CIS 2013 Ping Identity Chalktalk
2. Craig Wu
• Director, Product Development
• With Ping Identity since Feb 2007
• Started with Integration Kits
• PF STS integration
• PingFederate Fall 2009 PF 6.2 – 6.10
• 2013 - Expand Ping Product Portfolio
Copyright ©2012 Ping Identity Corporation. All rights reserved.
3. PingFederate Engineering Team January 2013
Denver, CO - Vancouver, BC - American Fork, UT
Halifax, Nova Scotia - Moscow, Russia - Dublin, Ireland
5. PingFederate 7 Highlights
• SCIM
– Outbound
– Inbound
• OpenID Connect
– Provider (OP)
• Password Management
• Adaptive Federation
– Selector Trees
– New selectors
• Localization
6. Administration Console Enhancements
Admin UI Refresh
• Usability improvements
– Friendlier form fields
– Simpler presentation
• Customer requested improvements:
– Visual cues for cluster replication
– Configurable console title
– Configurable session timeout
7. SCIM Provisioning – Why?
• Federation introduces a strong desire to solve user provisioning the right way.
• Accounts need to be synchronized across organizations to enable SSO.
• Today's provisioning approaches:
– Manual
– Just-In-Time Provisioning
– Automated – based on a proprietary protocol
8. SCIM Provisioning – Why? (cont'd)
Manual
• Pros: No additional configuration. Simple when only a handful of users to a single app are involved.
• Cons: Doesn't scale. Tedious for administrators. Error prone.
Just-In-Time
• Pros: Single protocol for both SSO and Provisioning.
• Cons: Doesn't handle the deprovisioning use case.
Automated (proprietary)
• Pros: Covers both provisioning and de-provisioning.
• Cons: Implemented differently for every partner.
SCIM (System for Cross-domain Identity Management) offers simple, standards based automated provisioning.
9. SCIM – Outbound Provisioning (formerly SaaS Provisioning)
IdP Features
• User provisioning & deprovisioning to partners supporting SCIM 1.1
[Diagram: Identity Provider watches its Identity Store and sends SCIM Create / Update / Delete requests to the SaaS Provider]
Identity Store
• Synchronize local corporate directory accounts with SCIM supporting partners
• Monitors directory for user account changes:
– Create
– Update
– Membership Update
– Delete / Disable
10. SCIM – Inbound Provisioning
SP Features
[Diagram: SaaS Provider receives SCIM requests from the Identity Provider and commits them to its Identity Store]
• Handle inbound user provisioning requests
• Commit operations to a local identity store (Active Directory)
Identity Store
• Enables Service Providers with a standard SCIM protocol runtime
• SCIM 1.1
– JSON
– HTTP Basic and TLS Client Authentication
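As an added example, not code from the deck or from PingFederate: a minimal SCIM 1.1 /Users runtime of the kind the SP side above exposes, in Python. It assumes a constructed partner credential and an in-memory dictionary in place of Active Directory; HTTP Basic is checked with a constant-time compare, and the TLS client authentication option is left to the transport layer.

```python
import base64
import hmac
import json

SCIM_CORE = "urn:scim:schemas:core:1.0"  # SCIM 1.1 core User schema URN
PARTNER_CREDENTIALS = {"saas-partner": "constructed-secret"}  # constructed; real values come from connection config
def basic_header(user, password):
    """Authorization header a SCIM client sends; used to build the sample request below."""
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()}
def authenticate_basic(headers):
    """Return the partner name when the HTTP Basic credential is valid, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pwd = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    expected = PARTNER_CREDENTIALS.get(user)
    return user if expected and hmac.compare_digest(pwd.encode(), expected.encode()) else None
def error(status, text):  # SCIM 1.1 error response body
    return status, {"Errors": [{"description": text, "code": str(status)}]}

class ScimInboundRuntime:
    def __init__(self):
        self.store = {}  # id -> User resource; stands in for the Active Directory commit

    def handle(self, method, path, headers, body=None):
        if authenticate_basic(headers) is None:
            return error(401, "Unauthorized")
        if method == "POST" and path == "/Users":  # Create
            user = json.loads(body)
            if SCIM_CORE not in user.get("schemas", []) or "userName" not in user:
                return error(400, "Invalid SCIM User resource")
            user["id"] = user["userName"]
            self.store[user["id"]] = user
            return 201, user
        uid = path[len("/Users/"):] if path.startswith("/Users/") else None
        if uid not in self.store:
            return error(404, "User not found")
        if method == "PUT":  # Update (full replace); "active": false is the disable case
            self.store[uid] = user = dict(json.loads(body), id=uid)
            return 200, user
        if method == "DELETE":  # Delete
            del self.store[uid]
            return 200, None
        return error(405, "Method not allowed")
# Constructed sample requests a SaaS provider might receive from the IdP.
SAMPLE_CREATE = json.dumps({"schemas": [SCIM_CORE], "userName": "jdoe", "active": True})
SAMPLE_DISABLE = json.dumps({"schemas": [SCIM_CORE], "userName": "jdoe", "active": False})
```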
11. SCIM Provisioning Interop @ CIS 2013
• Technology Nexus
• Cisco
• PingIdentity
• SailPoint
• Salesforce
• UnboundID
• WSO2
13. OpenID Connect - Next Gen SSO
SAML
• Separate protocols for SSO and API security
• Built on top of XML standards
• Profiles and bindings with lots of flexibility
• Manual trust bootstrapping & certificate management
OpenID Connect
• SSO and API security in one
• REST based interactions ideal for mobile
• Fewer, more focused profiles
• Auto client registration and key management
14. OpenID Connect
[Diagram: Identity Provider issuing ID tokens and API access to Mobile Apps and Web Apps]
Features
• OpenID Connect Provider (IdP)
• Leverages built-in OAuth AS for API security
• User Info Endpoint serves as a REST-based directory service for identity data
• Proxy SAML IdP Connections via OIC
Benefits
• Consistent framework for identity enabling both Web and Mobile applications
• Lighter weight, simpler standard for Relying Parties to adopt compared to SAML
15. OpenID Connect – OAuth Playground 3.0
Features
• Interactive utility for developers exploring OpenID Connect and OAuth
• Includes source code
– JSON Web Token library for ID Token validation (jose4j)
Supported Profiles
– Basic - mobile and traditional web apps
– Implicit - in-browser (JavaScript) apps
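As an added example, not the OAuth Playground's or jose4j's code: the ID Token checks a Basic profile client performs after the code exchange, in Python. It assumes constructed client registration values (CLIENT_ID, CLIENT_SECRET, ISSUER) and HS256 signing keyed by the client secret, which OpenID Connect Core permits; mint_id_token stands in for the OP so the sample is self-contained.

```python
import base64
import hashlib
import hmac
import json

# Constructed client registration values; a real RP receives these from the OP at registration.
CLIENT_ID = "playground-client"
CLIENT_SECRET = "constructed-client-secret"
ISSUER = "https://op.example.com"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_id_token(claims):
    """OP side, for the sample only: sign the claims with HS256 keyed by the client secret."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(CLIENT_SECRET.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token, now):
    """RP side: ID Token checks from OpenID Connect Core; returns the claims or raises ValueError."""
    h, p, s = token.split(".")  # a token without exactly three segments fails to unpack (ValueError)
    header = json.loads(b64url_decode(h))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never accept alg=none or a surprise alg
    expected = hmac.new(CLIENT_SECRET.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")  # verify before reading claims; unsigned claims are untrusted
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued for this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp must name this client when aud lists several")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def is_valid(token, now):
    try:
        validate_id_token(token, now)
        return True
    except ValueError:
        return False
```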
16. Adaptive Federation Enhancements
[Diagram: Authn Policy tree for SSO to a SaaS App: "Inside the Firewall?" and "Browser speaks IWA?" route to Kerberos against Active Directory, otherwise to an HTML Form]
Features
• Decision Trees to define complex Authn Method policies
• Additional criteria:
– HTTP Headers (e.g.: User-Agent)
– SP Connection
– Node Index
– OAuth Scope
• Prioritized default selection
Example Use Case
• IWA on/off network with supported browser
• Partner applications with varied authn req's
17. Password Management
Features
[Diagram: Authn through the HTML Form adapter, then Update Password against the Directory]
• End user (LDAP) password management features:
– Forced Password Update (at login)
– User Initiated Change Password
Example Use Case
• Medium sized Enterprise with Remote Users always off the domain
19. Demo
• Provision user to AD using SCIM
• Password Management
– HTML Form Adapter
• Adaptive Federation Enhancements
– Selector Trees
– HTTP Header Selector
– Connection Selector
• Token Authorization
– Control when tokens are issued during attribute fulfillment
• Localization
• OpenID Connect Basic Client Profile
Editor's notes: System for Cross-domain Identity Management. Who speaks SCIM?