And so begins the complex tango of establishing federated trust for SSO.
Unless, that is, you use Ping Identity's federation server, PingFederate®.
With the PingFederate server, you can answer "yes" to the SAML metadata question, and hopefully your partner can, too. SAML metadata provides a standardized way of synchronizing the moving parts (entity IDs, endpoints, certificates, contacts) needed to establish federated trust between parties. And that's like the difference between learning a challenging cha-cha and doing a hap-hap-happy dance.
PingFederate can import SAML metadata to bootstrap the creation of the partner connection, as well as export metadata to enable the partner. It also smooths the critical exchange of keys with your federation partners by easing the sharing of X.509 certificates and their associated public keys.
But establishing certified trust is never a one-time event. Because keys are wrapped in X.509 certificates, they have defined lifetimes. When they expire, SSO services may be broken. So, keeping with our dance theme, the more partners you have, the more keys and certificates you'll have to dance with.
If your organization supports anchored trust, you can use an issuer's certificate authority (CA) to anchor trust in the certificates and keys used for signature validation. This option has appeal because CA certificates have 10-20 year lifespans, compared to 1-3 years for end-entity and self-signed certificates. It also allows you to take advantage of certificate revocation checking. However, this all comes at a high price.
Many organizations don't use a CA because of cost and other considerations, instead opting for self-signed certificates. If this is your situation, the PingFederate server will have you jitterbugging for joy yet again. With the metadata URL features added in version 8.1, management of metadata URLs can be completely automated. The new and improved PingFederate can publish and consume metadata at URLs, and even monitor them for changes.
Establishing federated trust and creating connections work largely as before, except that instead of importing a local metadata file that you may have received via email from your partner, you refer to a URL where they host their metadata. Administratively, a policy now dictates how frequently PingFederate polls this URL for changes.
When changes are detected, PingFederate will automatically update certificates, keys and contact information for this partner connection. If anything else has changed (service URLs, attribute contract, etc.), the local PingFederate administrators will be notified by email. This creates an opportunity to review partner changes and apply them to the connection configuration as necessary.
Have partners in research or higher education? If so, you're probably familiar with InCommon. InCommon's trust fabric includes metadata aggregation services, where participants publish their SAML metadata to form a trust network. As part of the PingFederate 8.1 metadata URL consumption features, we've ensured interoperability with InCommon metadata so you can easily create connections from it and monitor for changes.
Last but not least, PingFederate 8.1 provides the ability to define Rotation Policies on the self-signed certificates used for encryption and signing within your connections. If you're going to offer metadata URLs to your partners, this enables automated certificate and key management. As certificates and keys approach expiration, PingFederate will generate new ones and publish them in the metadata. Partners consuming the metadata will be able to transition seamlessly with no interruption of SSO services.
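To make the polling behaviour described above concrete, here is an added example (not Ping Identity's code, and not a description of PingFederate's internal logic) that compares a previously imported copy of a partner's SAML 2.0 metadata with a freshly polled copy and sorts the differences into the two buckets the post describes: certificates, keys and contacts that can be applied automatically, and endpoint or attribute-contract changes that need an administrator's review. It also shows why publishing old and new certificates side by side during a rotation keeps SSO working: the consumer trusts every signing certificate currently in the metadata. Both metadata documents, the entity ID, the endpoints and the contact addresses are constructed samples, and the X509Certificate bodies are placeholder strings rather than real base64 DER.

```python
# Added example (not Ping Identity's code): diff two SAML 2.0 metadata documents
# and classify the changes the way the post describes. Samples are constructed.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Copy imported when the connection was created (constructed sample).
OLD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  entityID="https://idp.example.org/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>CERT-OLD-SIGNING</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.org/sso/redirect"/>
  <saml:Attribute Name="mail"/>
 </md:IDPSSODescriptor>
 <md:ContactPerson contactType="technical"><md:EmailAddress>ops@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""

# Copy polled from the partner's metadata URL after they started a key rotation:
# the new signing certificate is published next to the old one, the SSO endpoint
# moved, an attribute was added and the contact address changed (constructed).
NEW_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  entityID="https://idp.example.org/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>CERT-OLD-SIGNING</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>CERT-NEW-SIGNING</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.org/sso/v2/redirect"/>
  <saml:Attribute Name="mail"/>
  <saml:Attribute Name="displayName"/>
 </md:IDPSSODescriptor>
 <md:ContactPerson contactType="technical"><md:EmailAddress>federation@example.org</md:EmailAddress></md:ContactPerson>
</md:EntityDescriptor>"""


def extract(xml_text):
    """Pull out the parts of a metadata document that drive a partner connection."""
    root = ET.fromstring(xml_text)
    certs = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "both")  # a KeyDescriptor without 'use' serves signing and encryption
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.add((use, "".join(c.text.split())))  # drop PEM-style line wrapping
    contacts = {(cp.get("contactType"), e.text.strip())
                for cp in root.iterfind(".//md:ContactPerson", NS)
                for e in cp.iterfind("md:EmailAddress", NS)}
    endpoints = {(ep.tag.split("}")[1], ep.get("Binding"), ep.get("Location"))
                 for name in ("SingleSignOnService", "SingleLogoutService", "AssertionConsumerService")
                 for ep in root.iterfind(".//md:" + name, NS)}
    attributes = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    return {"entity_id": root.get("entityID"), "certs": certs, "contacts": contacts,
            "endpoints": endpoints, "attributes": attributes}


AUTO_APPLY = ("certs", "contacts")          # safe to update the connection in place
NEEDS_REVIEW = ("endpoints", "attributes")  # notify an administrator instead


def classify_changes(old_xml, new_xml):
    """Return {'auto_apply': {...}, 'needs_review': {...}} describing what changed."""
    old, new = extract(old_xml), extract(new_xml)
    if old["entity_id"] != new["entity_id"]:
        raise ValueError("entityID changed: this is not the same partner")
    report = {"auto_apply": {}, "needs_review": {}}
    for field in AUTO_APPLY + NEEDS_REVIEW:
        added, removed = new[field] - old[field], old[field] - new[field]
        if added or removed:
            bucket = "auto_apply" if field in AUTO_APPLY else "needs_review"
            report[bucket][field] = {"added": sorted(added), "removed": sorted(removed)}
    return report


def trusted_signing_certs(xml_text):
    """Certificates a consumer accepts for signature validation right now. During a
    rollover the partner publishes old and new side by side, so both are trusted
    until the old one drops out of the metadata and SSO never breaks."""
    return {cert for use, cert in extract(xml_text)["certs"] if use in ("signing", "both")}


if __name__ == "__main__":
    import json
    print(json.dumps(classify_changes(OLD_METADATA, NEW_METADATA), indent=2))
    print("trusted signers:", sorted(trusted_signing_certs(NEW_METADATA)))
```

Run as a script, the report lists the new signing certificate and the contact change under `auto_apply`, and the moved SSO endpoint and added attribute under `needs_review`, which is the split that decides whether the connection is updated silently or an administrator gets an email. A production consumer would additionally verify the XML signature on the downloaded metadata before trusting any of its contents, which this example deliberately leaves out.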
So go ahead. Take your new business partners and their applications to the dance floor, and salsa with SSO. With PingFederate 8.1, you can confidently grow your business, knowing you're making all the right moves as you scale your federation network.