Post on 02-Feb-2021
WHITE PAPER
Workforce360 Integrations Guide
How to Authenticate Everyone & Everything
TABLE OF CONTENTS
EXECUTIVE SUMMARY
INTEGRATING APPLICATIONS
Achieve Secure Integration
Give Users One-click Access to Apps
SaaS Apps
Mobile Apps
Legacy Apps
Single-page Apps or APIs
INTEGRATING STRONG AUTHENTICATION
Multi-factor Authentication (MFA)
Virtual Private Networks (VPNs)
Mobile Device Management (MDM)
Adaptive & Contextual Policies
INTEGRATING WITH IDPS & DATA STORES
Legacy Data Stores
Cloud
INTEGRATING WITH THE IDENTITY ECOSYSTEM
Identity Governance & Administration
Privileged Access Management
Zero Trust
CONCLUSION
APPLICATION INTEGRATION & AUTHENTICATION
EXECUTIVE SUMMARY
An unavoidable threat landscape combined with an increase in remote work is bringing identity to the forefront. As the workforce expands beyond traditional employees and work increasingly happens outside of the corporate confines, enterprises are abandoning the concept of network perimeters and relying on identity to ensure their users are who they say they are. These changing workforce dynamics are also driving the movement toward Zero Trust as enterprises seek agile ways to verify any user, using any application, accessing any data, on any device.
Identity and access management (IAM) is an essential technology to address a growing attack surface. It helps you keep up with the exponential growth of applications, especially mobile and SaaS, while managing legacy applications that still house critical data and workloads. Equally important, IAM plays an integral role in delivering a frictionless experience, giving you the ability to provide seamless login and access to a diverse workforce.
But not all IAM solutions are created equal. To address an ever-evolving environment, you need a solution purpose-built for workforce requirements and use cases. Ping’s Workforce360 solution provides centralized authentication services with the capabilities you need.
With support for widely adopted standards and out-of-the-box integrations, Workforce360 gives you the tools and technology to fully integrate your organization’s IT stack and eliminate any silos that may exist to deliver a streamlined workforce experience. You’re able to authenticate everyone and everything, regardless of location, device or application, with a global authentication authority that makes your organization more productive, secure and agile.
[Figure: Authentication Authority at the center, connecting Apps, Auth Types, Auth Decisions, Data and Integrations]
Workforce360’s centralized authentication services integrate with diverse
applications and resources across hybrid IT environments. Through open
standards, integration kits, adapters, token generators and other tools,
Ping supports a range of integrations, spanning applications, strong
authentication, data stores and ecosystems.
Read on to learn how Ping’s Workforce360 solution helps you:
• Provide authentication for everyone and everything by working
across multiple silos.
• Deliver secure, consistent experiences to your workforce.
• Utilize an identity-based workforce authentication authority to be
more productive, secure and agile.
• Create a solid identity foundation so you can accelerate digital
transformation.
Why You Need an Authentication Authority
An authentication authority is more crucial for enterprises than ever. As the number and type of applications you must support continues to grow, an authentication authority makes it possible to deliver a consistent user experience regardless of the application type or where it resides (on premises, cloud or SaaS). By acting as a federation hub, an authentication authority provides centralized authentication services to all assets, including legacy or custom systems based on proprietary standards, as well as assets that utilize open standards like SAML and OAuth.
In addition to applications, the authentication authority can handle multiple directories and act either as the identity provider or service provider. With an authentication authority in place, you have the orchestration engine to handle complex authentication flows. You’re less dependent on disparate identity silos and can consolidate where it makes sense.
Perhaps most importantly, an authentication authority lets you provide your workforce with a simple and consistent single sign-on (SSO) experience. By providing a single point of access to all resources, SSO minimizes password sprawl and the helpdesk requirements that come with it. When you combine SSO with advanced security features like adaptive, policy-based multi-factor authentication (MFA) and passwordless capabilities, you’re able to give employees secure and streamlined access to resources, and they’re able to be more productive.
To learn more about the benefits of an authentication authority, please see the Workforce Authentication Authority white paper.
[Figure: Workforce360 Integration Capabilities. Applications: SaaS, Mobile, Legacy, Single-page Apps or APIs. Strong Authentication: MFA, VPNs, MDM, Adaptive & Contextual Policies. Data Stores: Legacy, Cloud. Ecosystems: Identity Governance, Privileged Access Management, Zero Trust]
https://download.pingidentity.com/public/assets/white-papers/en/3442-workforce-authentication-authority.pdf
INTEGRATING APPLICATIONS
Large enterprises, more than any other segment, require IAM with advanced integration capabilities to support an extensive and diverse
portfolio of applications, as well as complex and custom use cases. They need a solution that’s flexible enough to support multiple methods
of integration to ensure security. At the same time, the solution must be capable of integrating a range of application types to ensure users
gain convenient access to the resources they need. Workforce360 excels at both.
Achieve Secure Integration
Workforce360 provides support for open standards like SAML, OAuth and OpenID Connect (OIDC) so you’re able to achieve fast and efficient
integrations in a developer-friendly manner. For applications that don’t support standards-based authentication, you can utilize Ping’s custom,
pre-built integration kits, which typically require 15 or fewer lines of code changes. If you have significant custom application requirements,
PingAccess, part of Ping’s adaptive access security solution, provides centralized access security with a comprehensive policy engine.
To achieve the most secure integration, you should use standards-based federation when possible and avoid methods like password vaulting,
where credentials are stored on a server. Often marketed as secure web authentication or password managers, solutions that use password
vaulting or forwarding are discouraged because they don’t offer the same level of enterprise security as SSO via federation.
[Figure: Open Standards versus Non-Standards integration: Integration Kits or PingAccess]
“Gartner strongly recommends against using password vaulting and forwarding due to the associated risks of potential password compromise; instead, use standards-based federation when possible.”
- MAGIC QUADRANT FOR ACCESS MANAGEMENT, GARTNER, 2019
https://www.pingidentity.com/en/solutions/workforce-identity/adaptive-access-security.html
Give Users One-click Access to Apps
A successful integration requires giving your workforce convenient access to all of their applications, plus giving your admins the ability to
easily onboard apps and manage permissions. With Workforce360, your users can SSO to all of their apps, including SaaS, mobile, legacy
and single-page apps relying on APIs. At the same time, your admins gain access to a central administrative portal where they can delegate
responsibilities and enable self-service for developers and business units via policies and templates.
SaaS Apps
SaaS applications are built on SAML or OIDC, which Ping supports natively. This makes them the fastest and easiest candidates for
integration and a natural first step. Starting your integration with SaaS applications allows you to effectively deliver value from day one.
Workforce360 integrates SaaS applications through an application catalog and through SAML or OIDC connections.
• An application catalog provides a pre-configured connection to popular SaaS apps such as Google, Microsoft Office 365, Salesforce
and more.
• SAML or OIDC connections can be used to add apps that aren’t on the application catalog but support SAML or OIDC, making them
available by SSO to users in minutes via the admin portal.
[Figure: SSO to Legacy, SaaS, Mobile and API apps; Integration via Add App in the admin portal]
https://www.pingidentity.com/en/software/pingcentral.html
Mobile Apps
Mobile apps function quite differently and require a more sophisticated approach. They consist of a client communicating to APIs and can
operate or function in the background. They’re also typically sandboxed on handheld devices, which makes it more difficult to share credentials
and sessions between apps, and makes them more susceptible to theft.
The two standards for integrating mobile applications are OIDC and OAuth. OAuth is used by application developers to obtain the access token
for authorization to back-end APIs. OIDC provides the identity layer for the application itself so the user can be authenticated on top of OAuth.
Supporting OIDC and OAuth, Workforce360 simplifies the integration of mobile apps and their corresponding APIs with SSO. With passwords
removed from the equation, your apps are more secure, and your users are more productive. By simultaneously reducing authentication
complexity, developers can focus more on application features and spend less time worrying about authentication and onboarding requirements.
Legacy Apps
Most enterprises still rely on a number of legacy applications, whether homegrown or commercial off the shelf (COTS) products, that run critical
workloads. Integration of legacy applications can typically be accomplished through three types of integration kits.
1. Agentless Kits: Agentless integration kits are the preferred method for integrating legacy applications in a simple, flexible way. They use
a back channel to exchange user-session attributes with Workforce360 via RESTful APIs. This is ideal for developers because there’s less
reliance on the target application architecture, and kits are compatible with any application language.
2. Language Kits: When there’s limited or no access to a web or application server, custom application integration kits are an option. They
support a variety of legacy programming languages including Java, .NET and PHP.
3. Server Agent Kits: If you do have access to the web or application server, server agent integration kits allow the applications to be added to
SSO via SAML. Common systems for this scenario include Internet Information Services (IIS), Apache, NetWeaver and WebSphere.
[Figure: Single-click Access via Employee Dock; Add Homegrown/Legacy App; Integration via Agent Server Kits]
Other Legacy Applications
Centralized authentication via PingFederate provides a range of convenient approaches to enable SSO, but some apps might not natively support federation standards like SAML, OAuth and OIDC, while others might be protected by agent-based legacy web access management (WAM) agents.
When PingFederate and PingAccess are deployed together, you can easily extend single sign-on to all applications through HTTP header injection, JWT tokens and even token mediation to applications protected by legacy WAM agents. Ping’s partnership with Microsoft provides the additional benefit of leveraging your identities in Azure AD to maintain SSO for all of your on-premises applications.
Single-page Apps or APIs
Single-page applications (SPAs) are based on web technologies such as HTML, JavaScript and HTTP and WebSocket-based APIs. SPAs are unique because the user never navigates off the initial HTML page. Instead, locally executed JavaScript from that first page supplies the browser with the behavior for handling user requests.
Workforce360 relies on local code to define the user experience and logic for retrieving and manipulating data via API endpoints. Given the usage of web technologies and the need for API access, SPAs and their corresponding APIs can be integrated via OAuth and OIDC. Token translators can further help bridge SPAs into an existing WAM infrastructure.
What About My Existing WAM?
You may need to continue using an existing WAM system to run critical workloads. For many, ripping and replacing isn’t an option, so you need a solution that can integrate with this legacy architecture.
This integration is supported through integration kits that allow Workforce360 to operate as either the identity provider (IdP) or service provider (SP). Ping offers integration kits for many common legacy WAM systems.
Using this approach, you’re able to maintain your existing WAM system without interruption, while giving developers the ability to extend the single sign-on reach of an authentication authority to applications protected by the supported WAM system. This is accomplished through API integration into legacy apps. Ping is able to translate legacy token formats (WAM tokens, Kerberos tickets) into OAuth or JWT tokens to enable mobile apps and integration into modern stacks. This can be done over WS-Trust or over OAuth Token Exchange via REST API, the mobile-friendly preferred standard.
Check out our adaptive access security solution to learn more about co-existence or migrating off WAM systems through migration tools and API management tools.
https://download.pingidentity.com/public/assets/white-papers/en/3141-microsoft-pingaccess.pdf
https://www.pingidentity.com/en/solutions/workforce-identity/adaptive-access-security.html
INTEGRATING STRONG AUTHENTICATION
The ability to make authentication decisions based on various security and risk signals is critical for enterprises. By the same measure, all orchestration needs to maximize user experience and productivity. You achieve this with intelligent strong authentication.
Workforce360 lets you leverage existing investments in security and create reusable, granular policies that can be applied to a variety of use cases. Admins are able to incorporate data from multiple sources—whether risk signals or user data from multiple directories—and at the scale your enterprise requires. When you’re able to apply intelligence behind the scenes, you gain greater assurance that your users are who they say they are, while giving them faster access to resources.
Multi-factor Authentication (MFA)
Multi-factor authentication is a common form of strong authentication for enterprises that want to limit their reliance on password policies and reduce the risk of credential theft. But it can be challenging to add MFA to a constantly growing and changing portfolio of applications.
When you’re able to piggyback off of an authentication authority, you no longer have to go through the arduous process of integrating MFA to each application individually. You’re freed from the limitations of authentication protocols and can utilize numerous MFA providers if necessary and as is common after mergers and acquisitions.
Workforce360 includes PingID, our enterprise-grade cloud MFA, as part of the solution. In addition to integrating with PKI systems through either software based X.509 certificates or smartcards, Ping integrates with all popular MFA providers.
[Figure: MFA flow. 1: user accesses application; 2: authentication authority performs directory lookup; 3: any MFA provider challenges the user; 4: access decision is returned]
Virtual Private Networks (VPNs)
VPNs are a popular means of enabling secure remote access. Using Ping’s integrations, enterprises can strengthen VPN security by adding MFA and granular group policies. Integrations also allow user management and access to VPNs to be controlled by the authentication authority.
Workforce360 can integrate with SAML-based VPNs. If PingID is being used, VPNs can be added via RADIUS as well. Ping is officially certified by the following providers:
[Figure: VPN Client to Authentication Authority (integration via SAML), backed by Any Directory and Any MFA]
Mobile Device Management (MDM)
Whether you’re provisioning mobile devices or supporting a BYOD model, mobile device management is crucial for ensuring secure authentication. Workforce360 integrates with MDM software to enforce security policies based on device-level attributes like establishing a minimum OS, preventing jailbroken/rooted devices, requiring password criteria or disallowing certain types of devices.
Ping can integrate any third-party MDM and is officially certified by the following providers:
Adaptive & Contextual Policies
By incorporating adaptive and contextual policies, you’re able to implement enterprise-grade authentication without disrupting the
productivity of your workforce. This approach provides stronger security by evaluating a user’s device, behavior and other context beyond
passwords to dynamically assess risk and step authentication requirements up or down accordingly.
You can define advanced authentication, pairing and device posture policies, such as:
• Limiting MFA and available authentication methods to specific groups, IP addresses or applications.
• Employing geo-fencing to skip MFA requirements if a trusted device is requesting access from a “secure” location or network.
• Restricting users from sharing authentication devices and from using devices that are rooted or jailbroken through root detection.
• Defining sessions that allow users to avoid prompts for MFA if authenticated within a predefined amount of time (hours, minutes, days, etc.).
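The four policy types listed above can be modelled as an ordered rule evaluation. The following is an added example written for this guide, not Ping's code or PingID's policy language; the context fields, policy fields and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class AccessContext:  # one access attempt (constructed input; field names are assumptions)
    user: str
    groups: set
    app: str
    client_ip: str
    device_trusted: bool   # device is paired/enrolled with the authentication authority
    device_rooted: bool    # result of root/jailbreak detection
    last_mfa_at: Optional[datetime]
    now: datetime

@dataclass
class Policy:
    mfa_apps: set                  # applications that always require MFA
    mfa_groups: set                # groups that always require MFA
    trusted_networks: list         # CIDRs treated as "secure" locations for the geo-fence
    mfa_session_window: timedelta  # skip the MFA prompt if the last MFA is this recent
    methods_by_group: dict         # MFA methods each group is allowed to use

@dataclass
class Decision:
    outcome: str          # "allow", "mfa" or "deny"
    reason: str
    methods: tuple = ()   # MFA methods offered when outcome == "mfa"

def evaluate(ctx: AccessContext, policy: Policy) -> Decision:
    # Device posture first: a rooted/jailbroken device is refused before any MFA skip can apply.
    if ctx.device_rooted:
        return Decision("deny", "rooted or jailbroken device")
    # Scope MFA to specific apps or groups; everything else passes on the primary factor.
    if ctx.app not in policy.mfa_apps and not (ctx.groups & policy.mfa_groups):
        return Decision("allow", "app and groups outside MFA scope")
    # Session window: a sufficiently recent MFA satisfies the requirement without a new prompt.
    if ctx.last_mfa_at and ctx.now - ctx.last_mfa_at <= policy.mfa_session_window:
        return Decision("allow", "MFA completed within session window")
    # Geo-fence: only a trusted device on a trusted network skips MFA. Source IP alone is a
    # weak signal (shared NAT, VPN egress), so it never waives MFA by itself.
    ip = ip_address(ctx.client_ip)
    if ctx.device_trusted and any(ip in ip_network(n) for n in policy.trusted_networks):
        return Decision("allow", "trusted device on trusted network")
    # Step up, offering only the methods the user's groups are permitted to use.
    methods = set()
    for group in ctx.groups:
        methods.update(policy.methods_by_group.get(group, ()))
    if not methods:
        return Decision("deny", "MFA required but no permitted method for user's groups")
    return Decision("mfa", "step-up required", tuple(sorted(methods)))

# Constructed sample policy and a fixed clock so the results are reproducible.
POLICY = Policy(
    mfa_apps={"payroll", "vpn"},
    mfa_groups={"finance", "admins"},
    trusted_networks=["10.0.0.0/8", "203.0.113.0/24"],
    mfa_session_window=timedelta(hours=8),
    methods_by_group={"finance": ("push", "otp"), "admins": ("fido2",), "staff": ("push",)},
)
NOW = datetime(2021, 2, 2, 9, 0, tzinfo=timezone.utc)

def attempt(user, groups, app, ip, trusted=False, rooted=False, last_mfa=None):
    """Build a context for one access attempt and evaluate it against POLICY."""
    return evaluate(AccessContext(user, set(groups), app, ip, trusted, rooted, last_mfa, NOW), POLICY)

if __name__ == "__main__":
    print(attempt("bob", ["finance"], "payroll", "198.51.100.7"))       # mfa: ('otp', 'push')
    print(attempt("cho", ["admins"], "payroll", "10.1.2.3", trusted=True))  # allow: geo-fence
```

Rule order is the security-relevant part: posture and scope are decided before any skip rule, so a rooted device can never benefit from a recent MFA or a trusted network.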
Paired with MFA that can extend anywhere, context and risk signals are an essential piece of intelligent, seamless authentication. By leveraging
the authentication authority policies, they provide security for any use case. Ping integrates with the following risk signal providers:
INTEGRATING WITH IDPS & DATA STORES
To provide a consistent login experience, central authentication services must be able to integrate with multiple identity providers (IdPs). The
most common enterprise IdP is Active Directory, though enterprises have also adopted more modern directories from cloud providers such
as Amazon and Google. Many enterprises also maintain on-premises data stores as their primary user directories.
Authentication typically requires pulling user attributes from multiple directories in real-time. Few if any can match the capabilities of Ping in
this regard. By supporting multiple IdPs and legacy data stores, Workforce360 lets you validate, retrieve and send user and device attributes
during provisioning. You’re able to connect all of your users to any application they require, as well as centralize credential validation to
improve user experience.
Legacy Data Stores
With Workforce360, you’re able to extend the capabilities of legacy data stores to any app and any device. Ping integrates with:
• Microsoft Active Directory
• Microsoft SQL
• Oracle DSEE
• Oracle Unified Directory
• Oracle DB 12c
• Oracle MySQL
• PostgreSQL
Cloud
Ping’s cloud directory integrations enable the cloud service to be the identity provider for certain applications by utilizing the cloud API to
authenticate users and return user information. Ping offers integrations with cloud services and social identity providers including:
[Figure: Corporate Directory at the center of Mobile Apps, Cloud Apps, SaaS Apps and On-prem Apps. Outbound: Leverage Profile, Provide Contextual Access, Strengthen security with MFA. Inbound: Provision, Update Profile, Certify Access]
INTEGRATING WITH THE IDENTITY ECOSYSTEM
An authentication authority must support integration with the broader identity ecosystem, namely identity governance and administration
(IGA) and privileged access management (PAM). While Ping offers basic provisioning, we integrate with SailPoint and CyberArk to provide
best-of-breed solutions for these capabilities. The authentication authority capabilities of Workforce360 also provide a solid foundation for a
Zero Trust ecosystem.
Identity Governance & Administration
You can support the most sophisticated environments when it comes to user and lifecycle management by combining a dedicated IGA platform
with an authentication authority. The Ping + SailPoint integration lets you give the right access to the right employees across any app and any
directory in any environment. At the same time, you gain greater control over processes such as provisioning, password management, and
access requests and certification.
Privileged Access Management
When PAM is integrated with an authentication authority, each technology protects the other. The Ping + CyberArk integration gives admins
logging into CyberArk an extra layer of security provided by the MFA and SSO capabilities of PingID and PingFederate. Conversely, Ping
administrator accounts are protected by CyberArk’s market-leading PAM solution.
https://support.pingidentity.com/s/directory-profile/a7h1W000000Cl0OQAS/sailpoint-technologies-inc
https://support.pingidentity.com/s/marketplace-integration/a7i1W000000Cfi7QAC/cyberark-core-privileged-access-security-solution
Zero Trust
As more enterprises adopt cloud technologies and enable work beyond the corporate premises, the notion of security via network perimeters
has given way to a Zero Trust framework. Zero Trust assumes no network traffic is trusted and everything must be verified. At the heart of
this are identity and an authentication authority that first requires users to verify they are who they say they are.
An authentication authority is central to Zero Trust, allowing you to implement resource perimeters over network perimeters and replace
network-based trust with greater assurance and confidence that users are who they say they are. Workforce360 provides a solid foundation
on which to build your Zero Trust framework, either integrating with or supporting complementary technologies and providing the
orchestration engine to ensure an optimal user experience.
To learn more about using an authentication authority to create the foundation for Zero Trust, read the white paper.
https://download.pingidentity.com/public/assets/white-papers/en/3442-workforce-authentication-authority.pdf
CONCLUSION
You need to deliver a consistent experience to your users, no matter where they are or what device they’re using. An authentication authority capable of integrating anything and everything is more essential for today’s enterprises than ever before. With Workforce360, you gain the global authentication authority needed to deliver secure and consistent experiences to your workforce, making your organization more productive while increasing security and agility.
• Provide authentication for everyone and everything by working across multiple silos.
• Deliver secure, consistent experiences to your workforce.
• Utilize an identity-based workforce authentication authority to be more productive, secure and agile.
• Create a solid identity foundation so you can accelerate digital transformation.
To learn more about Workforce360, visit pingidentity.com/workforce360.
http://www.pingidentity.com
http://pingidentity.com/workforce360
Ping Identity is pioneering Intelligent Identity. We help enterprises achieve Zero Trust identity-defined security and more personalized, streamlined user experiences. The Ping Intelligent Identity™ platform provides customers, employees, partners and, increasingly, IoT, with access to cloud, mobile, SaaS and on-premises applications and APIs, while also managing identity and profile data at scale. Over half of the Fortune 100 choose us for our identity expertise, open standards leadership, and partnership with companies including Microsoft and Amazon. We provide flexible options to extend hybrid IT environments and accelerate digital business initiatives with multi-factor authentication, single sign-on, access management, intelligent API security, directory and data governance capabilities. Visit www.pingidentity.com. #3500 | 06.2020 | v05
APPLICATION INTEGRATION & AUTHENTICATION
Application Integration
Single Sign-on (Application Type: Integration)
• Standards: WS-FED, OAuth/OIDC, SAML
• Local: Language SDK, Agentless SDK, Web Server Agent, Reverse Proxies, Access Security (URL level access control)
• Legacy WAM: Custom
• CA/Broadcom/Symantec Siteminder: Agent SDK
• Oracle Access Manager: Agentless SDK
• RSA Access Manager
MFA
• Windows Login, SSH, VPN
Provisioning
• SCIM, JIT, App Specific APIs, Directory Sync, Legacy WAM
Authentications
Standards
• LDAP, RADIUS, Kerberos, SAML, WS-FED, OAuth/OIDC, X.509 Certificates (PIV/Smart Cards)
MFA
• Out-of-band OTP (Email, SMS, Voice), Mobile Push, OATH (Mobile, Hardware Tokens), Biometrics, Desktop, FIDO, Risk Engines, Social, MDM