Ping Identity Blog
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/
Ping Identity Corporation info@pingidentity.com 2008-11-17T17:10:32-07:00 en

The Golden Guardian
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/11/17/Golden-Guardian-1
A few months back, our marketing department brought up the notion of some sort of identity super hero. I spoke about it to a few friends a few weeks later and it sort of caught on. To say my friend Bill Turner and Ellory (the artist) 'ran' with the idea would be a gross understatement. I'll let you judge for yourself. Introducing the Golden Guardian. <p>
<img src="http://blog.pingidentity.com/files/default/GG_0_500.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/GG_1_500.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/GG_2_500.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/GG_3_500.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/GG_4_500.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/GG_5_500.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/GG_6_500.jpg" alt="" /><p>
2008-11-17T17:10:32-07:00

Unsolicited Kudos
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/11/12/Unsolicited-Kudos
Quite frankly, I'm blown away by some of the compliments we receive from customers. I consider myself fortunate to be a part of an organization that is deserving of such kudos. I woke up to the following email this morning. This is the way to start a day.<p>
<blockquote>It's always difficult to prioritize taking the time to say thanks, but on the way to work this morning I was thinking about things that are reliable in our computing environment, and your product is definitely one of them. Thank you for that.
<p> Ironically, when things are reliable, there is naturally less need to talk with each other, so I just wanted to take a moment to let you, and your whole team, know that we appreciate the engineering and user interface excellence of your products. With efficiency changes pressuring IT solutions, the "set it and forget it" attributes of your services become all the more appreciated, especially by those that directly play in the middleware forests. </blockquote>
All the best, -- Fortune 1000 Company
2008-11-12T20:14:37-07:00

SAML Integration Kits for Java, .NET and PHP
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/11/09/SAML-Integration-Kits-for-Java-NET-and-PHP
<b>Java Integration Kit 2.3 – November 2008</b><p>
• Added POST Transport Method for OpenToken when used by an SP<br>
• Added configuration option to specify session vs. persistent cookie<br>
• Added option to set the Secure attribute on an OpenToken when a cookie is used<br>
• Added ability to bypass password obfuscation and strength enforcement for backward compatibility with previous Java OpenToken agents<br>
• Correctly handles null parameters for single logout via the back-channel (SOAP)<br>
• Empty query string (?) is not automatically appended to the URL when redirecting to the Target Resource<br>
• Target Resource URL is URL-encoded<br>
<p>
<b>.NET Integration Kit 2.3 – November 2008</b><br>
• Added POST Transport Method for OpenToken when used by a Service Provider<br>
• Added configuration to specify session cookie vs.
persistent cookie<br>
• Added option to set the “Secure” attribute on an OpenToken when a cookie is used<br>
• Added ability to bypass password obfuscation and strength enforcement for backward compatibility with previous .NET OpenToken agents<br>
• Correctly handles null parameters for SOAP SLO<br>
• Empty query string (?) is not automatically appended to the URL when redirecting to TargetResource<br>
• TargetResource URL is URL encoded<br>
• Corrected not-before tolerance processing<br>
<p>
<b>PHP Integration Kit 2.3 – November 2008</b><br>
• Added POST Transport Method for OpenToken when used by a Service Provider<br>
• Added configuration to specify session cookie vs. persistent cookie<br>
• Added option to set the “Secure” attribute on an OpenToken when a cookie is used<br>
• Correctly handles null parameters for SOAP SLO<br>
• Empty query string (?) is not automatically appended to the URL when redirecting to TargetResource<br>
• TargetResource URL is URL encoded<br>
2008-11-09T17:41:52-07:00

