Key concepts
This section provides background information and preparation to help administrators understand and use PingFederate.
Connection Types
PingFederate features an integrated administrative console for configuring connections to identity-federation partners. The four connection types are:
- Browser-based single sign-on (SSO) – Called Browser SSO in the administrative console, this term refers to standards-based secure SSO, which generally depends on the user’s browser to transport identity assertions and other messages between partner endpoints. For more information, see Supported standards.
- WS-Trust security token service (STS) – Employs the PingFederate STS, which enables web service clients (WSCs) and web service providers (WSPs) to extend SSO to identity-enabled web services at provider sites. Unlike Browser SSO, WS-Trust messaging does not rely on the user’s browser for transport. For more information, see WS-Trust STS.
- OAuth Assertion Grant – Exchanges a SAML assertion or a JSON Web Token (JWT) for an OAuth access token issued by the PingFederate authorization server (AS). For more information, see About OAuth.
- Provisioning – Provides automated cross-domain inbound and outbound user management. For more information, see User provisioning.
You can configure the types of connections together for the same partner or independently.
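The OAuth Assertion Grant exchange above is the JWT bearer grant defined in RFC 7523. The following script is an added example, not PingFederate code: the client side mints a signed JWT assertion and form-encodes the token request, and a minimal authorization-server side checks grant type, algorithm, signature, issuer, audience, expiry and single-use jti before issuing an access token. The endpoint URL, issuer, client ID and key are constructed for the example, and HS256 is used only so the script runs offline; a real partner would sign with an asymmetric key registered with the AS.

```python
"""Added example of an RFC 7523 JWT bearer assertion grant (not PingFederate's code).
All URLs, identifiers and keys are constructed demo values."""
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import urlencode, parse_qs

TOKEN_ENDPOINT = "https://sso.example.com/as/token.oauth2"  # assumed AS token endpoint
ISSUER = "https://partner-idp.example.org"                  # assumed trusted assertion issuer
CLIENT_ID = "partner-client"                                # assumed registered client
SHARED_KEY = b"constructed-demo-key-do-not-use"             # demo HS256 key
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_assertion(subject: str, now: int, key: bytes = SHARED_KEY, ttl: int = 300) -> str:
    """Client side: mint the JWT assertion with the claims RFC 7523 section 3 requires."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "aud": TOKEN_ENDPOINT,             # audience must be the AS token endpoint
        "exp": now + ttl,
        "iat": now,
        "jti": secrets.token_urlsafe(16),  # unique id so the AS can reject replays
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def build_token_request(assertion: str, scope: str = "read") -> str:
    """Client side: the application/x-www-form-urlencoded body POSTed to the token endpoint."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion,
                      "client_id": CLIENT_ID, "scope": scope})

class AuthorizationServer:
    """AS side: validate the assertion and return a token response or an OAuth error."""
    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.seen_jti = set()   # replay cache; a real AS would bound this by exp

    def token(self, body: str, now: int) -> dict:
        form = {k: v[0] for k, v in parse_qs(body).items()}
        if form.get("grant_type") != JWT_BEARER:
            return {"error": "unsupported_grant_type"}
        try:
            h64, c64, s64 = form["assertion"].split(".")
            header = json.loads(_b64url_decode(h64))
            claims = json.loads(_b64url_decode(c64))
        except (KeyError, ValueError):
            return {"error": "invalid_grant"}
        if header.get("alg") != "HS256":   # never accept "none" or an unexpected alg
            return {"error": "invalid_grant"}
        expected = hmac.new(self.key, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            return {"error": "invalid_grant"}
        if claims.get("iss") != ISSUER or claims.get("aud") != TOKEN_ENDPOINT:
            return {"error": "invalid_grant"}
        if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
            return {"error": "invalid_grant"}
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:   # replayed assertion
            return {"error": "invalid_grant"}
        self.seen_jti.add(jti)
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 3600, "sub": claims["sub"]}

if __name__ == "__main__":
    now = int(time.time())
    assertion = build_assertion("alice@partner.example.org", now)
    srv = AuthorizationServer()
    print(srv.token(build_token_request(assertion), now))   # token response
    print(srv.token(build_token_request(assertion), now))   # same jti again -> invalid_grant
```

The audience check is the one most often missed in practice: an assertion minted for one token endpoint must not be accepted by another, which is why `aud` is pinned to the AS token endpoint rather than merely checked for presence.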
WS-Trust STS
The PingFederate WS-Trust STS allows organizations to extend SSO identity management (IdM) to web services. For more information, see About WS-Trust STS.
OAuth
You can configure PingFederate to act as an OAuth authorization server (AS), allowing a resource owner to grant authorization to an OAuth client requesting access to resources hosted by a resource server (RS). For more information, see About OAuth.
SSO integration kits and adapters
PingFederate provides bundled and separate integration kits that include adapters that plug into the PingFederate server and agent toolkits that interface with local IdM systems or applications as needed. For more information, see SSO integration kits and adapters.
Security infrastructure
PingFederate security infrastructure supports encrypted messaging, certificates, and digital signing. For more information, see Security infrastructure.
Hierarchical plugin configuration
PingFederate allows you to use a configuration of an adapter, as well as certain other PingFederate plugins, as a parent instance from which you can create child instances. For more information, see Hierarchical plugin configurations.
Identity mapping
PingFederate enables identity mapping between domains for browser-based SSO and WS-Trust STS. For more information, see Identity mapping.
User attributes
Federation transactions require the transmission of a unique piece of information that identifies the user for identity mapping between security domains. For more information, see User attributes.
User provisioning
PingFederate provides cross-domain user provisioning and account management. For more information, see User provisioning.
Customer identity and access management
PingFederate provides a secure customer authentication, registration, and profile management solution that administrators can deliver to end users. For more information, see Customer identity and access management.
Federation hub use cases
As a federation hub, PingFederate can bridge browser-based SSO between IdPs and SPs. For more information, see Federation hub use cases.
Federation planning
An essential first step in establishing an identity federation involves discussions and agreements between you and your connection partners. For more information, see the Federation planning checklist.