Pick Your Identity Bridge



Similar documents
Connecting Users with Identity as a Service

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

CA Single Sign-On Migration Guide

Extend and Enhance AD FS

Identity. Provide. ...to Office 365 & Beyond

MOBILITY. Transforming the mobile device from a security liability into a business asset. pingidentity.com

How To Manage A Plethora Of Identities In A Cloud System (Saas)

Flexible Identity Federation

A Standards-based Mobile Application IdM Architecture

Enable Your Applications for CAC and PIV Smart Cards

Speeding Office 365 Implementation Using Identity-as-a-Service

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control

The Primer: Nuts and Bolts of Federated Identity Management

pingidentity.com IDENTITY SECURITY TRENDS IN THE MOBILE ERA

USING FEDERATED AUTHENTICATION WITH M-FILES

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Integrating Single Sign-on Across the Cloud By David Strom

Customer Identity and Access Management (CIAM) Buyer s Guide

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

White Paper. McAfee Cloud Single Sign On Reviewer s Guide

SAML 101. Executive Overview WHITE PAPER

Directory Integration with Okta. An Architectural Overview. Okta White paper. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107

How to Provide Secure Single Sign-On and Identity-Based Access Control for Cloud Applications

Federated Identity and Single Sign-On using CA API Gateway

Google Identity Services for work

How to Get to Single Sign-On

Three Ways to Integrate Active Directory with Your SaaS Applications OKTA WHITE PAPER. Okta Inc. 301 Brannan Street, Suite 300 San Francisco CA, 94107

White paper Contents

Simple Cloud Identity Management (SCIM)

Planning your Microsoft Application Strategy in a Cloud Crazy World. Steve Soper Senior Managing Partner

nexus Hybrid Access Gateway

OpenID Connect 1.0 for Enterprise

Flexible Identity Federation

CA Technologies Strategy and Vision for Cloud Identity and Access Management

solution brief February 2012 How Can I Obtain Identity And Access Management as a Cloud Service?

SAP Business Objects Security

HOTPin Integration Guide: Microsoft Office 365 with Active Directory Federated Services

How to Extend Identity Security to Your APIs

Two-Factor Authentication

PingFederate. SSO Integration Overview

SAML-Based SSO Solution

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

SECUREAUTH IDP AND OFFICE 365

Portal for ArcGIS: An Introduction

Azure Active Directory

STRONGER AUTHENTICATION for CA SiteMinder

expanding web single sign-on to cloud and mobile environments agility made possible

The PortalGuard All-In-One Authentication Solution-set: A Comparison Guide of Two-Factor Capabilities vs. the Competition

How To Use Salesforce Identity Features

How to Overcome Challenges in Deploying Cloud Apps to Get the Most from your IAM Investment

Leverage Your EMC Storage Investment with User Provisioning for Syncplicity:

Building a Cloud-Ready, Future-Proof Identity Infrastructure:

Single Sign-On. Security and comfort can be friend. Arnd Langguth. September, 2006

Six Best Practices for Cloud-Based IAM

PingFederate. Integration Overview

Ameritas Single Sign-On (SSO) and Enterprise SAML Standard. Architectural Implementation, Patterns and Usage Guidelines

Centrify Cloud Connector Deployment Guide

Active Directory Integration WHITEPAPER

Single Sign-on (SSO) technologies for the Domino Web Server

Cisco ASA Adaptive Security Appliance Single Sign-On: Solution Brief

Authentication: Password Madness

White. Paper. Enterprises Need Hybrid SSO Solutions to Bridge Internal IT and SaaS. January 2013

CA SiteMinder SSO Agents for ERP Systems

Single Sign On. SSO & ID Management for Web and Mobile Applications

Product overview. CA SiteMinder lets you manage and deploy secure web applications to: Increase new business opportunities

CA Federation Manager

TrustedX - PKI Authentication. Whitepaper

UNIVERSITY OF COLORADO Procurement Service Center INTENT TO SOLE SOURCE PROCUREMENT CU-JL SS. Single Sign-On (SSO) Solution

IBM Tivoli Federated Identity Manager

How To Use Saml 2.0 Single Sign On With Qualysguard

Mod 2: User Management

Agenda. Federation using ADFS and Extensibility options. Office 365 Identity overview. Federation and Synchronization

Improving Interoperability and Reducing Cost in the Data Centre

SINGLE & SAME SIGN-ON ASPECTS

Bill Fiddes Learning and Development Specialist Rob Latino Program Manager in Office 365 Support

Active Directory Integration twitter.com/onelogin ONELOGIN WHITEPAPER

WHITEPAPER. 13 Questions You Must Ask When Integrating Office 365 With Active Directory

Identity and Access Management for the Hybrid Enterprise

Total Cost of Ownership Overview ADFS vs OneLogin WHITEPAPER

What s New in Centrify Privilege Service Centrify Identity Platform 15.4

OVERVIEW. DIGIPASS Authentication for Office 365

Leveraging SAML for Federated Single Sign-on:

