Workshop: Advanced Federation Use-Cases with PingFederate
Craig Wu - Director, Product Development
Peter Motykowski - Senior Engineer/Developer
Copyright © 2011. Cloud Identity Summit. All Rights Reserved.
Agenda
• Introductions
• New Features Overview
– OAuth
– Adaptive Federation
– PingFederate 6.7 and beyond
• Demos
– OAuth Authorization Code Flow
– Adaptive Federation Use Cases
• Adapter Selectors
• Composite Adapter
• Multiple IdP data stores
• Extending PingFederate
– Developing Plugins
• PingFederate SDK
– Building a custom adapter selector
INTRODUCTIONS
Who are these guys?
Craig Wu
• Director, Product Development
• Been with Ping Identity since Feb 2007
• Started with Integration Kits
• PF STS integration
• PingFederate Fall 2009 – PF 6.2
Peter Motykowski
• Senior Engineer/Developer
• Been with Ping Identity since May 2007
• Started with PingLabs
• PF STS Integration, Adapter Selectors, OAuth
PingFederate Engineering Team
Denver, CO - Vancouver, BC - Moscow, Russia - Dublin, Ireland
OAUTH
PingFederate 6.5
OAuth - Drivers
OAuth - Securing APIs
• Simple and Standard
– The user's credentials are exchanged for tokens at the authorization server; the client application never holds the password
– The client presents the token for access
• Scopes to limit access
• Easily revoke access
• Browser, mobile and desktop clients
• PingFederate Authorization Server
– User authenticates with the AS
– Leverage existing PF authentication
OAuth Demo
Demo Overview
• Payment Gateway with REST API secured using OAuth 2.0 (Resource Server)
• Users authenticate to the PF Authorization Server, then approve issuance of an OAuth token to the partner application (Client)
• Tunes Partner application can request:
– One-time Payments
– Perpetual Payments
• Initiated via Web or Native Mobile Application partner OAuth clients
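The authorization code flow the demo walks through, as an added Python example. This is not PingFederate code or the demo's payment gateway; it models the three roles on the slide (authorization server, client, resource server) in one process. The client id "tunes-web", its secret, the redirect URI and the scope names payment:once and payment:recurring (standing in for one-time and perpetual payments) are assumptions.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed client registry for the demo's "Tunes Partner" web client.
# Names, secret and scope strings are assumptions, not PingFederate configuration.
CLIENTS = {
    "tunes-web": {
        "secret": "demo-client-secret",
        "redirect_uris": {"https://tunes.example/callback"},
        "allowed_scopes": {"payment:once", "payment:recurring"},
    }
}
CODE_TTL_SECONDS = 60


class AuthorizationServer:
    """Model of the authorization-server role: one-time codes, scoped bearer tokens, revocation."""

    def __init__(self):
        self._codes = {}   # code -> (client_id, redirect_uri, user, scopes, expires_at)
        self._tokens = {}  # access_token -> (user, scopes)

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Called after the user has authenticated to the AS and approved the consent page.
        Returns the redirect back to the client carrying the authorization code."""
        client = CLIENTS.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            raise ValueError("unknown client or unregistered redirect_uri")
        scopes = set(scope.split())
        if not scopes or not scopes <= client["allowed_scopes"]:
            raise ValueError("scope not permitted for this client")
        code = secrets.token_urlsafe(32)
        # The code is bound to the client and redirect_uri it was issued for, and is short-lived.
        self._codes[code] = (client_id, redirect_uri, user, scopes, time.time() + CODE_TTL_SECONDS)
        return f"{redirect_uri}?code={code}&state={state}"

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel code exchange: authenticate the client, consume the code exactly once."""
        client = CLIENTS.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        entry = self._codes.pop(code, None)  # single use: a replayed code is already gone
        if entry is None:
            raise PermissionError("invalid_grant")
        bound_client, bound_uri, user, scopes, expires_at = entry
        if bound_client != client_id or bound_uri != redirect_uri or time.time() > expires_at:
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = (user, scopes)
        return {"access_token": access_token, "token_type": "Bearer",
                "scope": " ".join(sorted(scopes))}

    def introspect(self, access_token):
        return self._tokens.get(access_token)

    def revoke(self, access_token):
        self._tokens.pop(access_token, None)


class PaymentGateway:
    """Resource-server role: every call presents a bearer token and is checked for scope."""

    def __init__(self, auth_server):
        self._as = auth_server

    def charge(self, access_token, amount, recurring=False):
        info = self._as.introspect(access_token)
        if info is None:
            return 401, "invalid_token"
        user, scopes = info
        needed = "payment:recurring" if recurring else "payment:once"
        if needed not in scopes:
            return 403, "insufficient_scope"
        return 200, f"charged {user} {amount}"


def client_callback(redirect_url, expected_state):
    """Client side of the front channel: reject a response whose state does not match."""
    params = parse_qs(urlparse(redirect_url).query)
    if not hmac.compare_digest(params.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: possible CSRF or injected code")
    return params["code"][0]


def run_flow(scope="payment:once"):
    """Drive one authorization-code exchange; returns the AS, RS, token and used code."""
    as_ = AuthorizationServer()
    rs = PaymentGateway(as_)
    state = secrets.token_urlsafe(16)
    redirect = as_.authorize("tunes-web", "https://tunes.example/callback", scope, state, "alice")
    code = client_callback(redirect, state)
    tok = as_.token("tunes-web", "demo-client-secret", code, "https://tunes.example/callback")
    return as_, rs, tok, code


if __name__ == "__main__":
    as_, rs, tok, code = run_flow()
    print(rs.charge(tok["access_token"], 10))
    print(rs.charge(tok["access_token"], 10, recurring=True))
```

Run it and the one-time-payment token charges once but is refused for a recurring charge (403 insufficient_scope), a second exchange of the same code fails as invalid_grant, and after revoke() the resource server answers 401 for the same bearer. The state check at the client and the binding of the code to client id and redirect_uri are the two checks most often missing in home-grown implementations.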
Web One Time / Initial Payments
ADAPTIVE FEDERATION
PingFederate 6.6
PingFederate Adaptive Federation
1. Adapter Selectors: define rules for directing a user to an authentication method
Examples
• If the user is from a specific IP
• If the user is from outside the firewall
• If the app requires a specific type of authentication
2. Composite Adapter: create a "chain" of authentication adapters
Examples
• Consumer - Facebook AND One Time Password
• Remote User - LDAP AND RSA SecurID
3. Multiple Datastore Lookup: gather identity attributes from multiple sources, allowing smart attribute retrieval and reducing the need to deploy a virtual directory
Example
• Fulfill an attribute contract with LDAP and RDBMS data sources
Adapter Selectors
• Administrators create authentication rules using adapter selectors
• Authentication rules are evaluated during the SSO transaction
• The result values are mapped to the specific adapter to be used for authentication
• Selectors are executed in ordered sequence; the first matching rule decides
• Bundled 6.6 selectors
– CIDR
– SAML AuthN Context
• Custom Selector SDK
CIDR Adapter Selector
SAML AuthN Context Adapter Selector
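Added Python model of the selection logic above (not PingFederate code and not the bundled CIDR selector itself): an ordered rule list evaluated against the request, a result value mapped to an adapter instance id, and a default when nothing matches. It also carries the shape a custom HTTP Header selector would use, since both kinds of rule share one failure mode: the client IP seen by PingFederate and any request header can be forged by the client unless a trusted proxy in front set them. The proxy range, rule list and adapter names are assumptions.

```python
import ipaddress

# Constructed deployment facts (assumptions, not PingFederate configuration):
# the load-balancer tier that terminates client connections in front of PingFederate.
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.0/12")]

# Ordered rules: the first rule that matches decides the selector result.
# ("cidr", network, result) mirrors the CIDR selector; ("header", (name, value), result)
# is the shape a custom HTTP Header selector would use.
RULES = [
    ("header", ("X-Device-Class", "kiosk"), "kiosk"),
    ("cidr", "10.0.0.0/8", "corp"),
    ("cidr", "192.168.0.0/16", "corp"),
    ("cidr", "203.0.113.0/24", "partner"),
]

# Selector result value -> adapter instance id (names are assumptions).
RESULT_TO_ADAPTER = {
    "kiosk": "KioskPIN",
    "corp": "IWAKerberos",
    "partner": "HTMLFormPartnerLDAP",
}
DEFAULT_ADAPTER = "HTMLFormWithOTP"  # used when no rule matches


def effective_request(peer_ip, headers):
    """Return (client_ip, trustworthy_headers).

    X-Forwarded-For and any other request header can be set by the client itself,
    so they are only honoured when the TCP peer is one of our proxies; in that case
    the rightmost X-Forwarded-For hop is the address the proxy actually saw."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return peer, {}
    xff = headers.get("X-Forwarded-For", "")
    client = ipaddress.ip_address(xff.split(",")[-1].strip()) if xff else peer
    return client, headers


def select_adapter(peer_ip, headers):
    """Evaluate the rules in order and map the first matching result to an adapter id."""
    client_ip, trusted = effective_request(peer_ip, headers)
    for kind, arg, result in RULES:
        if kind == "cidr" and client_ip in ipaddress.ip_network(arg):
            return RESULT_TO_ADAPTER[result]
        if kind == "header" and trusted.get(arg[0]) == arg[1]:
            return RESULT_TO_ADAPTER[result]
    return DEFAULT_ADAPTER


if __name__ == "__main__":
    # Constructed requests: direct corp client, spoofed XFF from the internet, proxied partner
    print(select_adapter("10.1.2.3", {}))
    print(select_adapter("198.51.100.7", {"X-Forwarded-For": "10.1.2.3"}))
    print(select_adapter("172.16.0.5", {"X-Forwarded-For": "203.0.113.9"}))
```

The second call is the case to test in any CIDR-based policy: an internet client sending X-Forwarded-For: 10.1.2.3 must land on the default (strong) adapter, not on the corporate Kerberos adapter. Rule order matters too; the kiosk header rule is listed first so it wins over the corp network rule for the same address.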
Adapter Chaining via Composite Adapter
• Administrators chain adapters to execute in ordered sequence
• A composite adapter instance is treated as a single adapter instance
• Required policy: every adapter must succeed, which creates multi-factor authentication
• Sufficient policy: success of any one adapter is enough (OR condition)
• Authentication context weight and override determine which authentication context is asserted
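An added Python model of the chain semantics described above, written for this page rather than taken from PingFederate. The Required/Sufficient behaviour is an assumption modelled on the slide and on JAAS-style login modules (Required: a failure fails the chain; Sufficient: a success ends the chain), as is the rule that the highest-weight successful adapter supplies the asserted context unless an override is configured. The adapter names and per-adapter outcomes are constructed; the context URIs are the standard SAML 2.0 AuthnContext classes.

```python
from dataclasses import dataclass


@dataclass
class AdapterOutcome:
    """Simulated result of one adapter instance in the chain (constructed test data)."""
    success: bool
    authn_context: str
    weight: int  # assumption: the highest-weight successful adapter's context is asserted


def run_composite(chain, outcomes, context_override=None):
    """Execute a composite adapter chain.

    chain: ordered list of (adapter_name, policy) with policy "Required" or "Sufficient".
    Semantics assumed here (modelled on the slide, JAAS-style):
      Required   - the adapter must succeed; any failure fails the whole chain.
      Sufficient - a success ends the chain successfully; a failure moves to the next adapter.
    Returns (authenticated, executed_adapter_names, asserted_authn_context).
    """
    executed, successes = [], []
    for name, policy in chain:
        outcome = outcomes[name]
        executed.append(name)
        if outcome.success:
            successes.append(outcome)
        if policy == "Required" and not outcome.success:
            return False, executed, None
        if policy == "Sufficient" and outcome.success:
            break
    if not successes:
        return False, executed, None
    if context_override is not None:
        return True, executed, context_override
    strongest = max(successes, key=lambda o: o.weight)
    return True, executed, strongest.authn_context


# Standard SAML 2.0 AuthnContext class URIs used for the asserted context.
SOCIAL = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
OTP = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Consumer use case from the slide: Facebook AND One Time Password (multi-factor).
MFA_CHAIN = [("Facebook", "Required"), ("OTP", "Required")]
# Desktop fallback: try IWA silently, otherwise require the HTML form (OR condition).
FALLBACK_CHAIN = [("IWA", "Sufficient"), ("HTMLForm", "Required")]


def consumer_mfa(otp_ok=True):
    outcomes = {"Facebook": AdapterOutcome(True, SOCIAL, 1),
                "OTP": AdapterOutcome(otp_ok, OTP, 3)}
    return run_composite(MFA_CHAIN, outcomes)


def desktop_fallback(iwa_ok):
    outcomes = {"IWA": AdapterOutcome(iwa_ok, KERBEROS, 2),
                "HTMLForm": AdapterOutcome(True, PASSWORD, 1)}
    return run_composite(FALLBACK_CHAIN, outcomes)


if __name__ == "__main__":
    print(consumer_mfa())
    print(consumer_mfa(otp_ok=False))
    print(desktop_fallback(False))
```

Two points worth checking against a real chain configuration: a failed Required adapter must fail the whole composite even if a later adapter would have succeeded, and the asserted context after a Sufficient success must reflect the adapter that actually ran (Kerberos when IWA succeeded, PasswordProtectedTransport when it fell back to the form), since a relying party will make access decisions on that value.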
Composite Adapter
Multiple Datastore Attribute Lookup
• Connect to multiple directories and databases
• Pull attributes from any number and combination of data sources
• Fulfill complex attribute requirements
• Benefits
– Easily aggregate identity attributes from multiple data sources
– Reduce the need for virtual directories and custom data sources
IdP Multiple Datastore Lookup
• SP Connection Attribute Contract Fulfillment
– Browser SSO
– WS-Trust
– Adapter to Adapter
– Attribute Query
• Use return values from one data store as filter criteria for a subsequent data store query
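The chained lookup in the last bullet, as an added Python example that is not PingFederate code: the subject is resolved in a directory first, and an attribute it returns (employeeNumber) becomes the filter for a second query against an RDBMS. The directory is a constructed in-memory stand-in with a deliberately small filter interpreter, and the database is an in-memory SQLite table; the people, employee numbers and roles are invented. The security point is that every value crossing from one store into the next query is either escaped per RFC 4515 (LDAP filter) or bound as a parameter (SQL), and that an ambiguous first lookup stops the chain instead of picking the first hit.

```python
import re
import sqlite3

# Constructed stand-in for the first data store (an LDAP directory). Attribute names
# follow inetOrgPerson; the people and values are invented.
LDAP_ENTRIES = [
    {"uid": "alice", "mail": "alice@example.com", "employeeNumber": "1001"},
    {"uid": "bob", "mail": "bob@example.com", "employeeNumber": "1002"},
]


def ldap_escape(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def ldap_filter(attr, value):
    return "(%s=%s)" % (attr, ldap_escape(value))


def _value_to_regex(filter_value):
    """Interpret an equality-filter value the way a directory would: an unescaped '*'
    is a wildcard, a '\\xx' sequence is a literal character."""
    pattern, i = "", 0
    while i < len(filter_value):
        ch = filter_value[i]
        if ch == "\\" and i + 3 <= len(filter_value):
            pattern += re.escape(chr(int(filter_value[i + 1:i + 3], 16)))
            i += 3
        elif ch == "*":
            pattern += ".*"
            i += 1
        else:
            pattern += re.escape(ch)
            i += 1
    return pattern


def ldap_search(filter_str):
    """Simulated directory search supporting a single equality filter such as (uid=alice)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if m is None:
        raise ValueError("unsupported filter")
    attr, regex = m.group(1), _value_to_regex(m.group(2))
    return [e for e in LDAP_ENTRIES if attr in e and re.fullmatch(regex, e[attr])]


def build_entitlements_db():
    """Constructed second data store (RDBMS): employee number -> application roles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE entitlements (employee_number TEXT, role TEXT)")
    conn.executemany("INSERT INTO entitlements VALUES (?, ?)",
                     [("1001", "payments-admin"), ("1001", "payments-viewer"),
                      ("1002", "payments-viewer")])
    return conn


def fulfill_contract(conn, username):
    """Chained lookup: LDAP first, then the RDBMS filtered by a value LDAP returned."""
    entries = ldap_search(ldap_filter("uid", username))
    if len(entries) != 1:
        return None  # missing or ambiguous subject: never fall back to "the first hit"
    person = entries[0]
    rows = conn.execute(
        "SELECT role FROM entitlements WHERE employee_number = ? ORDER BY role",
        (person["employeeNumber"],),  # bound parameter, not string-built SQL
    ).fetchall()
    return {"mail": person["mail"], "roles": [r[0] for r in rows]}


if __name__ == "__main__":
    db = build_entitlements_db()
    print(fulfill_contract(db, "alice"))
    print(fulfill_contract(db, "*"))          # escaped: no match, chain stops
    print(len(ldap_search("(uid=*)")))        # unescaped wildcard: matches everyone
```

Compare the last two lines of the usage: a username of "*" built into the filter without escaping matches every entry, while the escaped form (uid=\2a) matches nothing and fulfill_contract() returns None rather than the first person in the directory.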
LDAP Adapter Replacement
• HTML Form Adapter
– Session Management: Global, Per Adapter, or None
– Per-instance form template
• HTTP Basic Adapter
• Password Credential Validators
– Simple Username
– LDAP Username
– Can have multiple PCV instances per adapter
HTML Form Adapter
HTTP Basic Adapter
Adaptive Federation Demo
Monitoring Splunk App for PingFederate
• Supports PF 6.3 and above
– Based on the audit log
– Enable the Splunk log4j appender
• SSO transaction and system reports
– current transactions
– system health
– system errors
• Service Reports
– daily usage report
– SP/IdP provider reports per connection
• Trend Reports
– weekly/monthly usage report
– trend analysis
Splunk App for PingFederate
Free on SplunkBase
http://splunk-base.splunk.com/apps/Splunk+App+for+PingFederate
PINGFEDERATE FUTURES
PingFederate 6.7 and beyond
PingFederate 2012 Releases
• Two-month release cycle
– RTM (Release to Marketing)
– Fully qualified and documented
– Upgrade Utility
• Marketing determines GA
PingFederate 6.7 - RTM Feb 24, 2012
• Admin Console Optimizations
– Large number of connections
– Large number of adapters
• Splunk App for PingFederate
PingFederate 6.8 – RTM April 27, 2012
• Centralized configuration for AD Domains/Kerberos Realms
– IWA 3.0 Adapter
– Kerberos Token Translator 2.0
• OAuth Client Management API
– REST API for CRUD operations
Centralized AD Domain Configuration
IWA Adapter 3.0
PingFederate 6.9 – RTM June 29, 2012
• Microsoft Office 365 Interoperability
• Upgrade Jetty
• Remove JBoss
EXTENDING PINGFEDERATE
PingFederate Software Development Kit (SDK)
PingFederate Plugins
• Adapters
• Token Translators
• Custom Data Sources
• Adapter Selectors
• Password Credential Validators
Custom Adapter Selector
• HTTP Header Adapter Selector
Adapter Selector API Overview
Methods that a custom selector must implement for the com.pingidentity.sdk.AdapterSelector interface:
PluginDescriptor getPluginDescriptor();
void configure(Configuration configuration);
AdapterSelectorContext selectContext(HttpServletRequest req, HttpServletResponse resp, Map<String, String> mappedAdapterIdsNames, Map<String, Object> extraParameters, String resumePath);
void callback(HttpServletRequest req, HttpServletResponse resp, Map authnIdentifiers, String adapterInstanceId, AdapterSelectorContext adapterSelectorContext);