On-Demand Single SignOn for Salesforce & Google
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/11/04/ANNOUNCES-PINGCONNECT-ON-DEMAND-SINGLE-SIGN-ON-FOR-SAAS-APPLICATIONS
<img src="http://blog.pingidentity.com/files/default/how_it_works_sf_google.jpg" alt="" /> <p>
Denver, Colo. – Nov. 4, 2008 – Ping Identity® today announced PingConnect™, an on-demand Internet SSO service for SaaS (software as a service) applications. Now available from Ping Identity, and on the Force.com AppExchange, PingConnect increases user adoption, reduces administration and strengthens security. <p>
PingConnect is initially available for Salesforce CRM and Google Apps™.
It leverages Ping Identity’s award-winning PingFederate® Internet SSO software and PingEnable, the company’s expert support, services and methodologies, to deliver an on-demand Internet SSO service. PingConnect makes anytime, anywhere access to Salesforce CRM and Google Apps easier, automates user set up and removal and protects valuable data. <p>
HOW IT WORKS<p>
<img src="http://blog.pingidentity.com/files/default/how_it_works.jpg" alt="" /> <p>
“Through years of working with hundreds of SaaS vendors, business process outsourcers, and their customers, we’ve clearly seen that PingFederate improves user adoption and streamlines administrative tasks,” said Ping Identity CEO Andre Durand. “With PingConnect we’re adding the advantages of an on-demand service to provide the benefits of Internet SSO to Salesforce and Google Apps users.” <p>
More companies are moving to SaaS applications for inherent benefits like rapid deployment of new capabilities and easier configuration for administrators. In the May 21, 2008, report “On-Demand SFA Can’t Guarantee Success,” Gartner Vice President and Distinguished Analyst Robert Desisto said, “SaaS alone does not guarantee improved user adoption by salespeople…Salespeople want an SFA solution that's easy to use, provides information that will give them advantage selling, has collaboration tools that enable them to work with other team members, and reduces administrative burdens.” <p>
Because PingConnect works with existing user directories and authentication mechanisms, there is no compromise to security and no administrative time wasted in setting up external SaaS directories or manually provisioning users. PingConnect supports all access methods to Salesforce CRM including desktop and mobile browsers, Connect for Microsoft Outlook and emailed report URLs. <p>
To learn more about PingConnect visit www.pingidentity.com.
2008-11-04T07:33:51-07:00

Apache 2.0 Integration Kit for SAML - Now Available
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/10/29/Apache-2-0-Integration-Kit-for-SAML-Now-Available
The Apache Integration Kit v1.1 for Apache 2.0 is now available for download from the Ping Identity Website. <p>
Key Features:<p>
· Added support for dynamic TargetResource<p>
· Simplified configuration by removing several items not needed for the PingFederate implementation<p>
· Added support to filters to use the full request URL, including query parameters, to determine if a resource is to be protected<p>
· (Bug fix) OpenToken session now uses the ‘cookie-domain’ property from mod_plaa.conf rather than from the agent configuration file; reading it from the agent configuration file caused the module to fail at startup if the transport mode was set to “Query Parameter” in the OpenToken adapter setup<p>
· (Bug fix) Shipped with OpenToken 2.2.2, which no longer appends a question mark “?” to the target resource URL, which Apache could not process
2008-10-29T09:01:26-06:00

SaaS Vendors Select PingFederate for SSO
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/10/29/SaaS-Vendors-Select-PingFederate-for-SSO
Over 130 SaaS and BPO providers have now selected PingFederate to provide single sign-on for their customers. Two SaaS vendors, Truist and RazorGator, have made their own announcements recently.
<p> <a href="http://www.truist.com/company/?sec=4&subsub=19&id=174">Truist</a><br>
"PingFederate® is an obvious choice because it offers broad support for the latest open standards and commercial implementations of Single Sign-On, as well as ease of management," said Neal Griffin, Executive Vice President, Technology at Truist. "We are now positioned to rapidly integrate with all of the popular SSO providers and standards used by our clients. We implemented our second client on the platform in a single afternoon." <p>
<a href="http://www.ticketos.com/about/TicketOS_Pingrelease_%20Final.pdf">RazorGator</a><br>
“Because Ping Identity’s technology is easy to implement, and works seamlessly with existing identity management environments, we recommend PingFederate® to all customers who want single sign-on into TicketOS,” said John Wallace, TicketOS General Manager. “PingFederate allows our corporate customers to easily access their ticket management software application in a reliable and simple manner. And Ping Identity provides fantastic support.”
2008-10-29T08:51:17-06:00