PingFederate. IWA Integration Kit. User Guide. Version 3.0

Cloud SSO and Federated Identity Management Solutions and Services

DirX Identity V8.5. Secure and flexible Password Management. Technical Data Sheet

Moving to the Cloud: What Every CIO Should Know

People-Focused Access Management. Software Consulting Support Services

Automating User Management and Single Sign-on for Salesforce.com OKTA WHITE PAPER. Okta Inc nd Street Suite 350 San Francisco CA, 94107

Getting Started with AD/LDAP SSO

Transcription:

Pick Your Identity Bridge Options for connecting users and resources across the hybrid cloud Executive Overview Enterprises are increasing their use of software as a service (SaaS) for two principal reasons: ease of deployment and cost savings. SaaS offers an attractive alternative to the high risk, high investment big bang approach to on-premises IT deployments by providing an elastic architecture, reduced IT resource utilization and an externally hosted topography. SaaS offerings also eliminate capital expenditure (CAPEX) by leveraging a subscription-based pricing model; costs scale up or down as utilization changes. Identity management as a service (IDaaS) applications provide similar advantages. Many enterprises are migrating to IDaaS to take advantage of single sign-on (SSO) and the seamless management of user identities in s. As enterprises leverage IDaaS across the hybrid cloud, they will likely require an identity bridge to overcome the impedance mismatch between on-premises, SaaS and partner topographies. The identity bridge 1 is important for both to the cloud and from the cloud application access. On-premises identity systems that leverage Kerberos and LDAP don t make the leap to s. External identities, like those of your partners or customers, won t be able to readily connect from their environments to on-premises resources. PingOne from Ping Identity solves these connectivity challenges. This IDaaS offering delivers SSO to SaaS and on-premises environments via a single turnkey solution. PingOne provides SSO to both enabled and password-based applications. Ping Identity offers two identity bridges PingFederate and AD Connect to allow connectivity to the PingOne IDaaS from the on-premises enterprise. 2 They will be described in detail in this paper. The purpose of this document is to: Define the three identity management disciplines required to provide SSO. Describe the attributes and capabilities of the two identity bridges PingFederate and AD Connect. Provide guidance for the selection of an identity bridge for use with PingOne. 1 For a broader discussion of identity bridges, read Gartner s Hype Cycle for Identity and Access Management Technologies, 2013 (subscription required). 2 Organizations can also leverage a third-party federation product like Microsoft Active Directory Federation Services to connect to PingOne. 1

Table of Contents Executive Overview...1 The Magic of Three...3 Ping Identity Bridges...3 Provisioning....3 To the Cloud (Employees)....3 From the Cloud (Partners)...5 User Authentication....5 Token Issuance....6 On-Premises SSO...6 Conclusion...8 2

The Magic of Three SSO requires three crucial identity management processes. Without these processes, SSO isn t possible. 3 Provisioning. The process creates the user account including associated attributes and access rights inside the application. The process may occur at admin time in advance or at runtime when the user attempts to access the application for the first time. Admin time to a is frequently achieved via directory synchronization services. The runtime method is commonly referenced as just-in-time (JIT). User Authentication. The user must prove their identity by providing credentials to the SSO system. After a successful authentication, the user receives a session token. A variety of authentication methods exist, including password and hardware one-time password (OTP) devices. In the case of federation, the session token is typically a credential. Token Issuance. The session token is presented to relying applications as proof of authentication. Common token types include the previously mentioned, OAuth (particularly for native applications on mobile devices), the venerable web access management (WAM) HTTP cookie for on-premises application access, and Kerberos tickets. Without a token, users must authenticate for each transaction, which isn t really SSO at all. Ping Identity Bridges Ping Identity provides two identity bridges for access to PingOne. The AD Connect identity bridge is an unobtrusive, lightweight component. It easily connects to Active Directory and provides a single outbound federation identity provider and (via directory synchronization services) connection to PingOne. From there, PingOne takes care of the SSO part. PingFederate is a standalone identity bridge that can be used by itself and in conjunction with PingOne. Provisioning Before SSO is possible, the organization must define its users in the s. The workforce identity to the cloud problem of managing employee identities in s without recreating on-premises identity management investments is paramount. In addition, many organizations wish to solve the from the cloud problem granting partner SSO to on-premises applications. Both use cases require user identities into the application s identity store. To the Cloud (Employees) Both PingFederate and AD Connect can provision user identities into s via directory synchronization. AD Connect delivers a simplified approach; it monitors Active Directory and synchronizes a subset of user attributes from a single user object. The organization need not reinvent identity management to extend its reach to s. The PingOne IDaaS finishes the job of users into s. The result is a low-touch, rapidly installed and simply configured synchronization process (Figure 1). 3 Some might argue that SSO is possible without the process if user access to the application is anonymous. But anonymous access to enterprise applications is extremely rare as it precludes the application s ability to restrict access to specific resources and audit user activity. 3

