An essential first step in establishing an identity federation involves discussions and agreements between you and your connection partners. The sections below comprise a partial checklist of items that should be coordinated before you deploy PingFederate.
Standards and Specifications
Choose which federation protocol(s) your deployment will support. For SAML SSO configurations, decide which profiles and bindings will be used. (See Supported Standards.)
Signing and Validation
Decide which SAML messages—assertions, responses, requests—will be digitally signed and how the messages will be verified by your federation partner. If messages are signed, decide how certificates will be exchanged (for example, secure email). (See Security infrastructure.)
Also, if a stronger signature algorithm is required, determine what RSA algorithm will be used for signing. (The optional algorithm selection is available throughout the administrative console, where signing certificates are specified for various uses.)
Back-Channel Security
Determine what type of SOAP channel authentication will be used: Basic or SSL/TLS. If SSL/TLS is used, determine whether server-only or both server and client certificates will be needed and how they will be managed. Also decide what level of security will be required for connections to back-end datastores or identity management systems.
Trusted Certificate Management
Determine whether both partners are using SSL/TLS runtime certificates, signing certificates, or both that have been signed by a major CA. (If self-signed certificates or nonstandard CAs are used, the signed certificates must be exchanged and imported into Trusted Certificate stores.) Also, determine whether you want to adopt a trust model that uses embedded certificates (see Digital signing policy coordination).
Deployment
Decide how PingFederate fits into your existing network. Also, determine whether high-availability, failover options, or both, are required (see the PingFederate Server Clustering Guide ).
Federation Server Identification
Determine how you and your partner(s) will identify your respective federation deployments. Under federation standards, both the sender (IdP) and the receiver (SP) of an assertion must be uniquely identified within the identity federation (see Configuration data exchange).
With PingFederate, you define a unique ID for each supported protocol (see Specifying federation information). Optionally, you can also use a list of multiple Virtual Server IDs on a connection-by-connection basis (see Multiple virtual server IDs).
PingFederate also provides for virtual host names, which differ from virtual server IDs (but are not mutually exclusive); they are intended to be used when your network configuration is such that you receive federation messages under more than one domain name (see Configuring virtual host names).
Server Clock Synchronization
Ensure that both the SP and IdP server clocks are synchronized. SAML messages and STS tokens provide a time window that allows for small synchronization differentials. However, wide disparities will result in assertion or request time-outs.
User Datastores
Identify the type of datastore that contains user data when needed (see Datastores).
Web Application and Session Integration
Decide how PingFederate as an IdP receives subject identity information, either from an STS token or a user session.
For an SP, decide how PingFederate will forward user identity information to the destination web application or system to start a session.
(See SSO integration kits and adapters and Token processors and generators.)
Transaction Logging
PingFederate provides basic transaction logging and monitoring. Decide whether transaction logging should be integrated with a systems management application and whether you have regulatory compliance requirements that affect your logging processes. (For more information, see PingFederate log files.)
Identity Mapping
For browser-based SSO, decide whether you will use PingFederate to link accounts on your respective systems using a persistent name identifier, or whether you will use account mapping (see Identity mapping).
Attribute Contract Agreement
If your federation partnership will not use account linking, or will not use it exclusively, then you and your partner must agree on a set of attributes that the IdP will send in an assertion for either SSO or web service access. (For more information, see Attribute contracts.)
Metadata Exchange
If you are using SAML, decide whether you will use the metadata standard to exchange XML files containing configuration information. PingFederate makes it easy to use this protocol, which provides a significant shortcut to setting up your partner connections.