Ping Customers Double Since December
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/10/22/804466E8F067E094F3B4111ED6975D06
<center><b> PING IDENTITY CUSTOMERS – 250 STRONG AND GROWING </b><p>
<i> Larger Numbers of Enterprises and SaaS Vendors Worldwide Choose PingFederate as the Proven Independent Choice for Internet SSO</i><p> </center><p>
Denver, Colo. – Oct. 21, 2008 – Ping Identity® today announced it has passed the 250 milestone for global customers using PingFederate for secure Internet single sign-on. Ping Identity’s customer base – now at 265 – includes 30 percent of the Fortune 100 and more than 130 SaaS and BPO providers.
<p> Ping Identity SaaS partner RazorGator views PingFederate as a strategic business tool, providing single sign-on to its TicketOS corporate customers. <p>
“Ping Identity’s technology is outstanding,” said John Wallace, general manager of RazorGator’s TicketOS. “Ping Identity allows our corporate customers to easily access their ticket management software application in a reliable and simple manner.” <p>
Ping Identity’s growth has continued to accelerate as more companies implement on-demand business applications for cost savings, improved business flexibility, greater velocity and focus. The selection of Ping Identity demonstrates that companies value speed and simplicity, and understand the business value of secure Internet single sign-on. <p>
“Securing external applications is becoming a much higher priority in today’s identity management initiatives,” said Ping Identity CEO Andre Durand. “Unlike the last decade where we often saw overly complex provisioning, identity management and Web access management projects end in failure, many companies are rethinking their strategy, opting instead to focus on Internet single sign-on deployments that achieve success quickly.” <p>
With SAML-based single sign-on connections to more than 220 customers, Rearden Commerce, the creator of the first Web-based personal assistant and leading choice among companies for managed spending, leverages PingFederate to ensure its customers’ success in gaining user adoption of the tool. <p>
“After just one month of using PingFederate for Internet single sign-on, one of our customers achieved an 81 percent user adoption of its online air booking tools,” said Chuck Mortimer, director of platform services for Rearden Commerce. “Much of that success is attributed to our secure, standards-based capabilities, allowing seamless access and a smooth transition to our end users.” <p>
PingFederate provides safe access to Internet applications without the need for repeat logins.
Unlike other identity federation solutions that can take months to deploy, PingFederate is easy to implement and can be deployed in only a few days. The latest release, PingFederate 5.2, includes automated provisioning and advanced user access methods to support comprehensive SSO for Salesforce and Google Apps™. <p>
About Ping Identity Corporation <p>
Ping Identity is the market leader in federated identity management, delivering secure Internet single sign-on software and services to more than 250 enterprise customers, government agencies and service providers worldwide. PingFederate provides secure access to Internet applications through a single login. With PingFederate and PingEnable — Ping Identity’s expert support, services, and methodologies — external connections can be operational in less than a week. For more information visit www.pingidentity.com. <p>
### <p>
Ping Identity, PingFederate, PingEnable, the Ping Identity logo, SignOn.com, Auto-Connect and Single Sign-On Summit are registered trademarks, trademarks or servicemarks of Ping Identity Corporation. All other product and service names mentioned are the trademarks of their respective companies.
2008-10-22T09:48:33-06:00

Spooky Ping
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/10/17/Spooky-Ping
We had a great spook day at Ping this afternoon with our children. The children really enjoyed the face painter, as did a few of the adults.
<p> <img src="http://blog.pingidentity.com/files/default/ccw_6852.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/ccw_6907.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/ccw_6997.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/ccw_6945.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/ccw_6984.jpg" alt="" /><p>
<img src="http://blog.pingidentity.com/files/default/ccw_6811.jpg" alt="" /><p>
<strong> BOO!</strong><p>
<img src="http://blog.pingidentity.com/files/default/ccw_7062.jpg" alt="" /><p>
2008-10-17T21:52:58-06:00

