A week or so ago when the Ping Marketing crew started rolling out our next version of PingFederate, version 6.6, I had one of those moments in product management when you realize you have underestimated the value of the new features prioritized for a release. You always expect to have a few new use cases emerge as you talk with existing and new customers, analysts and partners, but rarely do you get to see the number of use cases blossom as we have seen with this release. 

Like many great ideas, the new features in PingFederate 6.6 grew out of customer demand. As we started to see more and more requests for advanced authentication and complex attribute retrieval, our engineering team at Ping put their heads together and realized that they could add some unique management capabilities that leverage the flexible and extensive adapter framework that PingFederate is built on. Here are the highlights that I see:

  • Flexible authentication rules that provide the ability to define rules based on remote user location or context (data sensitivity), which would enable our customers to ensure that their cloud-based services comply with corporate security and compliance policies. What makes this feature very cool is that "context" is any aspect of the authentication request that is presented to PingFederate. So, one could create a rule set that evaluates HTTP header values or query parameters to determine how a user will authenticate to any application or service based on the risk of their context. For example, if you have an application or service being accessed by a user with a social media identity, or from a location outside the firewall, you can step up their authentication requirements to ensure that they are who they say they are before granting access.
  • Authentication chaining provides the ability to form "chains" of authentication methods (adapters) for creating unique multi-factor authentication patterns or fall-back scenarios. This gives our customers stronger security and higher availability. Tied with the new authentication rules, you can now address a variety of security policies based on the applications and services you need to protect.
  • Identity Attribute Aggregation doesn't seem as sexy as the other features, but the few customers we have shown this feature to tell us how much money and time it saves them. This feature allows quick and easy onboarding of new SaaS applications that require additional user information. Customers have the ability to interact with multiple sources for gathering user profile data (attributes) needed to interact with identity and service providers.
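
The rule and chain model described in the first two items above, as an added sketch that is not PingFederate configuration, API, or Ping's code. All names (`RULES`, `select_chain`, `run_chain`, the `X-Data-Sensitivity` header, the `idp` query parameter, the adapter names) and the network range are assumptions made for illustration.

```python
import ipaddress

# Everything here is hypothetical and constructed for illustration.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # sample "inside the firewall" range
STRICT = [["password"], ["otp"]]       # two steps: password AND one-time code
DEFAULT = [["kerberos", "password"]]   # one step: kerberos, falling back to password

def outside_firewall(ctx):
    ip = ipaddress.ip_address(ctx["remote_ip"])
    return not any(ip in net for net in CORPORATE_NETS)

# First matching rule wins. Headers and query parameters are client-supplied,
# so these rules only ever raise the requirement, never lower it.
RULES = [
    (lambda c: c["query"].get("idp") == "social", [["social"], ["otp"]]),
    (outside_firewall, STRICT),
    (lambda c: c["headers"].get("X-Data-Sensitivity") == "high", STRICT),
]

def select_chain(ctx):
    """Return the adapter chain for a request context; fail closed on bad input."""
    try:
        for matches, chain in RULES:
            if matches(ctx):
                return chain
    except (KeyError, ValueError, AttributeError):
        return STRICT  # malformed context: require the strongest chain
    return DEFAULT

def run_chain(chain, adapters, creds):
    """Every step must pass; within a step, alternatives are tried in order."""
    used = []
    for step in chain:
        for name in step:
            try:
                ok = adapters[name](creds)
            except ConnectionError:  # adapter unavailable: try the next alternative
                continue
            if ok:
                used.append(name)
                break
        else:
            return False, used  # no alternative in this step succeeded
    return True, used
```

A rule evaluation error selects the strict chain rather than the default, so a request with an unparsable address cannot slip through on the weakest policy.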

As the 6.6 version of PingFederate is rolled out, I'm looking forward to hearing about more unique use cases customers are able to address with these new features. I'm sure I'll continue to be amazed at the creativity and ingenuity of the Ping community.

 

AUTHOR:
EMAIL: emerkle@bdo.com
DATE: 02/14/2012 02:19:47 PM


We need better documentation and configuration examples for these features. We have installed 6.6 but it is very hard to understand all the different ways we can use these features. Please provide step-by-step guides and examples of step-up and how to do it with different adapters.


Eric, thanks for your comments. As the product manager for PingFederate, I can promise you that we appreciate your time investment. We are working diligently to create supporting information for our new Adaptive Federation features. Some of the new content will work its way into the PingFederate Administrator's Guide, as you've requested. Some will take different avenues. For instance, you should see a new white paper on our product site soon (I hope to have it out this week). You will also begin to see content in other forms. Keep an eye out for new Knowledge Base articles, and posts on the Answers forum as well. We'll let you know when the white paper is out. Hopefully, that will fill the gap for you.
