CIS 2013 Ping Identity Chalktalk
Copyright ©2012 Ping Identity Corporation. All rights reserved.
PingFederate 7 ChalkTalk Demo
Craig Wu
July 8, 2013
Craig Wu
• Director, Product Development
• With Ping Identity since Feb 2007
• Started with Integration Kits
• PF STS integration
• PingFederate Fall 2009, PF 6.2 – 6.10
• 2013 - Expand Ping Product Portfolio
PingFederate Engineering Team January 2013
Denver, CO - Vancouver, BC - American Fork, UT - Halifax, Nova Scotia - Moscow, Russia - Dublin, Ireland
PingFederate 7: Features
PingFederate 7 Highlights
• SCIM
– Outbound
– Inbound
• OpenID Connect
– Provider (OP)
• Password Management
• Adaptive Federation
– Selector Trees
– New selectors
• Localization
Administration Console Enhancements
Admin UI Refresh
• Usability improvements
– Friendlier form fields
– Simpler presentation
• Customer requested improvements:
– Visual cues for cluster replication
– Configurable console title
– Configurable session timeout
SCIM Provisioning – Why?
• Federation introduces a strong desire to solve user provisioning the right way.
• Accounts need to be synchronized across organizations to enable SSO.
• Today's provisioning approaches:
– Manual
– Just-In-Time Provisioning
– Automated – based on a proprietary protocol
SCIM Provisioning – Why? (cont'd)

| Approach | Pros | Cons |
| --- | --- | --- |
| Manual | No additional configuration. Simple when only a handful of users to a single app are involved. | Doesn't scale. Tedious for administrators. Error prone. |
| Just-In-Time | Single protocol for both SSO and provisioning. | Doesn't handle the de-provisioning use case. |
| Automated (proprietary) | Covers both provisioning and de-provisioning. | Implemented differently for every partner. |

SCIM (System for Cross-domain Identity Management) offers simple, standards-based automated provisioning.
SCIM – Outbound Provisioning (formerly SaaS Provisioning)
IdP Features
• User provisioning & de-provisioning to partners supporting SCIM 1.1
• Synchronize local corporate directory accounts with SCIM supporting partners
• Monitors directory for user account changes:
– Create
– Update
– Membership Update
– Delete / Disable
[Diagram: the Identity Provider watches its Identity Store for Create / Update / Delete events and pushes them over SCIM to the SaaS Provider's Identity Store]
SCIM – Inbound Provisioning
SP Features
• Enables Service Providers with a standard SCIM protocol runtime
• Handle inbound user provisioning requests
• Commit operations to a local identity store (Active Directory)
• SCIM 1.1
– JSON
– HTTP Basic and TLS Client Authentication
[Diagram: the Identity Provider sends SCIM requests to the SaaS Provider, which commits them to its local Identity Store]
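The two SCIM slides above describe opposite ends of the same exchange: the IdP watching its directory and sending create / update / disable / delete requests, and the SP runtime authenticating those requests and committing them to a local store. The block below is an added example, not Ping Identity code, that simulates both sides in one process so the exchange can be run offline. It assumes SCIM 1.1 core-schema JSON and HTTP Basic authentication (the SP slide's first option; TLS client authentication would replace the Basic check with certificate validation at the TLS layer). The client credentials, the directory records and the in-memory store are constructed for the example.

```python
"""SCIM 1.1 provisioning in both directions, simulated in one process (added
example, not Ping Identity code). IdP side: change detection emitting SCIM 1.1
requests. SP side: runtime checking HTTP Basic auth, writing a local store."""
import base64
import hmac
import uuid

SCIM_CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core schema URN


def to_scim_user(rec):
    """Map a local directory record to a SCIM 1.1 core User resource."""
    return {
        "schemas": [SCIM_CORE],
        "userName": rec["sAMAccountName"],
        "name": {"givenName": rec["givenName"], "familyName": rec["sn"]},
        "emails": [{"value": rec["mail"], "primary": True}],
        "active": rec.get("enabled", True),  # disabled account -> active=false
    }


def scim_error(code, text):
    return code, {"Errors": [{"description": text, "code": str(code)}]}


class InboundScim:
    """SP-side SCIM 1.1 endpoint writing to an in-memory identity store."""
    def __init__(self, client_id, client_secret):
        self._cred = f"{client_id}:{client_secret}".encode()  # constructed creds
        self.store = {}  # id -> SCIM resource

    def _authorized(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return False
        try:
            presented = base64.b64decode(auth[6:], validate=True)
        except ValueError:  # binascii.Error subclasses ValueError
            return False
        return hmac.compare_digest(presented, self._cred)  # constant time

    def handle(self, method, path, headers, body):
        if not self._authorized(headers):
            return scim_error(401, "Unauthorized")
        if body is not None and SCIM_CORE not in body.get("schemas", []):
            return scim_error(400, "Unsupported schema")
        if method == "POST" and path == "/Users":
            if any(u["userName"] == body["userName"] for u in self.store.values()):
                return scim_error(409, "userName already exists")
            uid = str(uuid.uuid4())
            self.store[uid] = dict(body, id=uid)
            return 201, self.store[uid]
        uid = path.rsplit("/", 1)[-1]
        if not path.startswith("/Users/") or uid not in self.store:
            return scim_error(404, "Resource not found")
        if method == "PUT":
            self.store[uid] = dict(body, id=uid)
            return 200, self.store[uid]
        if method == "DELETE":
            del self.store[uid]
            return 200, None
        return scim_error(405, "Method not allowed")


class OutboundProvisioner:
    """IdP-side change detection: push directory deltas to the SP over SCIM."""
    def __init__(self, transport, client_id, client_secret):
        self.transport = transport  # callable(method, path, headers, body)
        token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self.headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}
        self.sp_ids = {}  # local userName -> id the partner assigned
        self.last = {}    # directory snapshot as of the previous sync

    def sync(self, snapshot):
        """Return [(userName, status)] for every request sent this cycle."""
        sent, hdr = [], self.headers
        for uname, rec in snapshot.items():
            if uname not in self.last:  # Create
                status, resp = self.transport("POST", "/Users", hdr, to_scim_user(rec))
                if status == 201:
                    self.sp_ids[uname] = resp["id"]
            elif rec != self.last[uname]:  # Update, including Disable
                path = f"/Users/{self.sp_ids[uname]}"
                status, _ = self.transport("PUT", path, hdr, to_scim_user(rec))
            else:
                continue
            sent.append((uname, status))
        for uname in [u for u in self.last if u not in snapshot]:  # Delete
            path = f"/Users/{self.sp_ids.pop(uname)}"
            sent.append((uname, self.transport("DELETE", path, hdr, None)[0]))
        self.last = dict(snapshot)
        return sent


def demo():
    """Day 1 creates alice and bob; day 2 disables alice and removes bob."""
    sp = InboundScim("pf-outbound", "example-secret")
    idp = OutboundProvisioner(sp.handle, "pf-outbound", "example-secret")
    alice = {"sAMAccountName": "alice", "givenName": "Alice", "sn": "Liddell", "mail": "alice@example.com", "enabled": True}
    bob = {"sAMAccountName": "bob", "givenName": "Bob", "sn": "Bell", "mail": "bob@example.com", "enabled": True}
    day1 = idp.sync({"alice": alice, "bob": bob})
    day2 = idp.sync({"alice": dict(alice, enabled=False)})
    return day1, day2, sp.store
```

Two design points worth noticing: the IdP keeps the partner-assigned `id` from each 201 response because SCIM 1.1 addresses resources by that id, not by `userName`; and a disabled directory account travels as `active: false` in a PUT rather than as a DELETE, so the partner can distinguish "suspended" from "gone".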
SCIM Provisioning Interop @ CIS 2013
• Technology Nexus
• Cisco
• Ping Identity
• SailPoint
• Salesforce
• UnboundID
• WSO2
OpenID Connect
OpenID Connect - Next Gen SSO
SAML
• Separate protocols for SSO and API security
• Built on top of XML standards
• Profiles and bindings with lots of flexibility
• Manual trust bootstrapping & certificate management

OpenID Connect
• SSO and API security in one
• REST-based interactions ideal for mobile
• Fewer, more focused profiles
• Automatic client registration and key management
OpenID Connect
Features
• OpenID Connect Provider (IdP)
• Leverages built-in OAuth AS for API security
• User Info Endpoint serves as a REST-based directory service for identity data
• Proxy SAML IdP Connections via OIC
Benefits
• Consistent framework for identity enabling both Web and Mobile applications
• Lighter weight, simpler standard for Relying Parties to adopt compared to SAML
[Diagram: Mobile Apps and Web Apps obtain ID and API access from the Identity Provider]
OpenID Connect – OAuth Playground 3.0
Features
• Interactive utility for developers exploring OpenID Connect and OAuth
• Includes source code
– JSON Web Token library for ID Token validation (jose4j)
Supported Profiles
– Basic - mobile and traditional web apps
– Implicit - in-browser (JavaScript) apps
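The Playground slide points at ID Token validation as the piece a Relying Party has to get right, and at the Basic and Implicit profiles as the two ways the token arrives. The block below is an added example, not the Playground's jose4j code, showing the checks an RP performs on an ID Token: signature, pinned `alg`, `iss`, `aud` (with `azp` for multi-audience tokens), `exp`, `iat`, `nonce`, and, for the Implicit profile where the access token comes back in the fragment beside the ID Token, the `at_hash` binding. To stay in the standard library the OP side signs with HS256 keyed by the client secret, which OpenID Connect permits; with RS256 only the signature step changes (verify against the OP's published JWK). The issuer, client credentials, nonce, access token and clock value are constructed.

```python
"""Relying-party validation of an OpenID Connect ID Token (added example, not
the Playground's jose4j code). The OP here signs with HS256 over the client
secret so only the standard library is needed; with RS256 the signature step
verifies against the OP's published JWK and the claim checks are identical.
Issuer, client credentials, nonce and access token are constructed values."""
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims, client_secret):
    """OP side: compact JWS, HS256 keyed with the client secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def at_hash(access_token):
    """Left-most 128 bits of SHA-256(access_token), base64url encoded."""
    return _b64url(hashlib.sha256(access_token.encode()).digest()[:16])


def validate_id_token(token, *, issuer, client_id, client_secret, nonce,
                      now=None, access_token=None, leeway=60):
    """Return the claims if every RP check passes, otherwise raise ValueError.
    Pass access_token for the Implicit profile, where the token arrives in the
    fragment next to the ID Token and must be bound to it through at_hash."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":  # pin alg; never honour "none"
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64url(s), expected):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise ValueError("token not issued to this client")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp required and must match for multi-audience tokens")
    if claims.get("exp", 0) + leeway < now:
        raise ValueError("expired")
    if claims.get("iat", 0) - leeway > now:
        raise ValueError("issued in the future")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch, possible replay")
    if access_token is not None and claims.get("at_hash") != at_hash(access_token):
        raise ValueError("at_hash does not bind this access token")
    return claims


def demo(now=1_373_241_600):  # 2013-07-08T00:00:00Z, constructed clock
    issuer, client_id, secret = "https://op.example.com", "playground", "client-secret"
    access_token = "constructed-access-token"
    claims = {"iss": issuer, "sub": "alice", "aud": client_id, "nonce": "n-1",
              "iat": now - 5, "exp": now + 300, "at_hash": at_hash(access_token)}
    token = mint_id_token(claims, secret)
    ok = validate_id_token(token, issuer=issuer, client_id=client_id, client_secret=secret,
                           nonce="n-1", now=now, access_token=access_token)
    try:  # the same token presented to a different client must be refused
        validate_id_token(token, issuer=issuer, client_id="other-app",
                          client_secret=secret, nonce="n-1", now=now)
        rejected = False
    except ValueError:
        rejected = True
    return ok["sub"], rejected
```

The `aud` check is the one most often skipped: an ID Token minted for one client is still validly signed by the same OP, so without it any Relying Party registered at that OP could replay a user's token against another. The `nonce` is what ties the token to the browser session that started the request, which matters most in the Implicit profile where the token is delivered through the front channel.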
Adaptive Federation Enhancements
Features
• Decision Trees to define complex Authn Method policies
• Additional criteria:
– HTTP Headers (e.g. User-Agent)
– SP Connection
– Node Index
– OAuth Scope
• Prioritized default selection
Example Use Case
• IWA on/off network with supported browser
• Partner applications with varied authn req's
[Diagram: Authn Policy for SSO to a SaaS App. Inside the firewall? and Browser speaks IWA? lead to Kerberos against Active Directory; any other path leads to an HTML Form]
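The selector tree on this slide is a small decision tree: each node asks one question about the incoming request and the leaves name the authentication adapter, with a prioritized default taken whenever no branch matches. The block below is an added example, not PingFederate's selector implementation, that evaluates such a tree over a request context using three of the criteria listed above (client IP for "inside the firewall", the User-Agent header for "browser speaks IWA", and the SP connection). The corporate network ranges, the User-Agent rule, the connection IDs and the sample requests are constructed assumptions.

```python
"""Selector-tree authentication policy (added example, not PingFederate's own
selector code). Nodes hold a selector that inspects the request context and a
branch per result; an unmatched result falls to the node's prioritized default;
leaves name the authentication adapter. Networks, connection IDs and the
User-Agent rule are constructed assumptions."""
import ipaddress
import re

CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]
# Assumption: a desktop Windows browser on the domain can do IWA; mobile cannot.
IWA_CAPABLE = re.compile(r"Windows NT (?!.*Mobile)")


def inside_firewall(ctx):
    """Client-IP selector; an absent or unparsable address counts as outside."""
    try:
        ip = ipaddress.ip_address(ctx.get("client_ip", ""))
    except ValueError:
        return "no"
    return "yes" if any(ip in net for net in CORPORATE_NETS) else "no"


def browser_speaks_iwa(ctx):
    """HTTP Header selector on User-Agent."""
    ua = ctx.get("headers", {}).get("User-Agent", "")
    return "yes" if IWA_CAPABLE.search(ua) else "no"


def sp_connection(ctx):
    """Connection selector: the SP connection the SSO request targets."""
    return ctx.get("sp_connection")


def evaluate(policy, ctx):
    """Walk the tree; return (adapter, decision path) so the path can be audited."""
    node, path = policy, []
    while isinstance(node, dict):
        result = node["selector"](ctx)
        path.append(f"{node['selector'].__name__}={result}")
        node = node["branches"].get(result, node["default"])  # prioritized default
    return node, path


# Policy from the slide: on-network users with an IWA-capable browser get
# Kerberos, everyone else an HTML form; one partner is pinned to the form
# because its users are never on the domain (constructed connection ID).
POLICY = {
    "selector": sp_connection,
    "branches": {"contractor-portal": "HTML Form"},
    "default": {
        "selector": inside_firewall,
        "branches": {"yes": {"selector": browser_speaks_iwa,
                             "branches": {"yes": "Kerberos"},
                             "default": "HTML Form"}},
        "default": "HTML Form",
    },
}

IE_UA = "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 6_1 like Mac OS X) Safari"


def demo():
    """Constructed requests covering each branch of the policy."""
    cases = {
        "desktop_on_lan": {"client_ip": "10.1.2.3", "headers": {"User-Agent": IE_UA}, "sp_connection": "saas-crm"},
        "phone_on_lan": {"client_ip": "10.1.2.3", "headers": {"User-Agent": IPHONE_UA}, "sp_connection": "saas-crm"},
        "desktop_remote": {"client_ip": "203.0.113.5", "headers": {"User-Agent": IE_UA}, "sp_connection": "saas-crm"},
        "desktop_on_lan_pinned": {"client_ip": "10.1.2.3", "headers": {"User-Agent": IE_UA}, "sp_connection": "contractor-portal"},
        "garbage_ip": {"client_ip": "not-an-ip", "headers": {"User-Agent": IE_UA}},
    }
    return {name: evaluate(POLICY, ctx)[0] for name, ctx in cases.items()}
```

The order of nodes is the policy: the connection selector sits at the root so a partner-specific requirement overrides the network heuristics, and every node has a default so a request that fits no branch still lands on an adapter rather than an error. A User-Agent header is attacker-controlled, so it is only ever used here to pick a stronger or more convenient adapter, never to skip one.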
Password Management
Features
• LDAP password management features for end users:
– Forced Password Update (at login)
– User Initiated Change Password
Example Use Case
• Medium sized Enterprise with Remote Users always off the domain
[Diagram: the user authenticates against the Directory and is then prompted to update the password]
PingFederate 7: Demo
Demo
• Provision user to AD using SCIM
• Password Management
– HTML Form Adapter
• Adaptive Federation Enhancements
– Selector Trees
– HTTP Header Selector
– Connection Selector
• Token Authorization
– Control when tokens are issued during attribute fulfillment
• Localization
• OpenID Connect Basic Client Profile
Q & A