Date post: 02-Feb-2021
WHITE PAPER

Workforce360 Integrations Guide

How to Authenticate Everyone & Everything

Workforce360 Integrations Guide | WHITE PAPER | 2

TABLE OF CONTENTS

EXECUTIVE SUMMARY ... 03

INTEGRATING APPLICATIONS ... 05
  Achieve Secure Integration
  Give Users One-click Access to Apps
    SaaS Apps
    Mobile Apps
    Legacy Apps
    Single-page Apps or APIs

INTEGRATING STRONG AUTHENTICATION ... 09
  Multi-factor Authentication (MFA)
  Virtual Private Networks (VPNs)
  Mobile Device Management (MDM)
  Adaptive & Contextual Policies

INTEGRATING WITH IDPS & DATA STORES ... 12
  Legacy Data Stores
  Cloud

INTEGRATING WITH THE IDENTITY ECOSYSTEM ... 13
  Identity Governance & Administration
  Privileged Access Management
  Zero Trust

CONCLUSION ... 15

APPLICATION INTEGRATION & AUTHENTICATION ... 16

EXECUTIVE SUMMARY

An unavoidable threat landscape combined with an increase in remote work is bringing identity to the forefront. As the workforce expands beyond traditional employees and work increasingly happens outside of the corporate confines, enterprises are abandoning the concept of network perimeters and relying on identity to ensure their users are who they say they are. These changing workforce dynamics are also driving the movement toward Zero Trust as enterprises seek agile ways to verify any user, using any application, accessing any data, on any device.

Identity and access management (IAM) is an essential technology to address a growing attack surface. It helps you keep up with the exponential growth of applications, especially mobile and SaaS, while managing legacy applications that still house critical data and workloads. Equally important, IAM plays an integral role in delivering a frictionless experience, giving you the ability to provide seamless login and access to a diverse workforce.

But not all IAM solutions are created equal. To address an ever-evolving environment, you need a solution purpose-built for workforce requirements and use cases. Ping’s Workforce360 solution provides centralized authentication services with the capabilities you need.

With support for widely adopted standards and out-of-the-box integrations, Workforce360 gives you the tools and technology to fully integrate your organization’s IT stack and eliminate any silos that may exist to deliver a streamlined workforce experience. You’re able to authenticate everyone and everything, regardless of location, device or application, with a global authentication authority that makes your organization more productive, secure and agile.

[Figure: the Authentication Authority at the center, connecting Apps, Auth Types, Auth Decisions, Data and Integrations]

Workforce360’s centralized authentication services integrate with diverse applications and resources across hybrid IT environments. Through open standards, integration kits, adapters, token generators and other tools, Ping supports a range of integrations, spanning applications, strong authentication, data stores and ecosystems.

Read on to learn how Ping’s Workforce360 solution helps you:

• Provide authentication for everyone and everything by working across multiple silos.
• Deliver secure, consistent experiences to your workforce.
• Utilize an identity-based workforce authentication authority to be more productive, secure and agile.
• Create a solid identity foundation so you can accelerate digital transformation.

Why You Need an Authentication Authority

An authentication authority is more crucial for enterprises than ever. As the number and type of applications you must support continues to grow, an authentication authority makes it possible to deliver a consistent user experience regardless of the application type or where it resides (on premises, cloud or SaaS). By acting as a federation hub, an authentication authority provides centralized authentication services to all assets, including legacy or custom systems based on proprietary standards, as well as assets that utilize open standards like SAML and OAuth.

In addition to applications, the authentication authority can handle multiple directories and act either as the identity provider or service provider. With an authentication authority in place, you have the orchestration engine to handle complex authentication flows. You’re less dependent on disparate identity silos and can consolidate where it makes sense.

Perhaps most importantly, an authentication authority lets you provide your workforce with a simple and consistent single sign-on (SSO) experience. By providing a single point of access to all resources, SSO minimizes password sprawl and the helpdesk requirements that come with it. When you combine SSO with advanced security features like adaptive, policy-based multi-factor authentication (MFA) and passwordless capabilities, you’re able to give employees secure and streamlined access to resources, and they’re able to be more productive.

To learn more about the benefits of an authentication authority, please see the Workforce Authentication Authority white paper: https://download.pingidentity.com/public/assets/white-papers/en/3442-workforce-authentication-authority.pdf

[Figure: Workforce360 Integration Capabilities. Applications: SaaS, Mobile, Legacy, Single-page Apps or APIs. Data Stores: Legacy, Cloud. Strong Authentication: MFA, VPNs, MDM, Adaptive & Contextual Policies. Ecosystems: Identity Governance, Privileged Access Management, Zero Trust.]

INTEGRATING APPLICATIONS

Large enterprises, more than any other segment, require IAM with advanced integration capabilities to support an extensive and diverse portfolio of applications, as well as complex and custom use cases. They need a solution that’s flexible enough to support multiple methods of integration to ensure security. At the same time, the solution must be capable of integrating a range of application types to ensure users gain convenient access to the resources they need. Workforce360 excels at both.

Achieve Secure Integration

Workforce360 provides support for open standards like SAML, OAuth and OpenID Connect (OIDC) so you’re able to achieve fast and efficient integrations in a developer-friendly manner. For applications that don’t support standards-based authentication, you can utilize Ping’s custom, pre-built integration kits, which typically require 15 or fewer lines of code changes. If you have significant custom application requirements, PingAccess, part of Ping’s adaptive access security solution (https://www.pingidentity.com/en/solutions/workforce-identity/adaptive-access-security.html), provides centralized access security with a comprehensive policy engine.

To achieve the most secure integration, you should use standards-based federation when possible and avoid methods like password vaulting, where credentials are stored on a server. Often marketed as secure web authentication or password managers, solutions that use password vaulting or forwarding are discouraged because they don’t offer the same level of enterprise security as SSO via federation.

[Figure: Open Standards vs. Non-Standards: Integration Kits OR PingAccess]

“Gartner strongly recommends against using password vaulting and forwarding due to the associated risks of potential password compromise; instead, use standards-based federation when possible.”

- MAGIC QUADRANT FOR ACCESS MANAGEMENT, GARTNER, 2019

Give Users One-click Access to Apps

A successful integration requires giving your workforce convenient access to all of their applications, plus giving your admins the ability to easily onboard apps and manage permissions. With Workforce360, your users can SSO to all of their apps, including SaaS, mobile, legacy and single-page apps relying on APIs. At the same time, your admins gain access to a central administrative portal (https://www.pingidentity.com/en/software/pingcentral.html) where they can delegate responsibilities and enable self-service for developers and business units via policies and templates.

SaaS Apps

SaaS applications are built on SAML or OIDC, which Ping supports natively. This makes them the fastest and easiest candidates for integration and a natural first step. Starting your integration with SaaS applications allows you to effectively deliver value from day one.

Workforce360 integrates SaaS applications through an application catalog and through SAML or OIDC connections.

• An application catalog provides a pre-configured connection to popular SaaS apps such as Google, Microsoft Office 365, Salesforce and more.
• SAML or OIDC connections can be used to add apps that aren’t on the application catalog but support SAML or OIDC, making them available by SSO to users in minutes via the admin portal.

[Figure: SSO integration for Legacy, SaaS, Mobile and API applications; “Add App” in the admin portal]

Mobile Apps

Mobile apps function quite differently and require a more sophisticated approach. They consist of a client communicating with APIs and can operate or function in the background. They’re also typically sandboxed on handheld devices, which makes it more difficult to share credentials and sessions between apps, and makes them more susceptible to theft.

The two standards for integrating mobile applications are OIDC and OAuth. OAuth is used by application developers to obtain the access token for authorization to back-end APIs. OIDC provides the identity layer for the application itself so the user can be authenticated on top of OAuth.

Supporting OIDC and OAuth, Workforce360 simplifies the integration of mobile apps and their corresponding APIs with SSO. With passwords removed from the equation, your apps are more secure, and your users are more productive. By simultaneously reducing authentication complexity, developers can focus more on application features and spend less time worrying about authentication and onboarding requirements.

Legacy Apps

Most enterprises still rely on a number of legacy applications, whether homegrown or commercial off-the-shelf (COTS) products, that run critical workloads. Integration of legacy applications can typically be accomplished through three types of integration kits.

1. Agentless Kits: Agentless integration kits are the preferred method for integrating legacy applications in a simple, flexible way. They use a back channel to exchange user-session attributes with Workforce360 via RESTful APIs. This is ideal for developers because there’s less reliance on the target application architecture, and kits are compatible with any application language.

2. Language Kits: When there’s limited or no access to a web or application server, custom application integration kits are an option. They support a variety of legacy programming languages including Java, .NET and PHP.

3. Server Agent Kits: If you do have access to the web or application server, server agent integration kits allow the applications to be added to SSO via SAML. Common systems for this scenario include Internet Information Services (IIS), Apache, NetWeaver and WebSphere.
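The agentless kit’s back-channel exchange, as an added example (not Ping’s kit code): the identity layer drops the user’s session attributes into a short-lived, single-use slot and hands the browser only an opaque reference; the application redeems that reference over an authenticated back-channel call and only then creates its own session. The class names, the instance ID/shared-secret credentials and the sample attributes are constructed assumptions.

```python
import hmac
import secrets
import time

REF_TTL_SECONDS = 60

# Credentials the application presents on its back-channel calls.
# Constructed values for this example only.
KIT_INSTANCE_ID = "app-legacy-hr"
KIT_SHARED_SECRET = "constructed-shared-secret-do-not-reuse"


class ReferenceStore:
    """Simulated identity-layer side: holds attributes for a short time."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._slots = {}         # opaque reference -> (expires_at, attributes)

    def dropoff(self, attributes):
        # The reference is random and unguessable; the attributes themselves
        # never pass through the browser, only this handle does.
        ref = secrets.token_urlsafe(32)
        self._slots[ref] = (self._now() + REF_TTL_SECONDS, dict(attributes))
        return ref

    def pickup(self, instance_id, shared_secret, ref):
        # Authenticate the calling application before releasing anything.
        if not (hmac.compare_digest(instance_id, KIT_INSTANCE_ID)
                and hmac.compare_digest(shared_secret, KIT_SHARED_SECRET)):
            raise PermissionError("back-channel credentials rejected")
        entry = self._slots.pop(ref, None)   # single use: gone after first pickup
        if entry is None:
            return None
        expires_at, attributes = entry
        if self._now() > expires_at:
            return None                      # expired reference, treat as unknown
        return attributes


def app_login_handler(store, ref_from_query):
    """Simulated application side: turn the reference into a local session."""
    attrs = store.pickup(KIT_INSTANCE_ID, KIT_SHARED_SECRET, ref_from_query)
    if attrs is None:
        return {"status": 401, "error": "invalid or expired reference"}
    # The app trusts the identity only after the authenticated pickup succeeds.
    return {"status": 200,
            "session": {"user": attrs["subject"], "groups": attrs.get("groups", [])}}


if __name__ == "__main__":
    store = ReferenceStore()
    ref = store.dropoff({"subject": "jdoe", "groups": ["hr", "staff"]})
    print(app_login_handler(store, ref))   # 200 with a session
    print(app_login_handler(store, ref))   # 401: a reference cannot be replayed
```

Three properties carry the security of the pattern: the reference is opaque and unguessable, it is consumed on first pickup so a leaked URL cannot be replayed, and the pickup call itself is authenticated so a third party holding a reference still cannot retrieve the attributes.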

[Figure: single-click access via Employee Dock; adding a homegrown/legacy app; integration via Agent Server Kits]

Other Legacy Applications

Centralized authentication via PingFederate provides a range of convenient approaches to enable SSO, but some apps might not natively support federation standards like SAML, OAuth and OIDC, while others might be protected by agent-based legacy web access management (WAM) agents.

When PingFederate and PingAccess are deployed together, you can easily extend single sign-on to all applications through HTTP header injection, JWT tokens and even token mediation to applications protected by legacy WAM agents. Ping’s partnership with Microsoft provides the additional benefit of leveraging your identities in Azure AD to maintain SSO for all of your on-premises applications.

Single-page Apps or APIs

Single-page applications (SPAs) are based on web technologies such as HTML, JavaScript and HTTP and WebSocket-based APIs. SPAs are unique because the user never navigates off the initial HTML page. Instead, locally executed JavaScript from that first page supplies the browser with the behavior for handling user requests.

Workforce360 relies on local code to define the user experience and logic for retrieving and manipulating data via API endpoints. Given the usage of web technologies and the need for API access, SPAs and their corresponding APIs can be integrated via OAuth and OIDC. Token translators can further help bridge SPAs into an existing WAM infrastructure.

What About My Existing WAM?

You may need to continue using an existing WAM system to run critical workloads. For many, ripping and replacing isn’t an option, so you need a solution that can integrate with this legacy architecture.

This integration is supported through integration kits that allow Workforce360 to operate as either the identity provider (IdP) or service provider (SP). Ping offers integration kits for many common legacy WAM systems.

Using this approach, you’re able to maintain your existing WAM system without interruption, while giving developers the ability to extend the single sign-on reach of an authentication authority to applications protected by the supported WAM system. This is accomplished through API integration into legacy apps. Ping is able to translate legacy token formats (WAM tokens, Kerberos tickets) into OAuth or JWT tokens to enable mobile apps and integration into modern stacks. This can be done over WS-Trust, or over OAuth Token Exchange via a REST API, which is the preferred, mobile-friendly standard.

Check out our adaptive access security solution to learn more about co-existence or migrating off WAM systems through migration tools and API management tools.
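The token mediation described above, as an added example that is not Ping’s code: a token endpoint that accepts an RFC 8693 token-exchange request carrying a legacy WAM session token as the subject_token, validates it against a simulated WAM session store, and mints a signed JWT scoped to one API audience. verify_jwt is the check a back-end API (the kind the mobile and single-page app sections describe) would run on the resulting bearer token. The issuer, audience, signing key, session store and the subject_token_type URN are constructed assumptions; HS256 with a shared key stands in for the asymmetric signing a real deployment would use.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; a real deployment uses its own.
ISSUER = "https://sso.example.test"
API_AUDIENCE = "https://api.example.test"
SIGNING_KEY = b"constructed-hs256-key-for-the-example-only"
TOKEN_TTL = 300
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693
TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt"                         # RFC 8693
WAM_TOKEN_TYPE = "urn:example:token-type:wam"  # assumed URN for the legacy token

# Simulated legacy WAM session store: opaque WAM token -> session data.
LEGACY_WAM_SESSIONS = {
    "wam-sess-7f3a": {"user": "jdoe", "groups": ["finance"], "expires": 2_000_000_000},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, now=None) -> dict:
    """API side: accept only our algorithm, our signature, our issuer and audience, unexpired."""
    now = time.time() if now is None else now
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")            # no algorithm negotiation
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER or claims.get("aud") != API_AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def token_exchange(form: dict, now=None) -> dict:
    """Token endpoint: RFC 8693 request whose subject_token is a legacy WAM token."""
    now = time.time() if now is None else now
    if form.get("grant_type") != GRANT_TOKEN_EXCHANGE:
        return {"error": "unsupported_grant_type"}
    if form.get("subject_token_type") != WAM_TOKEN_TYPE:
        return {"error": "invalid_request"}
    session = LEGACY_WAM_SESSIONS.get(form.get("subject_token", ""))
    if session is None or session["expires"] <= now:
        return {"error": "invalid_grant"}           # unknown or expired WAM session
    claims = {"iss": ISSUER, "sub": session["user"], "aud": API_AUDIENCE,
              "groups": session["groups"], "iat": int(now), "exp": int(now) + TOKEN_TTL}
    return {"access_token": mint_jwt(claims), "issued_token_type": TYPE_JWT,
            "token_type": "Bearer", "expires_in": TOKEN_TTL}
```

The minted token is deliberately short-lived and bound to one audience, so a WAM session that is valid for hours yields a bearer token that an API other than the intended one will refuse and that expires on its own.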

Microsoft + PingAccess white paper: https://download.pingidentity.com/public/assets/white-papers/en/3141-microsoft-pingaccess.pdf
Adaptive access security solution: https://www.pingidentity.com/en/solutions/workforce-identity/adaptive-access-security.html

INTEGRATING STRONG AUTHENTICATION

The ability to make authentication decisions based on various security and risk signals is critical for enterprises. By the same measure, all orchestration needs to maximize user experience and productivity. You achieve this with intelligent strong authentication.

Workforce360 lets you leverage existing investments in security and create reusable, granular policies that can be applied to a variety of use cases. Admins are able to incorporate data from multiple sources, whether risk signals or user data from multiple directories, and at the scale your enterprise requires. When you’re able to apply intelligence behind the scenes, you gain greater assurance that your users are who they say they are, while giving them faster access to resources.

Multi-factor Authentication (MFA)

Multi-factor authentication is a common form of strong authentication for enterprises that want to limit their reliance on password policies and reduce the risk of credential theft. But it can be challenging to add MFA to a constantly growing and changing portfolio of applications.

When you’re able to piggyback off of an authentication authority, you no longer have to go through the arduous process of integrating MFA to each application individually. You’re freed from the limitations of authentication protocols and can utilize numerous MFA providers if necessary and as is common after mergers and acquisitions.

Workforce360 includes PingID, our enterprise-grade cloud MFA, as part of the solution. In addition to integrating with PKI systems through either software-based X.509 certificates or smartcards, Ping integrates with all popular MFA providers.

[Figure: MFA flow (steps 1-4): Access Application, Authentication Authority, Directory Lookup, Any MFA, Access Decision]

Virtual Private Networks (VPNs)

VPNs are a popular means of enabling secure remote access. Using Ping’s integrations, enterprises can strengthen VPN security by adding MFA and granular group policies. Integrations also allow user management and access to VPNs to be controlled by the authentication authority.

Workforce360 can integrate with SAML-based VPNs. If PingID is being used, VPNs can be added via RADIUS as well. Ping is officially certified by the following providers:

Mobile Device Management (MDM)

Whether you’re provisioning mobile devices or supporting a BYOD model, mobile device management is crucial for ensuring secure authentication. Workforce360 integrates with MDM software to enforce security policies based on device-level attributes like establishing a minimum OS, preventing jailbroken/rooted devices, requiring password criteria or disallowing certain types of devices.

Ping can integrate any third-party MDM and is officially certified by the following providers:

[Figure: VPN Client, Authentication Authority (Any Directory, Any MFA), integration via SAML]

Adaptive & Contextual Policies

By incorporating adaptive and contextual policies, you’re able to implement enterprise-grade authentication without disrupting the productivity of your workforce. This approach provides stronger security by evaluating a user’s device, behavior and other context beyond passwords to dynamically assess risk and step authentication requirements up or down accordingly.

You can define advanced authentication, pairing and device posture policies, such as:

• Limiting MFA and available authentication methods to specific groups, IP addresses or applications.
• Employing geo-fencing to skip MFA requirements if a trusted device is requesting access from a “secure” location or network.
• Restricting users from sharing authentication devices and from using devices that are rooted or jailbroken through root detection.
• Defining sessions that allow users to avoid prompts for MFA if authenticated within a predefined amount of time (hours, minutes, days, etc.).

Paired with MFA that can extend anywhere, context and risk signals are an essential piece of intelligent, seamless authentication. By leveraging the authentication authority policies, they provide security for any use case. Ping integrates with the following risk signal providers:
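The device-posture rules from the MDM section and the adaptive policies listed above, as an added example that is not part of Ping’s product: a small policy evaluator that denies rooted or jailbroken devices and OS versions below the floor, skips MFA inside a session window or for a trusted device on a trusted network, and otherwise steps up using only the methods allowed for the user’s groups. The AuthContext fields, the POLICY values and the decision vocabulary are constructed assumptions, not a product schema.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthContext:
    """Signals available at authentication time (constructed shape)."""
    user: str
    groups: List[str]
    app: str
    client_ip: str
    device_trusted: bool                 # device paired/registered with the authority
    device_os_version: Tuple[int, int]   # reported by MDM, e.g. (14, 2)
    device_rooted: bool                  # rooted/jailbroken per MDM or root detection
    last_mfa_at: Optional[float]         # epoch seconds of last successful MFA, or None
    now: float


# Constructed policy configuration for the example.
POLICY = {
    "mfa_required_groups": {"finance", "admins"},
    "mfa_required_apps": {"payroll"},
    "trusted_networks": [ipaddress.ip_network("10.0.0.0/8")],  # the "secure" network
    "min_os_version": (13, 0),
    "mfa_session_seconds": 8 * 3600,
    "methods_by_group": {"admins": ["fido", "mobile_push"]},   # per-group restriction
    "default_methods": ["mobile_push", "otp"],
}


def allowed_methods(groups, policy):
    """First matching group restriction wins; otherwise the default method set."""
    for group in groups:
        if group in policy["methods_by_group"]:
            return policy["methods_by_group"][group]
    return policy["default_methods"]


def evaluate(ctx: AuthContext, policy=POLICY):
    """Return ("deny", reason), ("allow", reason) or ("step_up", methods)."""
    # Device posture is checked first: a bad device is refused regardless of MFA.
    if ctx.device_rooted:
        return "deny", "rooted_or_jailbroken_device"
    if ctx.device_os_version < policy["min_os_version"]:
        return "deny", "os_below_minimum"

    # MFA applies only where a group or application policy selects it.
    needs_mfa = (bool(set(ctx.groups) & policy["mfa_required_groups"])
                 or ctx.app in policy["mfa_required_apps"])
    if not needs_mfa:
        return "allow", "no_mfa_policy_matched"

    # Session window: a recent successful MFA suppresses a new prompt.
    if (ctx.last_mfa_at is not None
            and ctx.now - ctx.last_mfa_at < policy["mfa_session_seconds"]):
        return "allow", "mfa_within_session_window"

    # Geo-/network-fencing: only a trusted device on a trusted network skips MFA.
    ip = ipaddress.ip_address(ctx.client_ip)
    if ctx.device_trusted and any(ip in net for net in policy["trusted_networks"]):
        return "allow", "trusted_device_on_trusted_network"

    return "step_up", allowed_methods(ctx.groups, policy)
```

The ordering matters: posture checks run before any MFA bypass so that a rooted device cannot skip MFA merely by sitting on the corporate network, and the network exemption requires both a trusted network and a trusted device, so an unregistered device on the LAN is still challenged.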

INTEGRATING WITH IDPS & DATA STORES

To provide a consistent login experience, central authentication services must be able to integrate with multiple identity providers (IdPs). The most common enterprise IdP is Active Directory, though enterprises have also adopted more modern directories from cloud providers such as Amazon and Google. Many enterprises also maintain on-premises data stores as their primary user directories.

Authentication typically requires pulling user attributes from multiple directories in real time. Few if any can match the capabilities of Ping in this regard. By supporting multiple IdPs and legacy data stores, Workforce360 lets you validate, retrieve and send user and device attributes during provisioning. You’re able to connect all of your users to any application they require, as well as centralize credential validation to improve user experience.

Legacy Data Stores

With Workforce360, you’re able to extend the capabilities of legacy data stores to any app and any device. Ping integrates with:

• Microsoft Active Directory
• Microsoft SQL
• Oracle DSEE
• Oracle Unified Directory
• Oracle DB 12c
• Oracle MySQL
• PostgreSQL

Cloud

Ping’s cloud directory integrations enable the cloud service to be the identity provider for certain applications by utilizing the cloud API to authenticate users and return user information. Ping offers integrations with cloud services and social identity providers including:

[Figure: Corporate Directory at the center of Mobile Apps, Cloud Apps, SaaS Apps and On-prem Apps. Functions shown: Leverage Profile, Provide Contextual Access, Strengthen security with MFA; Provision, Update Profile, Certify Access]

INTEGRATING WITH THE IDENTITY ECOSYSTEM

An authentication authority must support integration with the broader identity ecosystem, namely identity governance and administration (IGA) and privileged access management (PAM). While Ping offers basic provisioning, we integrate with SailPoint and CyberArk to provide best-of-breed solutions for these capabilities. The authentication authority capabilities of Workforce360 also provide a solid foundation for a Zero Trust ecosystem.

Identity Governance & Administration

You can support the most sophisticated environments when it comes to user and lifecycle management by combining a dedicated IGA platform with an authentication authority. The Ping + SailPoint integration (https://support.pingidentity.com/s/directory-profile/a7h1W000000Cl0OQAS/sailpoint-technologies-inc) lets you give the right access to the right employees across any app and any directory in any environment. At the same time, you gain greater control over processes such as provisioning, password management, and access requests and certification.

Privileged Access Management

When PAM is integrated with an authentication authority, each technology protects the other. The Ping + CyberArk integration (https://support.pingidentity.com/s/marketplace-integration/a7i1W000000Cfi7QAC/cyberark-core-privileged-access-security-solution) gives admins logging into CyberArk an extra layer of security provided by the MFA and SSO capabilities of PingID and PingFederate. Conversely, Ping administrator accounts are protected by CyberArk’s market-leading PAM solution.

Zero Trust

As more enterprises adopt cloud technologies and enable work beyond the corporate premises, the notion of security via network perimeters has given way to a Zero Trust framework. Zero Trust assumes no network traffic is trusted and everything must be verified. At the heart of this are identity and an authentication authority that first requires users to verify they are who they say they are.

An authentication authority is central to Zero Trust, allowing you to implement resource perimeters over network perimeters and replace network-based trust with greater assurance and confidence that users are who they say they are. Workforce360 provides a solid foundation on which to build your Zero Trust framework, either integrating with or supporting complementary technologies and providing the orchestration engine to ensure an optimal user experience.

To learn more about using an authentication authority to create the foundation for Zero Trust, read the white paper: https://download.pingidentity.com/public/assets/white-papers/en/3442-workforce-authentication-authority.pdf

CONCLUSION

You need to deliver a consistent experience to your users, no matter where they are or what device they’re using. An authentication authority capable of integrating anything and everything is more essential for today’s enterprises than ever before. With Workforce360, you gain the global authentication authority needed to deliver secure and consistent experiences to your workforce, making your organization more productive while increasing security and agility.

• Provide authentication for everyone and everything by working across multiple silos.
• Deliver secure, consistent experiences to your workforce.
• Utilize an identity-based workforce authentication authority to be more productive, secure and agile.
• Create a solid identity foundation so you can accelerate digital transformation.

To learn more about Workforce360, visit pingidentity.com/workforce360 (http://pingidentity.com/workforce360).

Ping Identity is pioneering Intelligent Identity. We help enterprises achieve Zero Trust identity-defined security and more personalized, streamlined user experiences. The Ping Intelligent Identity™ platform provides customers, employees, partners and, increasingly, IoT, with access to cloud, mobile, SaaS and on-premises applications and APIs, while also managing identity and profile data at scale. Over half of the Fortune 100 choose us for our identity expertise, open standards leadership, and partnership with companies including Microsoft and Amazon. We provide flexible options to extend hybrid IT environments and accelerate digital business initiatives with multi-factor authentication, single sign-on, access management, intelligent API security, directory and data governance capabilities. Visit www.pingidentity.com (http://www.pingidentity.com).

#3500 | 06.2020 | v05

APPLICATION INTEGRATION & AUTHENTICATION

Application Integration (Single Sign-on)

Application Type | Integration
Standards | WS-FED, OAuth/OIDC, SAML
Local | Language SDK, Agentless SDK, Web Server Agent, Reverse Proxies, Access Security (URL level access control)
Legacy WAM (CA/Broadcom/Symantec SiteMinder, Oracle Access Manager, RSA Access Manager) | Agent SDK, Agentless SDK
MFA | Windows Login, SSH, VPN
Provisioning | SCIM, JIT, App Specific APIs, Directory Sync

Authentications

Standards | LDAP, RADIUS, Kerberos, SAML, WS-FED, OAuth/OIDC, X.509 Certificates (PIV/Smart Cards)
Custom
MFA | Out-of-band OTP (Email, SMS, Voice), Mobile Push, OATH (Mobile, Hardware Tokens), Biometrics, Desktop, FIDO
Risk Engines
Social
MDM
Legacy WAM