
Friday, 26 September 2008

SSO to Google Apps & Salesforce - Video Introduction

Our very own Mike Donaldson provides this great 3 minute video overview of how to use PingFederate for SAML SSO into Google Apps or Salesforce. - SSO for Salesforce - SSO for Google
Posted by adurand at 1:03 PM in IdM




Monday, 22 September 2008

The Freedom to Choose

Choice anyone?

Quite frankly, when I'm on the road, my food choices stink. It would be one thing if I had a choice, but often times I don't.

90% of what I'm presented as a "choice" is fast food. Yea I get it, it's fast, it's cheap and it scales, but at what cost to my health? Some fast food joints are trying to do their part, by offering up healthy choices on their menu, but often times, the paying public doesn't buy, confirming again why we have such a dismal choice.

With fewer exceptions than I would like, the average American doesn't reward quality food either. I know, this could be a gross over-generalization, but who am I to argue with the statistics on health and weight in the US?

It's not the same in Europe. Sure, they have fast food, but they also have a vibrant family operated restaurant community. Customers seek these venues out, and reward them with their checkbooks.

So what's this got to do with identity?

Well, simply put, maintaining choice is a choice. You simply cannot take the availability of choice for granted. You have to work for it.

Along those lines, I've noticed a tension (and awareness) within big enterprise recently, and it has everything to do with choice.

To understand what's going on, you have to understand the players. Essentially, two conflicting agendas are squaring off. On the one hand, you have IT. When making a purchasing decision, IT typically gravitates towards the best solution. This is the solution that installs quickly, works as promised and lowers their overall risk of failure. Purchasing, on the other hand, has a different agenda. They like choice too. They like to pit Choice A against Choice B when it comes to price. But, generally speaking, purchasing gives less consideration to the (often hidden) ancillary costs and ramifications of a poor selection. In many cases, purchasing is rewarded differently too, and there is clearly a disconnect as to how the two groups' bonuses are calculated and on what.

Accounting for the hidden costs

In IT, more often than not, the real cost isn't from licensing technology. The real costs come from implementing, customizing and operating that technology over a sustained period of time. A 'total' cost to the organization would, if evaluated consistently, move to align IT's recommendations and purchasing, but in my observations, things are rarely that coordinated. Many times, I observe that purchasing would rather keep things simple and the number of vendor relationships they have limited. It makes their job easier, and if they buy more, they get bigger discounts.

Changing times?

So here's where I've noticed the pendulum is swinging away from a bias towards concentrated purchasing from a few large vendors and back again towards more vendor choice and best of breed solutions. Why is this happening? I believe there is an awareness by many enterprises that they do not want all their eggs in a single basket, and they are more than willing to support choice, where they have the option. Add to that the fact that they are being presented with vastly superior offerings by best of breed independent players in certain categories, and having been burned by the dismal landscape of choice over the past 5 years, they are willing to now consider going with the independent player.

Choosing Choice

So here is where some of my recent experiences support what I'm calling a conscious effort by enterprises to maintain choice. In the past three months, Ping has been asked to participate in a number of executive level meetings. Unlike a year ago, we're being introduced several levels up from where we've normally engaged with enterprises. We're now meeting the boss, the boss's boss and the boss's boss's boss.

To me, this says two things. 1. federation is becoming strategic and 2. companies are realizing that they have a new partner in Ping, and they want to look us in the eye.

Many have explicitly stated that they want an independent providing federation technology.

It's a good time to be Ping.

Posted by adurand at 11:00 AM in IdM




Friday, 19 September 2008

X.509 (SmartCard) Integration Kit for PingFederate

We recently completed an X.509 Integration Kit to allow for Certificate based authentication to PingFederate. The kit will be available for download shortly.

The PingFederate X.509 Certificate IdP Integration Kit provides an Identity Provider (IdP) Adapter for PingFederate. This Adapter allows a PingFederate IdP server to perform client X.509 certificate authentication for single sign-on (SSO) to Service Provider (SP) applications.

The X.509 Certificate IdP Adapter uses the PingFederate security infrastructure for certificate validation and management. PingFederate validates the trust of all certificates. A certificate is trusted if the root certificate of the issuing Certificate Authority (CA) is imported into the PingFederate trusted certificate store.

Posted by adurand at 12:59 PM in IdM




What he said

Jeff Bohren responded to my recent post on centralized versus distributed projects.

So Federation (loose coupling) is always the best way to go, right?

No. It’s often the best way to go but there are many times that tight coupling simply must be done. Often that means using a provisioning system and a means of synchronizing accounts (IBM TIM, Sun SIM, MS ILM, etc). Sometimes that means configuring your systems to centralize the identity (Quest Vintella, Centrify, etc).

And here is where I will let you in on the dirty little secret of provisioning. It’s really all about deprovisioning. Typically enterprises don’t care if it takes weeks for you to get access to all of the resources you need to do your job. They care in the abstract (usually), but not enough to actually do anything about it. But the minute your employment is ended, your access to all your enterprise resources needs to be turned off.

And for that you need centralization of some sort.

Jeff, you're right. There is no 'one approach' that fits all. Both centralized and federated approaches have their pros and cons, depending on the situation. Most of life happens somewhere between black and white. I've just come to appreciate how to succeed in small increments, and this lesson isn't limited to IdM projects.
Posted by adurand at 11:47 AM in IdM




Thursday, 18 September 2008

Palin's Hacked Email

I just read an article about Palin's Yahoo email account being hacked, and the contents posted to the net.

"Details of the break-in, if authentic, are consistent with speculation by computer security experts who said Yahoo's "forgot-my-password" service almost certainly was exploited.