Worried about Orphaned Accounts, Cost Cutting or M&A Integration?
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/10/10/Federation-to-the-Rescue
<strong>Federation to the Rescue!</strong><p>
I received a great email from John Haggard today, former co-founder of Vasco, and a 20-year veteran of the SSO industry. [Disclosure: John is a Ping Identity adviser]. His experience was too good to not share.
<blockquote>I lived through the 80's as a vendor when things got very tough. The security market grew, not diminished. When hard times hit, and companies are downsized, there are a lot of disgruntled employees, and that's a security risk, especially if automation of de-provisioning isn't in place. I think that will hold true this time as well. When companies go into survival mode, the one thing they are not worried about is anything having to do with "improving." Companies have a completely different mindset and things become a whole different playing field. <p>
In the case of Ping, layoffs in organizations will trigger the de-provisioning issues. The FI consolidations will really hit the issues facing consumers - gluing/mapping together existing accounts.
What really hit home for SKK was ACF2 required 1 admin per 800 users. RACF from IBM was 1 admin per 100 users (independently verified). When hiring freezes hit along with layoffs, the remaining security folks become frantic for administrative elimination. <p>
What really concerns me this time around is the huge amount of numbers of accounts that are left vulnerable as everyone is in general panic. In the 80's, a small single digit percentage of all employees had electronic identities. Now I'm sure the number is well over 100% if you count the duplicate accounts per person. And this doesn't even account for the exponential factor that shows up in "federated" systems (partners, consumers, etc.). Accountability will be the catch phrase so anything that supports accountability (single auth event and auditing the SSO steps) will be bankable. -- John Haggard </blockquote>
2008-10-10T14:16:41-06:00

NEW SiteMinder Integration Kit for PingFederate & SAML
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/10/10/NEW-Siteminder-Integration-Kit-for-PingFederate-SAML
The SiteMinder Integration Kit v2.3 is now available for immediate download from the Ping Identity Website. <p>
New Features:<p>
· Added support for realm protection level.
If the user is not authorized for the realm protection level, the SiteMinder Adapter redirects to the Login URL for re-authentication.<br>
· Modified implementation to correctly recognize a null or blank Max Timeout SMSESSION value on the Policy Server.<br>
· Added support for setting SMSESSION token to the value LOGGEDOFF for SP-initiated Single Logout (SLO) instead of expiring the token.<br>
2008-10-10T10:39:27-06:00

The "CEO" Call
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/10/01/The-CEO-Call
I've spoken to a number of people lately about the importance of quality from the outset. How quality is more than just a bias, and how seemingly harmless compromises to quality come back to haunt you and your enterprise in unsuspecting ways -- often with interest. <p>
Truth is it takes backbone to say "no", yet that little word, spoken at the right time, is sometimes all that stands between a smooth running company, and one that seems to struggle with the consequences of their decisions. Do this wrong, and it's inevitable you'll be getting the 'CEO' call from an unhappy customer. I've been fortunate here at Ping; in six years and 260 customers, I've not received that call. I think it's inevitable that someday I'll get it, and when I do, I'll blame myself, because it will likely be something I did, or allowed to happen, that triggered the call, even if it's now 50 steps removed. <p>
I can talk about this, because I've made this exact mistake before. I've bowed to the pressure of a prospect asking for a feature that I wasn't sure I could deliver, only to have to deal with the issue later. These things can be a death spiral if you're not careful.
While you might not realize it, or want to realize it, there's a very direct cause and effect beginning with your commitment to quality and how you set expectations. I've been fortunate here at Ping to have people that know how to say no, and know when to call out the fact that we are promising more than we can guarantee, and people who care about our reputation at ALL times. These people have allowed Ping to enjoy tremendous success, with very little disruption to our growth. Not all my experiences have been this delightful. <p>
Take this scenario as a case in point:<br>
<li>It's a tight quarter, and you're not sure you're going to make your numbers<br>
<li>You've got a potential deal which could save you (on paper) in the near term, but you've got to promise a delivery schedule that you haven't thoroughly vetted, and you know you most likely won't make<br>
<li>Some companies would sign the deal, save the near-term embarrassment, and deal with the ramifications later. Others wouldn't take the deal, and would instead take the medicine early. Which company are you?<br>
<li>If you take the deal, and deliver a product that's either late, lacking a promised feature, or lacking in quality, the impact to your organization will be significantly higher than if you had just not done the deal to begin with.<br>
<li>First, your support lines light up, and your support engineers get hammered. This impacts their morale, the morale of those around them, and spills over into engineering, as support seeks answers. <br>
<li>Now your engineering team, taken off point for the current release, must change their schedule to accommodate the fire-drill. This is not only bad for them, and bad for your current release, but it's bad for your prospects, who are now being made promises around your next release -- see how the cycle perpetuates and gets worse?
<br>
<li>Your sales team's integrity now is hit, because they are the ones that put their word on the line, promising something that wasn't ultimately delivered, so now they feel guilty. How do you think they are going to approach that same customer later at renewal time? Do you think they are going to discount perhaps, trying to make up for broken promises? Costing the company even more money down the road?
<li>And what about the executive team? Have they been pulled into the conversation too, taking them off of execution of the current objectives? </li> <p>
In the end, there is always a much higher price to pay for a lack of integrity up-front, and it's very hard to build a quality organization if you are unable to make tough decisions along the way. My VP of Engineering has a statement which captures this, "Go honest early." Wisdom. <p>
2008-10-01T15:40:13-06:00

