PingFederate

This authenticator allows the Curity Identity Server to integrate with PingFederate by Ping Identity. The component is designed for the case where PingFederate is functioning as a SAML service provider or a WS-Federation Relying Party. In this scenario, PingFederate receives a federation message from an upstream Identity Provider and processes it before sending it to the Curity Identity Server, where this component handles the message. This integration is shown in the following figure:

[Figure: PingFederate authenticator overview]

In more detail, PingFederate (in the “service provider” role) receives a SAML 1.1, SAML 2 or WS-Federation message, or a message in any other protocol that it can handle (1). Part of its handling of the message is to store the user attributes it received. Using the “agentless integration kit” to broker this message into the Curity Authentication Server, PingFederate creates a reference to the user data; this reference is sent to the Curity Authentication Server as a parameter via a redirect that takes place in the user’s browser (2). Next, the PingFederate authenticator makes an authenticated, back-channel connection to PingFederate, providing the reference (3). The response to this point-to-point HTTP request is the set of attributes that PingFederate has parsed from the federation message (4).
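The reference handoff in steps (2) to (4), modelled in Python as an added example; it is not Curity or PingFederate code. The class and function names, the `REF` query parameter name, and the single-use and expiry behaviour of the reference are assumptions of this model.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class PickupStore:
    """Attribute-holding side (PingFederate's role in steps 2-4). Hypothetical model."""

    def __init__(self, username, password, adapter_id, ttl=5.0):
        self._user, self._password = username.encode(), password.encode()
        self._adapter_id = adapter_id
        self._ttl = ttl          # assumed reference lifetime, in seconds
        self._refs = {}          # reference -> (attributes, expiry time)

    def drop_off(self, attributes, now=None):
        """Step 2: keep the attributes server-side, return an opaque reference."""
        now = time.monotonic() if now is None else now
        ref = secrets.token_urlsafe(32)
        self._refs[ref] = (dict(attributes), now + self._ttl)
        return ref

    def pickup(self, ref, username, password, adapter_id, now=None):
        """Steps 3-4: authenticated back-channel request for the attributes."""
        now = time.monotonic() if now is None else now
        user_ok = hmac.compare_digest(username.encode(), self._user)
        pass_ok = hmac.compare_digest(password.encode(), self._password)
        if not (user_ok and pass_ok and adapter_id == self._adapter_id):
            return 401, None     # caller not authenticated; reference untouched
        attributes, expiry = self._refs.pop(ref, (None, 0.0))  # assumed single use
        if attributes is None or now > expiry:
            return 404, None     # unknown, replayed or expired reference
        return 200, attributes


def handle_redirect(url, store, username, password, adapter_id, now=None):
    """Authenticator side: read the reference from the browser redirect, then
    fetch the attributes over the back channel. Returns None on any failure."""
    refs = parse_qs(urlsplit(url).query).get("REF", [])   # assumed parameter name
    if len(refs) != 1:
        return None              # missing or duplicated reference parameter
    status, attributes = store.pickup(refs[0], username, password, adapter_id, now)
    return attributes if status == 200 else None
```

The browser only ever carries the opaque reference; the user attributes travel on the authenticated back channel, which is why the pickup credentials and SP adapter ID in the settings below matter.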

To configure a PingFederate authenticator in the Curity Authentication Server to complete this integration, a few configuration settings are required. These are listed and described in the following table:

| Setting | Description |
| --- | --- |
| SSO Endpoint | The PingFederate endpoint where users will be redirected to when authentication is required |
| Pickup URL | The PingFederate pickup endpoint |
| Pickup Username | The username to authenticate to the pickup endpoint (if not defined in the HTTP client) |
| Pickup Password | The password to authenticate to the pickup endpoint (if not defined in the HTTP client) |
| SP Adapter ID | The service provider adapter ID in PingFederate that represents the Curity Authentication Server |
| Use Template Redirect | Whether or not redirects should be done with a template (required to support POST requests) |
| Date/Time Format | The format of dates asserted by PingFederate |
| HTTP Client | The HTTP client to use when communicating with the PingFederate pickup endpoint |

For more information about the setup and integration in PingFederate, refer to that product’s documentation.