“Congratulations, you’ve been invited to the first annual
where you’ll also have a chance to compete for the 2014 PingCup and get your offering in front of our customers.”
These were the words that arrived in my in-box back at the end of May. As a Ping Identity Platinum Services Partner, we look forward to these types of events as it gives us insight into Ping’s roadmap as well as a great opportunity to share our expertise with Ping’s customers we might not otherwise have.
We knew we weren’t going to miss PingCon, so that left one question, “What do we present for PingCup?”
While our CoreBlox Token Service (CTS) has received great reviews from both Ping Identity and CA Technology customers, (see, Webinar: How TIAA-CREF Successfully Connects On-Premises and Cloud Identity Technology), we wanted to come up with something that 1) No one else is doing and 2) Something that is simple, powerful and scalable.
With CoreBlox’s history and expertise in Identity and Access Management consulting, we’ve been very excited about Ping’s Federated Access Control product, PingAccess. PingAcces brings a standards-based approach (like all things Ping Identity does) to the SSO/Access Control space. With support for OpenID Connect (OIDC) for user Authentication as well as a Reverse Proxy and/or “Agent” based deployment option, it’s a powerful piece of technology. Ping has made it as simple to deploy and upgrade as their PingFederate product which means organizations of all sizes will find it an attractive entrant to the IAM space.
In the process of exploring PingAccess, we realized that for customers that choose to utilize both PingAccess and SiteMinder (or are migrating from one to the other), we had an opportunity to simplify the integration between the two by leveraging our CTS solution in the form of a custom Site Authenticator.
PingAccess Site Authenticator – Some Background
PingAccess has a feature called the “Site Authenticator”. Site Authenticator’s are used when PingAccess is deployed in “Gateway” mode (a.k.a. Reverse Proxy) and the web resources being protected by PingAccess have their own token/session requirements for authenticated users that must be kept in place.
PingAccess ships with the Token Mediator Site Authenticator, which allows PingAccess to leverage the Security Token Service (STS) built into PingFederate and exchange the PingAccess session token (called PA Token, which is a signed or encrypted JSON Web Token (JWT)) for the required back-end token type utilizing an available PingFederate Token Translator. For customers using the CoreBlox Token Service, PingAccess, PingFederate and CA SiteMinder, the token exchange looks something like this:
PingAccess Token Mediator Site Authenticator
The notable piece here is that PingAccess calls PingFederate in order to utilize the CoreBlox Token Translator. The CoreBlox Token Translator is then calling CTS in order get the necessary SMSESSION information from SiteMinder. All this info is returned to the Token Mediator Site Authenticator which injects the SMSESSION cookie into the backend request without the user ever being prompted by SiteMinder to authenticate.
While this works today to give customers seamless SSO between PingAccess and SiteMinder, it does have some drawbacks:
- Limited to WAM systems where a PingFederate Token Translator exists
- Extra protocol translation from WS-Trust to JSON REST
- Extra traffic/hops that must pass through PingFederate
- Another service that needs to be configured, monitored and troubleshot
- Potentially new license file to enable STS in PingFederate that must be applied
We think there’s a simpler way to achieve the same thing: The PingAccess CTS Site Authenticator
PingAccess CTS Site Authenticator
We thought to ourselves, “What if there was a way to directly integrate PingAccess to the CoreBlox Token Service without having to pass through PingFederate?” This would eliminate issues #1-#5 listed above AND be simpler/quicker for customers to configure. So we went ahead and wrote the custom integration using the brand new PingAccess 3.0 SDK that Ping Identity just released at the Cloud Identity Summit and presented it to all the attendees at PingCon.
Now, when customers need to provide seamless access between PingAccess and SiteMinder, they can utilize our CTS Site Authenticator for PingAccess. With the custom Site Authenticator in place, the flow now looks like:
PingAccess CTS Site Authenticator
In the flow above, you’ll notice that PingFederate is no longer used as an intermediary to CTS. By using the CTS Site Authenticator PingAccess has the ability to interface directory with the CoreBlox Token Service.
This setup has the following benefits:
- Support for CA SiteMinder today via CTS. Additional WAM support is being planned.
- No protocol translation required. Simple JSON REST call from PingAccess to CTS
- Reduced traffic load on PingFederate
- 2 fewer configuration points. No need for Token Processor & Token Generator in PingFederate STS
- Uses the existing PingFederate license. No additional features required.
If you’d like to find out more about our CTS Site Authenticator and/or CoreBlox Token Service, email sales@coreblox.com or dial 1-877-TRY-BLOX.
Ian Barnett
Ping Identity Practice Director