While federation has long been the key to consistent access management, we have discovered room for innovation. We have loaded our release of PingFederate 7.2 and PingAccess 3.0 with new feature sets that give enterprises new capabilities, including new session management, revocation options, and URL-level authorization for both Web and API-based applications.
Like many things we do at Ping Identity, standards are at the core of Federated Access Management. We've excelled at SAML, WS-Trust and WS-Federation, and we have the technology to back up our expertise. Recent trends around mobile computing, application programming interfaces (APIs) and consumer identities have brought SCIM, OAuth 2.0 and OpenID Connect into our mix. With the new capabilities in PingFederate 7.2 and PingAccess 3.0 we're addressing some common challenges that customers face when deploying these technologies.
Federated single sign-on (SSO) by nature has created a very decoupled, complex session management experience for end users. For example, when a client performs a SAML 2.0 based sign-on from an identity provider (IdP) to a service provider (SP), the sessions that represent that user's active state in the system as a whole reside independently on both sides of the organizational boundary.
While Single Logout (SLO) is defined in the standard, it's rarely implemented in practice due to challenges in usability, the need to replicate session information across the partners (IdP and SP), and the single-point-of-failure nature of front-channel binding profiles. As organizations look to apply federated standards to enable SSO into internal applications, a better approach is needed for security and usability.
Our unique approach to session management addresses the scenario presented above in a lightweight and highly scalable fashion. Based on the OpenID Connect standard, we enable both the tracking of logged-in states for applications and the tracking of the revocation status of end users once they have logged out.
These two capabilities can be used independently or together to balance security and scalability based on the requirements of your environment. An asynchronous SLO mechanism avoids the single-point-of-failure issues that plague SAML 2.0, but still provides a complete cleanup of the client-side cookies used for session tracking. The revocation list approach to logout tracks only the invalid sessions, which typically are a much smaller, more easily replicated amount of data than active-session information clustered across a globally deployed infrastructure.
On the access management side of application programming interfaces (APIs), we've added some great capabilities to ensure OAuth 2.0 tokens can be easily revoked. A new access-grants REST API enables administrators to easily revoke the tokens associated with an end user, as well as those of entire client applications. Support for RFC 7009 provides a mechanism for applications themselves to clean up the tokens they currently hold.
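To make the revocation-list idea from the session management section and the RFC 7009 revocation flow above concrete, here is an added example (not PingFederate's or PingAccess's code): a store that records only revoked token IDs, each kept no longer than the token's own lifetime, together with the form body a client sends to a revocation endpoint and a server-side handler that answers 200 whether or not the token was known, as RFC 7009 section 2.2 requires. The `lookup` callback, the token IDs and the expiry values are constructed stand-ins.

```python
import time
from urllib.parse import urlencode, parse_qsl


class RevocationList:
    """Tracks only revoked token IDs (the 'invalid sessions' of the post), each
    with the token's own expiry so the entry can be dropped once the token would
    have been rejected anyway. Constructed for illustration, not a product store."""

    def __init__(self):
        self._revoked = {}  # token_id -> expiry (unix seconds)

    def revoke(self, token_id, expires_at):
        self._revoked[token_id] = expires_at

    def is_active(self, token_id, expires_at, now=None):
        now = time.time() if now is None else now
        if now >= expires_at:  # expired tokens are invalid regardless of the list
            return False
        return token_id not in self._revoked

    def prune(self, now=None):
        """Drop entries whose token has expired; returns the number removed."""
        now = time.time() if now is None else now
        stale = [t for t, exp in self._revoked.items() if exp <= now]
        for t in stale:
            del self._revoked[t]
        return len(stale)

    def __len__(self):
        return len(self._revoked)


def rfc7009_revocation_body(token, token_type_hint=None):
    """Form body for the POST to the revocation endpoint (RFC 7009 section 2.1).
    Client authentication goes in the HTTP headers, not in this body. The hint is
    restricted here (an assumption) to the two values RFC 7009 itself defines."""
    params = {"token": token}
    if token_type_hint is not None:
        if token_type_hint not in ("access_token", "refresh_token"):
            raise ValueError("unsupported token_type_hint")
        params["token_type_hint"] = token_type_hint
    return urlencode(params)


def handle_revocation(revocation_list, form_body, lookup):
    """Server side: respond 200 whether the token was live or unknown, so a caller
    cannot probe which tokens exist. `lookup` maps a token string to
    (token_id, expires_at) or None; it stands in for the authorization server's store."""
    params = dict(parse_qsl(form_body))
    found = lookup(params.get("token", ""))
    if found:
        revocation_list.revoke(*found)
    return 200
```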
Going a level deeper than front-door access, our policy engine provides URL-level authorization within both Web and API-based applications. We've improved the modeling in this latest PingAccess release so policies can be applied globally across applications, or associated with individual resources within them. The rich set of drag-and-drop templated rules can be used to craft policies.
Think you might have custom needs? No problem. Our new PingAccess add-on SDK enables enterprises to build their own rule templates. We've gone to great lengths to make sure this new SDK is modern and developer friendly, with built-in user interface (UI) controls and validation that take only a couple of lines of annotation-based Java code. The end result is templates that can be used over and over again without having to script anything in policy definitions.
All of the capabilities I detailed in this blog are packaged in a loosely coupled, flexible architecture of lightweight components designed to work together.
Please explore these capabilities and tell us what you think.