Ping Identity Blog

Worried about Orphaned Accounts, Cost Cutting or M&A Integration?

2008-10-10T14:16:41-06:00

Federation to the Rescue!

I received a great email from John Haggard today, former co-founder of Vasco, and a 20 year veteran of the SSO industry. [Disclosure: John is a Ping Identity adviser]. His experience was too good to not share.

I lived through the 80's as a vendor when things got very tough. The security market grew, not diminished. When hard times hit, and companies are downsized, there are a lot of disgruntled employees, and that's a security risk, especially if automation of de-provisioning isn't in place. I think that will hold true this time as well. When companies go into survival mode, the one thing they are not worried about is anything having to do with "improving." Companies have a completely different mindset and things become a whole different playing field.
In the case of Ping, layoffs in organizations will trigger the de-provisioning issues. The FI consolidations will really hit the issues facing consumers - gluing/mapping together existing accounts. What really hit home for SKK was ACF2 required 1 admin per 800 users. RACF from IBM was 1 admin per 100 users (independently verified). When hiring freezes hit along with layoffs, the remaining security folks become frantic for administrative elimination.
What really concerns me this time around is the huge amount of numbers of accounts that are left vulnerable as everyone is in general panic. In the 80's, a small single digit percentage of all employee's had electronic identities. Now I'm sure the number is well over 100% if you count the duplicate accounts per person. And this doesn't even account for the exponential factor that shows up in "federated" systems (partners, consumers, etc.). Accountability will be the catch phrase so anything that supports accountability (single auth event and auditing the SSO steps) will be bankable. -- John Haggard

NEW Siteminder Integration Kit for PingFederate & SAML

2008-10-10T10:39:27-06:00

The Siteminder Integration Kit v2.3 is now available for immediate download from the Ping Identity Website.

New Features:

· Added support for realm protection level. If the user is not authorized for the realm protection level, the SiteMinder Adapter redirects to the Login URL for re-authentication.
· Modified implementation to correctly recognize a null or blank Max Timeout SMSESSION value on the Policy Server.
· Added support for setting SMSESSION token to the value LOGGEDOFF for SP-initiated Single Logout (SLO) instead of expiring the token.

The "CEO" Call

2008-10-01T15:40:13-06:00

I've spoken to a number of people lately about the importance of quality from the outset. How quality is more than just a bias, and how seemingly harmless compromises to quality come back to haunt you and your enterprise in unsuspecting ways -- often with interest.

Truth is it takes backbone to say "no", yet that little word, spoken at the right time, is sometimes all that stands between a smooth running company, and one that seems to struggle with the consequences of their decisions. Do this wrong, and it's inevitable you'll be getting the 'CEO' call from an unhappy customer. I've been fortunate here at Ping, in six years and 260 customers, I've not received that call. I think it's inevitable that someday I'll get it, and when I do, I'll blame myself, because it will likely be something I did, or allowed to happen, that triggered the call, even if it's now 50 steps removed.

I can talk about this, because I've made this exact mistake before. I've bowed to the pressure of a prospect asking for a feature that I wasn't sure I could deliver, only to have to deal with the issue later. These things can be a death spiral if you're not careful. While you might not realize it, or want to realize it, there's a very direct cause and effect beginning with your commitment to quality and how you set expectations. I've been fortunate here at Ping to have people that know how to say no, and know when to call out the fact that we are promising more than we can guarantee, and people who care about our reputation at ALL the times. These people have allowed Ping to enjoy tremendous success, with very little disruption to our growth. Not all my experiences have been this delightful.

Take this scenario as case in point:

It's a tight quarter, and you're not sure you're going to make your numbers

You've got a potential deal which could save you (on paper) in the near term, but you've got to promise a delivery schedule that you haven't thoroughly vetted, and you know you most likely won't make

Some companies would sign the deal, save the near-term embarrassment, and deal with the ramifications later. Others wouldn't take the deal, and would instead take the medicine early. Which company are you?

If you take the deal, and deliver a product that's either late, lacking a promised feature, or lacking in quality, the impact to your organization will be significantly higher than if you had just not done the deal to begin with.

First, your support lines light up, and your support engineers get hammered. This impacts their morale, the morale of those around them, and spills over into engineering, as support seeks answers.

Now your engineering team, taken off point for the current release, must change their schedule to accommodate the fire-drill. This is not only bad for them, and bad for your current release, but it's bad for your prospects, who are now being made promises around your next release -- see how the cycle perpetuates and gets worse?

Your sales team's integrity now is hit, because they are the ones that put their word on the line, promising something that wasn't ultimately delivered, so now they feel guilty. How do you think they are going to approach that same customer later at renewal time? Do you think they are going to discount perhaps, trying to make up for broken promises? Costing the company even more money down the road?

