Identity provider integration
Identity provider (IdP) integration involves retrieving user-identity attributes from the IdP domain and sending them to the PingFederate server.
An IdP is a system entity that authenticates a user, or “SAML subject,” and transmits referential identity attributes based on that authentication to PingFederate. Typically, the IdP retrieves the identity attributes from an authenticated user session. Depending on the IdP deployment/implementation enviornment, a number of attribute-retrieval approaches are used for IdP integration. Ping Identity offers a broad range of commercial integration kits that address various IdP scenarios, such as custom-application integration, integration with a commercial identity management (IdM) product, or integration with an authentication system.
For IdPs implementing single sign-on (SSO) to selected software as a service (SaaS) providers such as Google Apps and Salesforce, PingFederate also provides automated user provisioning. |
Custom applications
Many applications use their own authentication mechanisms, typically through a database or LDAP repository, and are responsible for their own user-session management. Custom-application integration is necessary when there is limited or no access to the web or application server hosting the application. Integration with these custom applications is handled by application-level integration kits, which allow software developers to integrate their applications with a PingFederate server acting as a service provider (SP).
With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the SP application, which then uses them for its own authentication and session management. As for the IdP, application-specific integration kits include an SP agent, which resides with the SP application and provides a simple programming interface to extract the identity attributes sent from the PingFederate server. PingFederate cam use this information to start a session for the SP application.
Ping Identity provides custom-application integration kits for a variety of programming environments, including:
-
Java
-
.NET
-
PHP
Ping Identity provides an Agentless Integration Kit, which allows developers to use direct HTTP calls to the PingFederate server to temporarily store and retrieve user attributes securely, eliminating the need for an agent interface.
IdM systems
An IdP enterprise that uses an IdM system expands the reach of the IdM domain to external partner applications through integration with PingFederate. IdM integration kits typically use the IdM agent API to access identity attributes in the IdM proprietary session cookie and transmit those attributes to the PingFederate server.
IdM integration kits do not require any development; the PingFederate administrative console accomplishes all integrations.
Ping Identity provides integration kits for many of the leading IdM systems, such as Oracle Access Manager.
Authentication systems
An authentication application or service normally handles initial user authentication outside of the PingFederate server. To access applications outside the security domain, PingFederate authentication-system integration kits leverage this local authentication.
Authentication integration kits do not require any development; the PingFederate administrative console accomplishes all integrations with PingFederate. Ping Identity offers integration kits for authentication systems including:
-
X.509 Certificate
-
RSA SecurID Integration Kit
-
Symantec VIP Integration Kit
PingFederate also packages two IdP adapters, an HTML Form Adapter and an HTTP Basic Adapter, which delegate user authentication to plugin password credential validators (PCVs). Supplied validators use either an LDAP directory, RADIUS server, or a simple username/password verification system maintained by PingFederate. Customized validators can also be developed. When the PingFederate IdP server receives an authentication request for SP-initiated SSO or a user clicks a link for IdP-initiated SSO, PingFederate invokes the implemented adapter and prompts the user for credentials, if the user is not already logged on.