CIS13: Bootcamp: PingOne as a Simple Identity Service

Whether you want to give users single sign-on to SaaS applications, create a solution with the PingOne IDaaS and PingFederate identity bridge, or simply take advantage of the CloudDesktop, this bootcamp is for you.

Published in: Technology, Business

Transcript

  • 1. How to set up a Simple Identity Service (Copyright ©2012 Ping Identity Corporation. All rights reserved.)
  • 2. Ping Identity Staff: Jennifer Patton, Knowledge Base Engineer
  • 3. Ping Identity Staff: David Chase, Regional Solution Architect
  • 4. Ping Identity Staff: Pam Dingle, Technical Director
  • 5. PingOne Introduction (agenda)
    • What is CAS?
    • What is AD Connect?
    • What is CloudDesktop?
    • What is APS?
    • Demonstration
  • 6. PingOne: Overview (section divider)
  • 7. PingOne Overview. PingOne is a cloud-deployed Tier 1 SSO solution, enabling businesses and service providers to make a one-time connection and switch to all their applications or users. PingOne provides:
    – One connection to access or provide cloud apps
    – One place for IT to manage user and customer accounts
    – One point of cloud access for all employees
  • 8. PingOne CAS (Cloud Access Services). Enables organizations to secure and control access to multiple cloud-based business applications.
    • One connection from the enterprise directory to cloud applications without exposing user passwords.
    • Central location for IT to manage single sign-on, access and provisioning, all provided from a simple SaaS-based management console.
    • Single login to CloudDesktop® ensures secure access to web applications.
  • 9. PingOne APS (Application Provider Services). SSO solution for service providers, letting customers or partners conveniently establish access to public and private cloud applications.
    • Fast onboarding. After a quick one-time integration to Application Provider Services, onboarding new partners or customers takes less than 10 minutes.
    • Increased usage. Reliable, seamless SSO access accelerates adoption and usage while avoiding the support issues introduced by password storing or screen-scraping.
    • Cost-effective. By multiplexing to partners or customers for SSO, service providers can save up to 90% over making one-to-one connections.
  • 10. PingOne and PingFederate. PingOne is not designed to replace PingFederate; PingOne supports a subset of PingFederate's capabilities.
    • Examples of PingOne capabilities:
      – Supports the "workforce to external applications" use case
      – 2-factor authentication support: PhoneFactor
      – Supports Active Directory
    • PingFederate & PingOne (Hybrid model):
      – A single connection to PingOne for all SaaS applications
      – Offload connection maintenance to PingOne
      – PingFederate handles all use cases not supported by PingOne
  • 11. PingOne - CAS: Cloud Access Services (section divider)
  • 12. PingOne CAS (diagram)
  • 13. CloudDesktop (diagram)
  • 14–16. PingOne Cloud Access Services: Enterprises Connect 1:Many (animated diagram build: Your Enterprise connecting to Cloud Apps)
  • 17. Cloud Access Services in 3 Steps: Register, Connect, Select Apps
  • 18. Step 1: Registration (Register)
    • Go to http://www.pingone.com
    • Create a PingOne account for your company
    • Provide the domain name
    • Create a password
    • Obtain a registration key from Ping Identity
  • 19. Step 2: Connect. Centralized Control of Sensitive Identity Information
    • Without a Federation Solution:
      – Small/Medium corporations
      – AD Connect links the user directory (AD) to all cloud applications.
    • With a Federation Solution:
      – Large enterprises with PingFederate, SAML 2.0 or Google Apps
      – Offload connection maintenance to PingOne
  • 20. Step 3: Applications Catalog (Select Apps)
    • The Applications Catalog is a collection of SAML-enabled application providers
    • The administrator adds the applications that are appropriate for the corporation
    • For example: ADP, Salesforce and WebEx Connect
  • 21. PingOne - CAS: Cloud Access Services – ADConnect (section divider)
  • 22. AD Connect: A Lightweight Authentication Utility
    • For organizations without SAML support: an authentication utility that connects Microsoft Active Directory to PingOne Cloud Access Services
    • Authenticates users via SAML: no storing of passwords in the Cloud and no reverse proxies
    • Easy "point, click & configure": deploys in less than 30 minutes, with no DNS (Domain Name System) changes
  • 23. PingOne CAS Data Flow – SP-Init SSO (diagram: Browser, SP Network, IdP Network and the SSO Service running on multi-tenant, secure, HA/DR infrastructure; steps 1–5 exchanged over SAML)
  • 24. PingOne CAS Data Flow – IdP-Init SSO (diagram: Browser, SP Network, IdP Network and the SSO Service running on multi-tenant, secure, HA/DR infrastructure; steps 1–4 exchanged over SAML)
  • 25. Installing AD Connect
    • Download AD Connect
    • Set the product key
    • Install AD Connect on the IIS server (enter the product key)
    • Verify the installation
  • 26. PingOne - CAS: Cloud Access Services – Hybrid (section divider)
  • 27. Federation model: PingFederate / 3rd-party SAML IdPs / ADFS 2.0
    • One connection to PingOne
    • Leverage existing authentication methods
    • Sends a SAML assertion to PingOne
    • Often known as "Hybrid"
  • 28. Configure PingFederate IdP
    • Download the metadata file from PingOne and create the connection in PingFederate
    • Export the metadata file from PingFederate and upload it to PingOne
  • 29. PingOne - CAS: Cloud Access Services – CloudDesktop (section divider)
  • 30. CloudDesktop: A Customized Portal for the Cloud
    • Customized portal for apps (private and public):
      – Log in once to the user directory
      – One-click access to all SSO-enabled applications
      – Optimized user experience for desktops, laptops and mobile
    • Mobile support:
      – Device detection and rendering
      – Support for SaaS native apps
      – Provide SSO using OAuth tokens (PingOne OAuth AS)
  • 31. CloudDesktop: A Customized Portal for the Cloud (example)
    – Jane Smith is a member of the "IT" group in AD
    – She is granted access only to the ADP and WebEx applications
  • 32. CloudDesktop: A Customized Portal for the Cloud (example)
    – John Doe is a member of the "Sales" group in AD
    – He is granted access to all three apps (ADP, Salesforce and WebEx)
  • 33. Group Management (screenshot)
  • 34. Review Exercises
    • What is the purpose of AD Connect?
    • What is CloudDesktop?
    • What are 2 ways that AD Connect authenticates users?
    • Describe the flow of an SP-initiated SSO transaction with PingOne
  • 35. PingOne - APS: Application Provider Services (section divider)
  • 36. Many Customers, Single Application (diagram)
  • 37. Application Provider Services in 4 Steps: Register, Configure, Integrate, Invite
  • 38. Step 1: Registration (Register)
    • Create a PingOne account for your company
    • Provide the domain name
    • Create a password
  • 39. Step 2: Configure. Connection Types:
    • Via REST APIs
    • Secure SAML SSO
  • 40. SAML Enabled Providers
    • User authenticates
    • SAML assertion is sent to the SaaS federation server
    • No integration is required
    • Standard SAML connection configuration
  • 41. SAML Enabled Connection – PingFederate (Configure)
    1. Download the metadata file from PingOne
    2. From PingFederate, set up an IdP connection to PingOne
    3. Export the metadata file and import it into PingOne
    4. Define SSO Attributes
  • 42. REST API
    • PingOne redirects users to the SaaS application with a Token ID
    • The SaaS application makes a secure back-channel call to PingOne to receive the identity information
  • 43. PingOne APS Dataflow with REST API (diagram)
  • 44. REST API Connection (Configure)
    1. Application: Domain Name, Application URL, Error URL
    2. Define SSO Attributes
  • 45. Step 3: Integrate. PingOne handles all of the protocol details, allowing your application to be concerned with just three things:
    • Redirecting the user's browser to PingOne to start SSO
    • Exchanging a token for the user's attributes
    • Creating a session for the user
  • 46. REST API Integration – Exchange Token
    • After authenticating, the user returns to your application with a token, to either:
      – The appurl specified during the 302 redirect, or
      – The Default Application URL you saved in SSO Settings, if appurl is not specified
    • The user's token is passed as a query parameter (tokenid) in the HTTP request. For example: https://www.mysaas.com/testapp?tokenid=158affc71d6bc65fe2a92ffac7760dce&agentid=0055f3da
    • This token is created by PingOne and is a one-time secret between the user and PingOne
    • The token can be exchanged with PingOne for a set of user attributes through a simple web service call
    • To exchange a token with PingOne, you must make a web service call to the Token Resolution Service. This is an HTTP GET call structured like: https://sso.connect.pingidentity.com/sso/TXS/2.0/<format>/<tokenid>
    • Accepted format parameters are: "1" - JSON format; "2" - Properties format
  • 47. REST API Integration – Exchange Token (continued). PingOne will return the following attributes, formatted according to the format parameter above:
    • pingone.subject - the username of the authenticated user
    • pingone.saas.id - the SaaS to which the token is issued. This will be your SaaS ID
    • pingone.idp.id - the idpid of the Identity Provider who issued the assertion
    • pingone.authn.context - the "authentication context" under which the user was authenticated by the Identity Provider
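The following is an added example, not code from the slides or from Ping Identity, showing what the SaaS side of slides 45–47 looks like in practice: pull the one-time tokenid out of the return URL, build the Token Resolution Service GET, parse the answer in either format, and only then create a session. The slides do not state several details, so this code assumes them and labels them as such: the tokenid shape (32 hex characters, matching the slide's sample URL), a flat JSON object for format "1" and `key=value` lines for format "2", and that whatever authentication PingOne requires on the back-channel call is handled inside the injected `fetch` callable. The two checks after the exchange (the token was issued to your own SaaS ID, and the issuing idpid belongs to a customer you have onboarded) are the practitioner's additions that keep one tenant of a multi-tenant service from logging into another; the browser-supplied query string is used for nothing except the tokenid itself.

```python
# Added example (not Ping Identity's code): SaaS-side handling of the PingOne APS
# REST token exchange from slides 45-47.  Assumptions, because the slides do not
# say: tokenid is 32 hex chars (as in the slide's sample URL); the JSON answer is
# a flat object and the Properties answer is "key=value" lines; any credentials
# PingOne wants on the back-channel GET are added by the injected `fetch`.
import json
import re
from urllib.parse import parse_qs, urlsplit

TOKEN_RESOLUTION_BASE = "https://sso.connect.pingidentity.com/sso/TXS/2.0"
FORMAT_JSON = "1"        # format parameter "1" on the slide
FORMAT_PROPERTIES = "2"  # format parameter "2" on the slide
REQUIRED_ATTRS = ("pingone.subject", "pingone.saas.id",
                  "pingone.idp.id", "pingone.authn.context")
TOKENID_RE = re.compile(r"^[0-9a-f]{32}$")  # assumed shape of a tokenid


def extract_tokenid(request_url):
    """Return the single well-formed tokenid from the return URL's query
    string, or None if it is absent, repeated, or malformed."""
    values = parse_qs(urlsplit(request_url).query).get("tokenid", [])
    if len(values) != 1 or not TOKENID_RE.match(values[0]):
        return None
    return values[0]


def resolution_url(tokenid, fmt=FORMAT_JSON):
    """Build the Token Resolution Service URL .../<format>/<tokenid>."""
    if fmt not in (FORMAT_JSON, FORMAT_PROPERTIES):
        raise ValueError("format must be '1' (JSON) or '2' (Properties)")
    if not TOKENID_RE.match(tokenid):
        raise ValueError("malformed tokenid")
    return f"{TOKEN_RESOLUTION_BASE}/{fmt}/{tokenid}"


def parse_attributes(body, fmt):
    """Parse the response body in the requested format and return exactly the
    four attributes the slides list; any of them missing is an error."""
    if fmt == FORMAT_JSON:
        data = json.loads(body)
        if not isinstance(data, dict):
            raise ValueError("unexpected JSON shape")
    else:  # Properties format: one key=value per line, '#' comments ignored
        data = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if sep:
                data[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_ATTRS if k not in data]
    if missing:
        raise ValueError(f"response missing attributes: {missing}")
    return {k: str(data[k]) for k in REQUIRED_ATTRS}


def handle_sso_return(request_url, fetch, my_saas_id, known_idp_ids,
                      fmt=FORMAT_JSON):
    """Third Integrate step: exchange the token, then decide whether a session
    may be created.  Returns (session, None) on success or (None, reason) on
    rejection.  `fetch(url) -> str` performs the back-channel GET."""
    tokenid = extract_tokenid(request_url)
    if tokenid is None:
        return None, "missing or malformed tokenid"
    try:
        attrs = parse_attributes(fetch(resolution_url(tokenid, fmt)), fmt)
    except ValueError as exc:
        return None, f"token exchange failed: {exc}"
    # The token must have been issued to this SaaS, not to another PingOne tenant.
    if attrs["pingone.saas.id"] != my_saas_id:
        return None, "token issued for a different SaaS"
    # Only customers you have actually onboarded (Step 4) may log users in.
    if attrs["pingone.idp.id"] not in known_idp_ids:
        return None, "unknown identity provider"
    # Identity comes solely from the back-channel answer; the one-time tokenid
    # is not kept in the session.
    session = {"user": attrs["pingone.subject"],
               "tenant": attrs["pingone.idp.id"],
               "authn_context": attrs["pingone.authn.context"]}
    return session, None


# Constructed sample: the slide's example return URL and a JSON answer shaped
# as assumed above (values invented for this demo).
SAMPLE_RETURN_URL = ("https://www.mysaas.com/testapp"
                     "?tokenid=158affc71d6bc65fe2a92ffac7760dce&agentid=0055f3da")
SAMPLE_JSON_BODY = json.dumps({
    "pingone.subject": "jane.smith@example.com",
    "pingone.saas.id": "saas-demo-001",
    "pingone.idp.id": "idp-acme-42",
    "pingone.authn.context":
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
})


def demo():
    """Happy path with a fake back channel that never touches the network."""
    def fake_fetch(url):
        assert url == resolution_url("158affc71d6bc65fe2a92ffac7760dce")
        return SAMPLE_JSON_BODY
    return handle_sso_return(SAMPLE_RETURN_URL, fake_fetch,
                             "saas-demo-001", {"idp-acme-42"})


if __name__ == "__main__":
    print(demo())
```

In production `fetch` would be an HTTPS client that pins to the PingOne host and carries whatever credentials the Token Resolution Service expects; the point of injecting it is that the decision logic (which SaaS, which idpid, which attributes) is testable without the network and never trusts the `agentid` or anything else the browser put in the query string.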
  • 48. Step 4: Invite. Customer Onboarding Options:
    • SSO Self-Service Widget
    • Email
    • REST API
    • Manual Connection
  • 49. Accelerate Onboarding to Your App
    • Quickly add customers:
      – Provide basic information
      – Invite customers to connect
      – Complete in 10 minutes or less
    • Manage connections to your app:
      – Review all customers using SSO
      – Check onboarding status
      – Suspend SSO by customer or globally
    • "The PingOne service works very well. Setting up connections only takes a matter of minutes now." — Leading CRM Service Provider
  • 50. SSO Self-Service Onboarding
    1. Add the PingOne-provided JavaScript widget to a webpage that only your customer administrators can access
    2. Add server-side code so the widget includes the <idpid> and <email> parameters in the OpenToken
    3. Ask the user to select the Enable SSO option and click the PingOne link
    4. The customer is securely redirected to the PingOne APS website, where they enter their configuration information
  • 51. Email Onboarding
    1. Fill out the Identity Provider form: Email and Customer ID
    2. Send the email invitation to the customer from PingOne or your preferred email client
  • 52. Email Onboarding (continued)
    1. The customer clicks the link in the email invitation
    2. The customer logs in to PingOne CAS
    3. The connection is automatically added to the visible application list
  • 53. Review!
  • 54. QUESTIONS?
  • 55. PingOne and the Cloud (section divider)
  • 56. PingOne and the Cloud
    • This workshop explores how on-premises and cloud resources can work together to achieve enterprise business goals
    • No one choice is right for everybody:
      – Zero on-premises footprint
      – No Cloud
      – A little bit of both
    • We want you to leave knowing:
      – When using an IDaaS works best
      – How to mix and match cloud and on-premises products
      – The benefits of choosing a mixed deployment
  • 57. Standard Federated Identity (diagram: On-Premises Infrastructure with IIS, Apps, Kerberos and a Federation Server; Partner Infrastructure with Apps; Cloud Resources)
  • 58. The Federation Can Move (diagram: the same on-premises infrastructure, with the Federation Server relocated to the Cloud Resources)
  • 59. Becoming IDaaS + Identity Bridge (diagram: On-Premises Infrastructure with IIS, Apps and Kerberos; an Identity Bridge connecting it to the IDaaS in the Cloud Resources)
  • 60. What is an Identity Bridge?
    • A service that can authoritatively speak about users
    • An on-premises physical or virtual appliance
    • Another cloud platform
    • Enables users, applications and identity services across the hybrid cloud
    • Can be unidirectional or bidirectional
    (Photo: The Sundial Bridge, Redding CA, by Aaron Patterson)
  • 61. What Crosses an Identity Bridge?
    1. Authentication requests & responses
    2. Account information
    3. Business data to make authorization decisions
    Important: it matters how this data is sent. Identity data should only travel across the Internet using internet-grade security and trust.
  • 62. Becoming IDaaS + Identity Bridge (diagram as on slide 59)
    • IDaaS Platform:
      – PingOne CAS (Cloud Access Services)
      – PingOne APS (Application Provider Services)
    • Bridges:
      – PingOne ADConnect
      – PingFederate
    • User Features:
      – CloudDesktop