SSO to Google Apps & Salesforce - Video Introduction
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/09/26/SSO-to-Google-Apps-Salesforce-Video-Introduction
<img src="http://blog.pingidentity.com/files/default/video.jpg" alt="" />
Our very own Mike Donaldson provides this great 3-minute video overview of how to use PingFederate for SAML SSO into Google Apps or Salesforce.
- <a href="http://www.pingidentity.com/products/salesforce-sso.cfm">SSO for Salesforce</a>
- <a href="http://www.pingidentity.com/solutions/Secure-Internet-SSO-for-Google-Apps.cfm">SSO for Google</a>
2008-09-26T13:03:50-06:00

The Freedom to Choose
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/09/22/Vendor-Choice
<img src="http://blog.andredurand.com/wp-content/uploads/2008/09/choice1.jpg" alt="" title="choice1" width="350" height="389" class="alignleft size-full wp-image-503" /> <p>
<b>Choice anyone?</b> <p>
Quite frankly, when I'm on the road, my food choices stink. It would be one thing if I had a choice, but often times I don't. <p>
90% of what I'm presented as a "choice" is fast food. Yeah, I get it, it's fast, it's cheap and it scales, but at what cost to my health? Some fast food joints are trying to do their part, by offering up healthy choices on their menu, but often times, the paying public doesn't buy, confirming again why we have such a dismal choice. <p>
With fewer exceptions than I would like, the average American doesn't reward quality food either. I know, this could be a gross over-generalization, but who am I to argue with the statistics on health and weight in the US? <p>
It's not the same in Europe. Sure, they have fast food, but they also have a vibrant family operated restaurant community. Customers seek these venues out, and reward them with their checkbooks. <p>
<b>So what's this got to do with identity? </b> <p>
Well, simply put, maintaining choice is a choice. You simply cannot take the availability of choice for granted. You have to work for it. <p>
Along those lines, I've noticed a tension (and awareness) within big enterprise recently, and it has everything to do with choice.
<p> To understand what's going on, you have to understand the players. Essentially, two conflicting agendas are squaring off. On the one hand, you have IT. When making a purchasing decision, IT typically gravitates towards the best solution. This is the solution that installs quickly, works as promised and lowers their overall risk of failure. Purchasing on the other hand has a different agenda. They like choice too. They like to pit Choice A against Choice B when it comes to price. But, generally speaking, purchasing gives less consideration to the (often hidden) ancillary costs and ramifications of a poor selection. In many cases, purchasing is rewarded differently too, and there is clearly a disconnect as to how the two groups' bonuses are calculated and on what. <p>
<b>Accounting for the hidden costs</b><p>
In IT, more often than not, the real cost isn't from licensing technology. The real costs come from implementing, customizing and operating that technology over a sustained period of time. A 'total' cost to the organization would, if evaluated consistently, move to align IT's recommendations and purchasing, but in my observations, things are rarely that coordinated. Many times, I observe that purchasing would rather keep things simple and the number of vendor relationships they have limited. It makes their job easier, and if they buy more, they get bigger discounts. <p>
<b>Changing times?</b><p>
So here's where I've noticed the pendulum is swinging away from a bias towards concentrated purchasing from a few large vendors and back again towards more vendor choice and best of breed solutions. Why is this happening? I believe there is an awareness by many enterprises that they do not want all their eggs in a single basket, and they are more than willing to support choice, where they have the option.
Add to that the fact that they are being presented with vastly superior offerings by best of breed independent players in certain categories, and having been burned by the dismal landscape of choice over the past 5 years, they are willing to now consider going with the independent player.<p>
<b>Choosing Choice</b><p>
So here is where some of my recent experiences support what I'm calling a conscious effort by enterprises to maintain choice. In the past three months, Ping has been asked to participate in a number of executive level meetings. Unlike a year ago, we're being introduced several levels up from where we've normally engaged with enterprises. We're now meeting the boss, the boss's boss and the boss's boss's boss. <p>
To me, this says two things. 1. federation is becoming strategic and 2. companies are realizing that they have a new partner in Ping, and they want to look us in the eye. <p>
Many have explicitly stated that they want an independent providing federation technology. <p>
It's a good time to be Ping.
2008-09-22T11:00:04-06:00

