PingFederate Admin Training Student Guide

The document outlines a course on PingFederate, covering objectives such as discussing industry standards for SSO, configuring IdP and SP connections, and setting up PingFederate as an OAuth authorization server. It includes details on course topology, support resources, and the roles of Identity Providers and Service Providers in the SSO process. Additionally, it explains the use of adapters and integration kits for connecting PingFederate with various authentication systems and applications.

Course Introduction

2 Proprietary | Do not distribute — Copyright © 2022 Ping Identity Corporation. All rights reserved.
Course Objectives
After completing this course, you should be able to:
§ Discuss industry standards: web single sign-on, SAML, OAuth, and OpenID Connect
§ Provide an overview of PingFederate
§ Configure IdP and SP SSO connections
§ Connect to external data sources for attribute requests
§ Configure basic authentication policies for SSO transactions
§ Set up PingFederate as an OAuth authorization server
§ List some basic deployment scenarios
§ Configure directed clustering

Course Lab Topology

§ PingFederate IdP
– Host: sso.int.wal-ping.com
– Admin port: 9999
– Engine port: 9031
– Components: datastore configuration, HTML Form Adapter, SP connection (from IdP)
§ PingFederate SP
– Host: sso.int.den-ping.com
– Admin port: 9998
– Engine port: 9032
– Components: IdP connection (from SP), Agentless Integration Kit
§ LDAP DB
– Host: ldap.int.wal-ping.com
– Port: 389
§ Agentless Sample App
– Host: servapp.int.den-ping.com
– Port: 8444
§ User w/ Browser

Course Topology Configuration Order

Components will be configured in the order shown in the diagram (numbered 1 to 9).

(Diagram: PingFederate IdP with its console, Simple PCV, HTML Form Adapter, LDAP PCV, datastore configuration and SP connection (from IdP); PingFederate SP with its console, IdP connection (from SP), Agentless Integration Kit and Agentless sample app; user with browser.)

Ping Identity Support Resources
Ping offers support resources at support.pingidentity.com.

Documentation
The Documentation page includes links to each product.

Community
Join the discussion by participating in Ping’s Community.

Product Training
Ping offers instructor-led training, on-demand training, and certifications.

Product Downloads
Downloads are available at https://www.pingidentity.com/en/resources/downloads.html.

Summary

In this module, you discovered:

• Course objectives
• Ping Identity documentation
• Ping Identity Community
• Ping Identity product training
• Ping Identity product downloads

Federation Overview
v20220316

2 Confidential | Do not distribute — Copyright ©2022 Ping Identity Corporation. All rights reserved.
Objectives
After completing this module, you should be able to:

• Describe federation
• Define the single sign-on process
• List the roles defined by the single sign-on specification

What is PingFederate?

§ Identity Federation
§ Integration of access to applications
§ Browser-based SSO
§ OAuth and OpenID Connect authorization server

Single Sign-On

§ What is Single Sign-on (SSO)?
– Single login to access multiple applications
– Removes the need to know/remember multiple passwords
– Used in cross-domain access of applications
– Developers use standards to create trusted tokens
› SAML
› OAuth
› OpenID Connect

History of Single Sign-On

§ Traditionally:
– SSO was done within a single company for internal apps only
– Applications validate the security token against a central server
– External applications still required a separate account and login

(Diagram: the user session is verified against a central source when the user tries to access an internal application.)

SSO: Across multiple domains

§ What about SSO outside the enterprise security realm?
– SaaS applications provided by third parties
› Payroll applications
› Travel organizations
– How do you allow users access to everything with a single login?
– How do you allow your customers access?
› CIAM: Customer Identity and Access Management

Identity Federation

§ Federation is a trust relationship between two companies
§ The user can:
– Authenticate to one organization
– Access a resource at another

(Diagram: a trust relationship between the employee's organization and a SaaS partner.)

Roles: Identity Provider (IdP)

IdP is responsible for:

1. Authenticating the user (e.g. against Active Directory)
2. Sending the target company an assertion or security token
– “This user has already been authenticated”

(Diagram: the IdP federation server authenticates the user and issues an outbound assertion.)

Roles: Service Provider (SP)

SP is responsible for:

1. Receiving and verifying assertions or security tokens
– “Has already been authenticated”
2. Providing access to an application or resource

(Diagram: the SP federation server receives the inbound assertion and sits in front of the app server and database server.)

SSO From The User’s Perspective
1. User authenticates to the Identity Provider
2. User clicks a link for the target application (e.g. Google Mail) and is taken directly there without having to authenticate a second time

(Diagram: Identity Provider side, the user authenticates (1. Authenticate); Service Provider side, the user is in the app (2. In the app).)

SSO – Detailed Flow
1. User requests access to a web application and the IdP verifies the user is authenticated
2. IdP looks up the user’s attributes (username, email, department, etc.)
3. The IdP sends an assertion or security token to the SP using a standard protocol
4. SP receives the assertion or security token with the user’s attributes and creates an application session for the user

(Diagram: on the Identity Provider side the user authenticates and the IdP performs the attribute lookup; the token is sent to the Service Provider using a standard protocol, and the user is placed into an application session on the app server.)

Why use SSO/Federation?
§ Simplifies Administration
– Reduces number of accounts & passwords to maintain
– Partners manage their own users
– Replaces proprietary solutions with industry standard solutions and protocols

§ Increases Security
– Propagate strong authentication
– Reduce identity theft targets
– Extend enterprise security to hosted services
– Protects against password proliferation

SSO Summary

§ IdP Federation Server: Creates and sends assertion
§ SP Federation Server: Receives and parses assertion
§ PingFederate: A Federation server

(Diagram: the user authenticates at the Identity Provider's federation server, which sends the assertion to the Service Provider's federation server in front of the app server.)

SP vs IdP Initiated SSO

§ IdP-initiated SSO:
1. Authenticate at IdP.
2. Assertion is sent to the SP.

§ SP-initiated SSO:
1. Start at SP. “Who are you?”
› Authentication request to IdP: “Who is this?”
2. Authenticate at IdP.
3. Assertion is sent to the SP.

Section Review

§ SSO (single sign-on)
– Authenticating once and accessing all your applications
§ IdP (Identity Provider)
– Authenticates users
– Creates and sends assertions
§ SP (Service Provider)
– Receives assertions
– Target application
§ Federation Server:
– Handles assertions
– IdP side: creates and sends
– SP side: receives and parses
§ SP- vs IdP-initiated SSO
– Where does the user start?
– SP-initiated has an extra authentication request

Introduction to Adapters and Integration Kits
v20220316

Objectives
After completing this module, you should be able to:

• Describe what an adapter is
• Describe how adapters are used by PingFederate
• State what an integration kit is
• Illustrate the use of integration kits
• Differentiate between adapters and integration kits

What is an Adapter?

§ Adapters integrate PingFederate with your environment
§ IdP adapter — first mile integration: interfaces with the authentication system (e.g. a directory)
§ SP adapter — last mile integration: interfaces with the target application

(Diagram: Identity Provider side, Directory to IdP adapter to PingFederate; Service Provider side, PingFederate to SP adapter to Application.)

IdP Adapters

§ Interfaces with the company’s authentication system
§ Provides an authentication front-end for the user
§ May collect attributes that are later used in assertions or security tokens

(Diagram: on the Identity Provider side, PingFederate fronts open standards (SAML, OAuth, OpenID Connect) and IdP adapters for Microsoft AD, LDAP, X.509, PingID, PHP, Java, .NET, and Symantec VIP.)

SP Adapters

§ Interfaces with an application that users are trying to access
§ Passes attributes from PingFederate to the target application

(Diagram: on the Service Provider side, PingFederate fronts open standards (SAML, OAuth, OpenID Connect) and SP adapters for custom apps (PHP, .NET, Java), web servers (Apache, IIS, WebSphere), and commercial applications (Citrix, SharePoint, Slack).)

What is an Integration Kit?

§ Packages that contain adapters, documentation, and related files
– Source code, sample applications, etc.
§ Can be downloaded from the Ping Identity website
– https://www.pingidentity.com/en/resources/downloads/pingfederate.html

Installing Adapters

§ Place the adapter jar file into PingFederate/server/default/deploy
§ Restart PingFederate

(Screenshot: adapter jar files in the deploy directory.)

What Will We Build In Our Labs?

(Diagram: Identity Provider, wal-ping.com: HTML Form Adapter on PingFederate, backed by an OpenLDAP directory. Service Provider, den-ping.com: ReferenceID Adapter on PingFederate, in front of the application.)

Section Review

§ Integrate PingFederate with application
– Integration kits are the downloadable package (adapter plugin, documentation, code libraries, etc.)
§ IdP adapters — first mile integration
– Interfaces PingFederate with your authentication system
§ SP adapters — last mile integration
– Interfaces PingFederate with your application

PCVs and the HTML Form Adapter
v20220316

Objectives
After completing this module, you should be able to:

• Identify the Password Credential Validator (PCV)
• Describe HTML Form Adapter concepts

Password Credential Validators

What is a Password Credential Validator?

§ Used by certain PingFederate adapters
– HTML Form Adapter
– HTTP Basic Adapter
§ Password Credential Validators (PCVs) interface PingFederate with the back-end user authentication mechanism

Adapter Flow with PCV
1. User attempts to access an application with no existing session
2. PingFederate, via the HTML Form Adapter, presents a login page
3. HTML Form Adapter uses the configured PCV to validate the credentials against the authentication service
4. Once the user is authenticated their session is created (optional) and they are forwarded to the service provider

(Diagram: User, Identity Provider PingFederate with the HTML Form Adapter and PCV, Authentication Service, Service Provider.)

Available PCVs

§ LDAP — authenticates against an LDAP server
§ RADIUS — authenticates against a RADIUS server
§ PingID — SaaS based MFA solution
§ PingOne Directory — SaaS based directory solution
§ Simple PCV — basic credential list maintained by PingFederate

Creating a PCV

§ PCVs are created from the System screen
§ Configuration options will depend on the type of PCV selected

HTML Form Adapter

What is the HTML Form Adapter?

§ HTML Form Adapter is included with PingFederate
§ Can be used in instances where the authentication source does not have a web-based front-end (e.g. LDAP, RADIUS)
§ Identity Provider only
§ Options for session management
§ Password self service

Adapter Configuration Tasks

§ Configuration wizards are broken down into tasks and steps

(Screenshot: the wizard's Tasks and Steps.)

Selecting a PCV

§ The HTML Form and HTTP Basic adapters require at least one PCV be selected
§ Multiple PCVs can be configured for failover and are used in the order listed

HTML Form Adapter Customizations

§ Customizable templates for login, password reset/recovery, error page, etc.
§ Located in: pingfederate/server/default/conf/template

Selecting Adapter Templates

§ Template files can be specified in the advanced fields of the IdP Adapter task

Attribute Contracts

§ Core contract represents attributes always provided by the adapter
§ HTML Form Adapter:
– username
§ Kerberos Adapter:
– Username
– SIDs
– Domain/Realm name

Attribute Contracts (cont.)

§ Attribute contracts can be extended to include additional attributes
§ More on this in the Advanced Attribute Sources module

(Diagram: Core Contract plus Extended Contract.)

Section Review

§ Provides a web-based login page for authentication systems that may not have one
§ The HTML Form Adapter requires one or more PCVs to validate user credentials against
§ The adapter HTML and CSS files are fully customizable
– Different adapter instances can have different customizations
§ IdP adapter only

ReferenceID Adapter
v20220316

Objectives
After completing this module, you should be able to:

• Describe the Agentless Integration Kit
• Explain how the ReferenceID adapter interfaces with an SP application
• Explain how the ReferenceID adapter interfaces with an IdP application
• Describe the authentication and attribute formats supported by the ReferenceID adapter

Agentless Integration Kit

§ ReferenceID Adapter is part of the Agentless Integration Kit
§ Works with any custom application regardless of language
§ No external code libraries or agents
§ No proprietary APIs
– All HTTPS, JSON, and Java properties
§ Can be used for both IdP and SP applications

SP Application — Process Overview

1. The SP PF receives a SAML assertion from an IdP
2. The SP PF redirects the user to the target application with a reference to the user attributes:
https://target.example.com?REF=<ABC123>
3. The target app makes an authenticated direct HTTP(S) call to the SP PF to retrieve the user attributes:
https://pingfederate.example.com:9031/ext/ref/pickup?REF=<ABC123>
4. PF uses that reference to look up the attributes and provides them to the target app in the HTTP response
5. The target app creates the user session

(Diagram: incoming assertion to the SP PingFederate; redirect with reference to the custom application; attribute request and attribute response between the custom application and PingFederate.)

IdP Application — Process Overview
1. The IdP PF receives an authentication request
2. PF redirects the browser to the IdP application, including a resume path as a query parameter
3. The user authenticates
4. The IdP app makes an authenticated direct HTTP call to send the attributes to PF:
https://pingfederate.IdP.com/ext/ref/dropoff
5. PF stores the attributes and returns a reference ID in the HTTP response to the IdP app
6. IdP app redirects the browser to the PF resume path with that reference id in the query string:
https://pingfederate.IdP.com/[resume-path]?REF=<123ABCD>

(Diagram: PingFederate redirects the browser to the custom authentication application for login (including the resume path); the application drops off the attributes and a reference is returned; the browser is redirected to the resume path (including the reference).)

Application Authentication

§ An application can authenticate with the ReferenceID adapter (for attribute pickup and drop-off) using one of three methods:
– Basic HTTP Authorization
– Special request properties (ping.uname / ping.pwd)
– Trusted client certificates

Adapter Endpoints and Attribute Format

§ The adapter has two endpoints:
– IdP: http[s]://<pf-host>:<pf-port>/ext/ref/dropoff
– SP: http[s]://<pf-host>:<pf-port>/ext/ref/pickup
§ Attributes are transferred using one of two formats:
– JSON
– Java Properties

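The SP pickup and IdP drop-off flows, the application authentication options and the two attribute formats above, as an added example that is not part of the Agentless Integration Kit or of this guide: a small Python client for the two adapter endpoints, with a constructed in-memory stand-in for PingFederate so the round trip runs offline. The endpoint paths, the REF query parameter, Basic authentication and the ping.uname/ping.pwd property names come from this page; the JSON shape of the drop-off response, sending the request properties as HTTP headers, and the host names are assumptions.

```python
"""Client for the two ReferenceID adapter endpoints of the Agentless Integration Kit
(/ext/ref/dropoff for an IdP application, /ext/ref/pickup for an SP application).
Added example, not Ping Identity code; lines marked ASSUMED are not from the guide."""
import base64
import itertools
import json
import re
import urllib.parse
import urllib.request


def parse_java_properties(text):
    """Java .properties subset the adapter transfers: one key=value (or key:value)
    per line, '#'/'!' lines are comments, a backslash-escaped separator does not split."""
    attrs = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"(?<!\\)[=:]", line, maxsplit=1)
        attrs[parts[0].strip()] = parts[1].strip() if len(parts) > 1 else ""
    return attrs


def parse_attributes(body, content_type):
    return json.loads(body) if "json" in content_type.lower() else parse_java_properties(body)


def extract_ref(url):
    """REF from the redirect PingFederate sent the browser to; exactly one, non-empty."""
    refs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).get("REF", [])
    if len(refs) != 1 or not refs[0]:
        raise ValueError("redirect did not carry exactly one REF")
    return refs[0]


class ReferenceIdClient:
    """Authenticated direct HTTP(S) calls from the application to PingFederate;
    transport(req) -> (status, content_type, body) is injectable for offline use."""

    def __init__(self, pf_base, username, password, auth="basic", transport=None):
        self.pf_base = pf_base.rstrip("/")
        self.username, self.password, self.auth = username, password, auth
        self.transport = transport or self._http_transport

    @staticmethod
    def _http_transport(req):  # real network path when no transport is injected
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read().decode()

    def _auth_headers(self):
        if self.auth == "basic":  # Basic HTTP Authorization
            token = base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
            return {"Authorization": f"Basic {token}"}
        return {"ping.uname": self.username, "ping.pwd": self.password}  # ASSUMED: as headers

    def pickup(self, ref):
        """SP side: exchange the REF from the redirect for the user's attributes."""
        url = f"{self.pf_base}/ext/ref/pickup?{urllib.parse.urlencode({'REF': ref})}"
        req = urllib.request.Request(url, headers=self._auth_headers(), method="GET")
        status, ctype, body = self.transport(req)
        if status != 200:
            raise RuntimeError(f"pickup of {ref!r} failed: HTTP {status}")
        return parse_attributes(body, ctype)

    def dropoff(self, attributes):
        """IdP side: post the authenticated user's attributes and get the REF to put
        on the resume path. ASSUMED: PingFederate answers {"REF": "..."}."""
        headers = dict(self._auth_headers(), **{"Content-Type": "application/json"})
        req = urllib.request.Request(f"{self.pf_base}/ext/ref/dropoff", method="POST",
                                     data=json.dumps(attributes).encode(), headers=headers)
        status, _ctype, body = self.transport(req)
        ref = json.loads(body).get("REF") if status == 200 else None
        if not ref:
            raise RuntimeError(f"dropoff failed: HTTP {status}, body {body!r}")
        return ref


def fake_pingfederate():
    """Constructed in-memory test double for the adapter endpoints (not PingFederate):
    dropoff stores the posted JSON under a fresh REF; pickup returns it exactly once."""
    store, counter = {}, itertools.count(1)

    def transport(req):
        if not any(k.lower() in ("authorization", "ping.uname") for k in req.headers):
            return 401, "text/plain", "application not authenticated"
        path = urllib.parse.urlsplit(req.full_url).path
        if path.endswith("/ext/ref/dropoff") and req.get_method() == "POST":
            ref = f"REF{next(counter):04d}"
            store[ref] = json.loads(req.data.decode())
            return 200, "application/json", json.dumps({"REF": ref})
        if path.endswith("/ext/ref/pickup"):
            attrs = store.pop(extract_ref(req.full_url), None)  # a REF is single use
            if attrs is None:
                return 404, "text/plain", "unknown or already used REF"
            return 200, "application/json", json.dumps(attrs)
        return 404, "text/plain", "no such endpoint"
    return transport
```

To exercise the round trip offline, build `ReferenceIdClient("https://pingfederate.example.com:9031", "app", "secret", transport=fake_pingfederate())`, call `dropoff({...})` as the IdP application would at step 4, put the returned REF on the resume path, then call `pickup(ref)` as the SP application would at step 3; dropping the `transport` argument sends the same requests over TLS to a real server. The client deliberately refuses a redirect that carries zero or several REF values and treats any non-200 pickup as a failure, so an application never builds a session from a guessed or replayed reference.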
Section Review

§ Usable for both IdP and SP applications
§ No agents or code libraries – language neutral
§ Passes a reference value between PingFederate and application
– Application makes direct HTTPS authenticated call to drop off or receive attributes

Lab: Create IdP and SP Adapters

Create a Simple PCV and HTML Form Adapter instance.

(Diagram: Identity Provider, wal-ping.com: HTML Form Adapter on PingFederate, backed by the Simple PCV. Service Provider, den-ping.com: ReferenceID Adapter on PingFederate, in front of the application.)

OpenToken Adapter
v20220316

Objectives
After completing this module, you should be able to:

• Cite what an OpenToken is
• Define the process for connecting an application to PingFederate
• Explain what is required to implement a Language Kit
• Review the implementation of the OpenToken Adapter

Language Integration Kits

§ One option for connecting PingFederate to custom IdP or SP applications
§ Supports three languages: Java, PHP, .NET
§ Uses the OpenToken adapter (IdP and SP)

(Diagram: Identity Provider, wal-ping.com: OpenToken Adapter on PingFederate in front of the custom IdP application. Service Provider, den-ping.com: OpenToken Adapter on PingFederate in front of the custom SP application.)

Language Integration Kit Contents

§ OpenToken Adapter
– JAR file can be deployed in PingFederate
– This adapter is also included with the PingFederate install
§ Language specific agent for your
application
– Custom code libraries
§ SP and IdP sample applications for
testing
§ Documentation and code examples
OpenToken Concepts

§ OpenToken is a string containing user attributes
§ The token is passed between PingFederate and the custom application
§ The OpenToken is never passed between the federation servers

(Diagram: the custom authentication application (Java, PHP, or .NET) collects user attributes and passes an OpenToken to the IdP PingFederate; the IdP and SP PingFederate servers exchange a standard protocol (SAML, WS-Federation, etc.) with no OpenToken in between; the SP PingFederate drops off the user attributes in an OpenToken to the custom application.)

Transport Options

§ Three options for transporting the OpenToken between PingFederate and the custom application:
– Cookie
› Must be in same domain
› 4 KB size limit
– Form POST
› Unlimited data size (browser-dependent)
– Query parameter
› Available for testing, not recommended for production use

OpenToken Adapter — IdP Flow
1. PingFederate redirects the user to the custom authentication application
2. Application validates the user and creates an OpenToken with the requested attributes
3. User is forwarded back to PingFederate with the OpenToken
4. Attributes from the OpenToken are used to fulfil the connection contract
5. Connection attributes are sent to the SP partner using industry standard protocols (SAML, WS-Federation, etc.)

(Diagram: Identity Provider: custom Java, PHP, or .NET authentication application, OpenToken, PingFederate, SP connection over open standards (SAML, OAuth, OpenID Connect).)

OpenToken Adapter — SP Flow
1. PingFederate receives an SSO request from an IdP partner
2. PingFederate takes the attributes from the incoming connection and uses them to fulfil the adapter contract
3. OpenToken Adapter creates an OpenToken and redirects the user to the application
4. Application takes the OpenToken and uses the attributes to generate a user session

(Diagram: Service Provider: IdP connection over open standards (SAML, OAuth, OpenID Connect), PingFederate, OpenToken, custom SaaS app (PHP, .NET, Java).)

Installing the OpenToken Adapter

§ OpenToken adapter is bundled with PingFederate
§ The latest jar plug-in is also available as part of the Language Integration Kit
– Optional, install the latest adapter jar into the pingfederate/server/default/deploy directory
§ Restart PingFederate

OpenToken Adapter Agent Configuration File

§ Used by the application developer and OpenToken Agent code
§ Tells the application the parameters of the OpenToken
§ Downloaded as part of the adapter configuration wizard

Application Considerations

§ Application will need to be integrated with the OpenToken Agent to process requests
§ IdP application — needs to create OpenTokens and redirect back to PingFederate
§ SP application — needs to accept incoming OpenTokens and use the attributes to generate a user session

Application Considerations (cont.)

§ OpenToken Adapter and Language Integration Kits only support PHP, .NET, and Java applications
§ Requires the use of external libraries (from the application perspective) to generate and interpret the OpenToken
§ Agentless Integration Kit is another option for custom apps
– No external libraries
– Supports all languages

Additional Resources

§ Language Integration Kit User Manuals
– Contain information on configuring the adapter
– Also contain information on application integration including code examples
§ Java
– https://docs.pingidentity.com/bundle/javaIK25_sm_JavaIntegrationKit/page/javaIK_c_JavaIntegrationKit.html
§ PHP
– https://docs.pingidentity.com/bundle/phpik25_sm_integrationKit/page/phpik25_c_phpIntegrationKit.html
§ .NET
– https://docs.pingidentity.com/bundle/netik25_sm_NetIntegrationKit/page/netik25_c_PingFederateNetIntegrationKit.html

Section Review

§ Language Integration Kits are available for: Java, PHP, and .NET
– Kits use the OpenToken adapter
– External application libraries contain the agent code
§ OpenTokens can be used for IdP and SP apps
§ OpenToken can be transported using a cookie, query parameter, or HTML Form POST

Kerberos Adapter
v20220316

Objectives
After completing this module, you should be able to:

• Describe what a Kerberos Adapter is
• Define the usage of Kerberos in PingFederate
• State the flow of the Kerberos or IWA Adapter

What is Kerberos?

§ Computer network authentication protocol
§ Default authentication method in Windows
– Integral component of the Windows AD service
§ Flow:
– User signs in to computer; granted Kerberos ticket
› ‘Authenticated’ ticket cached on local computer
– User wants access to a service:
› Service requests ticket, then checks to be sure it’s still valid

Kerberos Adapter

§ Identity Provider side adapter only
§ Leverages Kerberos protocol for seamless SSO
§ Checks authentication against Windows Domain Controller
– Based on Active Directory credential tokens (specifically Kerberos service tickets)

PingFederate Kerberos Flow Overview

§ User signs in to computer; granted Kerberos ticket
– Ticket is cached on local computer
§ User wants to SSO to an SP application:
– The IdP PingFederate needs to use the Kerberos ticket to authenticate the user
› PingFederate is the service in the Kerberos flow
– PingFederate requests the Kerberos service ticket and verifies it is still valid
– PingFederate receives the user’s username and domain from the ticket

Kerberos Detailed Flow

1. User logs into their workstation and receives a Kerberos


ticket
Identity Provider Service Provider
3 4 5

Active SP SaaS
IdP
Directory PingFederate Federation Application
Server

2
1

User Kerberos
Ticket

7 Proprietary | Do not distribute. Copyright ©2022, Ping Identity Corporation. All rights reserved.
Kerberos Detailed Flow (cont.)

2. User initiates an SSO request


Identity Provider Service Provider
3 4 5

Active SP SaaS
IdP
Directory PingFederate Federation Application
Server

2
1

User Kerberos
Ticket

8 Proprietary | Do not distribute. Copyright ©2022, Ping Identity Corporation. All rights reserved.
Kerberos Detailed Flow (cont.)

3. PingFederate Kerberos adapter requests the Kerberos ticket from the


user’s browser and validates it with the Windows Domain Controller
Identity Provider Service Provider
3 4 5

Active SP SaaS
IdP
Directory PingFederate Federation Application
Server

2
1

User Kerberos
Ticket

9 Proprietary | Do not distribute. Copyright ©2022, Ping Identity Corporation. All rights reserved.
Kerberos Detailed Flow (cont.)

4. PingFederate generates an assertion or security token (depending on


the protocol) and sends that to the SP federation server
Identity Provider Service Provider
3 4 5

Active SP SaaS
IdP
Directory PingFederate Federation Application
Server

2
1

User Kerberos
Ticket

10 Proprietary | Do not distribute. Copyright ©2022, Ping Identity Corporation. All rights reserved.
Kerberos Detailed Flow (cont.)

5. SP federation server redirects the user to the application using the


attributes supplied by the IdP
Identity Provider Service Provider
3 4 5

Active SP SaaS
IdP
Directory PingFederate Federation Application
Server

2
1

User Kerberos
Ticket

Kerberos Adapter — Active Directory Configuration

§ Create a domain user account PingFederate will use to contact the Kerberos Key Distribution Center (KDC)
§ Register a Service Principal Name (SPN) for PingFederate, using the host name users reach PingFederate by

  setspn -s HTTP/<pf-idp-domain.name> <pf-server-account>

  – -s adds the SPN only if no other account already holds it; duplicate SPNs cause Kerberos authentication failures
§ Verify the registration was successful

  setspn -l <pf-server-account>

Kerberos Adapter Setup

§ Configure your Active Directory / Kerberos realm from the System > Active Directory Domains/Kerberos Realms screen

Kerberos Adapter Setup (cont.)

§ Create a new Kerberos adapter and select the desired realm from the drop-down
§ The Kerberos adapter core contract provides Username, Domain/Realm Name, and SID attributes

Kerberos Adapter — Browser Configuration

§ User browsers need to be configured to provide the Kerberos ticket to PingFederate on SSO requests
  – Configuration will differ depending on the browser being used
§ For full browser configuration steps please see the following Knowledge Base article:
  – https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Kerberos-NTLM

IWA Integration Kit

§ Provides support for Kerberos and NTLM
  – Note: If your authentication flow does not use NTLM it is recommended to use the Kerberos adapter instead
§ NTLM provided for backwards compatibility / failover
§ IWA kit does not provide silent authentication
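Because the IWA kit accepts both mechanisms while the Kerberos adapter accepts only Kerberos, it helps to see which one a browser actually sent. The following Python is an added example, not PingFederate or Ping Identity code: it takes the value of an Authorization: Negotiate header, recognises an NTLM fallback by its NTLMSSP signature, and otherwise walks the GSS-API/SPNEGO DER framing to list the mechanism OIDs the browser offered. The two sample tokens are constructed (a minimal SPNEGO negTokenInit and the start of an NTLM type 1 message), not captured from a browser.

```python
"""Tell Kerberos/SPNEGO from NTLM in an HTTP "Authorization: Negotiate" header.

Added example, not PingFederate or Ping Identity code. Only the token framing is parsed;
validating the ticket itself is the adapter's job. Sample tokens at the bottom are constructed.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KERBEROS_OIDS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos (legacy OID)",
}
NTLM_SIGNATURE = b"NTLMSSP\x00"


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value triple at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body: bytes) -> str:
    """DER OID content bytes -> dotted notation, e.g. 2b0601050502 -> 1.3.6.1.5.5.2."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                     # a clear high bit ends the base-128 sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def classify_negotiate(header_value: str) -> dict:
    """Classify the token in an Authorization header value such as 'Negotiate YIIG...'."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        return {"mech": "not-negotiate", "mech_types": []}
    token = base64.b64decode(b64)
    if token.startswith(NTLM_SIGNATURE):     # raw NTLMSSP message: the browser fell back to NTLM
        return {"mech": "NTLM", "mech_types": []}
    if len(token) < 2 or token[0] != 0x60:   # GSS-API InitialContextToken is [APPLICATION 0]
        return {"mech": "unknown", "mech_types": []}
    _, inner, _ = _read_tlv(token, 0)
    tag, oid_bytes, pos = _read_tlv(inner, 0)
    if tag != 0x06:
        return {"mech": "unknown", "mech_types": []}
    oid = _decode_oid(oid_bytes)
    if oid in KERBEROS_OIDS:                 # bare Kerberos AP-REQ without the SPNEGO wrapper
        return {"mech": KERBEROS_OIDS[oid], "mech_types": [oid]}
    if oid != SPNEGO_OID:
        return {"mech": oid, "mech_types": []}
    # SPNEGO: negTokenInit [0] -> SEQUENCE -> mechTypes [0] -> SEQUENCE OF OID
    _, neg_token_init, _ = _read_tlv(inner, pos)
    _, seq, _ = _read_tlv(neg_token_init, 0)
    _, mech_types_field, _ = _read_tlv(seq, 0)
    _, mech_seq, _ = _read_tlv(mech_types_field, 0)
    mech_types, p = [], 0
    while p < len(mech_seq):
        _, oid_bytes, p = _read_tlv(mech_seq, p)
        mech_types.append(_decode_oid(oid_bytes))
    return {"mech": "SPNEGO", "mech_types": mech_types}


def header_for(token: bytes) -> str:
    """Build the header value a browser would send for a raw token."""
    return "Negotiate " + base64.b64encode(token).decode()


# Constructed sample tokens (not captured from a browser); short-form DER lengths suffice here.
def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag, len(body)]) + body


_KRB5_OID_DER = _der(0x06, bytes.fromhex("2a864886f712010202"))
_SPNEGO_OID_DER = _der(0x06, bytes.fromhex("2b0601050502"))
SAMPLE_SPNEGO = _der(0x60, _SPNEGO_OID_DER
                     + _der(0xA0, _der(0x30, _der(0xA0, _der(0x30, _KRB5_OID_DER)))))
SAMPLE_NTLM = NTLM_SIGNATURE + b"\x01\x00\x00\x00"   # start of an NTLM type 1 (negotiate) message

if __name__ == "__main__":
    for sample in (SAMPLE_SPNEGO, SAMPLE_NTLM):
        print(header_for(sample)[:30], "->", classify_negotiate(header_for(sample)))
```

Even without running anything, the fallback is visible in a browser's developer tools: an NTLM token's base64 always begins TlRMTVNTUAAB, whereas a SPNEGO token begins with the base64 of DER tag 0x60 (YII… for a full-size ticket). If the Kerberos adapter keeps failing and the header shows TlRMTVNTUAAB, the browser never obtained a service ticket, which usually points at the SPN registration or the browser trust configuration described above.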

Section Review

§ Kerberos adapter integrates with Windows Active Directory to provide silent and seamless authentication for SSO
§ PingFederate will require a domain user account to communicate with the KDC
§ PingFederate must have a registered SPN
§ Additional browser configurations are required

SAML Basics
v20220316

Objectives
After completing this module, you should be able to:

• Describe SAML (Security Assertion Markup Language) and its part in identity federation
• List the three roles defined by the SAML specifications
• Differentiate between the different types of SAML bindings
• Explain the components of a SAML assertion

What is SAML?

§ An open standard for exchanging security information between online business partners
§ Information is usually exchanged between an Identity Provider and a Service Provider
§ The Identity Provider is responsible for authenticating users; this information is then passed to the Service Provider
§ The Service Provider uses the authentication information to allow users access to various resources

SAML Standards and History

§ Created by the OASIS (Organization for the Advancement of Structured Information Standards) consortium
  – SAML v1.0: adopted in November 2002
  – SAML v1.1: adopted in September 2003
  – SAML v2.0: adopted in March 2005
    › This is the latest and most current version of SAML
§ SAML Standards: http://docs.oasis-open.org/security/saml/v2.0/

SAML Use Case — Browser SSO

§ Browser Single Sign On — User signs on in a single place and is granted access to multiple applications

[Diagram: user logs into their employer's network; a federation server (e.g. PingFederate) signs the user on to G Suite, Concur and Salesforce]

SAML Roles and Terminology

SAML Roles

§ Subject/Principal — The entity requesting access to a service, typically an end user
§ Identity Provider (IdP) — Authenticates the subject/principal and provides identity information to the SP
§ Service Provider (SP) — Provides a service to the subject/principal, requests authentication and identity information from the IdP

SAML Roles (cont.)

[Diagram: the Subject/Principal (user) logs into their employer's network; the Identity Provider's federation server (e.g. PingFederate) asserts the user's identity to the Service Providers G Suite, Concur and Salesforce]

Entity ID and Base URL

§ Entity ID is a globally unique name (typically a URI) for a SAML entity; it appears as the Issuer of messages the entity sends and as the Audience of assertions addressed to it
§ Base URL is the external address of the server, onto which protocol endpoints such as /sp/ACS.saml2 are appended

SAML Terminology

§ Assertions — Authentication, attribute, and entitlement information
§ Protocols — Requests and responses for obtaining assertions
§ Bindings — Mapping of SAML onto a standard message format
§ Profiles — Combination of assertions, protocols, and bindings to support a particular use case
§ Metadata — Configuration data that can be shared between IdPs and SPs
§ Authentication Context — Detailed data on the type of authentication

SAML Assertions

Assertion Overview

§ SAML allows a party to assert security information about a subject
  – The subject is named John Doe and was authenticated at 16:30 on Tuesday
§ Assertions can contain more information about a subject in the form of attribute statements
  – John Doe has email address [email protected], and is a member of the Marketing group

Assertion Statements

§ SAML defines three types of assertion statements:
§ Authentication statements — Created by the authenticating party (normally an IdP)
  – At a minimum, describes how the user was authenticated and when the authentication took place
§ Attribute statements — Contain specific identifying attributes about the subject
  – For example: email address, department, location, etc.
§ Authorization decision statements — Define something that the subject is allowed to do
  – This can be access to a particular resource or permission to purchase a specific item

SAML Assertion Example

[Diagram: after the user logs into their employer's network, SAML assertions created by the IdP's federation server (e.g. PingFederate) are delivered to G Suite, Concur and Salesforce]

Assertion Elements

§ ID — The unique identifier for this assertion
§ IssueInstant — The time of issue in UTC
§ Version — The SAML version of this assertion
§ Issuer — The entity ID of the authority making the claims (usually an IdP)

<saml:Assertion ID="R7mmeejstGaAk55RRoVk8nCEGjp"
    IssueInstant="2017-09-19T17:34:41.216Z" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sso.int.wal-ping.com</saml:Issuer>
  ...
</saml:Assertion>

Assertion Elements (cont.)

§ Subject — The subject of the statements in the assertion
  – This could be the user's username or any combination of attributes that uniquely identifies the user

<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsaml</saml:NameID>
</saml:Subject>

§ Signature — An XML signature for verifying the integrity of the assertion; the SP verifies it with the IdP's signing certificate before trusting anything else in the assertion

<ds:SignatureValue>mv5tlpFZIdl513g+h04A9Yww/6FirNkY4GCcVGb3ijU+ZSd+47K2N7XOnxQn8
3YWZkwlN/P/v9F+3wmZWuJun2KzV5EtU5IyRqNbuw6WMgPWgGlwyzL8Glau2JJ/RNZLaJFfZFwBuE/f8
kLu9Fu59xT6GycwqgJrpmmmAZcymuZU1k0W3qk7/TKAKf84hznXUhsL1TSsW264CRCEBqseG+lRMYLob
XOSzKP0aXqz01RnoGjhJKh8JMluI0QJvGGeJhxB59aXLugDKle/d47qadoKH/Cq52kcDCKNaoSjcp+cg
</ds:SignatureValue>

Assertion Elements (cont.)

§ AttributeStatement — A list of additional attributes relating to the subject

<saml:AttributeStatement>
  <saml:Attribute Name="Email"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">[email protected]
    </saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Name"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">Joe Saml
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Assertion Elements (cont.)

§ Conditions — Conditions under which the assertion is valid
  – The SP must reject the assertion outside the NotBefore/NotOnOrAfter window (allowing only a small clock skew) and when its own entity ID is not listed as an Audience

<saml:Conditions NotBefore="2017-09-19T17:29:41.227Z"
    NotOnOrAfter="2017-09-19T17:39:41.227Z">
  <saml:AudienceRestriction>
    <saml:Audience>https://sso.int.den-ping.com</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>

§ AuthnStatement — The authentication time (AuthnInstant), can also include the method of authentication (AuthnContext)

<saml:AuthnStatement SessionIndex="R7mmeejstGaAk55RRoVk8nCEGjp"
    AuthnInstant="2017-09-19T17:34:41.097Z">
</saml:AuthnStatement>
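What an SP has to do with the Conditions and the other elements shown above, as an added Python example (not PingFederate or Ping Identity code): parse the assertion, then enforce the NotBefore/NotOnOrAfter window with a clock-skew allowance and require its own entity ID in the AudienceRestriction. Signature verification is deliberately left out: it needs an XML-DSig library and must run before any of these values are trusted. The assertion text, the jsaml@example.com address and the 60-second skew are constructed for the example.

```python
"""Enforce the Conditions of a SAML 2.0 assertion before trusting it.

Added example, not PingFederate or Ping Identity code. It pulls Issuer, Subject NameID,
attributes and Conditions out of an assertion and checks the validity window (with a
clock-skew allowance) and the AudienceRestriction against the SP's own entity ID.
XML signature verification is out of scope here and must happen first in a real SP.
The assertion below is constructed from the fields shown on the slides.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml in production to neutralise XXE/entity bombs

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion ID="R7mmeejstGaAk55RRoVk8nCEGjp"
    IssueInstant="2017-09-19T17:34:41.216Z" Version="2.0"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sso.int.wal-ping.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsaml</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-09-19T17:29:41.227Z" NotOnOrAfter="2017-09-19T17:39:41.227Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://sso.int.den-ping.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement SessionIndex="R7mmeejstGaAk55RRoVk8nCEGjp" AuthnInstant="2017-09-19T17:34:41.097Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jsaml@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Name"><saml:AttributeValue>Joe Saml</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_instant(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z; fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "id": root.get("ID"),
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": parse_instant(conditions.get("NotBefore")),
        "not_on_or_after": parse_instant(conditions.get("NotOnOrAfter")),
        "audiences": [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attributes,
    }


def check_conditions(assertion: dict, my_entity_id: str, expected_issuer: str,
                     now: datetime, skew: timedelta = timedelta(seconds=60)) -> list:
    """Return the reasons to reject the assertion; an empty list means the conditions hold."""
    problems = []
    if assertion["issuer"] != expected_issuer:
        problems.append(f"issuer {assertion['issuer']!r} is not the configured IdP")
    if now + skew < assertion["not_before"]:
        problems.append("not yet valid: NotBefore is in the future")
    if now - skew >= assertion["not_on_or_after"]:
        problems.append("expired: NotOnOrAfter has been reached")
    if my_entity_id not in assertion["audiences"]:
        problems.append(f"audience {assertion['audiences']} does not include {my_entity_id!r}")
    return problems


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed["name_id"], parsed["attributes"])
    print(check_conditions(parsed, "https://sso.int.den-ping.com", "https://sso.int.wal-ping.com",
                           parse_instant("2017-09-19T17:34:00Z")))
```

The ten-minute window in the sample (NotBefore five minutes before issue, NotOnOrAfter five minutes after) is what the token lifetime settings in the SP connection configuration produce; an SP whose clock drifts by more than that plus the allowed skew will reject every assertion, which is the first thing to check when a working connection suddenly fails.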

SAML Bindings

Binding Overview

§ SAML uses a request/response format to exchange messages between parties
§ A binding describes how SAML messages are mapped into existing transport protocols

Binding Types

§ SAML messages are transmitted using the following methods:
  – HTTP POST – uses browser redirects and auto-submitting POST forms carrying the base64-encoded message
  – HTTP Redirect (SAML v2.0) – uses the URL: the message is DEFLATE-compressed, base64-encoded and URL-encoded into the SAMLRequest or SAMLResponse query parameter
  – HTTP Artifact – by reference using back-end channels and the SOAP protocol
  – SOAP (SAML v2.0) – protocol used by the HTTP Artifact binding for back-channel communication

HTTP Post Binding

§ Messages are transported using HTTP form-control content encoded in base-64. Most commonly used

<html>
  <head>
    <title>Submit Form</title>
  </head>
  <body onload="javascript:document.forms[0].submit()">
    <form method="post" action="https://sso.jgd.home:9031/sp/ACS.saml2"><input
      type="hidden" name="SAMLResponse"
      value="PHNhbWxwOlJlc3BvbnNlIFZlcnNpb249IjIuMCIgSUQ9Ikk2SGhYZkM5TmhuYlhYSi00MWJPNFU4
SXNzdWVJbnN0YW50PSIyMDE0LTA1LTMwVDE0OjE2OjA0Ljk4NVoiIERlc3RpbmF0aW9uPSJodHRwczovL3N
qZ2QuaG9tZTo5MDMxL3NwL0FDUy5zYW1sMiIgeG1sbnM6c2FtbHA9InVybjpvYXNpczpuYW1lczp0YzpTQU
PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg=="/>
    </form>
  </body>
</html>

HTTP Artifact Binding

§ SAML request and response are transmitted by reference
§ The reference is a small stand-in, or pointer, called an "artifact"
§ A separate binding, such as SAML SOAP, is used to exchange the artifact for the actual protocol message
§ Artifact binding is rarely used in production

HTTP Redirect Binding (SAML 2.0)

§ Messages are transported by encoding them in a URL (DEFLATE-compressed, base64-encoded, URL-encoded)
§ URL length limits restrict this binding to short messages such as AuthnRequests; assertions are not delivered this way, and the binding is not recommended for responses in production
§ Any signature travels in separate SigAlg and Signature query parameters rather than inside the XML

https://sso.example.com:9031/idp/SSO.saml2?SAMLRequest=fZDLTsMwFER%2FJfI%2BDzsL4CqJFDUURWoLa
iOQ2FmpoaGObXyvBf17TLspG%2FZz5mimQjlrB22gg9mqz6CQkmflcbKmZiIrWNJ3NXtYhvU9vcyrxePx6Idhuf14E%2
Fvd7aY7xQBiUL1BkoYiU%2FCblBcp54MQIDiUd1lZ8leWfM%2FaIJx9NQvegJU4IRg5KwQaYdeuVxCV4LwlO1rNmuo3D
WeBv%2BL%2FxyWi8hQHsOZA5BDyHNFmk6Fsr0zqJvOejXau8qvyi8nBJrb13ZPV03hKWq3t18IrSapm5INieXOh%2Fh7
W%2FAA%3D&RelayState=URHSpnYqFvSvLzVmuf8B0DU327kWlY
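How the two front-channel bindings above package a message, as an added Python example (not PingFederate or Ping Identity code): HTTP-POST is base64 in a form field, HTTP-Redirect is raw DEFLATE, then base64, then URL-encoding into the query string, which is why the sample URL above is full of %2F and %2B. The AuthnRequest, the endpoint URLs and the RelayState value are constructed.

```python
"""Encode and decode SAML messages for the HTTP-POST and HTTP-Redirect bindings.

Added example, not PingFederate or Ping Identity code. HTTP-POST carries the message
base64-encoded in a form field (SAMLRequest or SAMLResponse); HTTP-Redirect DEFLATE-
compresses it first, then base64- and URL-encodes it into the query string.
The AuthnRequest and the endpoint URLs below are constructed.
"""
import base64
import zlib
from urllib.parse import urlencode, urlparse, parse_qs

SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0" '
    'IssueInstant="2022-03-16T10:00:00Z" Destination="https://sso.example.com:9031/idp/SSO.saml2" '
    'AssertionConsumerServiceURL="https://sp.example.com:9031/sp/ACS.saml2">'
    '<saml:Issuer>https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)


def post_encode(message: str) -> str:
    """HTTP-POST binding: plain base64 of the XML, placed in a hidden form field."""
    return base64.b64encode(message.encode()).decode()


def post_decode(field_value: str) -> str:
    """Reverse post_encode: what the ACS does with the SAMLResponse form field."""
    return base64.b64decode(field_value).decode()


def redirect_url(sso_endpoint: str, message: str, relay_state: str,
                 param: str = "SAMLRequest") -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 selects raw DEFLATE as the binding requires
    deflated = comp.compress(message.encode()) + comp.flush()
    query = {param: base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return sso_endpoint + "?" + urlencode(query)    # urlencode turns '+', '/', '=' into %2B %2F %3D


def redirect_decode(url: str) -> dict:
    """Reverse redirect_url: pull SAMLRequest/SAMLResponse and RelayState back out of a URL."""
    qs = parse_qs(urlparse(url).query)
    param = "SAMLRequest" if "SAMLRequest" in qs else "SAMLResponse"
    message = zlib.decompress(base64.b64decode(qs[param][0]), -15).decode()
    return {"param": param, "message": message, "relay_state": qs.get("RelayState", [None])[0]}


if __name__ == "__main__":
    url = redirect_url("https://sso.example.com:9031/idp/SSO.saml2", SAMPLE_AUTHN_REQUEST, "abc123")
    print(url)
    print(redirect_decode(url)["message"][:60])
    print(post_encode(SAMPLE_AUTHN_REQUEST)[:60])
```

Decoding a captured redirect URL this way is the quickest way to see what an SP actually asked for (Destination, AssertionConsumerServiceURL, Issuer) when an SP-initiated connection misbehaves; the RelayState is carried alongside, unencoded beyond URL escaping, and is returned untouched in the response.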

SAML Profiles

Profiles Overview

§ A SAML profile describes a particular use case, or implementation, of the SAML protocol
§ The most common is Web Browser SSO — this is one of the profiles PingFederate supports
§ SSO can be initiated from either the IdP or the SP
  – SP-initiated SSO is dependent on the SP's configuration

IdP Initiated SSO — Post

[Diagram: browser interface between the Identity Provider (user store, federation server) and the Service Provider (federation server, Concur); steps 1, 2, 4 and 5 shown between the browser and the two federation servers]

Section Summary

§ SAML is an open standard for exchanging user attribute and authentication information between IdPs and SPs
§ SAML defines three roles: subject/principal, identity provider, service provider
§ SAML bindings describe how SAML protocol messages are transmitted using other protocols
  – E.g. HTTP Post, HTTP redirect, SOAP

Section Summary (cont.)

§ SAML assertions are sent from IdPs to SPs
  – Assertions contain information used to identify the user
  – E.g. user name, attributes (location, department, etc.), authentication method
  – Assertions can also contain information on the method of authentication used by the IdP

Creating Connections
v20220316

Objectives
After completing this module, you should be able to:

• Differentiate between an SP and an IdP connection
• Define the parameters needed for an SP or IdP connection
• Describe the purpose and format of SAML metadata
• Recognize common SSO endpoints used by PingFederate

Introduction to Connections

§ Both partners need to create connections
§ SP connection — created by the IdP to connect to the SP
§ IdP connection — created by the SP to connect to the IdP

[Diagram: Identity Provider wal-ping.com (PingFederate with HTML Form Adapter and Simple PCV) and Service Provider den-ping.com (PingFederate with Reference ID Adapter and Application); the SP connection points from IdP to SP, the IdP connection from SP to IdP]

Introduction to Connections (cont.)

§ Settings need to be agreed upon between the IdP and SP
  – What attributes are sent in the assertion and what are they called?
    › Name, email, department, etc.
  – What protocol is being used?
    › SAML 2.0, SAML 1.1, OpenID Connect, etc.
  – What protocol settings are being used? If using SAML, what binding is expected?
    › POST, Artifact
  – What is the entity ID and base URL of the partner?
  – Is the assertion signed? Is encryption being used?
    › Keys will need to be exchanged
Connection Management

§ Connection management screen allows:
  – Filtering connections by protocol or status
  – Searching connections
  – Enabling/disabling connections
  – Exporting connection metadata
  – Updating with metadata
  – Exporting/importing connections (PF to PF only)
  – Copy
  – Delete

SAML Metadata

§ Connections can be created or updated using metadata from a partner

<md:EntityDescriptor ID="yF6LOaPkfHXwaqZf8MRdofbFfQw" cacheDuration="PT1440M"
    entityID="https://sso.int.den-ping.com"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Location="https://sso.int.den-ping.com:9032/sp/ACS.saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">AttributeContract</md:ServiceName>
      <md:RequestedAttribute Name="Department"/>
      <md:RequestedAttribute Name="Email"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="administrative"/>
</md:EntityDescriptor>

  – entityID: the partner's Entity ID
  – AssertionConsumerService: the base URL with the ACS endpoint and binding information
  – AttributeConsumingService / RequestedAttribute: the attribute contract
  – ContactPerson: contact information (optional)
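Reading partner metadata into the settings an SP connection needs, as an added Python example (not PingFederate or Ping Identity code). It returns the entity ID, the ACS endpoints keyed by binding, the base URL implied by the default ACS, the requested attributes and the cache duration, and flags an ACS that is not HTTPS. The metadata is constructed on the slide's example; the second, HTTP-Artifact ACS over plain http is added here only to exercise that check.

```python
"""Extract SP connection settings from partner SAML metadata and sanity-check them.

Added example, not PingFederate or Ping Identity code. The metadata is constructed on the
slide's example; the non-HTTPS HTTP-Artifact ACS is added only to exercise the review.
"""
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata fetched from a partner
from urllib.parse import urlparse

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

SAMPLE_METADATA = """<md:EntityDescriptor ID="yF6LOaPkfHXwaqZf8MRdofbFfQw" cacheDuration="PT1440M"
    entityID="https://sso.int.den-ping.com" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Location="https://sso.int.den-ping.com:9032/sp/ACS.saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" isDefault="true"/>
    <md:AssertionConsumerService index="1" Location="http://sso.int.den-ping.com:9032/sp/ACS.saml2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">AttributeContract</md:ServiceName>
      <md:RequestedAttribute Name="Department"/>
      <md:RequestedAttribute Name="Email"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="administrative"/>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", MD)
    acs, default_acs = {}, None
    for svc in sp.findall("md:AssertionConsumerService", MD):
        binding = svc.get("Binding", "").replace(BINDING_PREFIX, "")   # e.g. HTTP-POST
        acs[binding] = svc.get("Location")
        if svc.get("isDefault") == "true":
            default_acs = svc.get("Location")
    if default_acs is None and acs:          # without isDefault the first ACS listed is the default
        default_acs = next(iter(acs.values()))
    parsed = urlparse(default_acs) if default_acs else None
    return {
        "entity_id": root.get("entityID"),
        "protocols": sp.get("protocolSupportEnumeration", "").split(),
        "acs": acs,
        "default_acs": default_acs,
        "base_url": f"{parsed.scheme}://{parsed.netloc}" if parsed else None,
        "requested_attributes": [a.get("Name") for a in
                                 sp.findall("md:AttributeConsumingService/md:RequestedAttribute", MD)],
        "cache_duration": root.get("cacheDuration"),
    }


def review_sp_metadata(meta: dict) -> list:
    """Warnings worth reading before turning this metadata into an SP connection."""
    warnings = []
    if SAML2_PROTOCOL not in meta["protocols"]:
        warnings.append("partner does not advertise SAML 2.0 protocol support")
    for binding, location in meta["acs"].items():
        if urlparse(location).scheme != "https":
            warnings.append(f"{binding} ACS {location} is not HTTPS; assertions would travel in clear text")
    if not meta["requested_attributes"]:
        warnings.append("no RequestedAttribute elements; agree the attribute contract out of band")
    return warnings


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["base_url"], meta["acs"])
    print(review_sp_metadata(meta))
```

The base URL and ACS endpoint the parser derives are exactly the two values the next two slides ask for; pulling them from metadata rather than retyping them avoids the mismatched host or port that is the most common reason an assertion never arrives.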
Assertion Consumer Services (ACS) Endpoint

§ SP protocol endpoint that receives assertions
§ Defines the location where SAML assertions are sent
§ Must be defined on the IdP for the SP connection

Base URL: https://sso.int.wal-ping.com:9032
ACS Endpoint: /sp/ACS.saml2

[Diagram: IdP PingFederate sends the SAML assertion to the SP PingFederate's ACS endpoint]

Single Sign-On Service Endpoint

§ IdP protocol endpoint that receives SSO related messages from SPs
§ Must be defined on the SP for the IdP connection

Base URL: https://sso.wal.wal-ping.com:9031
SSO Service Endpoint: /idp/SSO.saml2

[Diagram: SP PingFederate sends SP-initiated SSO (SAMLRequest / AuthnRequest) to the IdP PingFederate's SSO service endpoint]

Start SSO Endpoint

§ IdP application endpoint used for initiating an SSO transaction
§ Can accept variables as query parameters to change the SSO behavior
  – Requesting a specific partner ID, target resource, ACS, etc.

Base URL: https://sso.int.wal-ping.com:9031
StartSSO endpoint: /idp/startSSO.ping
First parameter – requested partner ID: PartnerSpId=https://sso.int.den-ping.com
Second parameter – requested adapter ID: IdpAdapterId=LDAPLogin

https://sso.int.wal-ping.com:9031/idp/startSSO.ping?PartnerSpId=https://sso.int.den-ping.com&IdpAdapterId=LDAPLogin
SP Connections

IdP — Configuring SP Connections

§ SP connections are created on the IdP
§ Tells the IdP federation server how to contact and communicate with the SP

[Diagram: SP connection from the Identity Provider wal-ping.com (PingFederate with HTML Form Adapter and Simple PCV) to the Service Provider den-ping.com (PingFederate with Reference ID Adapter and Application)]

IdP — SP Connection Configuration Flow

Select SAML Profile → Set Token Lifetime → Configure Token Creation → Configure Protocol Settings

§ Select SAML Profile: Single Sign-On, Single Logout, etc.
§ Set Token Lifetime: minutes before, minutes after
§ Configure Token Creation: identity mapping, attribute contract, authentication source mapping
§ Configure Protocol Settings: ACS URL, SAML bindings, signature, encryption

IdP Connections

SP — Configuring IdP Connections

§ IdP connections are created on the SP
§ Tells the SP federation server how to contact and communicate with the IdP

[Diagram: IdP connection from the Service Provider den-ping.com (PingFederate with Reference ID Adapter and Application) to the Identity Provider wal-ping.com (PingFederate with HTML Form Adapter and Simple PCV)]

SP — IdP Connection Configuration Flow

Select SAML Profile → User Session Creation → Target Session Mapping → Configure Protocol Settings

§ Select SAML Profile: Single Sign-On, Single Logout, etc.
§ User Session Creation: identity mapping, attribute contract
§ Target Session Mapping: adapter mapping, policy contract mapping, target session fulfillment (attribute mapping)
§ Configure Protocol Settings: SSO service URL, SAML bindings, signature, encryption
Section Review

§ Connections need to be created on both sides (IdP and SP)
§ Certain settings need to be agreed upon by both parties
  – Attribute values and names, protocol, binding, etc.
§ Metadata can be generated by one party and used by the other to facilitate creating connections
§ Endpoints are used to communicate with different services on the federation server

Lab: Creating IdP and SP Connections

[Diagram: Identity Provider wal-ping.com (PingFederate with HTML Form Adapter and Simple PCV) and Service Provider den-ping.com (PingFederate with Reference ID Adapter and Application)]

Create the connections from the IdP to the SP and from the SP to the IdP

PingFederate Logs
v20220316

Objectives
After completing this module, you should be able to:

• Describe what logs are available to an Administrator
• Define what is captured in the Admin log
• Evaluate the four transaction logging modes for connections
• Identify alternate logging methods

Log Files

Server Log

§ Records all PF runtime and administrative server activity
  – Information is also sent to the terminal or command window running the PingFederate server
  – Main troubleshooting log used by Support and Client Services
  – Send the *entire* server.log to support (not just snippets)
§ Sample:

2013-08-20 16:53:45,635 INFO [com.pingidentity.appserver.jetty.SocketConnector] Not starting listener class com.pingidentity.appserver.jetty.SocketConnector because port was set to -1
2013-08-05 16:45:34,788 tid:d381f3492 INFO [org.sourceid.websso.servlet.IntegrationControllerServlet] org.sourceid.websso.servlet.RenderPageException: Unable to resume processing because saved state was not found for key: hIXsF0tcwpj9wSWN6ni0xD - rendering state.not.found.error.page.template.html

Admin Log

§ Records events about PF Admin activity
  – Password change/reset
  – Account activation/deactivation
  – Login attempts
  – Data store create/modify/delete
  – Certificate management actions
  – Connection create/modify/delete, etc.
§ Sample:

2013-08-19 18:20:48,390 DEBUG [AuditLogger] Administrator | UserAdmin,Admin,CryptoAdmin | Login attempt | Login was successful
2013-08-19 18:21:29,109 DEBUG [AuditLogger] Administrator | UserAdmin,Admin,CryptoAdmin | Data store created | LDAP-67771C232937987C915999B1E1D7120215F6689B

Transaction Log

§ Configurable both globally and per-connection
§ 4 Modes:
  – None
  – Standard — Time stamp, Hostname and port, Log mode, Connection ID, SAML status code (for SAML responses only), Context, Message type, SAML ID (for SAML messages only), Endpoint (for outbound messages only), Target URL (if SSO transaction)
  – Enhanced — SAML_SUBJECT, Binding, Relay state (if available), Signature policy, Signature status, HTTP request parameters (outbound messages only)
  – Full — Includes everything logged at the Enhanced level plus the complete XML message for every transaction
    › Full mode writes complete assertions, including user attributes, to disk; enable it only while troubleshooting and protect the log files accordingly

2013-08-24 13:34:28,546 | 192.168.238.132:9041 | S | Sent Request | Connection ID: idp:saml2 (IDP) | AuthnRequest | Target URL: http://sm6.pinggcslab.sp.com:81/PFIsapiSample/Default.aspx?LOGON_USER=PFuser | Endpoint: http://sm6.pinggcslab.idp.com:9030/idp/SSO.saml2

Transaction Logging Mode – Connection

§ Logging mode for connections can be changed on the General Info screen

Transaction Logging Mode – Globally

§ Per connection settings can be overridden from the Connection Management screen
§ Logging mode override affects all connections for the IdP or SP role
Request log

§ <date>.request.log records all HTTP requests for the given date
§ Contains Jetty (web server) log messages
§ Errors caused by URL typos may be found here and not in the server log

192.168.89.128 - [21/Sep/2013:14:21:33 +0000] "GET /IdpSample/ HTTP/1.1" 302 0
192.168.89.128 - [21/Sep/2013:14:21:38 +0000] "POST /pf-ws/services/SSODirectoryService HTTP/1.0" 200 0
192.168.89.128 - [21/Sep/2013:14:21:35 +0000] "GET /IdpSample/MainPage HTTP/1.1" 200 3860
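Pulling the two log formats above apart, as an added Python example (not PingFederate or Ping Identity code): a parser for Standard-mode transaction.log lines that keeps every labelled field, a parser for the Jetty request.log format, a function that traces one connection's transactions in order, and one that lists the requests Jetty rejected. All lines are constructed on the slides' samples; the "SAML Status Code" and "SAML ID" labels in the second transaction line are an assumption about how those Standard-mode fields are written, not copied from a real log.

```python
"""Parse PingFederate transaction.log (Standard mode) and <date>.request.log lines.

Added example, not PingFederate or Ping Identity code. transaction.log is pipe-delimited
with labelled trailing fields, request.log is Jetty's common-log format. All lines below
are constructed on the slides' samples; the SAML Status Code / SAML ID labels are assumed.
"""
import re
from datetime import datetime

TRANSACTION_LINES = [
    "2013-08-24 13:34:28,546 | 192.168.238.132:9041 | S | Sent Request | Connection ID: idp:saml2 (IDP) "
    "| AuthnRequest | Target URL: http://sm6.pinggcslab.sp.com:81/PFIsapiSample/Default.aspx?LOGON_USER=PFuser "
    "| Endpoint: http://sm6.pinggcslab.idp.com:9030/idp/SSO.saml2",
    "2013-08-24 13:34:29,102 | 192.168.238.132:9041 | S | Received Response | Connection ID: idp:saml2 (IDP) "
    "| Response | SAML Status Code: urn:oasis:names:tc:SAML:2.0:status:Success | SAML ID: _a1b2c3d4",
    "2013-08-24 13:35:02,771 | 192.168.238.132:9041 | S | Sent Response | Connection ID: https://sso.int.den-ping.com (SP) "
    "| Response | Endpoint: https://sso.int.den-ping.com:9032/sp/ACS.saml2",
]

REQUEST_LINES = [
    '192.168.89.128 - [21/Sep/2013:14:21:33 +0000] "GET /IdpSample/ HTTP/1.1" 302 0',
    '192.168.89.128 - [21/Sep/2013:14:21:38 +0000] "POST /pf-ws/services/SSODirectoryService HTTP/1.0" 200 0',
    '192.168.89.128 - [21/Sep/2013:14:21:35 +0000] "GET /IdpSample/MainPage HTTP/1.1" 200 3860',
    # a mistyped endpoint (startSS0 with a zero): Jetty answers 404 and nothing reaches server.log
    '192.168.89.128 - [21/Sep/2013:14:22:01 +0000] "GET /idp/startSS0.ping?PartnerSpId=https://sso.int.den-ping.com HTTP/1.1" 404 1290',
]

REQUEST_RE = re.compile(
    r'^(?P<client>\S+) - \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)


def parse_transaction_line(line: str) -> dict:
    """Positional fields first (time, host:port, mode, context), then 'Label: value' fields."""
    parts = [p.strip() for p in line.split(" | ")]
    rec = {"timestamp": parts[0], "host": parts[1], "mode": parts[2], "context": parts[3]}
    for part in parts[4:]:
        label, sep, value = part.partition(": ")
        if sep:
            rec[label.lower().replace(" ", "_")] = value   # "Connection ID: x" -> connection_id
        else:
            rec["message_type"] = part                      # the only unlabelled trailing field
    return rec


def parse_request_line(line: str) -> dict:
    m = REQUEST_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised request.log line: {line!r}")
    rec = m.groupdict()
    rec["status"], rec["bytes"] = int(rec["status"]), int(rec["bytes"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def trace_connection(lines, connection_id: str) -> list:
    """Transaction records for one partner connection, oldest first."""
    records = (parse_transaction_line(line) for line in lines)
    return sorted((r for r in records if r.get("connection_id", "").startswith(connection_id)),
                  key=lambda r: r["timestamp"])


def request_errors(lines, threshold: int = 400) -> list:
    """Requests Jetty answered with an error status; URL typos surface here, not in server.log."""
    return [r for r in map(parse_request_line, lines) if r["status"] >= threshold]


if __name__ == "__main__":
    for r in trace_connection(TRANSACTION_LINES, "idp:saml2"):
        print(r["timestamp"], r["context"], r["message_type"], r.get("endpoint", ""))
    for r in request_errors(REQUEST_LINES):
        print(r["status"], r["method"], r["path"])
```

Keying the trace on the Connection ID rather than on a time window is deliberate: in a clustered deployment each engine node writes its own transaction.log, so the lines for one SSO transaction have to be collected from several files and ordered by timestamp before they make sense.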

Audit Log

§ Provided for security analysis and regulatory compliance purposes
§ Elements configured in the log4j2.xml file
§ Sample elements:
  – Target SP app
  – User attributes sent/received
  – Type of transaction (e.g. SSO)
  – Protocol (e.g. SAML 2.0)
  – Status of transaction: success or failure

Admin API log

§ Actions performed using the administrative API
  – Time the event occurred on the PingFederate server
  – Administrator username performing the action
  – Authentication method
  – Client IP
  – HTTP method
  – REST endpoint
  – HTTP status code

Managing Log Files

Log File Location

§ Default directory: <pf_install>/pingfederate/log
§ Location can be changed in run.properties by setting the pf.log.dir option

Logging Configuration — log4j2.xml

§ Located in pingfederate/server/default/conf
§ The log4j2.xml file is used to configure logging elements and logging level (info, warn, debug, etc.)
  – Note: Raising the logging level above INFO (to DEBUG or TRACE) may have a performance impact depending on your implementation and produces far more data on disk; revert it after troubleshooting
  – Information on how to enable debug logging can be found in the PingFederate Admin Guide
§ For more information about log4j2 please refer to the Log4j 2 open source project

Log File Rolling

§ The transaction.log, the admin.log, the audit.log and the provisioner.log files roll over at midnight each day.
  – These files can become quite large; back up or remove older files on a routine basis.
§ Other PingFederate log files roll over when they reach 10MB.
  – The five most recent files are kept before overwriting the oldest.
    › This number can be changed in the log4j2.xml file

Alternate Logging Options

PingFederate Logging Options

§ PingFederate uses Log4j2 and logs to the file system by default
§ Audit, provisioner audit, provisioner, and server logs can also be written to a JDBC capable database
  – Additional info in the PingFederate Admin Guide
§ Some logs can also be written in the Common Event Format (CEF)
  – Available for the audit and provisioner audit logs

Section Review

§ Admin Log
  – Tracks changes made in the Admin console
§ Server Log
  – Tracks all runtime information as well as administration data
§ Transaction Log
  – Federated identity transactions
§ Request Log
  – Per-date record of HTTP requests
§ Audit Log
  – Security compliance
  – Regulatory compliance
§ Admin API Log
  – Actions performed from the Admin API
Lab: Server Logs for SSO Transactions

§ Use the server.log file to trace an SSO transaction through the IdP and the SP

[Diagram: Identity Provider wal-ping.com (PingFederate with HTML Form Adapter, backed by an OpenLDAP directory) and Service Provider den-ping.com (PingFederate with Reference ID Adapter and Application)]

Attributes and Data Sources
v20220316

Objectives
After completing this module, you should be able to:

• Describe how simple expressions can be used to create attributes
• Explain how PingFederate can use external data stores
• Explain the difference between mapping attributes in a connection or in an adapter

Attribute Expressions

Expressions Overview

§ PingFederate offers two types of expressions for manipulating attributes:
– Simple expressions
– Object-Graph Navigation Language
§ Expressions can be used to create more complex attributes using simpler building blocks

Simple Expressions

§ Hard-coded text strings
– Results in the same string being sent for every SSO transaction
– Useful for testing or in cases where every SSO transaction needs to have the same value for a specific attribute

Simple Expressions (cont.)

§ Referencing contract values
– You can use ${variable} notation to reference a value from an attribute contract
– Attribute values are case sensitive
– Multiple values can be concatenated
§ Example: Assertion provides FirstName and LastName attributes but the application requires a FullName attribute

Simple Expressions (cont.)

§ Referencing values from a datastore lookup
– Value must already be defined for lookup in the Attribute Sources & User Lookup task
– Uses ${ds.source-id.attribute} syntax
› source-id is the value entered for the Attribute Source ID within the adapter or connection

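As an added example (not PingFederate's own code), the following Python resolver applies the simple-expression rules above, ${variable} for contract values and ${ds.source-id.attribute} for datastore lookups, to the FirstName/LastName to FullName case; the contract values, the OpenLDAP Attribute Source ID and its attributes are constructed for the example.

```python
import re

# Constructed sample data: the attribute contract as the assertion provides it,
# and the result of a datastore lookup keyed by its Attribute Source ID.
CONTRACT = {"FirstName": "Ada", "LastName": "Lovelace", "SAML_SUBJECT": "alovelace"}
DATASTORE_RESULTS = {"OpenLDAP": {"mail": "ada@wal-ping.com", "displayName": "Ada Lovelace"}}

# Matches ${name} and ${ds.source-id.attribute}; a source-id may contain dashes.
_REFERENCE = re.compile(r"\$\{([^}]+)\}")


def resolve(expression, contract, datastore_results):
    """Expand a simple expression against contract and datastore values.

    Hard-coded text passes through unchanged, several references can be
    concatenated in one expression, and lookups are case sensitive.  An
    unknown reference raises KeyError so a misspelled attribute fails loudly
    instead of silently producing an empty value.
    """

    def lookup(match):
        ref = match.group(1)
        if ref.startswith("ds."):
            parts = ref.split(".", 2)  # ["ds", source-id, attribute]
            if (len(parts) != 3 or parts[1] not in datastore_results
                    or parts[2] not in datastore_results[parts[1]]):
                raise KeyError(f"unknown datastore reference ${{{ref}}}")
            return datastore_results[parts[1]][parts[2]]
        if ref not in contract:
            raise KeyError(f"unknown contract attribute ${{{ref}}}")
        return contract[ref]

    return _REFERENCE.sub(lookup, expression)


def is_resolvable(expression, contract, datastore_results):
    """True if every reference in the expression can be fulfilled."""
    try:
        resolve(expression, contract, datastore_results)
        return True
    except KeyError:
        return False


def fulfill(mapping, contract, datastore_results):
    """Fulfill an outgoing contract given as {target attribute: simple expression}."""
    return {name: resolve(expr, contract, datastore_results) for name, expr in mapping.items()}


if __name__ == "__main__":
    outgoing = fulfill({
        "FullName": "${FirstName} ${LastName}",  # concatenation of two contract values
        "Email": "${ds.OpenLDAP.mail}",          # datastore lookup by Attribute Source ID
        "Department": "Engineering",             # hard-coded text, same for every SSO
    }, CONTRACT, DATASTORE_RESULTS)
    print(outgoing)
```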
Object-Graph Navigation Language (OGNL)

§ Based on Java
§ Disabled by default
§ Allows advanced attribute processing and manipulation within PingFederate
§ Language documentation available from Apache Commons
– http://commons.apache.org/proper/commons-ognl/

OGNL Examples

§ Force upper case:
#this.get("attribute name").toString().toUpperCase()

§ Extract the domain from an LDAP mail attribute:
#temp=#this.get("ds.OpenLDAP.mail").toString(),
#atSign="@",
#ix=#temp.indexOf(#atSign),
#domain=#temp.substring(#ix+1,#temp.length())

External Data Sources

External Data Sources

§ PingFederate can make use of external data sources for user attribute lookup
– LDAP — Active Directory, PingDirectory, etc.
– JDBC — Microsoft SQL, Oracle MySQL, PostgreSQL, etc.
– Custom implementation using the PingFederate SDK

[Diagram: PingFederate sends an Attribute Query to an LDAP Directory and to a JDBC Database]

LDAP Data Sources

§ Required parameters:
– Hostname(s)
› Supports multiple entries separated by a space for failover
– LDAP Type
› Generic, PingDirectory, Active Directory, Oracle Directory Server
§ Use LDAPS specifies to use the LDAPS protocol
§ User DN/Password are used when Bind Anonymously is unchecked

JDBC Data Sources

§ JDBC drivers can be obtained from your database vendor
– Installed into the pingfederate/server/default/deploy directory
– PingFederate must be restarted
§ JDBC URL and Driver Class are vendor specific
– Please consult your database documentation for information

Data Sources – Connection Mapping

§ On the IdP Adapter Mapping – Mapping Method step
§ Select Retrieve additional attributes from multiple data stores using one mapping

Data Sources – Connection Mapping (cont.)

§ Attribute Source ID is used to reference the data store within the connection
– i.e. for use with simple expressions or OGNL

Data Sources – Connection Mapping (cont.)

§ Base DN and Search Scope define where in the directory to search
§ Desired attributes are added from the drop-down lists
– Drop-down lists are populated automatically using the directory schema
§ Attribute contract can be viewed in a separate window

Data Sources – Connection Mapping (cont.)

§ LDAP Filter defines how PingFederate will identify a user within the data store
§ This example tells PingFederate to search for a user whose CN (common name) in the LDAP directory matches the username entered on the HTML Form Adapter

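An added example, not PingFederate's code: how a lookup filter such as (cn=${username}) is filled from the adapter's username and evaluated under a Base DN. The directory entries, the Base DN and the toy filter evaluator are constructed; the value escaping follows RFC 4515 so that the username is matched literally rather than read as filter syntax.

```python
import re

# Constructed directory entries standing in for the lab's OpenLDAP directory.
BASE_DN = "ou=People,dc=wal-ping,dc=com"
ENTRIES = [
    {"dn": "cn=asmith,ou=People,dc=wal-ping,dc=com", "cn": "asmith", "mail": "asmith@wal-ping.com"},
    {"dn": "cn=ajones,ou=People,dc=wal-ping,dc=com", "cn": "ajones", "mail": "ajones@wal-ping.com"},
    {"dn": "cn=svc-backup,ou=Services,dc=wal-ping,dc=com", "cn": "svc-backup", "mail": ""},
]

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value):
    """Escape a value so the filter matches it literally, not as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, adapter_attributes):
    """Fill ${attr} references in a filter template such as "(cn=${username})"
    with escaped values taken from the adapter's attributes."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: escape_filter_value(adapter_attributes[m.group(1)]), template)


def _value_pattern(raw):
    # An unescaped '*' splits the value into substrings (RFC 4515 substrings filter);
    # everything else, including \2a, is decoded and matched literally.
    pieces = [re.escape(_HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), p))
              for p in raw.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def find_users(ldap_filter, entries=ENTRIES, base_dn=BASE_DN):
    """Toy evaluator for a single (attr=value) filter over the subtree under base_dn.
    Only the equality/substrings form is supported; returns the matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("this example only evaluates a single (attr=value) filter")
    attr, pattern = m.group(1), _value_pattern(m.group(2))
    return [e["dn"] for e in entries
            if e["dn"].lower().endswith(base_dn.lower()) and pattern.fullmatch(e.get(attr, ""))]


if __name__ == "__main__":
    ldap_filter = build_filter("(cn=${username})", {"username": "asmith"})
    print(ldap_filter, find_users(ldap_filter))
```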
Data Sources – Connection Mapping (cont.)

§ Attributes from the external source can now be used for contract fulfillment

Adapter Contract Mapping

Connection vs. Adapter Mapping

§ Attributes in PingFederate can be mapped in several places depending on how and where they will be used
§ Connection mapping
– Attribute is only mapped within a connection
– If the same attribute is used for multiple connections it will need to be mapped in every connection
§ Adapter mapping
– Attribute is mapped in the adapter configuration
– The adapter can pass the attribute to any connection that uses the adapter

Connection Mapping

[Diagram: an Adapter (Username, Email) and a Data Store (displayName, mail) are each mapped separately into every Connection (SAML_SUBJECT, Email)]

Attributes are mapped directly into the connection. Multiple connections using the same attributes still have to be mapped on a per connection basis.

Adapter Mapping

[Diagram: the Adapter (Username, Email) looks up the Data Store (displayName, mail) once; the adapter's Email attribute is then passed to every Connection (SAML_SUBJECT, Email)]

With adapter mapping an attribute can be mapped, or looked up, by the adapter. This attribute can then be passed to any connection that needs it.

Summary

§ PingFederate supports simple expressions for user attributes
– Can be used for concatenation of two or more attributes into a single attribute
– Can reference an attribute that is already present in the connection or adapter configuration
§ Attributes can be mapped at several levels
– Connection vs adapter
– Policy contracts are covered in the next module

Lab: Using External Data Sources for Attributes and Authentication

[Lab topology: Identity Provider wal-ping.com (PingFederate, HTML Form Adapter, Simple PCV); Service Provider den-ping.com (PingFederate, Reference ID Adapter, Application)]

Authentication Policies
v20220316

Objectives
After completing this module, you should be able to:

• List the SSO endpoints
• Describe an authentication selector, policy contract, and authentication policy
• Introduce issuance criteria

Endpoints

Introduction to Endpoints

§ Endpoints provide a means, via standard HTTP, for external applications to communicate with the PingFederate server
§ Two categories:
– Application endpoints — services that apply to the server in general or a particular server role (IdP, SP, etc.)
– Protocol endpoints — endpoints that are used by specific protocols (SAML, OAuth, etc.)
§ Some endpoints accept query parameters
§ Full documentation and parameter lists can be found in the manual

IdP Endpoint — StartSSO

§ The basic URL to start an SSO transaction:
BaseURL:port/IdP/startSSO.ping?PartnerSpID=PartnerEntityID
§ You have used this bookmark in the labs:
https://sso.int.wal-ping.com:9031/IdP/startSSO.ping?PartnerSpID=https://sso.int.den-ping.com
§ We can also specify an adapter:
https://sso.int.wal-ping.com:9031/IdP/startSSO.ping?PartnerSpID=https://sso.int.den-ping.com&IdpAdapterID=LDAPLogin

Policies, Selectors, and Contracts

Introduction to Authentication Policies

§ An authentication policy is a tree of authentication sources and selectors
§ Policies and selectors can be used to customize how users are authenticated
§ Policies can be used for:
– IdP and SP initiated SSO
– OAuth authorization code and implicit grants
§ Order matters: policies are executed from top to bottom

Policy Paths

§ Authentication policies start with a selector or an authentication source
§ Most auth. sources and selectors have two results: success or fail, yes or no
§ A path is open-ended if it contains only selector instances (no auth. sources)
– In this scenario the engine continues to the next applicable policy, if any
§ A path is closed-ended if it contains one or more auth. sources
– A closed-ended path can optionally end with a policy contract or local identity profile

Authentication Selectors

§ Selectors allow PingFederate to evaluate conditions related to a request
§ Bundled selectors allow for decisions based on HTTP headers, query parameters, client network address, and more
§ Custom selectors can be created using the PingFederate SDK

Authentication Selectors (cont.)

Selector Type: Description
CIDR: Choose authentication sources based on the IP address of an incoming request.
Cluster Node: Decision based on the cluster node servicing the request.
Connection Set: Matches between the target SP connection used in the request and SP connections configured in PingFederate. Allows you to override authentication selection on an individual connection basis.
HTTP Header: Decision made based on specific browser headers included in the request. Example: can be used to choose an authentication source based on the user’s browser identified by the User-Agent HTTP header.
HTTP Request Parameter: Choose a policy path based on the value of a supplied query parameter.
OAuth Client Set: Choose a policy path based on a match found between the client information in an OAuth request and the OAuth clients configured on PingFederate.
OAuth Scope: Decision based on the scopes requested by an OAuth client. Example: Requesting admin or write access will trigger an adapter with a stronger form of authentication.
Requested AuthN: Choose authentication sources based on the authentication context requested by an SP.

Authentication Policy Contracts

§ List of attributes
§ Policy Contracts can be mapped at the end of an Authentication Policy branch
§ Contracts can be used in multiple places in the policy tree and can be used in multiple connections
§ Attributes can be mapped from adapters or external data stores

Using Authentication Policies

1. Create Authentication Selectors and Policy Contract
2. Create needed adapters
3. Create Authentication Policy for your use case

[Policy tree callouts:]
Policy starts with a selector. This CIDR selector returns YES if the request comes from an internal IP, otherwise returns NO.
Depending on the selector output different authentication methods can be chosen.
Successful authentication results in attributes being mapped into a Policy Contract. Notice that the same contract is used to terminate both branches.

Using Authentication Policies (cont.)

§ Multiple Authentication Policies can be created
§ If a policy path is open-ended PingFederate will automatically move to the next applicable policy in the list

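An added illustration in Python (not the PingFederate engine) of the Policy Paths and Using Authentication Policies rules above: a CIDR selector, two authentication sources standing in for adapters, one policy contract terminating both branches, and the fall-through from an open-ended policy to the next one in the list; the IP ranges, users and credentials are constructed.

```python
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    client_ip: str
    username: str
    password: str
    otp: str = ""


@dataclass
class CidrSelector:
    """Selector: answers Yes when the request's source address is in one of the ranges."""
    ranges: list

    def evaluate(self, request):
        ip = ipaddress.ip_address(request.client_ip)
        hit = any(ip in ipaddress.ip_network(r) for r in self.ranges)
        return ("Yes" if hit else "No"), {}


@dataclass
class AuthSource:
    """Authentication source (a stand-in for an adapter). Verifies one request field
    against a constructed user table and returns Success/Fail plus attributes."""
    name: str
    users: dict
    field: str = "password"

    def evaluate(self, request):
        expected = self.users.get(request.username)
        if expected is not None and hmac.compare_digest(expected, getattr(request, self.field)):
            return "Success", {"username": request.username, "authn_source": self.name}
        return "Fail", {}


@dataclass
class Contract:
    """Policy contract: contract attribute -> attribute collected along the path."""
    mapping: dict


@dataclass
class Node:
    source: object   # CidrSelector or AuthSource
    branches: dict   # result -> Node, Contract or DONE


DONE = "Done"


def run_policy(root, request):
    """Walk one policy tree. Returns (status, attrs): "closed" when an auth source
    decided the outcome, "fail" when the last auth source failed, and "open" when
    the path held only selectors (the engine then tries the next policy)."""
    node, attrs, saw_auth, last = root, {}, False, None
    while isinstance(node, Node):
        result, new_attrs = node.source.evaluate(request)
        attrs.update(new_attrs)
        if isinstance(node.source, AuthSource):
            saw_auth, last = True, result
        node = node.branches[result]
    if isinstance(node, Contract):
        return "closed", {k: attrs[v] for k, v in node.mapping.items()}
    if not saw_auth:
        return "open", None
    return ("closed", attrs) if last == "Success" else ("fail", None)


def run_policies(policies, request):
    """Policies are evaluated top to bottom; an open-ended result falls through."""
    for root in policies:
        status, attrs = run_policy(root, request)
        if status != "open":
            return status, attrs
    return "open", None


# Constructed credentials and policies for an internal/external step-up scenario.
html_form = AuthSource("HTML Form", {"asmith": "Pa55w0rd"})
otp = AuthSource("OTP", {"asmith": "246810"}, field="otp")
CONTRACT = Contract({"SAML_SUBJECT": "username", "AuthnMethod": "authn_source"})

# Policy 1 contains only a selector, so both of its paths are open-ended.
POLICY_1 = Node(CidrSelector(["192.168.50.0/24"]), {"Yes": DONE, "No": DONE})
# Policy 2: internal users need the form only; external users step up to OTP.
# The same contract terminates both branches.
POLICY_2 = Node(CidrSelector(["10.0.0.0/8"]), {
    "Yes": Node(html_form, {"Success": CONTRACT, "Fail": DONE}),
    "No": Node(html_form, {"Success": Node(otp, {"Success": CONTRACT, "Fail": DONE}),
                           "Fail": DONE}),
})
POLICIES = [POLICY_1, POLICY_2]

if __name__ == "__main__":
    print(run_policies(POLICIES, Request("10.1.2.3", "asmith", "Pa55w0rd")))
    print(run_policies(POLICIES, Request("203.0.113.9", "asmith", "Pa55w0rd", "246810")))
```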
Using Authentication Policies (cont.)

§ Authentication Policy Contracts can be mapped into a connection on the Authentication Source Mapping screen

Policy Contract Mapping

[Diagram: the Adapter (Username, Email) and the Data Store (displayName, mail) are mapped into a Policy Contract (SAML_SUBJECT, Email, Name); the contract is then mapped into each Connection (SAML_SUBJECT, Email, Name)]

Policy Contract mapping uses the Authentication Policy tree to make authentication and mapping decisions during runtime based on configured Authentication Selectors.

Policy Fragments

§ Fragments allow you to define a subsection of a policy and then multiple policies can reference that fragment
§ A fragment itself is not a policy that can be executed in PingFederate
– A fragment is invoked from a normal authentication policy
§ Fragments are managed individually

Fragments and Contracts

Inputs defines the attributes this fragment wants to know about. They are mapped and fulfilled when a fragment is chosen in a policy.
Outputs defines the attributes this fragment will fulfill. These attributes will be available downstream in a policy: rules, mappings, issuance criteria, etc.

Fragments vs. Policies

§ Inputs — Calling members can pass variables/attributes into a fragment via an input mapping
§ Outputs — The fragment will have an output contract that it will fulfill on all successful branches
§ Failure — Choosing Done on a branch means a failure case for the fragment
§ Success — Mapping to the output contract means the fragment succeeded
§ No Continue/Restart

Using Policy Fragments

Policies can end on a fragment.

When selecting Done after a fragment, that means the output contract from the fragment will be used to map attributes and finish the transaction.

Using Policy Fragments (cont.)

Fragments do not have to have authentication sources. Fragments can be used to combine selectors into an output that the parent policy can use.

In this example, users not on the corporate network or transactions that requested MFA will fulfill an output attribute of MFA/BYPASS. These values can then be used in the parent policy to define rules.

Issuance Criteria

Issuance Criteria

§ Conditionally allowing or disallowing the issuance of security tokens (SAML assertion, adapter contracts, token generation, etc.)
§ Can evaluate attributes and other run-time variables
§ If enabled for the server, OGNL expressions can be used

Issuance Criteria (cont.)

Summary

§ Authentication policies are a decision tree that can be used to make complex authentication decisions
– Step-up, MFA, etc.
§ Authentication selectors can be used to make decisions in the policy tree
§ A policy contract is a list of attributes that is populated by the authentication policy
– Contracts can be used in multiple places in the tree
§ Issuance criteria provides coarse-grained authorization

Lab: Authentication Policies

[Lab topology: Identity Provider wal-ping.com (PingFederate, HTML Form Adapter, Simple PCV); Service Provider den-ping.com (PingFederate, Reference ID Adapter, Application)]

Introduction to OAuth
v20220316

Objectives
After completing this module, you should be able to:

• Describe the OAuth protocol
• Explain OAuth use cases
• Recount the components of OAuth

What is OAuth 2.0?

§ OAuth is an industry standard authorization protocol
§ Generally used to protect access to APIs
– In the cloud
– Mobile
§ Protecting against password sharing
§ Grant authorization to a resource by means of requiring the requester to hold an access token

Why OAuth 2.0?

§ Industry standard
§ REST friendly
§ Provide application access without giving the application your password
– Instead a token is issued to the application on behalf of the user
§ Can be used for applications that do not support SAML

OAuth 2.0 Standards

§ IETF OAuth Working Group
§ Standards and information available at https://oauth.net/2/

OAuth 1.0a
• Released June 2009
• Requires applications to use cryptographic signature
• Web applications
• Resource server issues and verifies every token

OAuth 2.0
• Released Dec 2010 from IETF
• Signatures are optional
• Requires SSL
• Web apps
• JS/widget apps
• Native/Mobile apps
• server-server
• Split Authorization Server and Resource Server

OAuth Terminology

Role — Resource Server (RS)

§ The server hosting end-user resources
§ Resources are protected by OAuth 2.0
§ Normally, an API provider that holds and protects data
– User profile information (contacts, calendar, photos, etc.)
– Payment access
– Etc.

[Diagram: Client, Resource Owner, Authorization Server, Resource Server and Token, with the Resource Server highlighted]

Role — Resource Owner (RO)

§ Usually the end user of the application
§ Owns the resource the client needs access to
§ Has the ability to grant access to own data
§ Data stored on the resource server

[Diagram: Client, Resource Owner, Authorization Server, Resource Server and Token, with the Resource Owner highlighted]

Role — Client

§ Application or server requesting access to protected resources
§ Done through the use of API requests
§ Performs different actions on protected resources
§ On behalf of the resource owner
§ With resource owner’s authorization/permission

[Diagram: Client, Resource Owner, Authorization Server, Resource Server and Token, with the Client highlighted]

Role — Authorization Server (AS)

§ API server that issues and controls tokens
§ Many resource servers may share the same authorization server

[Diagram: Client, Resource Owner, Authorization Server, Resource Server and Token, with the Authorization Server highlighted]

Access Token

§ Credential used by client to access protected resources on the resource server
§ Issued to the client by the authorization server
§ Authorized by the resource owner

[Diagram: Client, Resource Owner, Authorization Server, Resource Server and Token, with the Token highlighted]

Refresh Token

§ Special type of token stored securely by the client
§ Used by client to obtain a new access token when the old one expires
§ Allows for continued access by the client without reauthorization by the resource owner
§ Refresh token can be revoked by the client or the resource owner

Client ID and Client Secret

§ Client Id
– A value used by the client to identify itself to the service provider
§ Client Secret
– A secret used by the client to establish ownership of the client ID

Scopes

§ Maintained by the authorization server
§ List of actions/permissions the client is allowed to perform on the resource server
§ Client can request one or more scopes when requesting an access token
– Scopes are associated with the access token
– If no scopes are requested the access token will be given the “default” scope

Problem Statement

§ You want to purchase an item from a merchant website using an account on a web payment service (e.g. PayPal)
§ How do you securely give the merchant website its payment, without compromising the security of your web payment service?

Answer

[Diagram: Resource Owner, Client, Authorization Server, Resource Server and Token]
1. User initiates a checkout
2. Client redirects user to AS for authentication and authorization
3. AS returns access token to the client
4. Client uses the token to complete the transaction

Section Summary

§ Built on industry standards
§ Allows users to grant access to a resource without having to compromise account credentials
§ Resource owners authorize clients to perform actions on a resource server
§ Uses bearer tokens supplied by an authorization server

OAuth Scopes and Access Tokens
20220316

Objectives
After completing this module, you should be able to:

• Define an OAuth scope list
• Create access tokens
• Map attributes from adapters to the persistent grant store
• Map attributes to an access token

Configure Scopes and Access Tokens

Authorization Server Responsibilities

§ Maintain scope list
§ Maintain client list
§ Issue authorization codes
§ Issue access and refresh tokens
§ Possibly, authenticate user

Scopes on the Authorization Server

§ Clients can only request configured scopes
§ Can request any combination of the list
§ Example scopes:

User Permission: Description
publish_actions: Enables your app to post content, comments, and likes to a user's stream and to the streams of the user's friends
user_location: Provides access to the user's current city as the location property
ads_management: Provides the ability to manage ads and call the ads API on behalf of a user

Adapter Mapping

OAuth and Adapters

§ Authorization server needs to authenticate the user
– Who is authorizing this transaction?
§ Authentication done using the same adapters you configured for SSO
– Adapters are mapped to access tokens
– Similar to mapping a SAML assertion

OAuth Adapter Attributes

§ Two attributes are included in the contract:
– USER_NAME
› The name presented to the user on the authorization page
– USER_KEY
› A unique identifier for the user (e.g. username, email address, or other unique value)

OAuth Adapter Mapping

USER_KEY: Value for persistent grant
USER_NAME: Value presented to user on authorization page

Example: OAuth Mappings in PingFederate

[Diagram: the Adapter (Username) and a Data Store (displayName, mail) are mapped into the Persistent Grant (USER_KEY, USER_NAME)]

Access Token Mapping

Access Token Mapping

§ Access tokens need attributes
– Account number, frequent flier number, etc.
– The resource server will see this when the token is validated
§ These values need to come from somewhere

Example: OAuth Mappings in PingFederate

[Diagram: the IdP Adapter (Username) and an LDAP / AD or SQL DB data store (displayName, mail, Birthday) feed the Adapter Mapping into the Persistent Grant Contract (USER_KEY, USER_NAME); the Access Token Mapping then fills the Access Token (UserID, Email, DateOfBirth, etc.)]

Example: OAuth Mappings in PingFederate

[Diagram: the Adapter (Username) is mapped into the Persistent Grant (USER_KEY, USER_NAME); the Persistent Grant plus a Data Store lookup (displayName, mail, Account Number) are mapped into the Access Token (UserID, Email, Account Number)]

Order of Operations

§ Client sends request for access token, e.g. a GET request like:
client_id=tunespartner&response_type=code&redirect_uri=tunespartner.com/callback|url&scope=charge10
§ PingFederate checks client list
§ PingFederate checks scope and grant type requested
§ PingFederate uses adapter for authentication
– Maps USER_KEY and USER_NAME
§ PingFederate maps the access token

Managing Grants

Persistent Grants Table

§ Stored in a local SQL table: <pf-home>/pingfederate/server/default/conf/access-grant/sql-scripts
§ Single table – pingfederate_access_grant
§ For production an external DB is required

Column Type
guid VARCHAR(32)
hashed_refresh_token VARCHAR(256)
unique_user_id VARCHAR(256)
scope VARCHAR(1024)
client_id VARCHAR(256)
grant_type VARCHAR(128)
context_qualifier VARCHAR(64)
issued TIMESTAMP
updated TIMESTAMP
expires TIMESTAMP

User Management of Persistent Grants

§ https://<pfhost:port>/as/oauth_access_grants.ping
§ Template: pingfederate/server/default/conf/template/oauth.access.grants.page.template.html

Client Management of Persistent Grants

§ Client Application can revoke refresh and access tokens
– An example is an application that is removed from a device and cleans up after itself
§ Client can only revoke tokens issued to it

OAuth Authentication Selector

Advanced: OAuth Scope Authentication Selector

*IdP Configuration -> Selectors

Advanced: OAuth Scope Authentication Selector

*IdP Configuration -> Policies

Section Summary

§ PingFederate, as an authorization server, maintains a list of scopes for clients to request
§ IdP adapters are used for authentication
§ USER_KEY and USER_NAME are mapped into the persistent grant contract
§ Access tokens can have additional attributes mapped

Lab: Scopes and Access Tokens

§ Create a list of scopes
§ Create an access token
§ Use your existing HTML Form Adapter to create mappings for persistent grants and access tokens

[Lab topology: Authorization Server wal-ping.com (PingFederate, HTML Form Adapter, PCV)]

OAuth Grants
v20220316

Objectives
After completing this module, you should be able to:

• Configure each of the OAuth grant types in PingFederate
• Use the OAuth Playground to test grant flows
• Configure refresh tokens for supported grant types

OAuth Grant Types

What is an OAuth Grant?

§ The process used by a client to obtain an access token
§ Different grants designed for different use cases
– Authorization Code — Applications
– Client Credentials — Server-to-Server use cases

Access Token Validation

§ OAuth client application sends the access token to resource server
§ Resource server validates the access token with the authorization server

[Diagram: Client receives access token from AS; Client uses access token to access the resource server API; RS validates token with AS]

Client Credentials

§ Client application sends its own credentials (client ID and secret) to authorization server in request for access token
§ Authorization server returns access token to client
§ No user is involved

[Diagram: Client sends ID and secret to Authorization Server; Client receives access token from AS]
Authorization Code

§ Client redirects user to the authorization server
§ User authenticates, then authorizes the request
§ Authorization server redirects user back to web app with an authorization code
§ Client sends authorization code to authorization server with client secret
§ Authorization server returns the access token

[Diagram: Resource Owner is redirected to AS for authentication; user is redirected to client with authorization code; Client uses authorization code to obtain access token from Authorization Server]
Refresh token

§ Long-lived grant
§ Additional optional grant for clients using:
– Authorization code
– Resource Owner Password Credentials
§ Resource owner authorizes only once
§ When a client requires a new access token it exchanges its refresh token for a new access token (and optionally, a replacement refresh token)

OAuth Playground

OAuth Playground

§ Web-based tool to simplify experimentation with the OAuth 2.0 protocol
§ APIs that use the protocol, like the REST API, can be tested
§ OAuth 2.0 Playground 4.0 needs little configuration
§ Only setup needed is for calling the Identity Service and REST API

OAuth Playground

What’s in the Playground?

§ Download includes:
– Documentation
– Product
§ Read pre-requisites for installing
§ Set appropriate parameters
§ Proceed with installation
§ Bring up Web-based browser to begin testing
Configure OAuth Clients

General Client Configuration

§ A client will initially send a request
§ PingFederate will check its client list

General Client Configuration

§ Client ID
§ Client secret
§ Redirect URI:
– Callback URL
§ Grant type

Client Credentials

Client Credentials Grant Client

§ Client secret: yes
§ Refresh token: no
§ Redirect URI: no
– No browser

Lab: Create a Client Credentials Client

§ Review OAuth Playground settings that we will use in the OAuth labs
§ Create client using Client Credentials grant type
§ Configure client settings
§ Assign access token
§ Test in OAuth Playground
– Get access token
– Validate access token, which will fail!
– (We will fix this in the next lab)
Resource Server

Access Token Validation Client

§ Client secret: yes
§ Refresh token: no
§ Redirect URI: no
– No browser

Lab: Create a Resource Server Client

§ Create client for resource server using Validate Access Token grant type
§ Configure client settings
§ Assign access token
§ Re-test Client Credentials client in OAuth Playground
– Get access token
– Validate access token: Success!
– We now have an OAuth client defined for our resource server

Authorization Code

Authorization Code Grant Client

§ Client secret: yes
§ Refresh token: allowed
§ Redirect URI: yes

Lab: Create an Authorization Code Client

§ Create client using Authorization Code grant type
§ Configure client settings
§ Assign access token
§ Test in OAuth Playground
Other Configurations

Assigning an Access Token to a Client

§ Clients can be assigned specific access tokens
§ This allows for different tokens for different clients/purposes

Refresh

§ Refresh token can be added to clients using a supported grant type
– ROPC
– Authorization Code

Section Summary

§ OAuth grants define the process clients use to receive access and refresh tokens
§ The Resource Server grant is a special grant type
– Allows the resource server to validate tokens and receive mapped attributes
§ Refresh tokens can be used for the ROPC and Authorization Code grant types

Appendix: Deprecated Client Types
Resource Owner Password Credentials

§ Application collects the user’s credentials and uses them to authenticate
§ Intended only for trusted 1st party apps

[Diagram: Client collects user’s credentials from the Resource Owner; application uses the client’s credentials to authenticate to the Authorization Server; Client receives access token from AS]

Implicit

§ Browser application redirects user to authorization server
§ User authenticates, then authorizes the request
§ Authorization server redirects user back to web app with the access token embedded in the query string

[Diagram: Resource Owner is redirected to AS for authentication; token returned directly to the Client]
OpenID Connect
v20220316

Objectives
After completing this module, you should be able to:

• Describe the OpenID Connect standard
• List key features of OpenID Connect
• Discuss OAuth tokens given to OpenID Connect

OpenID Connect Standard

§ OpenID Connect standard for identity federation
§ Simple identity layer on top of OAuth 2.0 standard
§ OpenID Connect is next generation of OpenID
§ Users are empowered to authenticate
– Use same login identity
– Allow access to multiple applications

OpenID Connect

§ Identity providers are trusted by users and applications
§ Provides for optional signing and encryption
§ ID tokens as security tokens (similar in purpose to SAML Assertions)
§ Userinfo endpoints with claims
§ Passing of permissions for access authentication
§ Modular by design for ease of development

OpenID Connect Use Case

“Thanks for your purchase, unknown person!”
- and -
I have no metrics on which types of people buy this type of music

Versus

“Thanks for your purchase, Joe!”
- and -
We should cater our marketing to 25+ males in the southern United States
ID Tokens

§ What user is this access token for

[Diagram: User authenticates and authorizes (like normal) at the PingFederate Authorization Server (AuthZ, Token and Validation endpoints); OAuth Client receives an access token and also an id_token]
ID Token (cont.)

• A security token
• JSON Web Token (JWT)

[Diagram: PingFederate Authorization Server (AuthZ, Token and Validation endpoints) returns the token response to the OAuth Client]

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token":"SlAV32hkKG",
  "token_type":"bearer",
  "expires_in":3600,
  "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
  "id_token":"eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ..."
}

Base64url decode the id_token to read its claims:

"iss": "https://as.idtel.com",
(‘issuer’. Did this come from the right authorization server (AS)?)

"sub": "24400320",
(Which user did the AS authenticate? Also called “sub” for “subject”. Will decode to “joe”, for instance.)

"aud": "s6BhdRkqt3",
(‘audience’. This should decode to “tunes_partner” – my client_id, so this token was meant for me)

"exp": 1311281970,
(‘expiry time of token.’ Is this token still valid?)

"iat": 1311280970
(‘issued at time’)
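As an added example (not code from the course), the checks the slide lists for iss, sub, aud, exp and iat as a small Python validator. It builds its own HS256-signed token from a constructed shared secret so it runs offline, and treats https://as.idtel.com and s6BhdRkqt3 as the expected issuer and client_id shown on the slide.

```python
"""Check the claims of an OpenID Connect ID token as the slide describes.

Added example, not code from the Ping Identity course. The token is built
here with an HMAC-SHA256 (HS256) signature over a made-up shared secret so
the example runs offline; the claim values are the ones on the slide.
"""
import base64
import hashlib
import hmac
import json

SHARED_SECRET = b"demo-shared-secret-not-for-production"   # constructed
EXPECTED_ISSUER = "https://as.idtel.com"                    # the AS on the slide
EXPECTED_AUDIENCE = "s6BhdRkqt3"                           # my client_id


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Base64url omits the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 JWT so the validator has something to check."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, secret: bytes, now: int,
                      issuer: str = EXPECTED_ISSUER,
                      audience: str = EXPECTED_AUDIENCE) -> dict:
    """Verify the signature, then iss, aud, exp, iat and sub.

    Returns the decoded claims when every check passes, otherwise raises
    ValueError naming the first failing check.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts

    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    # Signature first: never act on claims from an unverified token.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")

    claims = json.loads(b64url_decode(payload_b64))

    # "iss": did this come from the right authorization server?
    if claims.get("iss") != issuer:
        raise ValueError(f"iss {claims.get('iss')!r} is not the expected AS")
    # "aud": was this token meant for me (my client_id)?
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError(f"aud {aud!r} does not include my client_id")
    # "exp": is this token still valid?
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token has expired")
    # "iat": issued in the future means a clock problem, not a valid token.
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now:
        raise ValueError("iat is in the future")
    # "sub": which user did the AS authenticate?
    if not claims.get("sub"):
        raise ValueError("no sub claim")
    return claims


# The claims shown on the slide, wrapped in a constructed token.
SLIDE_CLAIMS = {
    "iss": "https://as.idtel.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "exp": 1311281970,
    "iat": 1311280970,
}
SLIDE_TOKEN = make_id_token(SLIDE_CLAIMS, SHARED_SECRET)


def check_slide_token(now: int) -> str:
    """Return 'ok:<sub>' or 'rejected:<reason>' for the slide's token at time now."""
    try:
        return "ok:" + validate_id_token(SLIDE_TOKEN, SHARED_SECRET, now)["sub"]
    except ValueError as err:
        return "rejected:" + str(err)


if __name__ == "__main__":
    print(check_slide_token(1311281000))   # within the validity window
    print(check_slide_token(1311281970))   # at exp: rejected as expired
```

A production relying party checks the AS's asymmetric signature (for example RS256 against the keys the AS publishes) rather than a shared secret; the claim checks are the same.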
Endpoint — Userinfo

Access token is exchanged for user claims

[Diagram: OAuth Client sends the access token to the Userinfo Endpoint of the PingFederate Authorization Server (alongside the AuthZ, Token and Validation endpoints)]

{
  "user_id": "248289761001",
  "name": "Joe Saml",
  "preferred_username": "j.saml",
  "email": "[email protected]",
  "age": "27",
  "location": "Florida"
}
OpenID Connect Scopes

§ In OAuth, requests are made to access protected resources by requesting access to scopes
§ “openid” scope gets the client an ID token
§ To request claims, the client needs to include those as scopes
– Email address, profile, location

Normal Authentication and Authorization

OpenID Connect Example

§ Client uses the openid scope to request an ID token along with the access token

OpenID Connect Example (cont.)

§ Client receives the access token as well as the ID token

OpenID Connect Example (cont.)

§ Validating the ID token gives the username (sub attribute)

OpenID Connect Example (cont.)

The user’s ID is dflutie. But what’s their birthday?

§ The openid scope gets us the ID token, but what about more claims?
§ ID token currently only for username
§ If we want the user’s birthday, we need to include a scope for that

Getting User Claims

§ No special “birthday” scope
– “birthday” is an attribute contained in another scope – the profile scope
§ The OpenID Connect documentation lists scopes and their components
§ “Profile” includes:
– the End-User's default profile claims, which are: name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, and updated_at

Requesting Additional Claims

Obtain User Profile Information

§ Now the client can use the access token to retrieve the user’s profile from the userinfo endpoint
OpenID Connect Application Flow

[Diagram: OAuth Client, User and PingFederate Authorization Server (AuthZ, Token, Validation and Userinfo endpoints), steps 1 to 5]

1) Web app launches browser, in which user authenticates to the authorization server (and grants authorization)
2) Authorization server returns Auth Code to web app through browser
3) Web app exchanges code for access token and id token
4) Instead of sending the access token to the resource server, the web app sends the access token to the userinfo Endpoint
5) Authorization Server returns requested user information (claims) from the userinfo endpoint

PingFederate as a Relying Party
OpenID Connect and SSO

§ Single Sign on to third party client
- Google, Facebook, etc.

[Diagram: User, OAuth Client and PingFederate Authorization Server (AuthZ, Token, Validation and Userinfo endpoints), steps 1 to 3]

1. User clicks “Log in with ____ account”
2. OpenID Connect request:
- Scope: openid
- “I need the userID”
3. Client receives access token and id token:
- Doesn’t use/need access token
PingFederate’s Role

§ PingFederate is an authorization server
§ But also could be:
– Relying Party (RP)
› Will be an RP on behalf of a target application
› Acts as a client in this use case
– Use browser SSO
› Gets user info in OIDC scenario
› Maps this to a last mile option (e.g. a RefID adapter)
› Sends user info to target applications from last mile option

SSO With OpenID Connect

[Diagram: PingFederate as a relying party talking to a 3rd Party OIDC Provider (AuthZ, Token, Validation and Userinfo endpoints), steps 1 to 5]

1) OIDC request
2) User authenticates and authorizes with the 3rd party provider. Client receives access token and ID token.
3) Client sends the access token to the Userinfo Endpoint
4) Authorization Server returns requested OIDC claims
5) Client logs user in

Relying Party Requirements

§ PingFederate 8.2+:
– Needs to be set up for SP role
– Check OpenID Connect under SP in Roles and Protocols section
– Requires an SP adapter for “last mile” option
– Build a connection in PingFed and choose “OpenID Connect” instead of a protocol like “SAML”

Section Summary

§ OpenID Connect is an identity protocol built on top of OAuth
§ OpenID Connect works by using claims, which are additional information about a specific user
§ OpenID Connect clients can request claims by specifying the OAuth scopes assigned to the specific claims
Server Administration
v20220316

Objectives
After completing this module, you should be able to:

• Describe how to change configuration parameters
• Review connections and modifications
• Evaluate Admin API operations

Changing Startup Parameters

§ Administrative console and runtime behavior controlled by pingfederate/bin/run.properties
§ Restart the server for changes to take effect
§ Property

Runtime Notifications

§ Notifications can be set up to send an email warning. Examples:
– When license is about to expire
– Certificate expirations
§ When a certificate expires, PingFederate always writes an error in the server log

Administration Accounts

§ Option for multiple administrators with role-based access control
§ Alternate:
– LDAP
– RADIUS
– Client certificates

Importing and Exporting Connections

§ When/why?
– Moving from a development server to test or production
– Adding additional servers to your environment and allocating certain connections to other servers
§ The resulting XML data is a PingFederate-proprietary format

Copy Connections

§ Creates immediate copy (not exported) of connection
§ Must change the entity ID, at least

Administrative API

RESTful Administrative API

§ CRUD support for administration of PingFederate
– Alternative to using the administrative console
§ Examples include:
– Server settings
– Connections
– Keys and certificates
– OAuth settings
– Cluster management
– OAuth grant management
§ Requires Admin Authentication using HTTP Basic Authentication, X.509 certificate, or RADIUS

Operations and Endpoints

§ GET - read; get list of all items or a specific id
§ POST - add/create
§ PUT - change; requires that all content is provided in the change
§ DELETE - delete

API Documentation

API Operation

Section Summary

§ Describe how to change configuration parameters
§ Review connections and modifications
§ Evaluate Admin API operations

Lab: Admin. API

§ Locate and change configuration parameters
§ Recall connections and modifications
§ Review Admin API operations
Deployment and Optimization
v20220316

Objectives
After completing this module, you should be able to:

• Describe three deployment options
• Explain directed clustering
• Provide an overview of adaptive clustering
• Designate state servers in a directed cluster
• Create cluster sub-groups in a directed cluster

Deployment Options

Stand-Alone Deployment

§ Users access PingFederate via a Web application server (and/or an Enterprise Identity Management system)
§ PingFederate may, in turn, retrieve information from a data store to use in processing the transaction

Behind a Proxy Server

§ The proxy is accessed by users and Web browsers
§ The proxy, in turn, communicates with PingFederate to request SSO

Proxy Server Configuration

§ Base URL is set to publicly-accessible URL of the proxy

Converting from Stand-alone to Cluster

§ It is possible to convert a standalone server to a cluster configuration

Clustered

§ Cluster consists of one or more engine nodes and a single console node
§ Multiple engine nodes provide increased availability and scalability

[Diagram: Engine Nodes with Index 1 through 5 and a Console Node with Index 100]
Directed Clustering

Clustering Configuration

§ Each PingFederate instance, or node, is either:
– Runtime engine
– Console server
– A cluster may contain one or more runtime nodes but only one active console node
§ Advantage is simplicity, including straightforward load-balancing strategies

Clustering Configuration (cont.)

§ One license per server cluster
§ Configure the run.properties file
– CLUSTERED_CONSOLE
› Only one!
– CLUSTERED_ENGINE

Clustering Configuration (cont.)

run.properties file property / Description

pf.operational.mode
• Controls the operational mode of the PingFederate server (CLUSTERED_CONSOLE or CLUSTERED_ENGINE)

pf.cluster.node.index
• Each server in a cluster must have a unique index number
• Used to identify peers and optimize inter-node communication (Range: 0-65535)

pf.cluster.auth.key
• Sets the password that each node in the cluster must use to authenticate when joining the group
• This prevents unauthorized nodes from joining a cluster

pf.cluster.encrypt
• Indicates whether or not to encrypt network traffic sent between nodes in a cluster
• When set to true, communication within the cluster is encrypted with a symmetric key derived from the value of the pf.cluster.auth.pwd property.
• All nodes in a cluster must have the same value set for this property.

pf.cluster.bind.address
• Controls the network interface to which the group communication should bind.
• For machines with more than one network interface, you can use this property to increase performance (particularly with UDP) as well as improve security by segmenting group-communication traffic onto a private network or VLAN.
• If left blank, the first available network interface is used
Directed Clustering — Designating State Servers

§ You can select a few engine nodes to operate as state servers
§ Designated state servers should be isolated from end-user traffic
§ Provides better scalability and reduced back-end overhead

[Diagram: Network Load Balancer in front of Engine Nodes Index 1, 2 and 3; Engine Nodes Index 5 and 6 hold session-state information; Console Node Index 100]

Directed Clustering — Defining Subclusters

§ You can use node indices to divide a cluster into subgroups, or subclusters
§ This requires a network management solution that sticks, or persists, user sessions to a specific subcluster

[Diagram: Network Load Balancer in front of two regional Network Load Balancers (EMEA Region: Engine Nodes Index 1 to 3; US Region: Engine Nodes Index 4 to 6), each region with its own session-state information; Console Node Index 100]

Cluster Admin. Node

§ Admin console
§ Lists all the nodes in the cluster

Cluster Replication — What is Replicated?

§ Configuration Set:
– All the things defined in the admin. console GUI
– E.g. server settings, adapter instances, partner connections, certificate keystores, etc.
§ Runtime session and state data
§ License file

Cluster Replication — What is NOT replicated?

§ All adapter files
§ Velocity template files
§ Changes to run.properties/run.bat
§ Database drivers
Adaptive Clustering

Adaptive Clustering Overview

§ Default setting for new installation
§ Automatically distributes session-state information to multiple nodes (replica sets)
– Administrators do not need to modify individual configuration files to specify which nodes should participate in tracking user sessions
§ Supports geographically dispersed cluster architectures
§ Eliminates the need to manually configure state servers and sub-clusters
– Cross-region support can be used to fulfil the same purpose as a sub-cluster

Introduction to Adaptive Clustering

§ Built around “consistent hashing”
§ State has keys – nature of those keys varies:
– PF session cookie
– Reference-style OAuth Access Tokens
– Account locking
– Assertion replay
§ Keys can be consistently hashed to identify a logical location for storing the corresponding state
Adaptive Clustering — Replica Sets

§ Built around consistent hashing
§ State has various keys which can be hashed to determine where the state information is stored
– E.g. PF session cookie

[Diagram: Incoming Transaction from a User arrives at a cluster of Engine Nodes Index 1 through 5]

Adaptive Clustering — Replica Sets (cont.)

§ State information for a transaction is stored in a replica set within the cluster (green)
– Default set size is three nodes, this can be configured
§ Replica sets are determined based on the transaction hash
– Two sessions will most likely have their state stored on different replica sets
§ Replica sets serve to equally distribute the state information across all nodes

[Diagram: Incoming Transaction from a User; three of the five Engine Nodes (Index 1 to 5) are highlighted in green as the replica set]

Adaptive Clustering — Replica Sets (cont.)

§ When a transaction is resumed (say after a redirect) any node can use the key/hash to retrieve state data for the transaction from the replica set
§ The engine looks for consensus on returned states

[Diagram: Resumed Transaction from a User handled by any of the Engine Nodes Index 1 to 5]

Adaptive Clustering — Replica Sets (cont.)

§ If a node in a replica set fails the data is copied (rebalanced) to another node in the cluster
§ If the failed node rejoins the cluster the replica set is once again rebalanced

[Diagram: Engine Nodes Index 1 to 5 with a failed node’s data rebalanced to another node]
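To make the consistent-hashing idea on these slides concrete, an added example (not PingFederate’s own implementation): a hash ring that assigns each state key a replica set of three engine nodes and reports which state has to be copied when a node fails, and that the original sets return when it rejoins. Node indices 1 to 5 follow the diagram; the session keys are constructed.

```python
"""Illustrate the consistent-hashing replica-set idea behind adaptive clustering.

Added example, not PingFederate's implementation: a hash ring with virtual
nodes, a replica set of three engine nodes per state key, and rebalancing
when a node leaves or rejoins. Node indices and session keys are constructed.
"""
import bisect
import hashlib

REPLICA_SET_SIZE = 3    # the default set size named on the slide
VIRTUAL_NODES = 64      # points per node on the ring, for an even spread
CLUSTER = [1, 2, 3, 4, 5]                                      # engine node indices as drawn
SAMPLE_KEYS = [f"PF-session-cookie-{i}" for i in range(20)]    # constructed state keys


def _ring_hash(text: str) -> int:
    # A stable hash keeps the ring identical on every node, unlike hash().
    return int.from_bytes(hashlib.sha256(text.encode()).digest()[:8], "big")


class HashRing:
    """Maps a state key (e.g. a PF session cookie value) to its replica set."""

    def __init__(self, node_indices, replicas=REPLICA_SET_SIZE):
        self.replicas = replicas
        self._points = []   # sorted (hash, node_index) pairs
        for idx in node_indices:
            self.add_node(idx)

    def add_node(self, idx: int) -> None:
        for v in range(VIRTUAL_NODES):
            bisect.insort(self._points, (_ring_hash(f"node-{idx}#{v}"), idx))

    def remove_node(self, idx: int) -> None:
        self._points = [p for p in self._points if p[1] != idx]

    def nodes(self) -> list:
        return sorted({idx for _, idx in self._points})

    def replica_set(self, key: str) -> list:
        """Walk clockwise from the key's hash, collecting distinct nodes."""
        if not self._points:
            return []
        want = min(self.replicas, len(self.nodes()))
        start = bisect.bisect(self._points, (_ring_hash(key), -1))
        chosen = []
        for i in range(len(self._points)):
            idx = self._points[(start + i) % len(self._points)][1]
            if idx not in chosen:
                chosen.append(idx)
                if len(chosen) == want:
                    break
        return chosen


def failover_report(failed: int, keys=SAMPLE_KEYS, cluster=CLUSTER) -> dict:
    """Which keys' state must be copied, and to which node, when `failed` drops out.

    Keys whose replica set did not include the failed node are untouched; the
    other keys keep their two surviving nodes and gain exactly one new one.
    """
    healthy = HashRing(cluster)
    degraded = HashRing([n for n in cluster if n != failed])
    report = {}
    for key in keys:
        before, after = healthy.replica_set(key), degraded.replica_set(key)
        if before != after:
            report[key] = {"lost": failed, "copied_to": [n for n in after if n not in before]}
    return report


if __name__ == "__main__":
    ring = HashRing(CLUSTER)
    for key in SAMPLE_KEYS[:5]:
        print(key, "->", ring.replica_set(key))
    for key, move in failover_report(failed=2).items():
        print(f"node 2 failed: copy state for {key} to node {move['copied_to']}")
```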
Adaptive Clustering Configuration

§ Configured in the run.properties file
– pf.cluster.adaptive=true
§ New Installs = true (default)
§ Upgrade = preserves existing config (false)
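An added pre-start check, not a Ping Identity tool, that reads a run.properties fragment from every node and applies the rules stated on these slides: exactly one CLUSTERED_CONSOLE, unique pf.cluster.node.index values in 0-65535, and the same pf.cluster.auth.key, pf.cluster.encrypt and pf.cluster.adaptive on all nodes (property names as listed in the table above). The three property files are constructed and deliberately contain a duplicate index and a mismatched encrypt flag.

```python
"""Sanity-check the run.properties of every node before starting a cluster.

Added example, not a Ping Identity tool. It applies the rules stated on the
slides: exactly one CLUSTERED_CONSOLE, unique pf.cluster.node.index values in
0-65535, the same pf.cluster.auth.key and pf.cluster.encrypt on every node,
and a consistent pf.cluster.adaptive flag. The property files below are
constructed for the example.
"""

# Constructed run.properties fragments, keyed by hostname (not real servers).
NODE_FILES = {
    "pf-console": """
pf.operational.mode=CLUSTERED_CONSOLE
pf.cluster.node.index=100
pf.cluster.auth.key=example-cluster-key
pf.cluster.encrypt=true
pf.cluster.adaptive=true
""",
    "pf-engine-1": """
pf.operational.mode=CLUSTERED_ENGINE
pf.cluster.node.index=1
pf.cluster.auth.key=example-cluster-key
pf.cluster.encrypt=true
pf.cluster.adaptive=true
pf.cluster.bind.address=10.0.1.11
""",
    "pf-engine-2": """
pf.operational.mode=CLUSTERED_ENGINE
pf.cluster.node.index=1
pf.cluster.auth.key=example-cluster-key
pf.cluster.encrypt=false
pf.cluster.adaptive=true
""",
}

VALID_MODES = {"CLUSTERED_CONSOLE", "CLUSTERED_ENGINE"}
CLUSTER_WIDE = ("pf.cluster.auth.key", "pf.cluster.encrypt", "pf.cluster.adaptive")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, # and ! comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_cluster(files: dict) -> list:
    """Return human-readable findings; an empty list means the node set is consistent."""
    findings = []
    nodes = {host: parse_properties(text) for host, text in files.items()}

    consoles = [h for h, p in nodes.items() if p.get("pf.operational.mode") == "CLUSTERED_CONSOLE"]
    if len(consoles) != 1:
        findings.append(f"expected exactly one CLUSTERED_CONSOLE, found {len(consoles)}: {consoles}")

    seen_index = {}
    for host, p in nodes.items():
        mode = p.get("pf.operational.mode")
        if mode not in VALID_MODES:
            findings.append(f"{host}: pf.operational.mode={mode!r} is not a clustered mode")
        raw = p.get("pf.cluster.node.index", "")
        if not raw.isdigit() or not 0 <= int(raw) <= 65535:
            findings.append(f"{host}: pf.cluster.node.index={raw!r} is not in 0-65535")
        elif int(raw) in seen_index:
            findings.append(f"{host}: pf.cluster.node.index={raw} duplicates {seen_index[int(raw)]}")
        else:
            seen_index[int(raw)] = host
        if not p.get("pf.cluster.auth.key"):
            findings.append(f"{host}: pf.cluster.auth.key is empty; any node could join the group")

    # Cluster-wide properties must carry the same value on every node.
    for prop in CLUSTER_WIDE:
        values = {p.get(prop) for p in nodes.values()}
        if len(values) > 1:
            findings.append(f"{prop} differs across nodes: {sorted(map(str, values))}")
    if any(p.get("pf.cluster.encrypt", "false").lower() != "true" for p in nodes.values()):
        findings.append("pf.cluster.encrypt is not true everywhere: inter-node traffic would be cleartext")
    return findings


if __name__ == "__main__":
    for finding in check_cluster(NODE_FILES) or ["cluster configuration is consistent"]:
        print(finding)
```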
Node Discovery

§ Nodes need to “discover” each other in a cluster
§ Uses existing mechanisms:

Static (docs):
– TCP
• pf.cluster.tcp.discovery.initial.hosts
– UDP
• mcast

Dynamic (docs):
– AWS_PING – recommended
• AWS IAM roles
– NATIVE_S3_PING
• AWS w/ shared secrets
– SWIFT_PING
• OpenStack

Section Summary

§ PingFederate can be deployed stand-alone, behind a proxy, or in a clustered configuration
§ Clustering can be directed or adaptive
– Adaptive clustering and dynamic discovery can be used for cloud deployments to rapidly respond to changes in demand

Optional Lab: Create a Directed Cluster

§ Copy another instance of your IdP PingFederate to quickly create another node
§ Change run.properties files accordingly
§ Admin console has configuration
§ Engine node performs SSO
Troubleshooting Lab
Hints
v20220316

2 Proprietary | Do not distribute — Copyright ©2022 Ping Identity Corporation. All rights reserved.
Lab 8: SAML Troubleshooting

§ 3 very common SAML issues


§ Follow lab instructions to stop working PingFed instances
§ Start broken PingFederate instances and fix them!
§ Hints given as we go

3 Proprietary | Do not distribute — Copyright ©2022 Ping Identity Corporation. All rights reserved.
Troubleshooting lab:

§ Scenario A:
– Hint 1:
› Check the error page URL to know which server.log to look at.

4 Proprietary | Do not distribute — Copyright ©2022 Ping Identity Corporation. All rights reserved.
§ Scenario A:
– Hint 1:
› Check the error page URL to know which server.log to look at.
– Hint 2:
› The SP is checking to validate the signing certificate. What it’s configured
to check – does that match what the IdP is configured to send?

5 Proprietary | Do not distribute — Copyright ©2022 Ping Identity Corporation. All rights reserved.
§ Scenario A:
– Problem:
› In its connection configuration, the IdP is signing the assertion with a certificate.
› The SP is checking to validate the assertion’s signature – “Does what came match what I was expecting to come?”
- These don’t match.
– Solution:
› In the IdP Admin Console:
- Go to the connection summary for the connection to the Denver SP.
- Scroll to the bottom – go to the header for Digital Signing &...
- Get to a ‘manage certificates’ page and export the signing certificate (NOT the cert + key).
› In the SP admin console:
- Go to the very bottom of their connection summary, to the signature verification certificates page.
- Get to a ‘manage certificates’ page;
- import the correct certificate. Save.

§ à On to scenario B!
6 Proprietary | Do not distribute — Copyright ©2022 Ping Identity Corporation. All rights reserved.
§ Scenario B:
– Hint 1:
› “Unable to lookup metadata” means that the assertion is coming from an issuer the service provider doesn’t recognize (it is not a problem with any metadata file itself).

§ Scenario B:
– Problem:
› The SP is receiving an assertion whose Issuer is an entity ID it doesn’t have in its connection list.
› i.e. the partner entity ID entered in the SP-side IdP connection does not match the identity provider’s actual entity ID.
– Solution:
› On the SP Admin Console, open your IdP Connection to Waltham.
› Click the blue General Info tab at the top.
› Change the partner’s entity ID back to https://sso.int.wal-ping.com
- Note: how would you know this?
» It’s configured on the Identity Provider admin console, in server settings.
» It’s also listed in the server.log as the Issuer that arrived in the assertion.
» In a production scenario, you would ask the IdP what their entity ID is.

§ → On to scenario C!
§ Scenario C:
– Hint:
› The log shows that the assertion is reaching the SP PingFederate with all its attributes, but not all of those attributes are reaching the application. What sits between the SP PingFederate and the target application?

§ Scenario C:
– Problem:
› The SP adapter doesn’t have all the attributes configured in its extended contract, so while SSO works, the adapter is not passing the additional attributes on to the application.
› We have to add the attributes to the adapter, then map them in the connection.
– Solution:
› In the SP Admin Console, go to Adapters.
› Choose the OpenToken Adapter.
› Click the Extended Contract tab.
› Enter Email, click Add. Enter Fullname, click Add.
› Done, Save.
› You’ll have to remap the assertion attributes onto the adapter contract in the IdP connection (follow the red text prompts).
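As an added example (not part of the Ping Identity lab materials, and not how PingFederate itself is implemented), the three checks behind Scenarios A, B and C as one stand-alone Python triage script run over a constructed SAML Response: compare the SHA-256 fingerprint of the certificate in the assertion’s KeyInfo with the verification certificate configured on the SP, compare the assertion’s Issuer with the partner entity ID configured in the SP’s IdP connection, and list the assertion attributes the adapter’s extended contract would drop. The entity ID https://sso.int.wal-ping.com is from the lab; the “wrong” entity ID, the certificate bytes, the user attributes and the contract names are constructed for illustration.

```python
"""Triage the three SAML failure modes from Lab 8 against a constructed SAML Response.
Added example, not PingFederate code. Certificate bytes, attribute values and the
"broken" configuration values are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for DER-encoded certificates. Only the
# bytes matter here: a certificate fingerprint is a hash over the DER encoding.
IDP_SIGNING_CERT_DER = b"\x30\x82constructed-idp-signing-cert-der-placeholder"
STALE_VERIFICATION_CERT_DER = b"\x30\x82constructed-stale-sp-cert-der-placeholder"


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as admin UIs show it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


# Constructed Response as the Waltham IdP would post it to the Denver SP's ACS.
# The Signature element is reduced to its KeyInfo, which is all this triage reads.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2022-03-16T12:00:00Z">
  <saml:Issuer>https://sso.int.wal-ping.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2022-03-16T12:00:00Z">
    <saml:Issuer>https://sso.int.wal-ping.com</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(IDP_SIGNING_CERT_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jsmith@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Fullname"><saml:AttributeValue>Jane Smith</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# SP-side IdP connection as the lab's "break" step leaves it (constructed values).
BROKEN_SP_CONFIG = {
    "partner_entity_id": "https://sso.int.wal-ping.com:9031",  # Scenario B: wrong entity ID
    "verification_cert_sha256": sha256_fingerprint(STALE_VERIFICATION_CERT_DER),  # Scenario A
    "adapter_contract": ["subject"],  # Scenario C: no extended attributes
}
# The same connection after the fixes in this lab.
FIXED_SP_CONFIG = {
    "partner_entity_id": "https://sso.int.wal-ping.com",
    "verification_cert_sha256": sha256_fingerprint(IDP_SIGNING_CERT_DER),
    "adapter_contract": ["subject", "Email", "Fullname"],
}


def parse_response(xml_text: str) -> dict:
    """Extract the assertion's Issuer, its KeyInfo certificate fingerprint and its attributes."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion in Response (encrypted assertions not handled)")
    cert_b64 = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert_b64 is None:
        raise ValueError("assertion carries no KeyInfo certificate")
    der = base64.b64decode("".join(cert_b64.split()))  # tolerate PEM-style line breaks
    attributes = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS).strip(),
        "cert_fingerprint": sha256_fingerprint(der),
        "attributes": attributes,
    }


def triage(parsed: dict, sp_config: dict) -> dict:
    """Return {scenario letter: explanation} for each of the lab's three mismatches present."""
    findings = {}
    if parsed["cert_fingerprint"] != sp_config["verification_cert_sha256"]:
        findings["A"] = ("signing cert in assertion (%s...) is not the SP's verification cert (%s...); "
                         "import the IdP's current signing certificate"
                         % (parsed["cert_fingerprint"][:23], sp_config["verification_cert_sha256"][:23]))
    if parsed["issuer"] != sp_config["partner_entity_id"]:
        findings["B"] = ("assertion Issuer %r matches no IdP connection; configured partner entity ID is %r"
                         % (parsed["issuer"], sp_config["partner_entity_id"]))
    dropped = sorted(set(parsed["attributes"]) - set(sp_config["adapter_contract"]))
    if dropped:
        findings["C"] = ("attributes %s arrive in the assertion but are not in the adapter's extended "
                         "contract, so they never reach the application" % dropped)
    return findings


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    for label, config in (("broken", BROKEN_SP_CONFIG), ("fixed", FIXED_SP_CONFIG)):
        findings = triage(parsed, config)
        print(f"{label}: {findings if findings else 'no mismatches'}")
```

Two caveats for anyone tempted to use this beyond the lab. Matching the fingerprint of the certificate embedded in KeyInfo only tells you which key the IdP claims to have used; it is not signature verification, and anyone can place an arbitrary certificate in KeyInfo, which is exactly why the SP must verify the XML signature against its own configured verification certificate rather than whatever arrives in the message. Likewise the Issuer is an unauthenticated string until that signature verifies, so the script is a diagnostic aid for reading what the SP saw, not a replacement for the SP’s checks.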

