im am currently using a evaluation version of the PingFederate software and reading documentation all the time but still struggling to understand how i can create multiple IdPs for my SP.
I am hosting services, and setting up PingFederate as an SP. Currently in my tests i have one single IdP and all is working fine... I have set up the IIS Agent to intercept traffic and it redirects to my SP to start SP initiated SSO and that all works ok (coming in on the default startSSO url).
However, im struggling to see how i can configure the system for multiple IdP's and was wondering if someone could give a high level overview or point me at some documentation?
I understand that i have to configure the second IdP connection and i somehow need to use the PartnerIdpId URL parameter to distinguish which IdP the user is sent to.... but im not sure where i do that control/configuration for routing to different Idps? Do i need multiple agents on my IIS box that listen on different urls and can then forward the requests themselves to the right SP urls (/startSSO?partnerIdpId=XYZ) within the agent config file?
Thanks for any help,
Craig
I think your question is more around how do you trigger SP-Init SSO for multiple IDPs when using the IIS Integration Kit.
As you've figured out, as the Service Provider, you can create multiple IDP Connections (each with its own unique EntityID). You trigger SP-Init SSO by calling the /sp/startSSO.ping Application Endpoint and pass in the appropriate PartnerIdpId value that matches the EntityID of the IDP you wish to issue the AuthnRequest. You can do this one of two ways -- either hard-code the URL into the IIS Kit pfisapi.conf file so that a single entity is called each time (not the best solution) or you can manually host the URL on a page that isn't protected by the IIS Kit. Unfortunately, a lot of this design decision comes down to how your IIS application is designed and the choice of integration kit.
I would suggest talking through this with your RSA as they can help show you the pros/cons of each integration kit to match up what works best for your application & customers.
HTH,
Ian
PS
I work for Ping.
Related
I'm using OneLogin for Single Sign On on my application. I'd like to have a different URL to authenticate users of the mobile app (infrastructure reasons). On the OneLogin app admin page it seems I can only define one ACS (Consumer) URL, whereas on IDP's like Azure I can have multiple. Is this possible on OneLogin?
I can confirm that OneLogin does not have this feature at the moment. I'm implementing a server cluster that would utilize a single multi-san certificate and we were hoping to be able to create a single connector with OneLogin but they say that they can't provide this at the moment and the best they can do is put in a feature request to their development team.
Regards,
Hunor
Looking today I can see that there are some application configurations that support multiple ACS URLs:
If you configure a new application with one of them it is possible to list multiple ACS URLs (although I can't see a way to specify the ACS Index for each of them):
I'm not sure if it's possible to repurpose one of those configurations for a completely different service but at this stage I think it would be the only possible way as I can't find a generic Multi ACS configuration.
Updated: Thanks for responding on my post. I am very sorry, as of today these were the requirement details. However, I can elaborate more on what I understand. I some idea on WIF, where I can write my own STS, RP and publish policies.
Couple of queries here. Do we need to have an IdP and should we connect STS to IdP. if not, can we go without IdP. I will have to use claim base authentication and federated identity mgmt in the application.we do not depend on AD/LDAP integration.
Imp Requirements are in this way. 1) we allow customers to do self registration who are direct users of this portal-M and the other set of users come from partner-X where the company claims are verified using SAML Req/Resp to access the portal-M. 2) once the direct user or user-thru-partner-X enters the portal-M, he/she should get access to another portal-N of partner-Y sending SAML request in similar fashion.
I have provided as much as details I know, since I am new to this technology of SSO/FIdM
I would happy to provide more information, if needed
Original
I have got a complex task to build a solution of externalized SSO with SAML that would be used by customers of different partners over web. the constraints are to build IdP/STS/Issuers/RP/Trusts/Policies with no open source or commercial product support choosing specific technology platforms such as Microsft or/and J2EE.
