SOLUTION BRIEF

Ping Identity Federal ABAC Solution

Attribute-Based Access Control

Attribute-Based Access Control

Attribute-based access control (ABAC) is a flexible approach to enable fine-grained authorization decisions for a requester (end entity/user) and a targeted resource/data/object. Each requester and resource has a set of associated attributes. These could include persistent attributes stored within a directory or contextual attributes such as time of request, type of multi-factor authenticator, device information, etc.

Figure: Dynamic authorization diagram showing that access decisions are based on the context of the user, the resource, and the action being requested.

Historically, authorization decisions have been driven by Role-Based Access Control (RBAC), which evaluates factors like group membership, organizational role, and admin rights. While effective in certain contexts, RBAC’s scope is often too limited to address today’s complex threat environment. The US Federal Zero Trust Strategy, outlined in OMB Memorandum M-22-09, directs agencies to adopt ABAC for more granular, context-aware authorization decisions.

Ping Identity offers solutions designed to implement and enforce ABAC. Built on open standards, they can be deployed independently or in combination, enabling organizations to modernize their Identity Credential and Access Management (ICAM) capabilities. Whether across mobile, desktop, or web applications, Ping’s controls can be enforced via standards-based federation protocols like SAML and OIDC, header-based URL controls, or within the API layer—extending security across an organization's entire footprint.

Ping's ABAC Solutions

There are several technologies involved in a modern ABAC deployment. These include a master user record (MUR), a single sign-on (SSO) federation engine, and inbound and outbound ABAC policy engines.

Figure: Chart of Ping Identity's software offering ABAC solutions.

Master User Record – PingDirectory

PingDirectory is a fast, scalable directory used to store identity and rich profile data. Organizations that need maximum uptime for millions of identities use PingDirectory to securely store and manage sensitive customer, partner, and employee data. PingDirectory acts as a single source of identity truth and can be leveraged to create a Master User Record, or MUR, that stores an aggregate of attributes for each user and serves as the authoritative source of truth for ABAC authorization decisions.

Having a MUR is an essential foundation for ABAC as it allows more holistic views and lifecycle management of users across an organization. The MUR is the logical integration point for identity governance and administration (IGA) engines, for quickly managing entitlements of users, as well as centralized policies for onboarding and offboarding.

Users get loaded into PingDirectory through import, API connection, manual entry or bidirectional, real-time synchronization from LDAP, RDBMS, JDBC, or SCIM data stores. Both structured and unstructured user data are secured and stored by leveraging encryption, password validators, cryptographic log signing, and more. PingDirectory helps organizations eliminate identity silos, and can become the authoritative record to be used for authorization decisions across the enterprise.

Single Sign On – PingFederate

PingFederate is an enterprise federation server that streamlines user authentication and single sign-on (SSO). It integrates seamlessly with enterprise applications, third-party authentication sources, user directories, and existing ICAM systems, all while supporting both current and legacy identity standards.

With PingFederate, organizations can pull attributes from diverse sources such as multiple directories, databases (including the MUR), external identity providers, and user-provided credentials during authentication. Its advanced policy orchestration engine also enables the integration of endpoint protection platforms (EPP), extended detection and response (XDR), and other security solutions into the adaptive authentication process, ensuring device authentication before user credentials are exposed.

These attributes can then be leveraged for ABAC decisions and enforcement, enhancing security across the organization.

Supported federation standards include OAuth, OpenID, OpenID Connect, SAML, WS-Federation, WS-Trust, and System for Cross-Domain Identity Management (SCIM). Additionally, PingFederate directly supports X.509 authenticators such as the PIV and CAC, and can act as a federation hub to connect external identity providers into a centralized authentication policy engine.

Inbound ABAC – PingAccess

PingAccess is a centralized access security solution with a comprehensive authorization policy engine. It provides secure access to applications and APIs down to the URL level, and ensures only authorized users can access the resources they need. PingAccess allows organizations to protect web apps, APIs, and other resources using rules and other authentication criteria, and can be leveraged through agent-based and web access gateway-based deployments.

PingAccess enforces authorization by sitting between the user and the protected application. This enforcement is referred to as inbound ABAC, and it intercepts the requests between the user and the application and interjects a dynamic authorization decision to determine if the requesting user should have access to the requested resource within the application.

PingAccess enables and enforces coarse- and medium-grained ABAC through its flexible authorization policy engine. The attributes examined by these policies can be pulled directly from assertions, tokens, and backchannel APIs sent from the federation engine, such as PingFederate, and/or from available directories, including the MUR. This allows PingAccess to augment the data provided by the federation engine with additional attributes available through configurable sources.

Outbound ABAC – PingAuthorize

PingAuthorize provides fine-grained access control using real-time context about users and the resources they access, providing security and ensuring compliance. It operates as a fine-grained authorization solution, leveraging real-time data to make authorization decisions for access to data, services, APIs, and other resources. PingAuthorize empowers administrators to set dynamic authorization policies that allow, block, filter, or obfuscate an access request based on behavior, activity, or any other attribute.

PingAuthorize enforces authorization by sitting between the protected application and the data/resources being requested. This enforcement is referred to as outbound ABAC: it intercepts the requests between the application and the requested data/resource, which are typically API requests. PingAuthorize builds a dynamic authorization decision into this API layer, intercepting and modifying requests based on what the requesting user is authorized to access.

Dynamic authorization policies configured and enforced through PingAuthorize can evaluate any identity attribute, consent, entitlement, resource, or context to make ABAC decisions in real-time. PingAuthorize gives you centralized control over your digital transactions and application access to data.
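As an added illustration of the two enforcement points the brief describes (not Ping Identity's code), the constructed Python below makes a coarse inbound allow/deny decision from requester attributes and then filters or masks fields of the returned data as the outbound decision; the attribute names, resource paths, policy tables and sample record are all assumptions.

```python
"""Constructed ABAC example: inbound enforcement (between user and app)
decides allow/deny; outbound enforcement (between app and data) filters
or obfuscates the response. Not Ping Identity code."""
from dataclasses import dataclass


@dataclass
class Request:
    subject: dict    # persistent attributes, e.g. from the MUR (assumed names)
    context: dict    # contextual attributes, e.g. type of MFA authenticator
    resource: str
    action: str


# Assumed inbound rule: requester must hold one of the listed clearances
# and have authenticated with one of the listed authenticator types.
INBOUND_POLICIES = {
    "/api/records": {"clearance": {"secret", "top_secret"}, "mfa": {"piv", "cac"}},
}

# Assumed outbound rule per clearance: fields returned as-is and fields
# returned obfuscated; anything else is filtered out of the response.
OUTBOUND_POLICIES = {
    "/api/records": {
        "secret": {"visible": {"id", "title"}, "masked": {"ssn"}},
        "top_secret": {"visible": {"id", "title", "ssn", "notes"}, "masked": set()},
    },
}

# Constructed sample record with a fake identifier value.
SAMPLE_RECORD = {"id": 7, "title": "Maintenance log", "ssn": "000-00-0000", "notes": "n/a"}


def inbound_decision(req: Request) -> str:
    """Coarse-grained decision made before the request reaches the app."""
    rule = INBOUND_POLICIES.get(req.resource)
    if rule is None:
        return "deny"  # default-deny for resources with no policy
    if req.subject.get("clearance") not in rule["clearance"]:
        return "deny"
    if req.context.get("mfa") not in rule["mfa"]:
        return "deny"
    return "allow"


def outbound_filter(req: Request, record: dict) -> dict:
    """Fine-grained filtering/obfuscation of the data the app returns."""
    rule = OUTBOUND_POLICIES.get(req.resource, {}).get(req.subject.get("clearance"))
    if rule is None:
        return {}  # no entitlement: return nothing rather than the raw record
    out = {k: v for k, v in record.items() if k in rule["visible"]}
    out.update({k: "***" for k in rule["masked"] if k in record})
    return out
```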

Flexible Deployment

These solutions are deployed on Ping Identity’s DoD IL5/FedRAMP High SaaS platform, private clouds, traditional on-premises setups, and air-gapped, DDIL, or network-segmented environments—all with full functional parity. Each solution is manageable through a user-friendly graphical interface or via automated configurations using RESTful APIs.

Supported Deployment Methods

Figure: Technical diagram illustrating an identity and access management (IAM) architecture using Attribute-Based Access Control (ABAC). It maps the flow of data from identity providers through a central hub to various applications.

A Modernized ICAM built around ABAC

Ping Identity’s unique portfolio allows external and internal identities to be centralized through a federation hub and master user record (MUR) with dynamic authorization through inbound and outbound attribute-based access control.

Ping Identity enables federal entities’ distributed workforces to perform secure, interoperable mission-critical work from anywhere. We do this by providing the ICAM solutions and services organizations need to modernize their complex, hybrid environments and facilitate the move to a Zero Trust architecture.

Modernize Federal Access Management with ABAC

Ping Identity's ABAC solutions help agencies meet Zero Trust mandates with dynamic, attribute-based authorization across every layer of the enterprise.

See how PingDirectory, PingFederate, PingAccess, and PingAuthorize work together to deliver a complete, FedRAMP High-authorized ICAM solution.