The mechanism allows customers to retrieve or change their password if they can verify their identity by confirming personal information such as birthdate, zip code and the answer to a "secret question," such as a childhood pet's name or school mascot. Palin's hacker was challenged to guess where Alaska's governor met her husband, Todd. Palin herself had recounted in her speech at the Republican National Convention that the pair began dating two decades ago in high school in Wasilla, a town near Anchorage."

Politics and party lines aside, the intersection of what has been traditionally thought of as 'low risk' accounts (e.g. personal email), privacy and even security are about to all collide. Ashish Jain had a good post on this some time back. He discussed the inherent weakness with using facts (readily available, some even by search engines) for KBA rather than things like opinions or preferences for example.

Hacked personal email accounts can expose a number of other security weaknesses related to password-only security, especially since email accounts are often used as part of the password reset process.

It's inevitable (and healthy IMO) that these sorts of events drive the adoption of stronger forms of authentication over the Internet. Federation will only increase the need to protect the front-door better.

Posted by adurand at 2:54 PM in IdM




One Important Difference between Federation & Internal IdM Projects

We've met with a lot of companies recently who have now decided to ramp their federation efforts. They've mostly tinkered for the past 2 years, but they are now planning to really turn the crank.

What's interesting about our conversations is that invariably, they talk about one or more of their internal provisioning, IdM or WAM projects that is basically not meeting their expectations. What I find interesting about this is that federation deployments, by their very distributed nature, are taking an entirely different approach. Most if not all centralization projects are large, costly, complex and long. This makes them inherently more risky, and introduces higher and higher probabilities of failure at one or more levels.

On the contrary, federation has never over-sold its promise. We (Ping and our customers) experience success one connection at a time.

Even though Ping now offers "federated provisioning" in PingFederate 5.2 to Salesforce and Google Email (& Apps), don't somehow put PingFederate into the 'provisioning' bucket. We don't promise the world. We promise to automate provisioning and federated identity life-cycle to 2 SaaS applications (more coming of course, but the number will be measured in dozens, not hundreds or thousands). We're happy to succeed, one connection at a time.

Posted by adurand at 9:53 AM in IdM




Tuesday, 9 September 2008

PingFederate 5.2 - Able to leap tall buildings in a single bound

We released PingFederate 5.2 this morning. Don’t be fooled by the “.2”. This is a big release, so I felt compelled to emphasize.

Essentially, this release completes the integration of the advanced provisioning and de-provisioning features we acquired from Sxip Identity for Salesforce.com and Google Apps, and marks the beginning of a whole new direction for PingFederate, namely, account lifecycle management for Enterprises looking to better secure and integrate with SaaS vendors.

We already have most of the top 100 SaaS vendors using PingFederate for Internet SSO. Now, beginning with this release, which focuses on Salesforce and Google initially, we have the foundation to provide similar provisioning services for other SaaS vendors.

For enterprises this is a big deal, as we essentially extend their pre-existing identity management activities in Active Directory (or other directory services) to now include complete identity lifecycle management and SSO to Salesforce and Google (with more SaaS vendors on their way).

Here’s the ‘official’ stuff....

Ping Identity Simplifies Secure Internet Single Sign-On for Software as a Service Users

PingFederate 5.2 Automates Account Provisioning & De-Provisioning for Salesforce and Google Apps

Denver, Colo. – SEPT 9, 2008 – Ping Identity® today announced it has released PingFederate 5.2, the most complete Internet single sign-on software solution for SaaS users and SaaS vendors. Downloadable now at www.pingidentity.com, PingFederate 5.2 incorporates key technologies from Ping Identity’s recent acquisition of Sxip Access to offer automated provisioning and de-provisioning, as well as advanced user access methods – critical components for effective SSO to Salesforce and Google Apps™.

According to Gartner, Inc., “Software as a service is forecast to have a compound annual growth rate of 17-percent through 2011 for small-and-midsize-business CRM, ERP and SCM software markets, more than double the growth rate for total enterprise application software as a whole.”*

“Along with the efficiencies they provide, SaaS applications can present some unique challenges to IT,” said Ping Identity CEO Andre Durand. “Because most SaaS applications have their own user directories, IT administrators may be manually adding, updating and deleting hundreds or thousands of user accounts. Ping Identity has responded with the only SaaS SSO solution that’s up and running in days, and includes automatic provisioning to eliminate that extra work.”

PingFederate 5.2 builds on proprietary Salesforce and Google Apps APIs to deliver automated SaaS provisioning. It works with Microsoft’s Active Directory, or any existing user directory and authentication mechanism the company already uses for its own applications.

“PingFederate 5.2 makes it easier for users to securely access Google Apps for communication and collaboration, while streamlining administrative requirements and easily scaling as companies grow,” said Scott McMullan, Google Apps Partner Lead.

In addition to automated provisioning, PingFederate 5.2 introduces new SaaS Connectors for Salesforce and Google. These new modules further expedite deployment of PingFederate for these SaaS applications by including Quick Connection templates that simplify and streamline configuration by pre-populating connection settings, user/account provisioning parameters and SSO endpoint parameters.

Specific to Salesforce, with PingFederate 5.2, Ping Identity has expanded its list of supported Salesforce access methods to include desktop and mobile browsers, remote users, Salesforce Connect for Microsoft Outlook and emailed report URLs.

Posted by adurand at 9:26 AM in IdM




Thursday, 4 September 2008

New PingFederate Coming

Next week at Digital ID World we'll announce a new version of PingFederate. As with all of our announcements, it will be available for immediate download.

This is a really significant release, as it effectively takes the meaning of federated identity in a whole new direction. We're finally moving beyond simple federated single sign-on.

You'll also not want to miss Patrick Harding and Ashish Jain, both of whom are speaking at DIDW.

Posted by adurand at 3:23 PM in IdM