On top of these, IdP must have to use in house custom data store available on SQL Server and Oracle.
your ideas are appreciable and thanks in advance
So you want to implement a SAML stack without using any commercial or open source software?
That is a HUGE amount of work and you will need to spend a non-trivial amount of time getting your head around SAML.
In terms of a DB as your Identity repository, refer: Thinktecture IdentityServer.
In terms of SAML stacks, refer: SAML : A SAML stack .
We are using PingFederate to enable SSO. It's being mapped with the LDAP directory server and our site is able to use SSO. Now we are integrating a helpdesk software application which is being hosted somewhere within our own site. We want the help desk user to be able to login using our site credentials. For that I need to add the help desk as a partner (SP) in PingFederate acting as an IdP.
How can I achieve this? A brief explanation would be helpful. Thanks in advance.
You may want to check out the Getting Started - Part 3 recording from our website. It demonstrates how the setup a connection to a typical service provider.
https://www.pingidentity.com/support/training-center/index.cfm/103-creating-a-connection?id=1011570451001
In a nutshell, you would need communicate with your partner about federation and share some information like:
Federation Standard/Protocol,
Base URL, Entity ID, Endpoints,
Binding,
SSO profile,
Attributes,
and so on.
All of the above depends on what federation server your partner is using. Once you have all the information you can quickly setup the connection to your partner within PingFederate.
I hope this helps. I've also sent you a PM.
There's lots of good information in our documentation on managing SP connections: https://support.pingidentity.com/s/document-item?bundleId=pingfederate-92&topicId=adminGuide%2FmanagingSpConnections.html
How the connection is made largely depends on how you authenticate users, what attributes you're sending, and what the SAML capabilities/details are of your help desk software. If no SAML features are available, you may have to use one of our Integrations to either front end it (with a web server plugin, like Apache or IIS) or modify the app (using one of our language kits or agentless integration approach).
You may also want to consider sitting in one of our training sessions on PingFederate basics: https://www.pingidentity.com/en/resources/training.html
Should all else fail, our support centre is there to help if you have a valid contract.
I have a requirement where I need to implement SSO between two different websites.
One of the website say www.abc.com is written using ASP.NET and is hosted on IIS 7.0. The second website say www.xyz.com is written using PHP and uses Apache web server. Both the websites uses different databases and uses different algorithms to authenticate the user.
I cannot use a third party SSO as that would mean changing the authentication for both the websites. Wanted to know if this is possible and if yes, what should be the approach?
Thanks in advance...
We could find an alternative approach. Basically, we were trying to address this issue by using two cookies (one each for www.abc.com and www.xyz.com created by each site), but since we were unable to find a way for reading cross-domain cookies, we were stuck up.
But then, I stumbled upon the way forums.asp.net and hotmail works. They use the live.microsoft.com to set the authentication cookie.
Now, we plan to create a third website for authenticating the user. The login forms in both the www.abc.com and www.xyz.com will call the third website to set the authentication cookie. Using this authentication cookie, we will be able to allow user to have seamless browsing across both the websites.
Also, found a very good article on this implementation.
http://www.codeproject.com/Articles/114484/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic
I would like to have some guidance regarding how to handle authentication for my restful service to be able to support a couple of different scenarios, see included image?
I've been thinking about this problem for a couple of week without finding a solution for all of the cases and even if I'll make trade offs I'll be running into problems
If we skip the Mobile application and the use of Curl, there's no need to expose the service to the public and it would be possible to use basic authentication for the server to server communication. But we'll still need to put some responsibility at the "Web site for ninjas only" to pass the (openid authenticated user) as part for the http header?
In this case we're using Google apps to manage credentials for our co-workers and I don't like the idea to manage another username/password within the service if it's possible to avoid.
Is there any sustainable solution for my dreams, so that I can build awesome features for the client and implement a tight api that manages the authorization for different resources for a specific user?
Another possible to solution might be to integrate the service with the openid provider, but then I'll have problem with passing the user from "Web site for ninjas only"