Posted: 09-May-2015 | Category: Technology | Uploaded by: cloudidsummit
Copyright ©2012 Ping Identity Corporation. All rights reserved. 1
How to set up a Simple Identity Service
Ping Identity Staff
• Jennifer Patton, Knowledge Base Engineer
• David Chase, Regional Solution Architect
• Pam Dingle, Technical Director
PingOne Introduction
• What is CAS?
• What is AD Connect?
• What is CloudDesktop?
• What is APS?
• Demonstration

PingOne Overview
PingOne is a cloud-deployed Tier 1 SSO solution, enabling businesses and service providers to make a one-time connection and switch to all their applications or users.
PingOne provides:
– One connection to access or provide cloud apps
– One place for IT to manage user and customer accounts
– One point of cloud access for all employees
PingOne CAS (Cloud Access Services)
Enables organizations to secure and control access to multiple cloud-based business applications.
• One connection from enterprise directory to cloud applications without exposing user passwords.
• Central location for IT to manage single sign-on, access and provisioning—all provided from a simple SaaS-based management console.
• Single login to CloudDesktop® ensures secure access to web applications.
PingOne APS (Application Provider Services)
SSO solution for service providers, letting customers or partners conveniently establish access to public and private cloud applications.
• Fast onboarding. After a quick one-time integration to Application Provider Services, onboarding new partners or customers takes less than 10 minutes.
• Increased usage. Reliable, seamless SSO access accelerates adoption and usage while avoiding support issues introduced by password storing or screen-scraping.
• Cost-effective. By multiplexing to partners or customers for SSO, service providers can save up to 90% over making one-to-one connections.
PingOne and PingFederate
PingOne is not designed to replace PingFederate. PingOne supports a subset of PingFederate's capabilities.
Examples of PingOne capabilities:
• Supports the "workforce to external applications" use case
• Two-factor authentication support: PhoneFactor
• Supports Active Directory
PingFederate & PingOne (Hybrid model):
• A single connection to PingOne for all SaaS applications
• Offload connection maintenance to PingOne
• PingFederate handles all use cases not supported by PingOne
Cloud Access Services: PingOne CAS

PingOne CAS

CloudDesktop

PingOne Cloud Access Services: Enterprises Connect 1:Many
(Diagram: Your Enterprise connected 1:Many to Cloud Apps)
Cloud Access Services in 3 Steps
Register → Select Apps → Connect

Step 1: Registration (Register)
• Go to http://www.pingone.com
• Create a PingOne account for your company
• Provide the domain name
• Create a password
• Obtain registration key from Ping Identity
Centralized Control of Sensitive Identity Information
Without a Federation Solution
• Small/Medium corporations
• AD Connect links the user directory (AD) to all cloud applications.
With a Federation Solution
• Large enterprises with:
  – PingFederate
  – SAML 2.0
  – Google Apps
• Offload connection maintenance to PingOne
Step 3: Applications Catalog (Select Apps)
• The Applications Catalog is a collection of SAML-enabled application providers
• The administrator adds the applications that are appropriate for the corporation
• For example: ADP, Salesforce and WebEx Connect
Cloud Access Services: AD Connect (PingOne CAS)

AD Connect: A Lightweight Authentication Utility
For organizations without SAML support
- Authentication utility that connects Microsoft Active Directory to PingOne Cloud Access Services
Authenticates users via SAML
- No storing passwords in the Cloud or reverse proxies
Easy "point, click & configure"
- Deploys in less than 30 minutes, with no DNS (Domain Name System) changes
PingOne CAS Data Flow – SP-Init SSO
(Diagram: Browser, SP Network, IdP Network and the PingOne SSO Service exchanging SAML messages in five numbered steps; the SSO Service runs on a multi-tenant, secure, HA/DR infrastructure.)

PingOne CAS Data Flow – IdP-Init SSO
(Diagram: the same components exchanging SAML messages in four numbered steps.)
Installing AD Connect
• Download AD Connect
• Set product key
• Install AD Connect on the IIS server (enter the product key)
• Verify installation
Cloud Access Services: Hybrid (PingOne CAS)

PingFederate / 3rd-party SAML IdPs / ADFS 2.0
• One connection to PingOne
• Leverage existing authentication methods
• Sends SAML assertion to PingOne
• Often known as the "Hybrid" Federation model

Configure PingFederate IdP
• Download metadata file from PingOne and create connection in PingFederate
• Export metadata file from PingFederate and upload to PingOne
Cloud Access Services: CloudDesktop (PingOne CAS)

CloudDesktop: A Customized Portal for the Cloud
Customized portal for apps (private and public)
• Log in once to the user directory
• One-click access to all SSO-enabled applications
• Optimized user experience for desktops, laptops and mobile
Mobile support
• Device detection and rendering
• Support for SaaS native apps
• Provide SSO using OAuth tokens (PingOne OAuth AS)
CloudDesktop: A Customized Portal for the Cloud
- Jane Smith is a member of the "IT" group on AD
- She is granted access only to the ADP and WebEx applications.
- John Doe is a member of the "Sales" group on AD
- He is granted access to all three apps (ADP, Salesforce and WebEx)

Group Management
Review Exercises
• What is the purpose of AD Connect?
• What is CloudDesktop?
• What are 2 ways that AD Connect authenticates users?
• Describe the flow of an SP-initiated SSO transaction with PingOne
Application Provider Services: PingOne APS

Many Customers, Single Application

Application Provider Services in 4 Steps
Register → Integrate → Configure → Invite
Step 1: Registration (Register)
• Create a PingOne account for your company
• Provide the domain name
• Create a password

Step 2: Configure
Connection Types:
• Via REST APIs
• Secure SAML SSO
SAML Enabled Providers
• User authenticates
• SAML assertion is sent to the SaaS federation server
• No integration is required
• Standard SAML connection configuration

SAML Enabled Connection - PingFederate (Configure)
1. Download metadata file from PingOne
2. From PingFederate, set up an IdP connection to PingOne.
3. Export metadata file and import into PingOne.
4. Define SSO Attributes
REST API
• PingOne redirects users to the SaaS application with a Token ID
• The SaaS application makes a secure back-channel call to PingOne to receive identity information

PingOne APS Dataflow with REST API

REST API Connection (Configure)
1. Application:
   • Domain Name
   • Application URL
   • Error URL
2. Define SSO Attributes
Step 3: Integrate
• PingOne handles all of the protocol details, allowing your application to be concerned with just three things:
  – Redirecting the user's browser to PingOne to start SSO
  – Exchanging a token for the user's attributes
  – Creating a session for the user
REST API Integration: Exchange Token
• After authenticating, the user returns to your application with a token to either:
  – The appurl specified during the 302 redirect
  – The Default Application URL you saved in SSO Settings, if appurl is not specified.
• The user's token is passed as a query parameter (tokenid) in the HTTP request. For example:
  https://www.mysaas.com/testapp?tokenid=158affc71d6bc65fe2a92ffac7760dce&agentid=0055f3da
• This token is created by PingOne and is a one-time secret between the user and PingOne.
• This token can be exchanged with PingOne for a set of user attributes through a simple web service call.
• To exchange a token with PingOne, you must make a web service call to the Token Resolution Service.
• This will be an HTTP GET call structured like:
  https://sso.connect.pingidentity.com/sso/TXS/2.0/<format>/<tokenid>
• Accepted format parameters are: "1" - JSON Format; "2" - Properties Format
REST API Integration: Exchange Token (continued)
• PingOne will return the following attributes, formatted according to the format parameter above:
  – pingone.subject - The username of the authenticated user
  – pingone.saas.id - The SaaS to which the token is issued. This will be your SaaS ID
  – pingone.idp.id - The idpid of the Identity Provider who issued the Assertion
  – pingone.authn.context - The "authentication context" under which the user is authenticated by the Identity Provider
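The Step 3: Integrate and Exchange Token slides above describe the server-side work a SaaS application does in the REST API integration: read the tokenid from the redirect, call the Token Resolution Service over the back channel, and parse the returned attributes in JSON or Properties format. The Python below is an added example, not PingOne's SDK or sample code. The TXS URL shape, the tokenid/agentid query parameters, the two format codes and the four pingone.* attribute names come from the slides; the response bodies, the saas-1234/idp-5678 identifiers, the 32-hex-character token shape and the injected fetch callback are assumptions made so it runs offline.

```python
"""Server-side handling of the PingOne APS REST API integration: read the
one-time tokenid the user brings back, build the Token Resolution Service
(TXS) URL, and parse the attributes PingOne returns in JSON ("1") or
Properties ("2") format. Added example, not Ping Identity's code."""
import json
import re
from typing import Callable, Dict
from urllib.parse import parse_qs, urlparse

TXS_BASE = "https://sso.connect.pingidentity.com/sso/TXS/2.0"   # from the slides
FORMAT_JSON, FORMAT_PROPERTIES = "1", "2"                         # from the slides
REQUIRED_ATTRS = ("pingone.subject", "pingone.saas.id",
                  "pingone.idp.id", "pingone.authn.context")       # from the slides
# The slide's sample tokenid is 32 lowercase hex characters; treating that as the
# expected shape is an assumption, used only to reject malformed input early.
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")

# Redirect target from the slides, and constructed TXS responses (their exact
# shape is an assumption, not captured PingOne traffic).
SAMPLE_URL = ("https://www.mysaas.com/testapp"
              "?tokenid=158affc71d6bc65fe2a92ffac7760dce&agentid=0055f3da")
SAMPLE_JSON = json.dumps({
    "pingone.subject": "jdoe@example.com",
    "pingone.saas.id": "saas-1234",
    "pingone.idp.id": "idp-5678",
    "pingone.authn.context":
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
})
SAMPLE_PROPS = (
    "# constructed properties-format response\n"
    "pingone.subject=jdoe@example.com\n"
    "pingone.saas.id=saas-1234\n"
    "pingone.idp.id=idp-5678\n"
    "pingone.authn.context="
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport\n"
)


def extract_token(request_url: str) -> str:
    """Pull tokenid out of the URL PingOne redirected the user to.
    Rejects a missing, repeated or malformed value so nothing attacker-shaped
    is ever interpolated into the TXS URL."""
    values = parse_qs(urlparse(request_url).query).get("tokenid", [])
    if len(values) != 1 or not TOKEN_RE.match(values[0]):
        raise ValueError("missing or malformed tokenid")
    return values[0]


def txs_url(tokenid: str, fmt: str = FORMAT_JSON) -> str:
    """https://sso.connect.pingidentity.com/sso/TXS/2.0/<format>/<tokenid>"""
    if fmt not in (FORMAT_JSON, FORMAT_PROPERTIES):
        raise ValueError('format must be "1" (JSON) or "2" (Properties)')
    if not TOKEN_RE.match(tokenid):
        raise ValueError("malformed tokenid")
    return f"{TXS_BASE}/{fmt}/{tokenid}"


def parse_attributes(body: str, fmt: str) -> Dict[str, str]:
    """Turn a TXS response body into a dict and insist on the four attributes
    the slides list; anything else PingOne returns is kept as a string."""
    if fmt == FORMAT_JSON:
        attrs = json.loads(body)
    else:  # properties: key=value per line, '#' starts a comment
        attrs = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
    missing = [a for a in REQUIRED_ATTRS if a not in attrs]
    if missing:
        raise ValueError(f"TXS response missing attributes: {missing}")
    return {k: str(v) for k, v in attrs.items()}


def resolve_token(tokenid: str, my_saas_id: str, fetch: Callable[[str], str],
                  fmt: str = FORMAT_JSON) -> Dict[str, str]:
    """Exchange the one-time token over the back channel, then check that the
    token was issued to *this* SaaS before the caller creates a session.
    `fetch` performs the HTTPS GET; it is injected so the example runs offline."""
    attrs = parse_attributes(fetch(txs_url(tokenid, fmt)), fmt)
    if attrs["pingone.saas.id"] != my_saas_id:
        raise ValueError("token issued to a different SaaS; not creating a session")
    return attrs


def fake_fetch(url: str) -> str:
    """Offline stand-in for the HTTPS GET: serves the sample body whose
    format matches the format segment of the URL."""
    fmt = url[len(TXS_BASE) + 1]
    return SAMPLE_JSON if fmt == FORMAT_JSON else SAMPLE_PROPS


if __name__ == "__main__":
    token = extract_token(SAMPLE_URL)
    print(resolve_token(token, "saas-1234", fake_fetch))
```

Because the token is a one-time secret, the exchange belongs on the server, never in browser-side code, and the tokenid should be kept out of application logs. The pingone.saas.id comparison is the check that turns "PingOne resolved a token" into "PingOne resolved a token meant for us"; the session is created only after it passes.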
Step 4: Invite
Customer Onboarding Options:
• SSO Self-Service Widget
• Email
• REST API
• Manual Connection

Accelerate Onboarding to Your App
Quickly add customers
• Provide basic information
• Invite customers to connect
• Complete in 10 minutes or less
Manage connections to your app
• Review all customers using SSO
• Check onboarding status
• Suspend SSO by customer or globally
"The PingOne service works very well. Setting up connections only takes a matter of minutes now," — Leading CRM Service Provider.
SSO Self-Service Onboarding
1. Add the PingOne-provided JavaScript widget to a webpage that only your customer administrators can access
2. Add server-side code to enable the widget to include the <idpid> and <email> parameters in the OpenToken
3. Ask the user to select the Enable SSO option and click the PingOne link
4. The customer is securely redirected to the PingOne APS website, where they enter their configuration information

Email Onboarding
1. Fill out the Identity Provider form: Email and Customer ID
2. Send an email invitation to the customer from PingOne or your preferred email client.

Email Onboarding (continued)
1. Customer clicks on a link in the email invitation
2. Customer logs in to PingOne CAS
3. Connection is automatically added to the visible application list
Review!

QUESTIONS?
PingOne and the Cloud

PingOne and the Cloud
• This workshop explores how on-premises and cloud resources can work together to achieve enterprise business goals
• No one choice is right for everybody:
  – Zero on-premises footprint
  – No Cloud
  – A little bit of both
• We want you to leave knowing:
  – When using an IDaaS works best
  – How to mix and match cloud and on-premises products
  – The benefits of choosing a mixed deployment
Standard Federated Identity
(Diagram: On-Premises Infrastructure with IIS, Kerberos and internal Apps, a Federation Server, and Partner Infrastructure and Cloud Resources hosting further Apps.)

The Federation Can Move
(Diagram, shown twice: the same On-Premises Infrastructure (IIS, Kerberos, Apps) with the Federation Server first on-premises alongside Partner Infrastructure, then relocated next to the Cloud Resources.)

Becoming IDaaS + Identity Bridge
(Diagram: On-Premises Infrastructure (IIS, Kerberos, Apps) joined to Cloud Resources through an IDaaS platform and an Identity Bridge.)
What is an Identity Bridge?
• A service that can authoritatively speak about users
• An on-premises physical or virtual appliance
• Another cloud platform
• Enables users, applications and identity services across the hybrid cloud
• Can be unidirectional or bidirectional
(Photo: The Sundial Bridge, Redding CA, by Aaron Patterson)
What Crosses an Identity Bridge?
1. Authentication requests & responses
2. Account information
3. Business data to make authorization decisions
Important: It matters how this data is sent. Identity data should only travel across the Internet using internet-grade security and trust.
Becoming IDaaS + Identity Bridge
(Diagram repeated: On-Premises Infrastructure (IIS, Kerberos, Apps) joined to Cloud Resources through an IDaaS platform and an Identity Bridge, now mapped to products:)
• IDaaS Platform – PingOne CAS (Cloud Access Services), PingOne APS (Application Provider Services)
• Bridges – PingOne ADConnect, PingFederate
• User Features – CloudDesktop