API (runtime) On premises Directory sync Sync (via ) Directory sync User Attributes: Active Directory Figure 1. Provisioning via AD Connect Compared to AD Connect, PingFederate has additional capabilities and supports additional user directories. It can also correlate user attributes from multiple, heterogeneous identity stores and then synchronize the composite user identity to PingOne (Figure 2). As with AD Connect, PingOne finishes the process and manages user identities within the SaaS applications. In addition to using PingOne as the engine, organizations can also use a combination of PingFederate and PingOne to provision user identities in applications (not shown). The use of PingFederate as the engine may be applicable for specific partner applications, while using PingOne for a broader set of s. API (runtime) Externally On Premises attributes Directory sync directory sync Web Service attributes : Active Directory LDAP Figure 2. User to the cloud via a PingFederate identity bridge (not all options shown) 4

From the Cloud (Partners) Organizations can use PingFederate to provision external identities into an on-premises identity store like Active Directory. PingFederate leverages JIT by extracting the user attributes from the assertion, then creating the user in the identity store. This is useful for providing access to on-premises applications requiring Active Directory identities (Figure 3). API (runtime) Externally On Premises attributes Directory sync directory sync Web Service attributes : Active Directory User Authentication LDAP Figure 3. From the cloud, PingOne and PingFederate User authentication is a crucial identity management service. Enterprises must match authentication methods to the identity assurance requirements of their environment. Without it, organizations have insufficient confidence that users at the other end of the transaction are legit. In many cases, Active Directory authentication (either Kerberos/IWA or a forms-based password) meets identity assurance requirements. Active Directory authentication can also provide desktop to SaaS SSO by leveraging the user s initial workstation logon. The AD Connect identity bridge best aligns to this use case (Figure 4). Figure 4. User authentication options for an AD Connect identity bridge On premises password On-premise aware application 5

For organizations that want to use other authentication methods besides those provided by Active Directory, PingFederate supports additional methods, including an X.509 certificate and one-time password. It also can be extended to support multiple authentication types (Figure 5). password On premises Directory sync Windows Kerberos (IWA) Authentication Authenticated Password (via form-based authentication) Figure 5. User authentication options for a PingFederate identity bridge (not all authentication methods are shown) Table 1 summarizes the authentication methods for each of the Ping identity bridges. Kerberos (IWA) Yes Yes Windows password (forms-based authentication) Yes Yes LDAP password No Yes One-time password devices No Yes X.509 certificate (smart card optional) No 4 Yes WAM cookies No Yes Custom authentication No Yes Table 1. Ping identity bridge user authentication options Token Issuance The last of the three identity management processes for SSO is token issuance. The token provides SSO at runtime. Regardless of the identity bridge, the PingOne IDaaS provides SSO to s and -based on-premises applications (Figure 6). Several benefits exist for using PingOne for SSO. PingOne provides a single administration point for all SSO connections, whether on premises or externally-hosted. On-Premises SSO PingOne may also preclude the need for an on-premises federation identity provider as it issues assertions (Figure 6). 4 While AD Connect cannot perform X.509 certificate logon directly, it can leverage the Kerberos tickets from a smart card authentication originating from an Active Directory-joined workstation. The result is strong authentication, natively supported by the network operating system. 6

On Premises REST HTTP On-premise aware application Figure 6. PingOne SSO for on-premises aware applications (Active Directory interaction not shown) Due to an extensive list of integration kits and token services, PingFederate delivers a rich set of heterogeneous on-premises SSO capabilities (Figure 7). Partner on-premises Partner on-premises ADFS On premises Integration Kit -enabled application WAM-protected application -enabled application Figure 7. From the cloud via the PingFederate identity bridge Of course, PingOne can provide -based SSO to on-premises applications (see Figure 6). If SSO for non- SSO is required for on-premises applications, then PingFederate may be the best choice for the identity bridge (see Figure 7). 7

Conclusion The PingOne IDaaS delivers SSO to SaaS and on-premises applications. Identity bridges can easily extend the enterprise s existing identity management processes to PingOne. The AD Connect identity bridge is best suited for enterprises that: Leverage Kerberos or Active Directory passwords as the initial user authentication. Store user attributes in a well-formed Active Directory. Desire SSO for SaaS-based applications or -based on-premises applications. The PingFederate identity bridge is the right choice for enterprises that: Store user attributes across multiple identity stores. Authenticate users with stronger authentication methods besides Kerberos and AD password. Wish to leverage PingFederate s SSO capabilities for on-premises applications. 2014 Ping Identity Corporation. All rights reserved. Ping Identity, PingFederate, PingOne, PingEnable, the Ping Identity logo, and Cloud Identity Summit are registered trademarks, or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies. 5/14.1 About Ping Identity The Identity Security Company Ping Identity is The Identity Security Company. Ping Identity believes secure professional and personal identities underlie human progress in a connected world. Our identity and access management platform gives enterprise customers and employees one-click access to any application from any device. Over 1,200 companies, including half of the Fortune 100, rely on our award-winning products to make the digital world a better experience for hundreds of millions of people. Visit pingidentity.com for more information.. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information