
Wednesday, 31 October 2007

Skull for lunch. Yumm....

One of the benefits of working at Ping: we serve yummy lunches. Today's menu: skull à la mode. Thanks 'dude'.

Posted by adurand at 1:00 PM in IdM




PingFederate as an Identity Router

I was over in Barcelona recently and met with Hans Zandbelt (hans.zandbelt@surfnet.nl) and Jaap Kuipers (jaap.kuipers@surfnet.nl).  Both of these gentlemen work for SURFnet, the national research and education network in The Netherlands.

Hans and Jaap have built an interesting business by connecting many of the identity providers and service providers in the Dutch higher education and research area. Most interestingly however, I discovered that they were able to take PingFederate (out-of-the-box), and with only a few small additions, turn it into a full-fledged identity router (identity gateway) with on-the-fly protocol translation. Below I've documented a bit of what they did.

SURFfederation (http://federatie.surfnet.nl)

  • SURFfederation consists of a community of identity providers and service providers who have all agreed to the same federation policy, plus a distributed infrastructure in the Dutch higher education and research area
  • IdPs are SURFnet customer institutions (universities, high schools, research institutes, other non-profit governmental organizations)
  • SPs are content providers, mostly in the educational area (Elsevier, EBSCO, SURFdiensten, but also the institutes themselves)
  • To connect IdPs with SPs, SURFnet offers a centralized federation hub capable of translating (on-the-fly) between multiple federation protocols such as SAML 2 and WS-Federation
  • Both IdPs and SPs hook up to the central federation gateway using the federated IdM product and protocol of their choice

History

  • Many institutions in the Dutch educational sector, until recently, have used a proprietary, but open source server called “A-Select” for web-based SSO. Think of A-Select as similar to Shibboleth, but it doesn’t use SAML, instead opting for a proprietary protocol (A-Select-Cross)
    • A-Select educational market penetration = ~10%
    • A-Select can act as a federation gateway between A-Select-cross IdPs/SPs and Shibboleth SPs
  • IDFF/SAML1-2/WS-Fed extensions to A-Select as a gateway have been foreseen, but they are hard to realize (difficult specs, no certification, no compliance) and hard to keep up to date

Use Case

  • All interactions are SP-initiated SSO (an SP list at the IdP does not fit the centralized model that we want to support)
  • Both IdPs and SPs connect to a central federation hub that deals with subscriptions, policies and the different federated IdM protocols and products
  • IdP discovery is resolved by having a list of IdPs displayed at login at all SPs.
  • No fancy protocol features are deployed, only authentication and attribute exchange (the lowest common denominator between all IdM protocols...)


Current State


New Developments

  • Combining A-Select with PingFederate allowed SURFnet to achieve additional standard protocol support in a certified way
  • With only a few modifications, SURFnet was able to configure PingFederate as a federation gateway, or 'federation router', for SAML 2 and ADFS
  • Furthermore, SURFnet was able to make a small extension to A-Select, effectively enabling it to connect with PingFederate using the PFToken IdP/SP interfaces. This integration allowed SURFnet to realize a full-fledged federation gateway speaking all of the required protocols.

New Functional View -- coming December 1


SP initiated SSO steps

  • A-Select is configured as the PingFederate application endpoint for both IdP/SP SSO and SLO
  • In SP-initiated SSO, PingFederate forwards the request to A-Select through the IdP SSO application endpoint
  • A-Select presents a list of IdPs in the SP-initiated SSO scenario
  • The user selects an IdP and, based on the type of that IdP, the request is either handled by A-Select or redirected back to PingFederate at the SP SSO application endpoint with an IdPEntityId parameter

What About PingFederate

  • PingFederate could be positioned as a fully functional standalone federation gateway for SAML 2 and ADFS by embedding the sample code modified by SURFnet
  • Other Ping Identity customers could hook up SAML 2 IdPs and SPs with ADFS IdPs and SPs (and soon Shibboleth IdPs and SPs) through a central gateway by deploying PingFederate out-of-the-box
  • The IdP discovery problem would be addressed in the PingFederate product (by offering the list of IdPs)
Posted by adurand at 8:22 AM in IdM




Wednesday, 24 October 2007

SAML Single Sign-On for Google Apps

Working with Google engineers over the past few days, one of our engineers today validated the use of PingFederate for establishing SAML single sign-on into Google Apps. Using our Integrated Windows Authentication (Windows IWA) integration kit, a user can log into Windows (to Active Directory), open their browser, and immediately gain secure SAML access to their Google email and other applications and documents. Below are the notes from the engineer who validated this interoperability.

======================

Configure an admin account for Google Apps. In the admin account, provide Google with the URL for its SSO service and upload your public key such that Google can verify your SAML responses. That is the only configuration necessary on the Google Apps account.

On the PingFederate side, create a new connection (in our test case, we used the PingFederate IWA adapter) and define the entityID and ACS URL for Google.

Below are the steps that describe how this works:

  1. The user makes a request to reach a Google-hosted application. In this case I was trying to access the Gmail account I had, and the URL for that was http://mail.google.com/a/pingidentity.com.
  2. Google generates a SAML authentication request.
  3. We receive the SAML request and then authenticate the user. Since we are using the IWA adapter, the user already has a valid session.
  4. We generate a SAML response that contains the authenticated user's username and send it to Google's ACS.
  5. Google's ACS verifies the SAML response using our public key and redirects the user to the destination URL.
  6. The user has been redirected to the destination URL and is logged in to Gmail.
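The six steps above, as an added example that is not code from the post, from PingFederate or from Google: it builds the SP's AuthnRequest (step 2), the IdP's Response carrying a bearer assertion (steps 3-4), and runs the relying-party checks Google's ACS has to make before trusting the username (step 5). Assumptions: the entityIDs, ACS URL and username are constructed placeholders, and adding and verifying the XML signature with the uploaded public key is left to a SAML library (the Python standard library cannot do it).

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS, FMT = {"samlp": SAMLP, "saml": SAML}, "%Y-%m-%dT%H:%M:%SZ"
# Constructed partner values; the real Google entityID and ACS URL are not on the page.
IDP_ENTITY_ID = "https://idp.example.com"             # PingFederate (IdP) side
SP_ENTITY_ID = "google.com/a/example.com"             # hypothetical SP entityID
ACS_URL = "https://www.google.com/a/example.com/acs"  # hypothetical ACS URL
def _q(ns, tag): return "{%s}%s" % (ns, tag)
def _parse(s): return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)
def build_authn_request(now):
    """Step 2: the SP's AuthnRequest. Returns (request_id, xml_bytes)."""
    rid = "_" + uuid.uuid4().hex
    req = ET.Element(_q(SAMLP, "AuthnRequest"), {"ID": rid, "Version": "2.0",
          "IssueInstant": now.strftime(FMT), "AssertionConsumerServiceURL": ACS_URL})
    ET.SubElement(req, _q(SAML, "Issuer")).text = SP_ENTITY_ID
    return rid, ET.tostring(req)

def build_response(request_xml, username, now):
    """Steps 3-4: the IdP's Response; the XML signature Google verifies with the uploaded key is assumed added by a SAML library."""
    req = ET.fromstring(request_xml)
    rid, acs = req.get("ID"), req.get("AssertionConsumerServiceURL")
    issued, exp = now.strftime(FMT), (now + timedelta(minutes=5)).strftime(FMT)
    resp = ET.Element(_q(SAMLP, "Response"), {"ID": "_" + uuid.uuid4().hex, "Version": "2.0",
           "IssueInstant": issued, "Destination": acs, "InResponseTo": rid})
    ET.SubElement(resp, _q(SAML, "Issuer")).text = IDP_ENTITY_ID
    a = ET.SubElement(resp, _q(SAML, "Assertion"),
                      {"ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": issued})
    ET.SubElement(a, _q(SAML, "Issuer")).text = IDP_ENTITY_ID
    subj = ET.SubElement(a, _q(SAML, "Subject"))
    ET.SubElement(subj, _q(SAML, "NameID")).text = username
    conf = ET.SubElement(subj, _q(SAML, "SubjectConfirmation"), Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, _q(SAML, "SubjectConfirmationData"),  # ties the bearer assertion to this ACS and request
                  {"Recipient": acs, "InResponseTo": rid, "NotOnOrAfter": exp})
    cond = ET.SubElement(a, _q(SAML, "Conditions"), {"NotBefore": issued, "NotOnOrAfter": exp})
    ET.SubElement(ET.SubElement(cond, _q(SAML, "AudienceRestriction")), _q(SAML, "Audience")).text = SP_ENTITY_ID
    return ET.tostring(resp)

def acs_validate(response_xml, expected_request_id, now):
    """Step 5: checks the ACS makes once the signature verifies. Returns (NameID, None) or (None, reason)."""
    resp = ET.fromstring(response_xml)
    a = resp.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    cond = a.find("saml:Conditions", NS)
    checks = [  # each check closes a distinct replay or redirection hole, so none is optional
        (resp.get("InResponseTo") == expected_request_id, "unsolicited or replayed response"),
        (resp.get("Destination") == ACS_URL, "response not addressed to this ACS"),
        (resp.find("saml:Issuer", NS).text == IDP_ENTITY_ID, "unknown issuer"),
        (scd.get("Recipient") == ACS_URL and scd.get("InResponseTo") == expected_request_id,
         "assertion not confirmed for this request and ACS"),
        (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter")), "outside validity window"),
        (cond.find("saml:AudienceRestriction/saml:Audience", NS).text == SP_ENTITY_ID, "wrong audience"),
    ]
    failed = [why for ok, why in checks if not ok]
    return (None, failed[0]) if failed else (a.find("saml:Subject/saml:NameID", NS).text, None)

def demo():
    """Runs the exchange once; returns (username, replay_reason, expired_reason)."""
    now = datetime(2007, 10, 24, 10, 0, tzinfo=timezone.utc)
    rid, req = build_authn_request(now)
    resp = build_response(req, "alice@example.com", now)
    return (acs_validate(resp, rid, now + timedelta(minutes=1))[0], acs_validate(resp, "_other", now)[1],
            acs_validate(resp, rid, now + timedelta(minutes=10))[1])
```

The replayed and expired cases in `demo()` show why the ACS must check InResponseTo and the validity window and not only the signature.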

Of course, you can try all of this for free: just download PingFederate, get an activation key, select an integration kit, and have at it. Future tech notes and a graphic explaining what we've done will follow.
Posted by adurand at 10:00 AM in IdM




Friday, 19 October 2007

Federated Single SignOn Solutions for Microsoft

Ping Identity has worked closely with Microsoft to fill in the gaps with regard to federated single sign-on in Microsoft environments. Below is a short list of our solution offerings.

SAML Single Sign-On for Active Directory

PingFederate® provides out-of-the-box integration with Active Directory to provide SAML and WS-Federation SSO with AD-derived attributes on both the Identity Provider (IdP) and Service Provider (SP) sides of a federated identity connection. Furthermore, PingFederate can use Active Directory to authenticate users in organizations that do not have full identity management systems.

WS-Federation and ADFS (Active Directory Federation Services)

In addition to SAML, PingFederate natively supports WS-Federation, enabling PingFederate users to federate with users and applications not natively running on Windows.

CardSpace & Information Cards

  1. Ping Identity has partnered with Microsoft to produce an Open Source CardSpace C Library, available at www.codeplex.com/InformationCard. The library enables developers to create applications that can accept Information Cards for single sign-on.
  2. The PingFederate CardSpace Plugin, a new optional authentication add-on,  allows PingFederate to accept both self-issued and managed Information Cards (coming soon!).
  3. Ping Identity’s independent identity service, SignOn.com, leverages emerging identity technologies such as OpenID and Information Cards to help streamline and secure the login and registration process to commonly-used Web sites.
  4. The SourceID Apache Authentication Module for CardSpace, available from www.sourceid.org, allows applications using an Apache server for hosting or proxy to use Information Cards as an additional authentication mechanism.

COM Integration Kit

The PingFederate COM Integration Kit allows ASP applications that have not yet been migrated to ASP.NET to play both IdP and SP roles in SAML and WS-Federation secure Internet single sign-on use cases.

Internet Information Services (IIS) Integration Kit

The PingFederate IIS Integration Kit enables organizations to provide secure Internet single sign-on for employees, customers and business partners to applications running on an Internet Information Services (IIS) application server.

Integrated Windows Authentication (IWA) Integration Kit

The PingFederate IWA Integration Kit leverages the Kerberos ticket generated from a user's authentication to a Windows domain to enable SAML and WS-Federation-based secure Internet single sign-on to applications running in other security domains, both inside and outside the organization.

.NET Integration Kit

The PingFederate .NET Integration Kit enables the integration of .NET applications with PingFederate. Applications that authenticate end users can securely pass their attributes to PingFederate, and applications that require user attributes can securely receive them from PingFederate.

PingFederate Web Services (formerly PingTrust™) is a Security Token Server that extends identity management to Web services. PingFederate Web Services includes libraries for integration with both Java and .NET Web service clients and providers.

Windows NT LAN Manager (NTLM) Integration Kit

The PingFederate NTLM Integration Kit enables a user's authentication to a Windows domain running NTLM to be used to single sign-on into Web applications that are internal or external to the organization.

SharePoint 2003 / 2007 Integration Kit

The PingFederate SharePoint Portal Server Integration Kit enables organizations to provide secure Internet single sign-on for employees, customers and business partners to applications running on SharePoint 2003 and SharePoint 2007 collaboration servers via SAML or WS-Federation.

SQL Server

Thanks to its built-in JDBC interface, PingFederate can obtain identity attributes from custom identity stores implemented on SQL Server running on either the IdP or SP side of a federated identity connection.

Posted by adurand at 1:18 PM in IdM




Rearden Commerce wins with PingFederate

Rearden Commerce was the recipient of the 2007 Liberty Alliance IDDY award at Digital ID World. They were recognized for the speed with which they deployed a SAML-based single sign-on solution based on PingFederate from Ping Identity. Rearden Commerce's initial deployment of PingFederate went live on July 9, 2007, and within one month Rearden Commerce had federated with 15 companies, supporting 10-20 percent of all user sessions. Through PingFederate, the Rearden Commerce platform provides single sign-on capabilities via a wide variety of open industry standards, including the SAML (Security Assertion Markup Language) 1.0, 1.1 and 2.0 protocols and the WS-Federation protocol, enabling corporations to provide secure, seamless access to their employees without any additional user authentication.

I'd love to say that great software alone made this possible, but the reality is, Chuck Mortimore of Rearden Commerce is an exceptionally bright guy, who simply knows how to get things done.

More on Rearden Commerce

Delivered as Software as a Service (SaaS) to more than half a million employees in more than six hundred companies, the Rearden Commerce Personal Assistant leverages federation technology to help users find and purchase the services they need based on their preferences and company policies. Identity federation gives enterprises a standards-based approach to securely link and exchange identity information across partner, supplier and customer organizations. It effectively bridges separate security domains to give companies the ability to secure their cross-boundary interactions -- removing friction, improving productivity, gaining efficiency and enabling competitive differentiation.

Through the use of federation technology, organizations deploying the Rearden Commerce Personal Assistant have been rapidly achieving high levels of user adoption. By making it easy for their employees to find and buy services from preferred providers offering negotiated discounts, organizations typically save 20-30 percent on the services purchased through the system.


Posted by adurand at 12:17 PM in IdM




Tuesday, 16 October 2007

SiteMinder Federated SSO Solutions Webinar

SAML-based Single Sign-On for SiteMinder Applications

SiteMinder is the most widely deployed Web Access Management system on the market. This free Webinar will show how to leverage PingFederate and SAML to extend SiteMinder single sign-on to support both internal and external applications. It will include a live demonstration and Q&A session with a Ping Identity lead developer. PingFederate's support for SiteMinder is used by dozens of Fortune 1000 companies, and offers one of the most cost-effective ways to leverage federated identity.

Topics include:

  • What options do SiteMinder shops have for deploying federated identity?
  • What federation endpoint solutions are available for the partners of SiteMinder users?
  • What alternatives exist to deploying proprietary SSO agents to business partners?
  • What is required to deploy Ping Identity's SiteMinder solutions?

Thursday, Nov. 1, 2007 at 11 AM U.S. EDT (UTC/GMT-4 hours)

REGISTER

Posted by adurand at 9:51 AM in IdM




Open Source C Library for CardSpace Relying Parties

Today we announced the release of an open source CardSpace Relying Party C library implementation. This component helps Web developers create applications that can accept Information Cards for single sign-on. Ping Identity partnered with Microsoft to produce a core C library that can be used generically with any Web site or service. This open source software is available under a BSD license and can be downloaded at http://www.codeplex.com/InformationCard.

“Microsoft was pleased to work with a vendor like Ping Identity who has deep experience with federation and CardSpace technologies. They are providing technologies that deliver on Microsoft’s Open Specification Promise that seeks to build more interoperable identity infrastructure,” stated Vijay Rajagopalan, PM Architect Developer Platform Strategy, Microsoft.

“These releases build on Ping Identity’s CardSpace expertise and market presence. Later this year, we will deliver a PingFederate CardSpace module that adds support for accepting both self-issued and managed Information Cards,” said Andre Durand, CEO, Ping Identity.


Posted by adurand at 9:46 AM in IdM




Monday, 15 October 2007

Internet SSO Seminar -- NYC, November 7

I'll be in NYC on Wednesday, November 7th giving a short seminar on how to implement secure Internet SSO in 30 days or less. Details follow.


Posted by adurand at 4:58 PM in IdM




Thursday, 11 October 2007

Whitepaper: Federation Server vs. Open Source Toolkit

To give companies new to Secure Internet Single Sign-on (SSO) a better picture of the differences between a Standalone Server and Open Source Toolkit options, Ping Identity conducted a qualitative study of both implementation approaches. This paper introduces typical implementation steps, timelines, and a set of associated assumptions. The results are normalized against two federation scenarios: a "first federation" consisting of a single partner connection and a "federation at scale" scenario consisting of the deployment of ten partner connections.

Key Findings

  • "Zero cost" toolkits often require significant expenditures in maintenance, administration, documentation, and incremental coding.
  • Toolkits provide raw SAML object code for a limited set of profiles.
  • Full implementations still require development of application integration, clustering, attribute look-up, and security processing functions.
  • The large, complex, incremental coding effort greatly increases the attack surface and security risks of the toolkit approach.

At scale, a standalone federation server can make total implementation 5x faster than a toolkit approach.

Download Whitepaper

Posted by adurand at 11:22 AM in IdM




Wednesday, 10 October 2007

SignOn.com Enhancements

We have added a couple of new features to SignOn.com. Your comments/suggestions are always welcome.

  • Support for SeatBelt
    SeatBelt is a Firefox plug-in by Verisign. It assists you while logging in to OpenID RP sites. You can find more information as well as download it from here:
    In a nutshell, it allows for the following:
    - One click to get to your IdP.
    - A status indicator showing whether you are currently logged in to your IdP.
    - A convenient way to switch OpenID providers.
    - OpenID form-fill at the OpenID RP. If you are not logged in to your IdP, it challenges for authentication. If you already have a browser session with your IdP (e.g. SignOn.com), it does the form-fill at the RP.
  • Support for OpenID Provider Authentication Policy Extension (PAPE)
    PAPE is an OpenID extension that allows the RP to specify an authentication policy, and allows the IdP to inform the RP what authentication policy was used. It’s similar to the concept of AuthnContext in SAML. Since SignOn.com supports multiple means of authentication (username/password and Information Cards), we update the OpenID response accordingly. There aren’t many RPs today that leverage this feature, but that should be changing soon. You can find more information on PAPE here.
  • About Me
    This is one of the features most requested by our users. The ‘About’ page allows you to share your information with the world. Consider it the digital equivalent of your business card. Once logged in to SignOn.com, you can fill in your information in the ‘My Profile’ section and click the publish image to publish it and share it with the world. As an example, check out http://ashish.signon.com.
Posted by adurand at 4:31 PM in IdM




Thursday, 4 October 2007

Open House at Ping Identity - Thursday, October 11, 2007

Posted by adurand at 11:13 AM in IdM




DynoFed Technology - only from Ping

We held our semi-annual technical summit in Boston this week. This is an event at which all of our solutions architects gather for a two-day brain-dump on everything happening in customer accounts around the country, and to hear from our engineers and project managers about all of the great stuff coming in PingFederate 5.0.

During the summit, we discussed dynamic federation, a game-changing new set of features coming from Ping to completely streamline how to perform single sign-on with partners. Just for fun, one of the guys produced the following image. 


Posted by adurand at 9:53 AM in IdM




Tuesday, 2 October 2007

Ping Innovation Day

We held our first innovation day two weeks ago. This is something Bill and I have been talking about for several months, so I was quite excited to finally kick it off. One of the challenges of serving the enterprise market is how to balance innovation against the backlog of enterprise requirements that inevitably comes your way. This program will, for the first time, allow our engineers to step outside of the constraints of marketing and the customer backlog and work directly on those things they think will move the needle the most. With some success, we hope to expand upon this program.


Posted by adurand at 12:24 PM in IdM




Family Day at Ping

Last Friday we invited all of the Ping children into the office for lunch with mom or dad. We moved the couches and set up banquet tables near the windows. The children had a ton of fun, and each got a surprise gift basket, as well as a chance to see where their parents worked during the day. We're still cleaning up the spaghetti. Thanks to Mark Hotchkiss for the photos!


Posted by adurand at 11:57 AM in IdM




Forget 30 Days. Federate in 30 Minutes!

We typically check up with people who have downloaded PingFederate a day or so after the download, just to see how they're doing. We received the following response this morning from one such individual, when asked if he needed help getting PingFederate integrated and operational. To be fair, installing and integrating PingFederate is only the first step in federating with partners, but when the installation could take days, weeks or even months with toolkits or stack vendor software, this is quite an accomplishment. 

"It took me less than 30 minutes to get it going." -- PingFederate Downloader

Posted by adurand at 7:17 AM in IdM