Join a Discussion

This forum is intended to provide peer to peer discussion of technical topics.  While Ping Identity employees will monitor this forum and comment as appropriate, the expectation is that the community will provide most responses.  Real life production experience is extremely valuable and you are encouraged to share your experiences here.

If you need technical support, please open a case with our Product Support Engineers.

Deeper understanding of the SiteMinder Adapter needed

I am new to PingFederate, in a solution preparation, and currently have not installed the components to play around. So I am talking only from theory and documentation.

If I understand the SiteMinder adapter documentation correctly, PingFederate checks if the SM cookie is available and extracts the attributes from the cookie. If no cookie is found or the session has expired, the authentication is done by PingFederate according to the configuration.
Currently I don't understand if authentication can be delegated to SiteMinder to utilize the SiteMinder policies.

I have a requirement where a user accesses a SaaS application from the internet (i.e. Home Office). The SaaS will redirect to the IdP, which should be Ping, located in the user's corporate network. To achieve SSO, Ping should use the SiteMinder Agent to check if an SSO session is in place, which is not the case because the user accessed the SaaS directly. If not, 2-factor authentication should be done. The requirement is that Ping should delegate this authentication to SiteMinder too. The next requirement is that a Web SSO session should be established.

Now I am a bit confused, because how should SiteMinder create a Web SSO session if the SaaS is not a protected resource of SiteMinder and access was direct from the user's browser to the SaaS, bypassing SiteMinder?
My understanding is that Ping will authenticate the user and create the SSO session itself, and not a SM SSO.
SiteMinder is only used to check if a SiteMinder session is already in place, and Ping uses the attributes in the SM cookie to create a SAML assertion. From the Ping documentation I see no way to request a Web SSO session from SiteMinder if no SM session is already established.
If the user then accesses another SaaS application and is redirected to the Ping IdP again, my understanding is that Ping, which holds its own SSO session, won't ask SM again and would not ask the user again for authentication.

Any comments to that?
2 replies »  Posted by Thomas Liebeck on 6/18/2012 11:02 AM Reply Category: Other

SSL certificate format

What shall be the SSL certificate format to import in Ping Identity, pkcs7 or pkcs12?
2 replies »  Posted by MUKUL MARAIYA on 6/8/2012 5:25 PM Reply Category: Other

Migration projects question

Hello,
 
1) Currently, our Ping servers are running on Solaris. We are planning to migrate them from Solaris to new Windows servers. Do we have to request new software for installation on the new servers, or can we copy the existing Ping software from Solaris and use the same for the Windows servers?
 
2) Do we have any migration-specific project documentation that specifies required changes, guidelines, etc.? Thanks
1 reply »  Posted by satish paladugula on 5/31/2012 3:58 PM Reply Category: Other

Error when clicking Next during setup of RSA Adapter with PingFederate 6.2.3

On the screen for SecurID Config File, Test Username and Test Passcode, get the following error when clicking Next

"Unable to invoke method onNext on com.pingidentity.page.Frame$Enhance_0@4ceda5b[Home]: null"


This is Step 10 of the "Step 3 -- Install the Adapter and Configure PingFederate" instructions from the RSA Integration Toolkit. In the previous step, the "SecurId Authentication Adapter 1.0" appears correctly in the drop-down.

Any ideas what could be the cause and how to troubleshoot it?
1 reply »  Posted by Smita Agrawal on 5/30/2012 3:37 PM Reply Category: Other

pingagent not working Citrix Integration Kit

Hi,

We are using v2 of the Citrix Integration Kit and have accurately followed the instructions in the user guide; however, when we try to run the web service as the pingagent domain account that we created, SSO does not work. We get an error in the Event Viewer that simply says "Default", and then the login screen in the browser gives the "could not obtain credentials from opentoken" error.

If we change the service to run as LOCAL SYSTEM then it all seems to work fine...that is until we try to run our application GPOs; which fail due to the LOCAL SYSTEM account being unable to access Active Directory.

Has anyone else had an issue with the pingagent account or had to modify the configuration?

Cheers,

Rob
1 reply »  Posted by Rob Blankson on 5/16/2012 9:41 AM Reply Category: Other

Windows Login to SAML Federation Adapter

Hello,

I am wondering if Ping has some solution to federate Windows Login to SAML. Currently we have users logging into Windows Active Directory from their workstations. We have a completely separate LDAP store for SAML-based SSO into web apps. And we use the SAML-based SSO for apps like Salesforce, Google Apps, etc.

We would like to use the LDAP as the IdP for the Cloud Apps. But we don't want our users to have to log in to Windows and then ALSO log in to the SAML Challenge page for logging into apps like Salesforce and Google Apps. We would like the user to just sign into Windows and then automatically get logged into a browser session with a valid SAML token.

Does Ping provide something to achieve this?

Note: Our SAML implementation is not using Windows Active Directory as the user store; it is using a separate LDAP directory for that. And we would keep that LDAP directory as the IdP going forward.

Any thoughts and insights would be appreciated.

Thanks,
Saqib

1 reply »  Posted by Saqib Ali on 4/30/2012 9:52 PM Reply Category: Other

apache agent kit - using mod_pf.conf and ProxyPass together

 
How do I configure Apache to use mod_pf.conf to protect a reverse proxy directory? When I use

ProxyPass /secure_app/ https://someurl/
ProxyPassReverse /secure_app/ https://someurl/

the ProxyPass always overrides the protected dir by mod_pf config. So how can I configure mod_pf.conf and ProxyPass in Apache to work together, i.e. only pass control over to ProxyPass after redirect to IdP for authN?

1 reply »  Posted by David Richardson on 4/13/2012 6:18 AM Reply Category: Other

Ping Fed 6.6 session timeout

Hello, can you set a session timeout in Ping Fed? So in the case the user walks away from a public machine, it will time out.

Thanks
3 replies »  Posted by Eric Merkle on 4/10/2012 4:39 PM Reply Category: Other

OAuth-based RESTful operation details

How are the user's credentials passed in the OAuth request for a SAML bearer assertion token from the IDP? Is it based on the user's PKI used in the SSL session with the IDP?

When a web application (RESTful client) makes a call to the IDP to get the SAML bearer assertion, is the token that is issued for the web application or for the user using the web application? In other words, would the web application request a token on behalf of the end user? Or will it reuse the token it received when the user initially logged into the web application (assuming all web applications are protected resources)?

Are the SAML tokens encrypted? If so, how is the key propagated? When we worked with SAML tokens for my last AF project, it used to be wrapped with the receiving client's public key, but that means that the original request to the IDP will have information about the target application.

How long do the tokens (access and request) live?

How much of OAuth token generation/API is supported by the Ping Federate SDK?
3 replies »  Posted by Greg Vsevolozhsky on 4/6/2012 12:30 PM Reply Category: Other