And what about the executive team? Have they been pulled into the conversation too, taking them off of execution of the current objectives?

In the end, there is always a much higher price to pay for a lack of integrity up-front, and it's very hard to build a quality organization if you are unable to make tough decisions along the way. My VP of Engineering has a statement which captures this, "Go honest early." Wisdom.

SSO to Google Apps & Salesforce - Video Introduction

2008-09-26T13:03:50-06:00

Our very own Mike Donaldson provides this great 3 minute video overview of how to use PingFederate for SAML SSO into Google Apps or Salesforce. - SSO for Salesforce - SSO for Google

The Freedom to Choose

2008-09-22T11:00:04-06:00

Choice anyone?

Quite frankly, when I'm on the road, my food choices stink. It would be one thing if I had a choice, but often times I don't.

90% of what I'm presented as a "choice" is fast food. Yea I get it, it's fast, it's cheap and it scales, but at what cost to my health? Some fast food joints are trying to do their part, by offering up healthy choices on their menu, but often times, the paying public doesn't buy, confirming again why we have such a dismal choice.

With fewer exceptions than I would like, the average American doesn't reward quality food either. I know, this could be a gross over-generalization, but who am I to argue with the statistics on health and weight in the US?

It's not the same in Europe. Sure, they have fast food, but they also have a vibrant family operated restaurant community. Customers seek these venues out, and reward them with their checkbooks.

So what's this got to do with identity?

Well, simply put, maintaining choice is a choice. You simply cannot take the availability of choice for granted. You have to work for it.

Along those lines, I've noticed a tension (and awareness) within big enterprise recently, and it has everything to do with choice.

To understand the what's going on, you have to understand the players. Essentially, two conflicting agenda's are squaring off. On the one hand, you have IT. When making a purchasing decision, IT typically gravitates towards the best solution. This is the solution that installs quickly, works as promised and lowers their overall risk of failure. Purchasing on the other hand has a different agenda. They like choice too. They like to pit Choice A against Choice B when it comes to price. But, generally speaking, purchasing gives less consideration to the (often hidden) ancillary costs and ramifications of a poor selection. In many cases, purchasing is rewarded differently too, and there is clearly a disconnect as to how the two groups bonuses are calculated and on what.

Accounting for the hidden costs

In IT, more often than not, the real cost isn't from licensing technology. The real costs come from implementing, customizing and operating that technology over a sustained period of time. A 'total' cost to the organization would, if evaluated consistently, move to align IT's recommendations and purchasing, but in my observations, things are rarely that coordinated. Many times, I observe that purchasing would rather keep things simple and the number of vendor relationships they have limited. It makes their job easier, and if they buy more, they get bigger discounts.

Changing times?

So here's where I've noticed the pendulum is swinging away from a bias towards concentrated purchasing from a few large vendors and back again towards more vendor choice and best of breed solutions. Why is this happening? I believe there is an awareness by many enterprises that they do not want all their eggs in a single basket, and they are more than willing to support choice, where they have the option. Add to that the fact that they are being presented with vastly superior offerings by best of breed independent players in certain categories, and having been burned by the dismal landscape of choice over the past 5 years, they are willing to now consider going with the independent player.

Choosing Choice

So here is where some of my recent experiences support what I'm calling as a conscious effort by enterprises to maintain choice. In the past three months, Ping has been asked to participate in a number of executive level meetings. Unlike a year ago, we're being introduced several levels up from where we've normally engaged with enterprises. We're now meeting the boss, the bosses boss and the bosses, bosses, boss.

To me, this says two things. 1. federation is becoming strategic and 2. companies are realizing that they have a new partner in Ping, and they want to look us in the eye.

Many have explicitly stated that they want an independent providing federation technology.

It's a good time to be Ping.

X.509 (SmartCard) Integration Kit for PingFederate

2008-09-19T12:59:14-06:00

We recently completed an X.509 Integration Kit to allow for Certificate based authentication to PingFederate. The kit will be available for download shortly.

The PingFederate X.509 Certificate IdP Integration Kit provides an Identity Provider (IdP) Adapter for PingFederate. This Adapter allows a PingFederate IdP server to perform client X.509 certificate authentication for single sign-on (SSO) to Service Provider (SP) applications.

The X.509 Certificate IdP Adapter uses the PingFederate security infrastructure for certificate validation and management. PingFederate validates the trust of all certificates. A certificate is trusted if the root certificate of the issuing Certificate Authority (CA) is imported into the PingFederate trusted certificate store.

What he said

2008-09-19T11:47:04-06:00

Jeff Bohren responded to my recent post on centralized versus distributed projects.

