CIS13: Bootcamp: PingOne as a Simple Identity Service
1. Copyright ©2012 Ping Identity Corporation. All rights reserved.
How to set up a Simple Identity Service
2. Ping Identity Staff: Jennifer Patton, Knowledge Base Engineer
3. Ping Identity Staff: David Chase, Regional Solution Architect
4. Ping Identity Staff: Pam Dingle, Technical Director
5. PingOne Introduction
• What is CAS?
• What is AD Connect?
• What is CloudDesktop?
• What is APS?
• Demonstration
7. PingOne Overview
PingOne is a cloud-deployed Tier 1 SSO solution, enabling businesses and service providers to make a one-time connection and switch to all their applications or users.
PingOne provides:
– One connection to access or provide cloud apps
– One place for IT to manage user and customer accounts
– One point of cloud access for all employees
8. PingOne CAS (Cloud Access Services)
Enables organizations to secure and control access to multiple cloud-based business applications.
• One connection from enterprise directory to cloud applications without exposing user passwords.
• Central location for IT to manage single sign-on, access and provisioning—all provided from a simple SaaS-based management console.
• Single login to CloudDesktop® ensures secure access to web applications.
9. PingOne APS (Application Provider Services)
SSO solution for service providers, letting customers or partners conveniently establish access to public and private cloud applications.
• Fast onboarding. After a quick one-time integration to Application Provider Services, onboarding new partners or customers takes less than 10 minutes.
• Increased usage. Reliable, seamless SSO access accelerates adoption and usage while avoiding support issues introduced by password storing or screen-scraping.
• Cost-effective. By multiplexing to partners or customers for SSO, service providers can save up to 90% over making one-to-one connections.
10. PingOne and PingFederate
PingOne is not designed to replace PingFederate. PingOne supports a subset of PingFederate's capabilities.
Examples of PingOne capabilities
• Supports "workforce to external applications" use case
• Two-factor authentication support: PhoneFactor
• Supports Active Directory
PingFederate & PingOne (Hybrid model)
• A single connection to PingOne for all SaaS applications
• Offload connection maintenance to PingOne
• PingFederate handles all use cases not supported by PingOne
11. PingOne - CAS: CLOUD ACCESS SERVICES
14. PingOne Cloud Access Services: Enterprises Connect 1:Many
[Diagram: Your Enterprise connected to Cloud Apps; slides 15 and 16 repeat this build]
17. Cloud Access Services in 3 Steps: Register, Connect, Select Apps
18. Step 1: Registration (Register)
• Go to http://www.pingone.com
• Create a PingOne account for your company
• Provide the domain name
• Create a password
• Obtain registration key from Ping Identity
19. Centralized Control of Sensitive Identity Information
Without a Federation Solution
• Small/Medium corporations
• AD Connect links user directory (AD) to all cloud applications.
With a Federation Solution
• Large enterprises with:
– PingFederate
– SAML 2.0
– Google Apps
• Offload connection maintenance to PingOne
20. Step 3: Applications Catalog (Connect, Select Apps)
• Applications Catalog is a collection of SAML-enabled application providers
• Administrator will add applications which are appropriate for the corporation
• For example: ADP, Salesforce and WebEx
21. PingOne - CAS: CLOUD ACCESS SERVICES – ADCONNECT
22. AD Connect: A Lightweight Authentication Utility
For organizations without SAML support - Authentication utility that connects Microsoft Active Directory to PingOne Cloud Access Services
Authenticates users via SAML - No storing passwords in the Cloud or reverse proxies
Easy "point, click & configure" - Deploys in less than 30 minutes, with no DNS (Domain Name System) changes
23. PingOne CAS Data Flow – SP-Init SSO
[Diagram: Browser, SP Network, IdP Network and the PingOne SSO Service (multi-tenant, secure & HA/DR infrastructure); numbered steps 1–5 with two SAML legs]
24. PingOne CAS Data Flow – IdP-Init SSO
[Diagram: Browser, SP Network, IdP Network and the PingOne SSO Service (multi-tenant, secure & HA/DR infrastructure); numbered steps 1–4 with two SAML legs]
25. Installing AD Connect
• Download AD Connect
• Set product key
• Install AD Connect on IIS server (Enter Product Key)
• Verify installation
26. PingOne - CAS: CLOUD ACCESS SERVICES – HYBRID
27. PingFederate / 3rd party SAML IdPs / ADFS 2.0
• One connection to PingOne
• Leverage existing authentication methods
• Sends SAML assertion to PingOne
• Often known as "Hybrid" Federation model
28. Configure PingFederate IdP
• Download metadata file from PingOne and create connection in PingFederate
• Export metadata file from PingFederate and upload to PingOne
29. PingOne - CAS: CLOUD ACCESS SERVICES – CLOUDDESKTOP
30. CloudDesktop: A Customized Portal for the Cloud
Customized portal for apps (private and public)
• Log in once to the user directory
• One-click access to all SSO-enabled applications
• Optimized user experience for desktops, laptops and mobile
Mobile support
• Device detection and rendering
• Support for SaaS native apps
• Provide SSO using OAuth tokens (PingOne OAuth AS)
31. CloudDesktop: A Customized Portal for the Cloud
- Jane Smith is a member of "IT" group on AD
- She is granted access only to ADP and WebEx applications.
32. CloudDesktop: A Customized Portal for the Cloud
- John Doe is a member of "Sales" group on AD
- He is granted access to all three apps (ADP, Salesforce and WebEx)
34. Review Exercises
• What is the purpose of AD Connect?
• What is CloudDesktop?
• What are 2 ways that AD Connect authenticates users?
• Describe the flow of an SP initiated SSO transaction with PingOne
35. PingOne - APS: APPLICATION PROVIDER SERVICES
36. Many Customers, Single Application
37. Application Provider Services in 4 Steps: Register, Configure, Integrate, Invite
38. Step 1: Registration (Register)
• Create a PingOne account for your company
• Provide the domain name
• Create a password
39. Step 2: Configure
Connection Types:
• Via REST APIs
• Secure SAML SSO
40. SAML Enabled Providers
• User authenticates
• SAML assertion is sent to the SaaS federation server
• No integration is required
• Standard SAML connection configuration
41. SAML Enabled Connection - PingFederate (Configure)
1. Download metadata file from PingOne
2. From PingFederate, set up an IdP connection to PingOne.
3. Export metadata file and import into PingOne.
4. Define SSO Attributes
42. REST API
• PingOne redirects users to SaaS application with a Token ID
• SaaS application makes a secure back channel call to PingOne to receive Identity information
43. PingOne APS Dataflow with REST API
44. REST API Connection (Configure)
1. Application:
• Domain Name
• Application URL
• Error URL
2. Define SSO Attributes
45. Step 3: Integrate (Integrate)
• PingOne handles all of the protocol details, allowing your application to be concerned with just three things:
• Redirecting the user's browser to PingOne to start SSO
• Exchanging a token for the user's attributes
• Creating a session for the user
46. REST API Integration: Exchange Token (Integrate)
• After authenticating, the user returns to your application with a token to either:
  • The appurl specified during the 302 redirect
  • The Default Application URL you saved in SSO Settings, if appurl is not specified.
• The user's token is passed as a query parameter (tokenid) in the HTTP request. For example:
  https://www.mysaas.com/testapp?tokenid=158affc71d6bc65fe2a92ffac7760dce&agentid=0055f3da
• This token is created by PingOne and is a one-time secret between the user and PingOne
• This token can be exchanged with PingOne for a set of user attributes through a simple web service call
• To exchange a token with PingOne, you must make a web service call to the Token Resolution Service
• This will be an HTTP GET call structured like:
  https://sso.connect.pingidentity.com/sso/TXS/2.0/<format>/<tokenid>
• Accepted format parameters are:
  "1" - JSON Format
  "2" - Properties Format
47. REST API Integration: Exchange Token (continued) (Integrate)
• PingOne will return the following attributes, formatted according to the format parameter above:
  • pingone.subject - The username of the authenticated user
  • pingone.saas.id - The SaaS to which the token is issued. This will be your SaaS ID
  • pingone.idp.id - The idpid of the Identity Provider who issued the Assertion
  • pingone.authn.context - The "authentication context" under which the user is authenticated by the Identity Provider
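Server-side handling of the token exchange described on slides 45 to 47, as an added example and not code from Ping Identity or this deck. It assumes a 32-hex-character tokenid (the shape of the sample URL above), a constructed SaaS id, and an injected fetch function standing in for the authenticated back-channel GET, whose credentials the slides do not cover.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Service URL and attribute names are from the slides; the tokenid shape, the
# SaaS id value and the offline fetch stand-in are assumptions for this example.
TXS_BASE = "https://sso.connect.pingidentity.com/sso/TXS/2.0"
FORMAT_JSON, FORMAT_PROPERTIES = "1", "2"
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")  # assumed from the sample tokenid

def parse_properties(text):
    """Parse the 'properties' format (one key=value per line) into a dict."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
    return attrs

def resolve_token(tokenid, fetch, fmt=FORMAT_JSON):
    """Exchange a one-time tokenid at the Token Resolution Service. fetch(url)
    does the back-channel GET and returns the body; injected so this runs offline."""
    if not TOKEN_RE.match(tokenid):
        raise ValueError("malformed tokenid")
    body = fetch(f"{TXS_BASE}/{fmt}/{tokenid}")
    return json.loads(body) if fmt == FORMAT_JSON else parse_properties(body)

def handle_return(request_url, fetch, expected_saas_id):
    """User arrives at the appurl: take tokenid from the query, resolve it, and
    check the attributes before a session is created for the subject."""
    tokenid = parse_qs(urlsplit(request_url).query).get("tokenid", [None])[0]
    if tokenid is None:
        raise ValueError("no tokenid on request")
    attrs = resolve_token(tokenid, fetch)
    if attrs.get("pingone.saas.id") != expected_saas_id:  # issued to someone else?
        raise PermissionError("token was not issued to this SaaS")
    return {"user": attrs["pingone.subject"], "idp": attrs["pingone.idp.id"],
            "authn_context": attrs.get("pingone.authn.context")}

# Constructed stand-in for PingOne's back channel; each token resolves once.
_ISSUED = {"158affc71d6bc65fe2a92ffac7760dce": {
    "pingone.subject": "jane.smith", "pingone.saas.id": "saas-example",
    "pingone.idp.id": "idp-acme", "pingone.authn.context": "password"}}

def fake_fetch(url):
    attrs = _ISSUED.pop(url.rsplit("/", 1)[1], None)  # second use fails
    if attrs is None:
        raise PermissionError("unknown or already used token")
    return json.dumps(attrs)
```

The application should only create its session from the returned attributes after the tokenid has been resolved once and pingone.saas.id matches its own SaaS ID; the query string itself carries no identity.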
48. Step 4: Invite
Customer Onboarding Options:
• SSO Self-Service Widget
• Email
• REST API
• Manual Connection
49. Accelerate Onboarding to Your App
Quickly add customers
• Provide basic information
• Invite customers to connect
• Complete in 10 minutes or less
Manage connections to your app
• Review all customers using SSO
• Check onboarding status
• Suspend SSO by customer or globally
"The PingOne service works very well. Setting up connections only takes a matter of minutes now," — Leading CRM Service Provider.
50. SSO Self-Service Onboarding
1. Add the PingOne-provided JavaScript widget to a webpage that only your customer administrators can access
2. Add server-side code so the widget includes the <idpid> and <email> parameters in the OpenToken
3. Ask the user to select the Enable SSO option and click the PingOne link
4. The customer is securely redirected to the PingOne APS website, where they enter their configuration information
51. Email Onboarding
1. Fill out Identity Provider form: Email and Customer ID
2. Send email invitation to customer from PingOne or your preferred email client.
52. Email Onboarding
1. Customer clicks on a link in the email invitation
2. Customer logs in to PingOne CAS
3. Connection is automatically added to visible application list
56. PingOne and the Cloud
• This workshop explores how on-premises and cloud resources can work together to achieve Enterprise business goals
• No one choice is right for everybody
– Zero on-premises footprint
– No Cloud
– Little bit of both
• We want you to leave knowing:
– When using an IDaaS works best
– Mix and match cloud and on-premise products
– Benefits of choosing a mixed deployment
57. Standard Federated Identity
[Diagram: On-Premises Infrastructure (IIS, Kerberos, Apps) with a Federation Server connecting to Partner Infrastructure (Apps) and Cloud Resources (Apps)]
58. The Federation Can Move
[Diagram, two panels: On-Premises Infrastructure (IIS, Kerberos, Apps) with a Federation Server; the first panel also shows Partner Infrastructure (Apps) and Cloud Resources (Apps), the second only Cloud Resources (Apps)]
59. Becoming IDaaS + Identity Bridge
[Diagram: On-Premises Infrastructure (IIS, Kerberos, Apps) linked through an Identity Bridge to an IDaaS and Cloud Resources (Apps)]
60. What is an Identity Bridge?
• A service that can authoritatively speak about users
• An on-premises physical or virtual appliance
• Another cloud platform
• Enables users, applications and identity services across the hybrid cloud
• Can be unidirectional or bidirectional
[Photo: The Sundial bridge, Redding CA (Aaron Patterson)]
61. What Crosses an Identity Bridge?
1. Authentication requests & responses
2. Account information
3. Business data to make authorization decisions
Important: It matters how this data is sent. Identity data should only travel across the Internet using internet-grade security and trust
62. Becoming IDaaS + Identity Bridge
[Diagram: On-Premises Infrastructure (IIS, Kerberos, Apps) linked through an Identity Bridge to an IDaaS and Cloud Resources (Apps)]
• IDaaS Platform
– PingOne CAS (Cloud Access Services)
– PingOne APS (Application Provider Services)
• Bridges
– PingOne ADConnect
– PingFederate
• User Features
– CloudDesktop