Workshop: Advanced Federation Use-Cases with PingFederate

Craig Wu - Director, Product Development
Peter Motykowski - Senior Engineer/Developer

Upload: craig-wu

Post on 15-Jan-2015


DESCRIPTION

Cloud Identity Summit 2012 Workshop

TRANSCRIPT

Page 1: Workshop: Advanced Federation Use-Cases with PingFederate

Workshop: Advanced Federation Use-Cases with PingFederate

Craig Wu - Director, Product Development

Peter Motykowski - Senior Engineer/Developer

Page 2: Workshop: Advanced Federation Use-Cases with PingFederate

Copyright © 2011. Cloud Identity Summit. All Rights Reserved.

Agenda

• Introductions

• New Features Overview
  – OAuth
  – Adaptive Federation
  – PingFederate 6.7 and beyond

Page 3: Workshop: Advanced Federation Use-Cases with PingFederate

Agenda

• Demos
  – OAuth Authorization Code Flow
  – Adaptive Federation Use Cases
    • Adapter Selectors
    • Composite Adapter
    • Multiple IdP data stores

Page 4: Workshop: Advanced Federation Use-Cases with PingFederate

Agenda

• Extending PingFederate
  – Developing Plugins

• PingFederate SDK
  – Building a custom adapter selector

Page 5: Workshop: Advanced Federation Use-Cases with PingFederate

INTRODUCTIONS

Who are these guys?

Page 6: Workshop: Advanced Federation Use-Cases with PingFederate

Craig Wu

• Director, Product Development
• Been with Ping Identity since Feb 2007
• Started with Integration Kits
• PF STS integration
• PingFederate Fall 2009 – PF 6.2

Page 7: Workshop: Advanced Federation Use-Cases with PingFederate

Peter Motykowski

• Senior Engineer/Developer
• Been with Ping Identity since May 2007
• Started with PingLabs
• PF STS Integration, Adapter Selectors, OAuth

Page 8: Workshop: Advanced Federation Use-Cases with PingFederate

PingFederate Engineering Team

Denver, CO - Vancouver, BC - Moscow, Russia - Dublin, Ireland

Page 9: Workshop: Advanced Federation Use-Cases with PingFederate

OAUTH

PingFederate 6.5

Page 10: Workshop: Advanced Federation Use-Cases with PingFederate

OAuth - Drivers

Page 11: Workshop: Advanced Federation Use-Cases with PingFederate

OAuth - Securing APIs

• Simple and Standard
  – Exchange user credentials for tokens
  – Present token for access
• Scopes to limit access
• Easily revoke access
• Browser, mobile and desktop clients
• PingFederate Authorization Server
  – User authenticates with AS
  – Leverage existing PF authentication

Page 12: Workshop: Advanced Federation Use-Cases with PingFederate

OAuth Demo

Demo Overview

• Payment Gateway with REST API secured using OAuth 2.0 (Resource Server)

• Users authenticate to the PF Authorization Server, then approve issuance of an OAuth token (Client)

• Tunes Partner application can request:
  • One-time Payments
  • Perpetual Payments

• Initiated via Web or Native Mobile Application partner OAuth clients

Page 13: Workshop: Advanced Federation Use-Cases with PingFederate

Web One Time / Initial Payments

Page 14: Workshop: Advanced Federation Use-Cases with PingFederate

ADAPTIVE FEDERATION

PingFederate 6.6

Page 15: Workshop: Advanced Federation Use-Cases with PingFederate

PingFederate Adaptive Federation (SAML)

1. Define rules for directing a user to an authentication method
   Examples:
   • If user is from a specific IP
   • If user is from outside the firewall
   • If app requires a specific type of authentication

2. Create a “chain” of authentication adapters
   Examples:
   • Consumer - Facebook AND One Time Password
   • Remote User - LDAP AND RSA SecurID

3. Gather identity attributes from multiple sources, allowing for smart attribute retrieval and reducing the need for deploying a virtual directory
   Example: Fulfill attribute contract with LDAP and RDBMS data sources

Page 16: Workshop: Advanced Federation Use-Cases with PingFederate

Adapter Selectors

• Administrators create authentication rules using adapter selectors

• Authentication Rules are evaluated during SSO transaction

• The result values are mapped to specific adapters to be used for authentication

• Executed in ordered sequence

• Bundled 6.6 selectors
  – CIDR
  – SAML AuthN Context

• Custom Selector SDK

Page 17: Workshop: Advanced Federation Use-Cases with PingFederate

CIDR Adapter Selector

Page 18: Workshop: Advanced Federation Use-Cases with PingFederate

SAML AuthN Context Adapter Selector

Page 19: Workshop: Advanced Federation Use-Cases with PingFederate

Adapter Chaining via Composite Adapter

• Administrators chain adapters to execute in ordered sequence

• Composite adapter instance treated as single adapter instance

• Required policy creates multi-factor authentication

• Sufficient policy supports OR condition

• Authentication context weight and override
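The Required/Sufficient policies and the weighted authentication context described on this slide, as an added model written for this page (not PingFederate's own code): each chained adapter is a constructed record, and `authenticate(instance_id)` is an assumed stand-in for running a real adapter.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed model of a PingFederate composite adapter (not Ping Identity's code):
# chained adapters run in order under a REQUIRED (AND) or SUFFICIENT (OR) policy,
# and the chain's authentication context is the highest-weight successful
# adapter's context unless an explicit override is configured.

@dataclass
class ChainedAdapter:
    instance_id: str
    authn_context: str      # e.g. a SAML AuthnContext class reference
    weight: int             # higher weight = stronger context
    policy: str             # "REQUIRED" or "SUFFICIENT"

@dataclass
class Outcome:
    success: bool
    authn_context: Optional[str]
    adapters_used: List[str]

def run_composite(chain: List[ChainedAdapter], authenticate: Callable[[str], bool],
                  context_override: Optional[str] = None) -> Outcome:
    """`authenticate(instance_id)` runs one adapter and reports success; the composite
    instance is treated by the SSO flow as a single adapter with one outcome."""
    used, passed = [], []
    for adapter in chain:
        used.append(adapter.instance_id)
        if authenticate(adapter.instance_id):
            passed.append(adapter)
            if adapter.policy == "SUFFICIENT":
                break                                   # OR: one success is enough
        elif adapter.policy == "REQUIRED":
            return Outcome(False, None, used)           # AND: any failure fails the chain
    if not passed:
        return Outcome(False, None, used)               # every SUFFICIENT adapter failed
    strongest = max(passed, key=lambda a: a.weight)
    return Outcome(True, context_override or strongest.authn_context, used)

PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
TOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"

# Constructed chains: "Remote User - LDAP AND RSA SecurID" (multi-factor) and an
# IWA-or-HTML-form fallback chain (either adapter is sufficient on its own).
MFA_CHAIN = [ChainedAdapter("LDAP", PASSWORD, 1, "REQUIRED"),
             ChainedAdapter("SecurID", TOKEN, 3, "REQUIRED")]
FALLBACK_CHAIN = [ChainedAdapter("IWA", KERBEROS, 2, "SUFFICIENT"),
                  ChainedAdapter("HTMLForm", PASSWORD, 1, "SUFFICIENT")]
```

Note that a failed REQUIRED adapter stops the chain immediately, so a SecurID failure after a good LDAP password still yields no context at all rather than a weaker one.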

Page 20: Workshop: Advanced Federation Use-Cases with PingFederate

Composite Adapter

Page 21: Workshop: Advanced Federation Use-Cases with PingFederate

Multiple Datastore Attribute Lookup

• Connect to multiple directories and databases

• Pull attributes from any number and combination of data sources

• Fulfill complex attribute requirements

• Benefits
  – Easily aggregate identity attributes from multiple data sources
  – Reduce need for:
    • Virtual Directories
    • Custom Data Sources

Page 22: Workshop: Advanced Federation Use-Cases with PingFederate

IdP Multiple Datastore Lookup

• SP Connection Attribute Contract Fulfillment
  – Browser SSO
  – WS-Trust
  – Adapter to Adapter
  – Attribute Query

• Use return values from one data store as filter criteria for a subsequent data store query

Page 23: Workshop: Advanced Federation Use-Cases with PingFederate

LDAP Adapter Replacement

• HTML Form Adapter
  – Session Management
    • Global
    • Per Adapter
    • None
  – Per instance form template

• HTTP Basic Adapter

• Password Credential Validators
  – Simple Username
  – LDAP Username
  – Can have multiple PCV instances per adapter

Page 24: Workshop: Advanced Federation Use-Cases with PingFederate

HTML Form Adapter

Page 25: Workshop: Advanced Federation Use-Cases with PingFederate

HTTP Basic Adapter

Page 26: Workshop: Advanced Federation Use-Cases with PingFederate

Adaptive Federation Demo

Page 27: Workshop: Advanced Federation Use-Cases with PingFederate

Monitoring Splunk App for PingFederate

• Supports PF 6.3 and above
  – Based on audit log
  – Enable Splunk log4j appender

• SSO transaction and system report
  – current transactions
  – system health
  – system errors

• Service Reports
  – daily usage report
  – SP/IdP provider reports per connection

• Trend Reports
  – weekly/monthly usage report
  – trend analysis

Page 28: Workshop: Advanced Federation Use-Cases with PingFederate

Splunk App for PingFederate

Page 29: Workshop: Advanced Federation Use-Cases with PingFederate

Free on SplunkBase

http://splunk-base.splunk.com/apps/Splunk+App+for+PingFederate

Page 30: Workshop: Advanced Federation Use-Cases with PingFederate

PINGFEDERATE FUTURES

PingFederate 6.7 and beyond

Page 31: Workshop: Advanced Federation Use-Cases with PingFederate

PingFederate 2012 Releases

• Two month releases
  – RTM (Release to Marketing)
  – Fully qualified and documented
  – Upgrade Utility

• Marketing determines GA

Page 32: Workshop: Advanced Federation Use-Cases with PingFederate

PingFederate 6.7 - RTM Feb 24, 2012

• Admin Console Optimizations
  – Large number of connections
  – Large number of adapters

• Splunk App for PingFederate

Page 33: Workshop: Advanced Federation Use-Cases with PingFederate

PingFederate 6.8 – RTM April 27, 2012

• Centralized configuration for AD Domains/Kerberos Realms
  – IWA 3.0 Adapter
  – Kerberos Token Translator 2.0

• OAuth Client Management API
  – REST API for CRUD operations

Page 34: Workshop: Advanced Federation Use-Cases with PingFederate

Centralized AD Domain Configuration

Page 35: Workshop: Advanced Federation Use-Cases with PingFederate

IWA Adapter 3.0

Page 36: Workshop: Advanced Federation Use-Cases with PingFederate

PingFederate 6.9 – RTM June 29, 2012

• Microsoft Office 365 Interoperability
• Upgrade Jetty
• Remove JBoss

Page 37: Workshop: Advanced Federation Use-Cases with PingFederate

EXTENDING PINGFEDERATE

PingFederate Software Development Kit (SDK)

Page 38: Workshop: Advanced Federation Use-Cases with PingFederate

PingFederate Plugins

• Adapters
• Token Translators
• Custom Data Sources
• Adapter Selectors
• Password Credential Validators

Page 39: Workshop: Advanced Federation Use-Cases with PingFederate

Custom Adapter Selector

• HTTP Header Adapter Selector

Page 40: Workshop: Advanced Federation Use-Cases with PingFederate

Adapter Selector API Overview

Methods that must be implemented for the com.pingidentity.sdk.AdapterSelector interface:

PluginDescriptor getPluginDescriptor();

void configure(Configuration configuration);

AdapterSelectorContext selectContext(HttpServletRequest req, HttpServletResponse resp, Map<String, String> mappedAdapterIdsNames, Map<String, Object> extraParameters, String resumePath);

void callback(HttpServletRequest req, HttpServletResponse resp, Map authnIdentifiers, String adapterInstanceId, AdapterSelectorContext adapterSelectorContext);
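The selector semantics from the Adapter Selectors slide (ordered evaluation, result values mapped to adapter instances, bundled CIDR selector) together with the custom HTTP Header Adapter Selector, as an added model written for this page rather than PingFederate SDK code: `selectContext` is reduced to a `select()` that returns a result value, the adapter instance names and networks are constructed, and the header selector is assumed to honour the header only from a trusted reverse proxy, since anything else lets a client pick its own authentication adapter.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of PingFederate adapter selectors (not Ping Identity's SDK code):
# selectors run in order, each returns a result value (or None), and result values
# are mapped to the adapter instance that will authenticate the user.
@dataclass
class Request:
    client_ip: str
    headers: dict = field(default_factory=dict)

class CidrSelector:
    """Like the bundled CIDR selector: result value is the first matching network's name."""
    def __init__(self, networks):                  # {"corp-lan": "10.0.0.0/8", ...}
        self.networks = {n: ipaddress.ip_network(c) for n, c in networks.items()}
    def select(self, req):
        ip = ipaddress.ip_address(req.client_ip)
        return next((n for n, net in self.networks.items() if ip in net), None)

class HttpHeaderSelector:
    """Custom selector: result value is a request header, honoured only when the
    request came through a trusted proxy that sets/overwrites that header."""
    def __init__(self, header, trusted_proxies):
        self.header = header.lower()
        self.trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    def select(self, req):
        ip = ipaddress.ip_address(req.client_ip)
        if not any(ip in net for net in self.trusted):
            return None                            # header could be client-supplied
        value = {k.lower(): v for k, v in req.headers.items()}.get(self.header)
        return value.strip().lower() if value else None

@dataclass
class SelectorRule:
    selector: object
    adapter_by_result: dict                        # result value -> adapter instance id

def choose_adapter(rules, req, default_adapter):
    """Evaluate rules in order; the first result value mapped to an adapter wins."""
    for rule in rules:
        result = rule.selector.select(req)
        if result is not None and result in rule.adapter_by_result:
            return rule.adapter_by_result[result]
    return default_adapter

# Constructed rule set: corporate LAN -> IWA; devices flagged "mobile" by the
# reverse proxy at 192.168.1.0/24 -> OTP; everyone else -> the default HTML form.
RULES = [
    SelectorRule(CidrSelector({"corp-lan": "10.0.0.0/8"}), {"corp-lan": "IWAAdapter"}),
    SelectorRule(HttpHeaderSelector("X-Device-Class", ["192.168.1.0/24"]),
                 {"mobile": "OTPAdapter"}),
]
```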