X.509 (SmartCard) Integration Kit for PingFederate
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/09/19/X-509-SmartCard-Integration-Kit-for-PingFederate
We recently completed an X.509 Integration Kit to allow for certificate-based authentication to PingFederate. The kit will be available for download shortly. <p>
The PingFederate X.509 Certificate IdP Integration Kit provides an Identity Provider (IdP) Adapter for PingFederate. This Adapter allows a PingFederate IdP server to perform client X.509 certificate authentication for single sign-on (SSO) to Service Provider (SP) applications.<p>
The X.509 Certificate IdP Adapter uses the PingFederate security infrastructure for certificate validation and management.
PingFederate validates the trust of all certificates. A certificate is trusted if the root certificate of the issuing Certificate Authority (CA) is imported into the PingFederate trusted certificate store.<p>
<img src="http://blog.pingidentity.com/files/default/x509.jpg" alt="" />
2008-09-19T12:59:14-06:00

What he said
http://blog.pingidentity.com/blog/ctotalkIdM2007IdM/2008/09/19/What-he-said
<a href="http://idlogger.wordpress.com/2008/09/19/tightly-coupled-vs-loosely-coupled-in-the-enterprise/">Jeff Bohren responded</a> to my recent post on <a href="http://blog.pingidentity.com/blog/defaultIdMPalins-Hacked-Email/2008/09/18/One-Important-Difference-between-Federation-Internal-IdM-Projects">centralized versus distributed projects</a>. <p>
<blockquote><em>So Federation (loose coupling) is always the best way to go, right? <p>
No. It’s often the best way to go but there are many times that tight coupling simply must be done. Often that means using a provisioning system and a means of synchronizing accounts (IBM TIM, Sun SIM, MS ILM, etc). Sometimes that means configuring your systems to centralize the identity (Quest Vintella, Centrify, etc). <p>
And here is where I will let you in on the dirty little secret of provisioning. It’s really all about deprovisioning. Typically enterprises don’t care if it takes weeks for you to get access to all of the resources you need to do your job. They care in the abstract (usually), but not enough to actually do anything about it. But the minute your employment is ended, your access to all your enterprise resources needs to be turned off. <p>
And for that you need centralization of some sort.</em></blockquote>
Jeff, you're right. There is no 'one approach' that fits all.
Both centralized and federated approaches have their pros and cons, depending on the situation. Most of life happens somewhere between black and white. I've just come to appreciate how to succeed in small increments, and this lesson isn't limited to IdM projects.
2008-09-19T11:47:04-06:00