So Federation (loose coupling) is always the best way to go, right?
No. It’s often the best way to go but there are many times that tight coupling simply must be done. Often that means using a provisioning system and a means of synchronizing accounts (IBM TIM, Sun SIM, MS ILM, etc). Sometimes that means configuring your systems to centralize the identity (Quest Vintella, Centrify, etc).
And here is where I will let you in on the dirty little secret of provisioning. It’s really all about deprovisioning. Typically enterprises don’t care if it takes weeks for you to get access to all of the resources you need to do your job. They care in the abstract (usually), but not enough to actually do anything about it. But the minute your employment is ended, your access to all your enterprise resources needs to be turned off.
And for that you need centralization of some sort.

Jeff, you're right. There is no 'one approach' that fits all. Both centralized and federated approaches have their pros and cons, depending on the situation. Most of life happens somewhere between black and white. I've just come to appreciate how to succeed in small increments, and this lesson isn't limited to IdM projects.

Palin's Hacked Email

2008-09-18T14:54:44-06:00

I just read an article about Palin's Yahoo email account being hacked, and the contents posted to the net.

"Details of the break-in, if authentic, are consistent with speculation by computer security experts who said Yahoo's "forgot-my-password" service almost certainly was exploited.

The mechanism allows customers to retrieve or change their password if they can verify their identity by confirming personal information such as birthdate, zip code and the answer to a "secret question," such as a childhood pet's name or school mascot. Palin's hacker was challenged to guess where Alaska's governor met her husband, Todd. Palin herself had recounted in her speech at the Republican National Convention that the pair began dating two decades ago in high school in Wasilla, a town near Anchorage.

Politics and party lines aside, the intersection of what has been traditionally thought of as 'low risk' accounts (e.g. personal email), privacy and even security are about to all collide. Ashish Jain had a good post on this some time back. He discussed the inherent weakness with using facts (readily available, some even by search engines) for KBA rather than things like opinions or preferences for example.

Hacked personal email accounts can expose a number of other security weaknesses related to password-only security, especially since email accounts are often used as part of the password reset process.

It's inevitable (and healthy IMO) that these sorts of events drive the adoption of stronger forms of authentication over the Internet. Federation will only increase the need to protect the front-door better.

One Important Difference between Federation & Internal IdM Projects

2008-09-18T09:53:07-06:00

We've met with a lot of companies recently who have now decided to ramp their federation efforts. They've mostly tinkered for the past 2 years, but they are now planning to really turn the crank.

What's interesting about our conversations is that invariably, they talk about one or more of their internal provisioning, IdM or WAM projects that is basically not meeting their expectations. What I find interesting about this is that federation deployments, by their very distributed nature, are taking an entirely different approach. Most if not all centralization projects are large, costly, complex and long. This makes them inherently more risky, and introduces higher and higher probabilities of failure at one or more levels.

On the contrary, federation has never over-sold it's promise. We (Ping and our customers) experience success one-connection at a time.

Even though Ping now offers "federated provisioning" in PingFederate 5.2 to Salesforce and Google Email (& Apps), don't somehow put PingFederate into the 'provisioning' bucket. We don't promise the world. We promise to automate provisioning and federated identity life-cycle to 2 SaaS applications (more coming of course, but the number will be measured in dozens, not hundreds or thousands). We're happy to succeed, one connection at a time.

PingFederate 5.2 - Able to leap tall buildings in a single bound

2008-09-09T09:26:44-06:00

We released PingFederate 5.2 this morning. Don’t be fooled by the “.2”. This is big release, so I felt compelled to emphasize.

Essentially, this release completes the integrated of the advanced provisioning and de-provisioning features we acquired from Sxip Identity for Salesforce.com and Google Apps. And marks the beginning of a whole new direction for PingFederate, namely, account lifecycle management for Enterprises looking to better secure and integrate with SaaS vendors.

We already have most of the top 100 SaaS vendors using PingFederate for Internet SSO. Now, beginning with this release, which focuses on Salesforce and Google initially, we have the foundation to provide similar provisioning services for other SaaS vendors.

For enterprises this is a big deal, as we essentially extend their pre-existing identity management activities in Active Directory (or other directory services) to now include complete identity lifecycle management and SSO to Salesforce and Google (with more SaaS vendors on their way).

Here’s the ‘official’ stuff....

Ping Identity Simplifies Secure Internet Single Sign-On for Software as a service Users PingFederate 5.2 Automates Account Provisioning & De-Provisioning for Salesforce and Google Apps Denver, Colo. – SEPT 9, 2008 – Ping Identity® today announced it has released PingFederate 5.2, the most complete Internet single sign-on software solution for SaaS users and SaaS vendors. Downloadable now at www.pingidentity.com, PingFederate 5.2 incorporates key technologies from Ping Identity’s recent acquisition of Sxip Access to offer automated provisioning and de-provisioning, as well as advanced user access methods – critical components for effective SSO to Salesforce and Google Apps™.

