An identity repository stores the user credentials needed to validate a user's local or network access to your organization. You can use PingOne for Enterprise Directory as your identity repository, or use an identity bridge to connect to an existing identity repository. An identity bridge establishes a standards-based, secured connection to that repository so that your users can be authenticated and provisioned for single sign-on (SSO).
- PingOne for Enterprise Directory
- PingFederate Bridge
- AD Connect
PingOne for Enterprise Directory
The PingOne for Enterprise Directory is a cloud-based user directory as a service, providing user and group management, user provisioning, directory access entitlements, easy user registration, and API support for custom applications.
The identity bridges use federated SSO. Federated SSO uses the industry-standard protocols SAML 2.0 or OpenID Connect to establish a secure connection (the identity bridge) to your user repositories. User credentials are authenticated through the identity bridge using either SAML or OpenID Connect, which is built on OAuth 2.0. You can also require a second authentication factor with PingID by applying an authentication policy.
- AD Connect
- AD Connect is a free PingOne for Enterprise plugin that provides an identity bridge to Active Directory, and supports user provisioning.
AD Connect comes in two versions:
- Standard AD Connect uses a secure backchannel protocol to communicate with PingOne for Enterprise. This removes the need for IIS, inbound open ports, or signing certificates.
- AD Connect with IIS uses IIS, with inbound ports open for HTTPS, to communicate with PingOne for Enterprise, and verifies the communication with signing certificates.
- PingFederate Bridge
- PingFederate Bridge is a lightweight version of PingFederate, designed for use with PingOne for Enterprise. PingFederate Bridge can connect to a large variety of user repositories, and supports user provisioning.
- A PingFederate license can be either a "Bridge" license or a "Full" license. You can use either type of license with PingOne. This documentation references PingFederate Bridge. If your organization has a full PingFederate license, all instructions are the same unless otherwise noted. See Introduction to PingFederate Bridge for more information.
- OpenID Connect
- If you have an identity provider that supports OpenID Connect, you can set up PingOne to use OpenID Connect as your identity bridge.
- Microsoft ADFS
- If you have a Microsoft Active Directory Federation Services (ADFS) identity provider, you can set up PingOne for Enterprise to use ADFS as your identity bridge.
- Google
- If you are already using Google Apps for mail and calendar, there are just a few extra steps to set up PingOne for Enterprise to use Google as your identity bridge.
- Third Party SAML
- Many federation tools support the SAML protocol. Examples of third-party SAML products that can operate as identity bridges include Shibboleth®, CA Siteminder®, and Oracle Identity Federation. PingOne for Enterprise can interoperate with any identity provider that supports SAML 2.0.
Connections to multiple PingOne for Enterprise accounts
In some cases, your organization may want a single identity bridge to serve connections to multiple PingOne for Enterprise accounts. A typical scenario is an organization whose divisions or subsidiaries each need their own connection.
To use PingOne for Enterprise's account-specific entity IDs for multiple connections to a single identity bridge instance, the identity bridge must support the PingFederate concept of "virtual server IDs". A virtual server ID is an alias for the bridge's own entity ID (connection ID), so that one bridge can answer multiple service providers (SPs) under different identities. With account-specific IDs, each PingOne for Enterprise account presents itself to the bridge as a distinct SP, and the bridge answers each under the matching alias.
The Google identity bridge has no equivalent of virtual server IDs, so account-specific entity IDs cannot be used with it.
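The following script illustrates the virtual server ID mechanism described above at the SAML protocol level. It is an added example, not code from Ping Identity or from PingOne for Enterprise: the bridge side reads the SP entity ID (the SAML Issuer) from each account's AuthnRequest, selects the alias entity ID configured for that account, and answers with that alias as Issuer and the account's own entity ID as Audience; the SP side shows the checks each account must make so that a response minted for one account is not accepted by another. All entity IDs, ACS URLs, virtual server IDs and the sample AuthnRequest are constructed for the example and are not real PingOne identifiers; signing and encryption are left out, and a real bridge would sign the assertion.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Routing table of the bridge. Keys are the account-specific SP entity IDs that
# each PingOne for Enterprise account presents; values hold the virtual server ID
# (the alias the bridge answers with as IdP) and the ACS URL that account expects
# responses at. All values are constructed for this example (hypothetical).
VIRTUAL_SERVERS = {
    "https://sp.example.test/division-a": {
        "virtual_server_id": "https://idp.example.test/saml/division-a",
        "acs_url": "https://sso.example.test/sp/ACS.saml2?account=division-a",
    },
    "https://sp.example.test/division-b": {
        "virtual_server_id": "https://idp.example.test/saml/division-b",
        "acs_url": "https://sso.example.test/sp/ACS.saml2?account=division-b",
    },
}

# Constructed AuthnRequest as the "division-b" account would send it.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_req123" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    AssertionConsumerServiceURL="https://sso.example.test/sp/ACS.saml2?account=division-b">
  <saml:Issuer>https://sp.example.test/division-b</saml:Issuer>
</samlp:AuthnRequest>"""


def route_authn_request(authn_request_xml):
    """Bridge side: read the SP entity ID (Issuer) from an AuthnRequest and pick the
    virtual server that answers it. Unknown issuers and ACS URLs that do not match
    the account's configured ACS are rejected instead of answered under a default ID."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    request_id = root.get("ID")
    sp_entity_id = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if not request_id or not sp_entity_id:
        raise ValueError("AuthnRequest must carry an ID and an Issuer")
    cfg = VIRTUAL_SERVERS.get(sp_entity_id)
    if cfg is None:
        raise ValueError(f"no virtual server configured for SP {sp_entity_id}")
    acs = root.get("AssertionConsumerServiceURL")
    if acs is not None and acs != cfg["acs_url"]:
        raise ValueError("AssertionConsumerServiceURL does not match the configured ACS URL")
    return {"sp_entity_id": sp_entity_id, "request_id": request_id, **cfg}


def build_response(route, name_id, now=None):
    """Bridge side: build an (unsigned) SAML Response. Issuer is the virtual server ID
    selected for this account; Audience is that account's own SP entity ID."""
    now = now or datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    S, P = f"{{{NS['saml']}}}", f"{{{NS['samlp']}}}"
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    resp = ET.Element(P + "Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now.strftime(fmt),
        "Destination": route["acs_url"], "InResponseTo": route["request_id"]})
    ET.SubElement(resp, S + "Issuer").text = route["virtual_server_id"]
    status = ET.SubElement(resp, P + "Status")
    ET.SubElement(status, P + "StatusCode", {"Value": SUCCESS})
    assertion = ET.SubElement(resp, S + "Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now.strftime(fmt)})
    ET.SubElement(assertion, S + "Issuer").text = route["virtual_server_id"]
    subject = ET.SubElement(assertion, S + "Subject")
    ET.SubElement(subject, S + "NameID").text = name_id
    conditions = ET.SubElement(assertion, S + "Conditions", {
        "NotBefore": now.strftime(fmt),
        "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(fmt)})
    restriction = ET.SubElement(conditions, S + "AudienceRestriction")
    ET.SubElement(restriction, S + "Audience").text = route["sp_entity_id"]
    return ET.tostring(resp, encoding="unicode")


def verify_response_for_sp(response_xml, my_entity_id, expected_idp_entity_id, expected_request_id):
    """SP side (what each PingOne account does): accept only a successful response
    issued under the alias this account is configured for, answering this account's
    own request, and naming this account's entity ID in the AudienceRestriction."""
    root = ET.fromstring(response_xml)
    if root.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_idp_entity_id:
        return False
    if root.get("InResponseTo") != expected_request_id:
        return False
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False
    audiences = {a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text}
    return my_entity_id in audiences


if __name__ == "__main__":
    route = route_authn_request(SAMPLE_AUTHN_REQUEST)
    response = build_response(route, "alice@example.test")
    print("answered as", route["virtual_server_id"])
    print("division-b accepts:", verify_response_for_sp(
        response, "https://sp.example.test/division-b", route["virtual_server_id"], "_req123"))
    print("division-a accepts:", verify_response_for_sp(
        response, "https://sp.example.test/division-a",
        "https://idp.example.test/saml/division-a", "_req123"))
```

The point of the per-account Issuer and Audience pair is that an assertion minted for division-b fails division-a's checks even though both accounts talk to the same bridge process; a bridge without virtual server IDs (the Google case above) can only present one entity ID, so it cannot make that distinction.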