect

Page 18

Step 1: Registration

•  Go to http://www.pingone.com
•  Create a PingOne account for your company
•  Provide the domain name
•  Create a password
•  Obtain a registration key from Ping Identity

Page 19

Centralized Control of Sensitive Identity Information

Without a Federation Solution
•  Small/medium corporations
•  AD Connect links the user directory (AD) to all cloud applications.

With a Federation Solution
•  Large enterprises with:
  –  PingFederate
  –  SAML 2.0
  –  Google Apps
•  Offload connection maintenance to PingOne

Page 20

Step 3: Applications Catalog (Select Apps)

•  The Applications Catalog is a collection of SAML-enabled application providers
•  The administrator adds the applications that are appropriate for the corporation
•  For example: ADP, Salesforce and WebEx Connect

Page 21

PingOne CAS: Cloud Access Services – AD Connect

Page 22

AD Connect: A Lightweight Authentication Utility

•  For organizations without SAML support: an authentication utility that connects Microsoft Active Directory to PingOne Cloud Access Services
•  Authenticates users via SAML: no storing of passwords in the cloud and no reverse proxies
•  Easy “point, click & configure”: deploys in less than 30 minutes, with no DNS (Domain Name System) changes

Page 23

PingOne CAS Data Flow – SP-Init SSO

[Diagram: Browser, SP Network, PingOne SSO Service (multi-tenant, secure & HA/DR infrastructure) and IdP Network; SAML is exchanged between PingOne and each network; steps numbered 1 to 5]

Page 24

PingOne CAS Data Flow – IdP-Init SSO

[Diagram: Browser, SP Network, PingOne SSO Service (multi-tenant, secure & HA/DR infrastructure) and IdP Network; SAML is exchanged between PingOne and each network; steps numbered 1 to 4]

Page 25

Installing AD Connect

•  Download AD Connect
•  Set the product key
•  Install AD Connect on the IIS server (enter the product key)
•  Verify the installation

Page 26

PingOne CAS: Cloud Access Services – Hybrid

Page 27

PingFederate / 3rd-party SAML IdPs / ADFS 2.0

•  One connection to PingOne
•  Leverages existing authentication methods
•  Sends a SAML assertion to PingOne
•  Often known as the “Hybrid” federation model

Page 28

Configure PingFederate IdP

•  Download the metadata file from PingOne and create a connection in PingFederate
•  Export the metadata file from PingFederate and upload it to PingOne

Page 29

PingOne CAS: Cloud Access Services – CloudDesktop

Page 30

CloudDesktop: A Customized Portal for the Cloud

Customized portal for apps (private and public)
•  Log in once to the user directory
•  One-click access to all SSO-enabled applications
•  Optimized user experience for desktops, laptops and mobile

Mobile support
•  Device detection and rendering
•  Support for SaaS native apps
•  Provide SSO using OAuth tokens (PingOne OAuth AS)

Page 31

CloudDesktop: A Customized Portal for the Cloud

- Jane Smith is a member of the “IT” group in AD
- She is granted access only to the ADP and WebEx applications.

Page 32

CloudDesktop: A Customized Portal for the Cloud

- John Doe is a member of the “Sales” group in AD
- He is granted access to all three apps (ADP, Salesforce and WebEx)

Page 33

Group Management

Page 34

Review Exercises

•  What is the purpose of AD Connect?
•  What is CloudDesktop?
•  What are 2 ways that AD Connect authenticates users?
•  Describe the flow of an SP-initiated SSO transaction with PingOne

Page 35

PingOne APS: Application Provider Services

Page 36

Many Customers, Single Application

Page 37

Application Provider Services in 4 Steps

1.  Register
2.  Integrate
3.  Configure
4.  Invite

Page 38

Step 1: Registration

• Create a PingOne account for your company
• Provide the domain name
• Create a password

Page 39

Step 2: Configure

Connection types:
• Via REST APIs
• Secure SAML SSO

Page 40

SAML-Enabled Providers

•  User authenticates
•  SAML assertion is sent to the SaaS federation server
•  No integration is required
•  Standard SAML connection configuration

Page 41

SAML-Enabled Connection – PingFederate

1.  Download the metadata file from PingOne.
2.  From PingFederate, set up an IdP connection to PingOne.
3.  Export the metadata file and import it into PingOne.
4.  Define SSO attributes.

Page 42

REST API

•  PingOne redirects users to the SaaS application with a Token ID
•  The SaaS application makes a secure back-channel call to PingOne to receive identity information

Page 43

PingOne APS Data Flow with REST API

Page 44

REST API Connection

1.  Application:
  •  Domain Name
  •  Application URL
  •  Error URL
2.  Define SSO Attributes

Page 45

Step 3: Integrate

•  PingOne handles all of the protocol details, allowing your application to be concerned with just three things:
  •  Redirecting the user's browser to PingOne to start SSO
  •  Exchanging a token for the user’s attributes
  •  Creating a session for the user

Page 46

REST API Integration: Exchange Token

•  After authenticating, the user returns to your application with a token, to either:
  •  The appurl specified during the 302 redirect
  •  The Default Application URL you saved in SSO Settings, if appurl is not specified
•  The user's token is passed as a query parameter (tokenid) in the HTTP request. For example:
  •  https://www.mysaas.com/testapp?tokenid=158affc71d6bc65fe2a92ffac7760dce&agentid=0055f3da
•  This token is created by PingOne and is a one-time secret between the user and PingOne
•  This token can be exchanged with PingOne for a set of user attributes through a simple web service call
•  To exchange a token with PingOne, you must make a web service call to the Token Resolution Service
•  This will be an HTTP GET call structured like:
  •  https://sso.connect.pingidentity.com/sso/TXS/2.0/<format>/<tokenid>
•  Accepted format parameters are:
  •  "1" - JSON Format
  •  "2" - Properties Format

Page 47

REST API Integration: Exchange Token (continued)

•  PingOne will return the following attributes, formatted according to the format parameter above:
  •  pingone.subject - the username of the authenticated user
  •  pingone.saas.id - the SaaS to which the token is issued. This will be your SaaS ID
  •  pingone.idp.id - the idpid of the Identity Provider who issued the assertion
  •  pingone.authn.context - the "authentication context" under which the user was authenticated by the Identity Provider
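The SaaS-side half of the token exchange described on the Integrate slides, as an added Python example that is not part of the original deck or Ping's own code: it takes the tokenid off the redirect URL, calls the Token Resolution Service URL from the slide in either format, and refuses to create a session unless pingone.saas.id matches the application's own SaaS ID. The URL and attribute names come from the slides; the sample responses, the injectable fetch hook and the saas-id check are assumptions.

```python
import json
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen

# Token Resolution Service base URL and format codes, as given on the slide.
TXS_BASE = "https://sso.connect.pingidentity.com/sso/TXS/2.0"
FORMAT_JSON, FORMAT_PROPERTIES = "1", "2"
REQUIRED = ("pingone.subject", "pingone.saas.id",
            "pingone.idp.id", "pingone.authn.context")

# Constructed sample data (not real PingOne output) so the example runs offline.
SAMPLE_URL = ("https://www.mysaas.com/testapp"
              "?tokenid=158affc71d6bc65fe2a92ffac7760dce&agentid=0055f3da")
SAMPLE_JSON = ('{"pingone.subject": "jdoe", "pingone.saas.id": "saas-123", '
               '"pingone.idp.id": "idp-42", "pingone.authn.context": "urn:example:pw"}')
SAMPLE_PROPS = ("pingone.subject=jdoe\npingone.saas.id=saas-123\n"
                "pingone.idp.id=idp-42\npingone.authn.context=urn:example:pw\n")


def extract_tokenid(redirect_url):
    """Return the single tokenid query parameter, or None if absent or duplicated."""
    values = parse_qs(urlparse(redirect_url).query).get("tokenid", [])
    return values[0] if len(values) == 1 and values[0] else None


def txs_url(tokenid, fmt=FORMAT_JSON):
    return f"{TXS_BASE}/{fmt}/{tokenid}"  # <base>/<format>/<tokenid>


def parse_properties(text):
    """Parse the 'Properties' format: one key=value per line, # or ! comments."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def parse_response(body, fmt):
    """Decode JSON (format 1) or Properties (format 2); require all four attributes."""
    attrs = json.loads(body) if fmt == FORMAT_JSON else parse_properties(body)
    missing = [k for k in REQUIRED if k not in attrs]
    if missing:
        raise ValueError(f"token resolution response missing {missing}")
    return attrs


def resolve_token(redirect_url, expected_saas_id, fmt=FORMAT_JSON, fetch=None):
    """tokenid -> user attributes, checked before the app creates a session.
    fetch(url) -> str is injectable for offline use; the default does a real GET."""
    fetch = fetch or (lambda url: urlopen(url).read().decode())
    tokenid = extract_tokenid(redirect_url)
    if tokenid is None:
        raise ValueError("no usable tokenid on the redirect URL")
    attrs = parse_response(fetch(txs_url(tokenid, fmt)), fmt)
    # The token must have been issued to this SaaS, not to another PingOne tenant.
    if attrs["pingone.saas.id"] != expected_saas_id:
        raise ValueError("token was issued for a different SaaS")
    return {"user": attrs["pingone.subject"], "idp": attrs["pingone.idp.id"],
            "authn_context": attrs["pingone.authn.context"]}
```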

Page 48

Step 4: Invite

Customer onboarding options:
•  SSO Self-Service Widget
•  Email
•  REST API
•  Manual Connection

Page 49

Accelerate Onboarding to Your App

Quickly add customers
•  Provide basic information
•  Invite customers to connect
•  Complete in 10 minutes or less

Manage connections to your app
•  Review all customers using SSO
•  Check onboarding status
•  Suspend SSO by customer or globally

“The PingOne service works very well. Setting up connections only takes a matter of minutes now.” — Leading CRM Service Provider

Page 50

SSO Self-Service Onboarding

1.  Add the PingOne-provided JavaScript widget to a page of your website that only your customer administrators can access
2.  Add server-side code so the widget includes the <idpid> and <email> parameters in the OpenToken
3.  Ask the user to select the Enable SSO option and click the PingOne link
4.  The customer is securely redirected to the PingOne APS website, where they enter their configuration information

Page 51

Email Onboarding

1.  Fill out the Identity Provider form: Email and Customer ID
2.  Send an email invitation to the customer from PingOne or your preferred email client.

Page 52

Email Onboarding (continued)

1.  Customer clicks the link in the email invitation
2.  Customer logs in to PingOne CAS
3.  The connection is automatically added to the visible application list

Page 53

Review!

Page 54

QUESTIONS?

Page 55

PingOne and the Cloud

Page 56

PingOne and the Cloud

•  This workshop explores how on-premises and cloud resources can work together to achieve enterprise business goals
•  No one choice is right for everybody:
  –  Zero on-premises footprint
  –  No cloud
  –  A little bit of both
•  We want you to leave knowing:
  –  When using an IDaaS works best
  –  How to mix and match cloud and on-premises products
  –  The benefits of choosing a mixed deployment

Page 57

Standard Federated Identity

[Diagram: On-Premises Infrastructure (IIS, Apps, Kerberos, Federation Server), Partner Infrastructure (Apps) and Cloud Resources]

Page 58

The Federation Can Move

[Diagram, two panels: On-Premises Infrastructure (IIS, Apps, Kerberos), Partner Infrastructure (Apps), Cloud Resources and Federation Server; the second panel shows the same on-premises and cloud elements with the Federation Server moved, as the slide title states]

Page 59

Becoming IDaaS + Identity Bridge

[Diagram: On-Premises Infrastructure (IIS, Apps, Kerberos), Cloud Resources, IDaaS and Identity Bridge]

Page 60

What is an Identity Bridge?

•  A service that can authoritatively speak about users
•  An on-premises physical or virtual appliance
•  Another cloud platform
•  Enables users, applications and identity services across the hybrid cloud
•  Can be unidirectional or bidirectional

(Photo: The Sundial Bridge, Redding CA, by Aaron Patterson)

Page 61

What Crosses an Identity Bridge?

1. Authentication requests & responses
2. Account information
3. Business data to make authorization decisions

Important: It matters how this data is sent. Identity data should only travel across the Internet using internet-grade security and trust.

Page 62

Becoming IDaaS + Identity Bridge

[Diagram: On-Premises Infrastructure (IIS, Apps, Kerberos), Cloud Resources, IDaaS and Identity Bridge]

•  IDaaS Platform
  –  PingOne CAS (Cloud Access Services)
  –  PingOne APS (Application Provider Services)
•  Bridges
  –  PingOne ADConnect
  –  PingFederate
•  User Features
  –  CloudDesktop