Workshop: Advanced Federation Use-Cases with PingFederate
Cloud Identity Summit 2012 Workshop

Speaker notes

  • It is bad practice to give applications your passwords. Limit access: OAuth is a "valet key" to the web that only allows specific, limited access. Access is easily revoked; if you give out a password you have to change it. PingFederate uses IdP Adapters for authentication.
  • Demo roles: Tunes Partner is the client (application); Payment Gateway is the Resource Server; PingFederate is the Authorization Server (AS).
  • PingFederate's responsibility is to authorize users, issue tokens to clients and validate the tokens presented by the Resource Server.
  • Multiple datastore lookup is available for all SP connection attribute contract fulfillment.
Workshop: Advanced Federation Use-Cases with PingFederate Presentation Transcript

  • 1. Workshop: Advanced Federation Use-Cases with PingFederate
    Craig Wu - Director, Product Development
    Peter Motykowski - Senior Engineer/Developer
  • 2. Agenda
      • Introductions
      • New Features Overview
        – OAuth
        – Adaptive Federation
        – PingFederate 6.7 and beyond
    Copyright © 2011. Cloud Identity Summit. All Rights Reserved.
  • 3. Agenda
      • Demos
        – OAuth Authorization Code Flow
        – Adaptive Federation Use Cases
          • Adapter Selectors
          • Composite Adapter
          • Multiple IdP data stores
  • 4. Agenda
      • Extending PingFederate
        – Developing Plugins
      • PingFederate SDK
        – Building a custom adapter selector
  • 5. Who are these guys? INTRODUCTIONS
  • 6. Craig Wu
      • Director, Product Development
      • Been with Ping Identity since Feb 2007
      • Started with Integration Kits
      • PF STS integration
      • PingFederate Fall 2009 – PF 6.2
  • 7. Peter Motykowski
      • Senior Engineer/Developer
      • Been with Ping Identity since May 2007
      • Started with PingLabs
      • PF STS Integration, Adapter Selectors, OAuth
  • 8. PingFederate Engineering Team: Denver, CO - Vancouver, BC - Moscow, Russia - Dublin, Ireland
  • 9. PingFederate 6.5: OAUTH
  • 10. OAuth - Drivers
  • 11. OAuth - Securing APIs
      • Simple and Standard
        – exchange user credentials for tokens
        – present token for access
      • Scopes to limit access
      • Easily revoke access
      • Browser, mobile and desktop clients
      • PingFederate Authorization Server
        – User authenticates with AS
        – Leverage existing PF authentication
  • 12. OAuth Demo – Demo Overview
      • Payment Gateway with REST API secured using OAuth 2.0 (Resource Server)
      • Users authenticate to the PF Authorization Server, then approve issuance of an OAuth token (Client)
      • Tunes Partner application can request:
        • One-time Payments
        • Perpetual Payments
      • Initiated via Web or Native Mobile Application partner OAuth clients
  • 13. Web One Time / Initial Payments (flow diagram). Participants: Browser, Tunes Partner Web, Authorization Server, Payment Gateway (REST API endpoint). Steps: (1) Request Action, (2) Get Token, (3) Use Token, (4) Validate Token, (5) Charge.
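The five-step flow of slide 13, as an added and deliberately simplified Python model that is not part of the original deck and not PingFederate code: the Authorization Server issues scoped, expiring tokens and answers the Resource Server's validation request, and the Payment Gateway charges only when the token is live and carries the needed scope. Scope names and party identifiers are constructed for the example.

```python
import secrets
import time

# Simplified model of the demo's parties (added example, not PingFederate code):
# PF as Authorization Server (AS), the Payment Gateway as Resource Server (RS),
# the Tunes Partner app as client. Scope names below are constructed.
SCOPE_ONE_TIME = "payment:one-time"
SCOPE_PERPETUAL = "payment:perpetual"

class AuthorizationServer:
    """Authenticates users, issues tokens to clients, validates tokens for the RS."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.tokens = {}  # opaque token -> record; the RS never decodes the token

    def issue_token(self, user, client_id, approved_scopes, now=None):
        # Step 2: the user authenticated at the AS and approved these scopes.
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": user, "client_id": client_id,
                              "scope": frozenset(approved_scopes),
                              "exp": now + self.ttl, "revoked": False}
        return token

    def validate(self, token, now=None):
        # Step 4: the RS asks the AS whether the token is live and what it allows.
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None or rec["revoked"] or now >= rec["exp"]:
            return {"active": False}
        return {"active": True, "sub": rec["sub"], "scope": rec["scope"]}

    def revoke(self, token):
        # Access is withdrawn without the user having to change a password.
        if token in self.tokens:
            self.tokens[token]["revoked"] = True

class PaymentGateway:
    """Resource Server: accepts a bearer token, never the user's password."""
    def __init__(self, authz_server):
        self.authz = authz_server

    def charge(self, token, amount, required_scope, now=None):
        # Steps 3-5: use token -> validate with the AS -> charge only if in scope.
        info = self.authz.validate(token, now)
        if not info["active"]:
            return (401, "invalid_token")
        if required_scope not in info["scope"]:
            return (403, "insufficient_scope")
        return (200, f"charged {amount} to {info['sub']}")
```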
  • 14. PingFederate 6.6: ADAPTIVE FEDERATION
  • 15. PingFederate Adaptive Federation
      1. Define rules for directing a user to an authentication method. Examples: if the user is from a specific IP; if the user is from outside the firewall; if the app requires a specific type of authentication.
      2. Create a "chain" of authentication adapters. Examples: Consumer - Facebook AND One Time Password; Remote User - LDAP AND RSA SecurID.
      3. Gather identity attributes from multiple sources, allowing for smart attribute retrieval and reducing the need for deploying a virtual directory. Example: fulfill the SAML attribute contract with LDAP and RDBMS data sources.
  • 16. Adapter Selectors
      • Administrators create authentication rules using adapter selectors
      • Authentication Rules are evaluated during the SSO transaction
      • The result values are mapped to specific adapters to be used for authentication
      • Executed in ordered sequence
      • Bundled 6.6 selectors
        – CIDR
        – SAML AuthN Context
      • Custom Selector SDK
  • 17. CIDR Adapter Selector
  • 18. SAML AuthN Context Adapter Selector
  • 19. Adapter Chaining via Composite Adapter
      • Administrators chain adapters to execute in ordered sequence
      • Composite adapter instance treated as a single adapter instance
      • Required policy creates multi-factor authentication
      • Sufficient policy supports OR condition
      • Authentication context weight and override
  • 20. Composite Adapter
  • 21. Multiple Datastore Attribute Lookup
      • Connect to multiple directories and databases
      • Pull attributes from any number and combination of data sources
      • Fulfill complex attribute requirements
      • Benefits
        – Easily aggregate identity attributes from multiple data sources
        – Reduce need for:
          • Virtual Directories
          • Custom Data Sources
  • 22. IdP Multiple Datastore Lookup
      • SP Connection Attribute Contract Fulfillment
        – Browser SSO
        – WS-Trust
        – Adapter to Adapter
        – Attribute Query
      • Use return values from one data store as filter criteria for a subsequent data store query
  • 23. LDAP Adapter Replacement
      • HTML Form Adapter
        – Session Management
          • Global
          • Per Adapter
          • None
        – Per instance form template
      • HTTP Basic Adapter
      • Password Credential Validators
        – Simple Username
        – LDAP Username
        – Can have multiple PCV instances per adapter
  • 24. HTML Form Adapter
  • 25. HTTP Basic Adapter
  • 26. Adaptive Federation Demo
  • 27. Monitoring: Splunk App for PingFederate
      • Supports PF 6.3 and above
        – Based on audit log
        – Enable Splunk log4j appender
      • SSO transaction and system report
        – current transactions
        – system health
        – system errors
      • Service Reports
        – daily usage report
        – SP/IdP provider reports per connection
      • Trend Reports
        – weekly/monthly usage report
        – trend analysis
  • 28. Splunk App for PingFederate
  • 29. Free on SplunkBase: http://splunk-base.splunk.com/apps/Splunk+App+for+PingFederate
  • 30. PingFederate 6.7 and beyond: PINGFEDERATE FUTURES
  • 31. PingFederate 2012 Releases
      • Two month releases
        – RTM: Release to Marketing
        – Fully qualified and documented
        – Upgrade Utility
      • Marketing determines GA
  • 32. PingFederate 6.7 - RTM Feb 24, 2012
      • Admin Console Optimizations
        – Large number of connections
        – Large number of adapters
      • Splunk App for PingFederate
  • 33. PingFederate 6.8 – RTM April 27, 2012
      • Centralized configuration for AD Domains/Kerberos Realms
        – IWA 3.0 Adapter
        – Kerberos Token Translator 2.0
      • OAuth Client Management API
        – REST API for CRUD operations
  • 34. Centralized AD Domain Configuration
  • 35. IWA Adapter 3.0
  • 36. PingFederate 6.9 – RTM June 29, 2012
      • Microsoft Office 365 Interoperability
      • Upgrade Jetty
      • Remove JBoss
  • 37. PingFederate Software Development Kit (SDK): EXTENDING PINGFEDERATE
  • 38. PingFederate Plugins
      • Adapters
      • Token Translators
      • Custom Data Sources
      • Adapter Selectors
      • Password Credential Validators
  • 39. Custom Adapter Selector
      • HTTP Header Adapter Selector
  • 40. Adapter Selector API Overview. Methods needing to be implemented for the com.pingidentity.sdk.AdapterSelector interface:

        PluginDescriptor getPluginDescriptor();

        void configure(Configuration configuration);

        AdapterSelectorContext selectContext(HttpServletRequest req,
                                             HttpServletResponse resp,
                                             Map<String, String> mappedAdapterIdsNames,
                                             Map<String, Object> extraParameters,
                                             String resumePath);

        void callback(HttpServletRequest req,
                      HttpServletResponse resp,
                      Map authnIdentifiers,
                      String adapterInstanceId,
                      AdapterSelectorContext adapterSelectorContext);
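The selector and chaining behaviour described on slides 16 and 19, together with the HTTP header selector idea of slide 39, as one added Python model that is neither PingFederate code nor an implementation of the SDK interface above: selectors are evaluated in ordered sequence, their result values are mapped to adapter instance ids, and a composite adapter applies Required and Sufficient policies. Network names, header names and adapter ids passed to these functions are constructed for the example, and the Required/Sufficient semantics are a simplified reading of the slide.

```python
import ipaddress

# Added model of PingFederate 6.6 adaptive federation (not product or SDK code):
# selectors run in ordered sequence, result values map to adapter instance ids,
# and a composite adapter applies Required / Sufficient policies. Network names,
# header names and adapter ids used with these functions are constructed.

def cidr_selector(networks):
    """Slide 17: result value is the name of the first network the client IP is in."""
    def select(request):
        ip = ipaddress.ip_address(request["remote_addr"])
        for name, cidr in networks.items():
            if ip in ipaddress.ip_network(cidr, strict=False):
                return name
        return None  # no result value; evaluation moves on to the next selector
    return select

def http_header_selector(header, allowed_values):
    """Slide 39 custom selector: result value is the request header, if allowed."""
    def select(request):
        value = request["headers"].get(header)
        return value if value in allowed_values else None
    return select

def select_adapter(request, rules, default_adapter):
    """Rules are (selector, {result_value: adapter_id}); first mapped result wins."""
    for selector, mapping in rules:
        result = selector(request)
        if result in mapping:
            return mapping[result]
    return default_adapter

def composite_authenticate(request, chain):
    """Slide 19: every Required adapter must pass (multi-factor); the first
    Sufficient adapter that passes ends the chain with success (OR)."""
    has_sufficient = False
    for policy, adapter in chain:  # adapters run in the configured order
        passed = adapter(request)
        if policy == "Required" and not passed:
            return False
        if policy == "Sufficient":
            has_sufficient = True
            if passed:
                return True
    # All Required adapters passed. If a Sufficient adapter was in the chain
    # and none passed, the OR condition failed (simplified policy model).
    return not has_sufficient
```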