According to Gartner, Inc., "Software as a service is forecast to have a compound annual growth rate of 17-percent through 2011 for small-and-midsize-business CRM, ERP and SCM software markets, more than double the growth rate for total enterprise application software as a whole.”*

“Along with the efficiencies they provide, SaaS applications can present some unique challenges to IT,” said Ping Identity CEO Andre Durand. “Because most SaaS applications have their own user directories, IT administrators may be manually adding, updating and deleting hundreds or thousands of user accounts. Ping Identity has responded with the only SaaS SSO solution that’s up and running in days, and includes automatic provisioning to eliminate that extra work.”

PingFederate 5.2 builds on proprietary Salesforce and Google Apps APIs to deliver automated SaaS provisioning. It works with Microsoft’s Active Directory, or any existing user directory and authentication mechanism the company already uses for its own applications.

“PingFederate 5.2 makes it easier for users to securely access Google Apps for communication and collaboration, while streamlining administrative requirements and easily scaling as companies grow," said Scott McMullan, Google Apps Partner Lead.

In addition to automated provisioning, PingFederate 5.2 introduces new SaaS Connectors for Salesforce and Google. These new modules further expedite deployment of PingFederate for these SaaS applications by including Quick Connection templates that simplify and streamline configuration by pre-populating connection settings, user/account provisioning parameters and SSO endpoint parameters.

Specific to Salesforce, with PingFederate 5.2, Ping Identity has expanded its list of supported Salesforce access methods to include desktop and mobile browsers, remote users, Salesforce Connect for Microsoft Outlook and emailed report URLs.

New PingFederate Coming

2008-09-04T15:23:02-06:00

Next week at Digital ID World we'll announce a new version of PingFederate. As with all of our announcements, it will be available for immediate download.

This is a really significant release, as it effectively takes the meaning of federated identity in a whole new direction. We're finally moving beyond simple federated single sign-on.

You'll also not want to miss Patrick Harding and Ashish Jain, both whom are speaking at DIDW.

Ping Globe Trotters

2008-08-08T11:39:38-06:00

PingIdentians are spreading out all over the globe.

Jackson Shaw review of the SSO Summit

2008-08-08T09:06:35-06:00

Jackson Shaw of Quest Software literally climbed mountains to attend the SSO Summit in Keystone this year. He does a nice job with a review of the event on his blog. Participation by companies such as Quest Software, and their customers is critical to the success of any industry event, so I really appreciate both his participation and his kind words.

I especially appreciated these comments.

"All of the presentations on Day 2 were awesome and I must say I especially liked the customer presentations and the fact there were a lot of customers presenting. To me, this makes it all worthwhile.

and

"p.s. I'll be back next year!"

Time's fun when you're having flies

2008-08-06T21:48:42-06:00

It's been 6 years since Ping Identity was started with my old friends, Bryan Field-Elliot, Eric Norlin (now Defrag) and an investment from Phil Becker. I just discovered this photo tonight. I didn't even remember it existed. Gosh I look young here. The photo is of the first $100k that started Ping Identity. A lot of water, coffee, sweat, tears and good times have since passed under this bridge.

Mr. X Kudo's for Ping Support

2008-08-06T11:07:34-06:00

I've received a number of unsolicited customer kudo's recently. In my experience, people are quick to call out the mistakes, but rarely if ever go out of their way to tell you your doing something right. Which makes the below email that much more special. I've changed the gentleman's name and company to avoid needing corporate approval to reproduce the email.

-------

My name is and I am part of the Global IT Security team at . I wanted to write and let you know about the outstanding service provided to us recently by Mark in your support group.

We are currently working on a project to enable SSO between and a partner that is hosting a web application for us. Some technical issues were encountered in trying to get the authentication via SAML to work correctly, and we were up against a deadline to start UAT testing for the implementation. Dealing the technical staff from the web application provider was very difficult. They seemed to be over their heads in trying to make things work and were withdrawing into a very defensive posture as the troubleshooting progressed and signs were pointing to an issue on their end. It was a difficult situation.

However, I wanted to let you know what a great job Mark did for us. He was very helpful in providing troubleshooting assistance while we were trying to determine what the issues were. He was a wealth of knowledge for us, not only in dealing with the PingFederate product and our implementation, but also regarding SAML in general. Even as it was clear that the problem was on the web application provider's end, Mark still made himself available to us for whatever we needed. It was frustrating for all of us (including Mark), but he did a great job supporting us.

Many vendors would have walked away from the issue once it was clear that the problem lay elsewhere. Mark did not. He knew that we needed help, and he did all that he could to help us lead the application vendor where they needed to go to get things working. He went above and beyond for , and I greatly appreciate his efforts. I just wanted to make sure that you were aware of the outstanding service that he has provided to us.

Regards, 

Mr X., CISSP, CISA
Associate Director, Global IT Security