An SP is the consumer of identity attributes provided by the identity provider (IdP) through a SAML assertion. The SP application uses this information to set a valid session or other security context for the user represented by the identity attributes. Session creation can follow a number of approaches. As with the IdP, Ping Identity offers commercial integration kits that address the various SP scenarios. Most SP scenarios involve custom-application integration, server-agent integration, integration with an identity management (IdM) product, or integration with a commercial application.

Diagram depicting SP integration with PingFederate.

Custom applications

Many applications use their own authentication mechanisms, typically through a database or LDAP repository, and are responsible for their own user-session management. Custom-application integration is necessary when there is limited or no access to the web or application server hosting the application. Application-level integration kits handle integration with these custom applications and allow software developers to integrate their applications with a PingFederate server acting as an SP.

With these integration kits, PingFederate sends the identity attributes from the SAML assertion to the SP application, which can then use them for its own authentication and session management. As with the IdP, application-specific integration kits include an SP agent, which resides with the SP application and provides a simple programming interface to extract the identity attributes sent from the PingFederate server. PingFederate can use this information to start a session for the SP application.

Ping Identity provides custom-application integration kits for a variety of programming environments, including:

  • Java
  • .NET
  • PHP

In addition, Ping Identity provides an Agentless Integration Kit, which allows developers to use direct HTTP calls to the PingFederate server to temporarily store and retrieve user attributes securely, eliminating the need for an agent interface.
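The following is an added example (not Ping Identity's code) of the SP side of the agentless flow: the application receives a one-time reference ID from PingFederate and exchanges it, server to server, for the stored identity attributes before starting its own session. The base URL, adapter instance ID, pickup path, `REF` parameter, `ping.instanceId` header, credentials and the `subject` attribute name are assumptions to be checked against the kit's documentation.

```python
"""SP-side attribute pickup for the PingFederate Agentless Integration Kit.

Assumed flow: after SSO, PingFederate redirects the browser to the SP with a
one-time reference ID in the REF query parameter; the SP then calls the pickup
endpoint directly (never via the browser) using the adapter's pass phrase.
"""
import base64
import json
import urllib.request
from typing import Callable, Mapping

# Assumed deployment values (placeholders, not taken from the original page).
PF_BASE_URL = "https://pingfederate.example.com:9031"   # must be HTTPS
ADAPTER_INSTANCE_ID = "spAgentlessAdapter"               # assumed adapter ID
PICKUP_USER = "pickup-user"
PICKUP_PASSPHRASE = "replace-with-adapter-pass-phrase"

Fetcher = Callable[[urllib.request.Request], bytes]


def build_pickup_request(ref: str) -> urllib.request.Request:
    """Build the server-to-server request that exchanges a reference ID for attributes."""
    # The REF comes from the browser, so reject anything that could alter the URL.
    if not ref or any(c in ref for c in "&?#/ "):
        raise ValueError("malformed reference ID")
    url = f"{PF_BASE_URL}/ext/ref/pickup?REF={ref}"       # assumed pickup path
    token = base64.b64encode(f"{PICKUP_USER}:{PICKUP_PASSPHRASE}".encode()).decode()
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("ping.instanceId", ADAPTER_INSTANCE_ID)  # assumed header name
    return req


def default_fetch(req: urllib.request.Request) -> bytes:
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def pickup_attributes(ref: str, fetch: Fetcher = default_fetch) -> Mapping[str, str]:
    """Return the identity attributes stored for one-time reference ID `ref`.

    Only attributes obtained through this back-channel call are trusted when the
    application creates its session; nothing from the query string is used.
    """
    body = json.loads(fetch(build_pickup_request(ref)))
    # "subject" is assumed to be the user identifier the adapter stores.
    if not isinstance(body, dict) or not body.get("subject"):
        raise ValueError("pickup response lacks a subject; refusing to start a session")
    return {k: str(v) for k, v in body.items()}
```

The `fetch` parameter exists so the HTTP call can be replaced in tests; in production the default performs the real request against PingFederate.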

Server agents

Server-agent integration with PingFederate allows SP enterprises to accept SAML assertions and provide single sign-on (SSO) to all applications running on that web or application server; there is no need to integrate each application. Since integration occurs at the server level, server-agent integration maximizes ease of deployment and scalability. Applications running on the web or application server must delegate authentication to the server. If the application employs its own authentication mechanism, integration must occur at the application level.

With server-agent integration kits, PingFederate sends the identity attributes from the SAML assertion to the server agent, which is typically a web filter or Java Authentication and Authorization Service (JAAS) Login Module. The server agent extracts the identity attributes, which the server then uses to authenticate and create a session for the user.

SP server-integration kits do not require any development work: the PingFederate administrative console accomplishes all integrations with PingFederate.

Ping Identity provides integration kits for many web and application servers, including:

  • Internet Information Services (IIS)
  • Apache (Red Hat)
  • Apache (Windows)
  • NetWeaver
  • WebSphere

IdM systems

IdM integration with PingFederate allows an SP enterprise to accept SAML assertions and provide SSO to applications protected by the IdM domain. IdM integration kits typically use the IdM agent API to create an IdM proprietary session token based on the identity attributes received from PingFederate.

IdM integration kits do not require any development; the PingFederate administrative console and the IdM administration tool accomplish integration with PingFederate.

Ping Identity provides integration kits for leading IdM systems, such as Oracle Access Manager.

Commercial applications and SaaS

Commercial-application integration with PingFederate allows an SP enterprise to accept SAML assertions and provide SSO to those commercial applications.

These integration kits do not require any development; the PingFederate administrative console accomplishes all integrations.

Ping Identity offers integration kits to many commercial applications and SaaS vendors, including:

  • Citrix
  • SharePoint
  • Box
  • Google
  • Office 365
  • Salesforce
  • Slack
  • Workday
  • Zendesk