It is an exciting time to be in the identity management business! And I have a new perspective in my role at Ping Identity as director of product marketing for our SaaS product — PingOne.
In August, I concluded my last Catalyst conference (in my role as a Gartner research vice president) with a forceful push on key identity topics, including cloud identity, identity bridges, SCIM, mobility, and the Amazon AWS identity system. I enjoyed working with my good friends and colleagues at Gartner, and I know those relationships will thrive.
I want to focus my first Ping blog post on our new service, Ping IdentityBridge for Salesforce, and how it complements Salesforce and its Identity offering.
Authentication and Provisioning: Crucial for SaaS Access
In my many interactions with enterprises, I am asked the question "how can we enable federated SSO to [insert favorite SaaS app here] for employee access?" The enterprise has two challenges.
First, employees must be provisioned into the SaaS application at administrative time, typically via a synchronization process between Active Directory (or less likely, another directory) and the SaaS application.
Second, the business must authenticate employees and securely transition them from their enterprise login into the SaaS session at runtime. In other words, two identity services are typically required: a federated identity provider and directory synchronization. (Note, however, that some SaaS applications can add the user to their identity store at runtime via SAML, i.e., just-in-time, but the business cannot delete users with this approach.)
Our new offering, Ping IdentityBridge for Salesforce, provides both services. The offering includes the following capabilities:
- User provisioning. IdentityBridge updates the Salesforce identity store based upon your Active Directory environment. As users are added, modified and deleted in AD (based upon policy), the Salesforce identity store is updated, too.
- SAML-based SSO. By leveraging the user's initial authentication to AD, IdentityBridge provides SSO all the way to the Salesforce environment.
- Native administration console. The administration console runs on the Force.com PaaS, so there is no need for the administrator to leave the Salesforce environment to configure the offering.
You may have seen Chuck Mortimore’s announcement regarding Salesforce Identity, which is expected to be available in early 2013. Ian Glazer (my former colleague at Gartner) has an excellent post on the topic, too. Salesforce Identity will provide a set of identity services, including SAML/OAuth authentication for users under management and a SCIM provisioning interface.
Read Chuck's post for all the details. Salesforce Identity is a strong endorsement of the standards-based, secure SSO and standards-based provisioning long championed by Ping Identity. All of our identity bridges (Ping IdentityBridge for Salesforce, PingFederate, and PingOne) will support Salesforce Identity on the day that it becomes available.
But how do Ping Identity’s products complement Salesforce Identity?
Ping Identity products provide the crucial functionality necessary for businesses to connect to Salesforce from their on-premises environment. By delivering the missing link — the identity bridge between the on-premises environment and Salesforce — Ping Identity delivers SSO from the user’s desktop login to Salesforce and by extension to Salesforce Identity’s SAML-enabled applications.
Ping Identity products also deliver seamless user provisioning from Active Directory into Salesforce. Additionally, businesses can opt to leverage Ping Identity for SSO to SAML-enabled Force.com applications.
Ping IdentityBridge for Salesforce: