platform extensibility

Connect all users to cloud, mobile and on-premises applications with one platform

authentication authority and sso

An authentication authority performs user identification in a secure, controlled and centralized manner across a diverse set of devices, networks, domains and platforms within an organization. It can orchestrate complex authentication use cases and business logic that leverage diverse contextual attributes and signals. However, doing this for a complex enterprise with multiple applications, user populations and devices isn’t always easy.

Ping Identity is the authentication authority for many large enterprises. We deliver a seamless authentication and single sign-on (SSO) experience for enterprise customers by offering a wide range of out-of-the-box adapters to both identity providers (IdPs) and service providers (SPs). Our market-leading portfolio of IdP and SP adapters provides end-to-end integrations to quickly authenticate and connect your users to their applications via SSO.


any user

PingFederate supports multiple cloud IdPs, data stores and password credential validators, so customers can authenticate with major cloud providers. You can also validate, retrieve and send user and device attributes during provisioning, and leverage existing IdPs to centralize credential validation, which improves the user experience.


any application

PingFederate integrates with a broad range of on-premises and cloud-based enterprise applications to support complex, hybrid IT environments. It supports multiple versions of open standard identity protocols, enabling you to support access to any application for a broad range of use cases and diverse user populations. PingFederate simplifies on-premises enterprise application integrations with best-in-class server integration kits (IKs) and software development kits (SDKs). Its SaaS connectors allow you to quickly and easily provision user and device attributes to all of your cloud applications, improving time to value across your enterprise. Plus, the SaaS connectors to PingID and PingID SDK enhance security for the user without disrupting the user experience. PingFederate can integrate with best-in-class hardware security modules (HSMs) to provide a standards-based single sign-on solution with protected token signing and encryption to both on-premises and cloud-based resources.


any device

With enterprise users accessing sensitive business data from personal devices, securing business resources and managing access has become even more challenging. Mobile device management (MDM) software enables enterprises to create policies based on device posture to mitigate the risk of corporate resources being accessed from non-compliant mobile devices. As an authentication authority, PingFederate integrates with MDM providers for greater context to allow or deny access, and even step up authentication based on a range of device attributes maintained by the MDM solution. With additional device context, your enterprise can build advanced authentication policies in PingFederate to support your workforce BYOD initiatives.

 

  • MDM Integrations: Microsoft Intune, Airwatch, MobileIron

legacy iam: coexist or migrate

PingFederate integrates with multiple legacy IAM infrastructure providers to support ongoing co-existence, phased or rapid migration timelines. It coexists with legacy identity federation solutions through a process of token translation, providing multiple options for authentication during the migration process. PingFederate also integrates with legacy multi-factor authentication solutions such as RSA SecurID and cloud-delivered, adaptive MFA solutions like PingID. To further support all of your identity federation needs, PingFederate connects users to web service providers (WSPs) and web service clients (WSCs) with a security token service (STS). All of these integrations allow you to quickly provide a seamless user experience to any protected application in your environment.

 

  • MFA Connectors:  PingID, RSA SecurID, Symantec VIP, Duo Security
  • Token Processors:  SAML 1.1, SAML 2.0, OAuth Bearer, JWT, Username, Kerberos, CoreBlox, OpenToken, SAS for JBoss, WAM, X.509, WS Token Proxy
  • Token Generators:  SAML 1.1, SAML 2.0

multi-factor authentication

Compromised credentials represent the most common source of breach in the enterprise today, and many are turning to multi-factor authentication (MFA) solutions for greater security. But legacy two-factor authentication solutions can have a negative impact on user productivity, and the associated total cost of ownership can often be prohibitive to implementing MFA everywhere. PingID is a cloud-delivered, adaptive multi-factor authentication solution that resolves these issues with a balance of security and convenience. Our enterprise-proven MFA solution supports all identity types and user populations within your enterprise, and it leverages existing authentication methods with out-of-the-box integrations and identity standards support.

  • Large enterprises need ways to authenticate workforce, partner and customer users accessing sensitive resources, no matter where they’re located. Whether those users are remote, require privileged access or need access to their Windows-based desktops and laptops, PingID can support them. It integrates with Microsoft Azure AD (AAD) and Active Directory Federation Services (AD FS), VPNs, Linux/Unix servers and Windows Login to provide secure access for all users and scenarios. PingID also supports offline MFA in scenarios when the network is unavailable.

     

    • VPNs: Cisco, Juniper, Checkpoint, Palo Alto, RADIUS
    • Linux/Unix Servers: SSH Ubuntu, SSH Debian, Pluggable Authentication Modules (PAM), ForceCommand
    • Windows Login Server: Windows 7, 8, 10, Windows Server 2008, 2012, 2016, desktops and laptops, Local and RDP

     

  • To accelerate business and exceed the expectations of their customers and partners, today’s enterprises have deployed hundreds of commercial and homegrown applications on-premises and in the cloud. As a cloud-delivered, enterprise-proven MFA solution, PingID easily integrates with any of your APIs, web, mobile and SaaS applications, no matter where they’re hosted, through a range of APIs, SDKs and SSO integrations with PingOne and PingFederate.

     

    • Web-based Services and Applications: PingFederate and PingOne offer thousands of SSO integrations including AWS, Azure AD and AD FS, Box, Concur, Coupa, Dropbox, Egnyte, Google, Jive, Office 365, PingOne Directory, Salesforce, ServiceNow, Slack, WebEx, Workplace by Facebook, Zendesk and more
    • APIs: Authentication and User Registration and Administration
    • Customer Mobile Application: PingID Mobile SDK

     


  • Your enterprise has evolved, but your multi-factor authentication (MFA) system is stuck in the past. You’d like to deploy multi-factor authentication everywhere, but legacy MFA methods such as hardware tokens still persist, and you’re now looking for a way to integrate during migration to a modern multi-factor authentication solution. PingID integrates with legacy multi-factor authentication systems using coexistence adapters, making it possible for enterprises to leverage their existing MFA solutions while they migrate to an adaptive, cloud-delivered MFA solution.

     

    • MFA Coexistence Adapters: RSA SecurID, Symantec VIP, Duo Security, Entrust IdentityGuard, OAM Multi-Authentication Scheme Service Provider Adapter

     


access security

Traditional access management solutions were designed to authorize access to on-premises web applications for on-premises users. With the rapid deployment of cloud-based applications and APIs, enterprises need a flexible, modern access solution that centralizes administration of contextual policies for accessing cloud-based applications, APIs and on-premises applications. PingAccess can centrally manage authorization capabilities and secure both your applications and APIs in any domain, for users in any location.


any user

Today’s workforce and consumers need digital access everywhere, which means you need to ensure that your digital assets are both accessible and secure. PingAccess centrally manages authorization capabilities for any user identity, based on various attributes from users, devices, resources and more. And PingAccess offers identity mapping capabilities that can expose a number of user attributes and make them available to applications for authentication.

 

  • Open Standards Support: OpenID Connect and OAuth allow us to integrate on-premises applications with many identity federation providers, such as PingFederate, PingOne for Enterprise, Microsoft Azure AD, Google and other standards-compliant identity federation providers
  • Azure AD Graph API: Enables PingAccess to securely connect users from Azure AD to on-premises applications
  • Identity Mappings: JSON Web Token (JWT), Header (HTTP)

any application

Whether your enterprise applications are deployed with agents or are expecting unique HTTP headers, X.509 client certificates or legacy WAM tokens, PingAccess provides multiple ways to integrate without code or application architecture changes. It also provides agent SDKs to extend access control policies to any of your applications written in Java or C.

  • Agent SDKs: For Java, For C
  • X.509 Certificates: In either Binary Encoded DER or Base 64 Encoded DER format to support secure connections to all applications
  • Request/Response Manipulation: Request Uniform Resource Identifier (URI), Cookie domain, Cookie path, Response headers, Response content

coexist with existing iam

PingAccess supports a range of token providers and site authenticators to provide authorization services to a wide range of applications, APIs and single-page applications across your existing infrastructure.

  • Token Providers: PingFederate, OAuth AuthZ Server, OpenID Connect

  • Site Authenticators: Basic AuthN, Mutual TLS, Token Mediation

     


directory & data governance

Large enterprises often have numerous directories deployed to support a variety of applications and their unique user profile and management requirements. With unmatched scale and performance, schema flexibility and support for structured and unstructured data, PingDirectory can be used as an identity store for all of your applications. It also provides bi-directional synchronization capabilities for use during migration, and to create and manage a unified profile for your workforce, partner and customer identities.

  • Identity data often lives in a number of enterprise data stores that were built over time, including relational databases like PostgreSQL, legacy directories, MDM systems and more. User profile sprawl across multiple data stores can result in poor, inconsistent user experiences across your digital properties. To provide exceptional user experiences, you need to create a unified profile that centralizes data from each of these directories. PingDirectory provides the ability to bi-directionally synchronize data from multiple directories and heterogeneous data sources to create a single, unified profile.

     

    • JSON Object Support: Manage a unified profile with a flexible schema that combines structured and unstructured identity profile data from multiple data sources.
    • Bi-directional Synchronization: Synchronize to and from multiple data sources to build a unified profile, including one-time migration, scheduled or periodic sync or real-time ongoing sync.
    • Use Plugins for: Custom data transformations, virtual attributes, uniqueness or other data constraints, and more.
  • Supporting data requirements for numerous enterprise applications while creating a unified profile for all users can be a significant challenge. Many enterprises with legacy application portfolios leverage a range of directory solutions, many of which don’t offer support for new developer-friendly REST APIs for provisioning and managing identities inside the directory. On the other hand, enterprises with new application initiatives want to take advantage of modern APIs and modern development frameworks. With open standards support, SDKs and APIs, plugins and extension points, PingDirectory integrates with all legacy and modern applications, allowing you to build a unified profile and establish a high-performance, scalable directory solution for all future applications.

     

    • Support Modern Applications via APIs: REST API, SCIM 1.1, Server SDK
    • Legacy Application Support: LDAP SDK and client connection-based policies such as Search Filter Restriction, Resource Limitations, Server SDK
    • Use Plugins for: Custom data residency algorithms, password storage formats, password quality validation, external authorization services, infrastructure and application monitoring integration, centralized logging integration
  • Directory sprawl has drastically increased your enterprise’s infrastructure and administrative costs. But with many production applications relying on these identity stores, consolidating to a single directory can be a scary prospect. To resolve concerns of downtime during migration, PingDirectory enables you to bi-directionally synchronize identity data from multiple directories, and/or support ongoing coexistence scenarios with legacy directories with zero downtime and no client changes. To further ease the transition, PingDirectory can mimic proprietary behavior that applications might expect from their original directory servers.

     

    • Migration and Bi-directional Data Synchronization: Schedule a one-time migration, periodic syncs or real-time ongoing syncs.
    • Use Plugins for: Custom data transformations, pass-through authentication, rate control during synchronization, alternate data sources and destinations, and more.

     

  • Providing applications unrestricted access to your users’ identity and profile data can lead to privacy violations, increased risk of breach and loss of trust. Together, PingDirectory and PingDataGovernance enable your enterprise to centralize control over who gains access to user identity and profile data and under what circumstances. PingDataGovernance leverages your existing identity infrastructure by correlating user attributes from multiple directory servers using primary and secondary store adapters. Consent can then be enforced to make fine-grained decisions about which identity attributes within a user profile can be accessed by certain applications to meet privacy regulations, manage delegated administrator access, and more.

     

    • Native PingDirectory Support: Manage REST API resources independently from LDAP object classes, and filter data at object- or attribute-level with flexible expression-based policies.
    • Primary/Secondary Data Store Adapters: Advanced SQL Datastore, REST API Data Store, and others. If you need a data store adapter not listed here, contact professional services.
    • Use Plugins for: Custom policy information providers, data filtering or partial obfuscation, bearer token validation, and more.

     


IDaaS SSO

Today’s enterprises have to support hundreds of applications and need to provide fast, secure access to all users regardless of their location or device. With multiple identity bridge options and an extensive list of connectors for SaaS applications and provisioning, PingOne offers an easy-to-manage cloud service that simplifies SSO for enterprise users and administrators.


any identity

It’s common in today’s enterprise for legacy identity stores to coexist with cloud directories. Whether your workforce, partner and customer identities are stored in a homegrown directory solution, Microsoft Active Directory or cloud directories, PingOne has several identity bridges to connect all of your user identities to any application they require.

  • Identity Bridges: PingFederate, Third-party SAML, OpenID Connect, PingOne Directory, Google (OpenID Connect), AD Connect (SAML, WebSocket Agent, IWA Integration)

  • MFA: PingID for additional security

     


any application

Users are increasingly mobile and need access to more applications than ever. PingOne supports standards-based and proprietary provisioning connectors for many popular SaaS applications, allowing you to add the apps you need and provide access to them from anywhere.

 

  • Standards Protocols: Connect thousands of applications via common protocols such as SAML and OpenID Connect
  • SaaS Connectors: AWS, Box, Concur, Coupa, Dropbox, Egnyte, Evernote, Google, Jive, Office 365, PingID and the PingID SDK, PingOne Directory, Salesforce, SCIM, ServiceNow, Slack, WebEx, Workplace by Facebook, Zendesk, Zscaler, and more