
Some time ago we started looking at how to integrate PingFederate into our infrastructure.

Our initial use case is the following: we provide multi-tenant access to our application, and different companies might use different (their own) identity providers to access our application.

Right now the flow is limited to this workflow: multiple IdPs to one SP.

However, in the future the flow might be extended to many-to-many relations.

Currently we are using NGINX as a reverse proxy, and based on the PingFed documentation it's really difficult to understand the deployment options that we have right now.

Based on the diagram taken from this guide (PingFed and Apache httpd integration):

It's more or less clear how this integration works for Apache httpd. Mainly, there is a PingFed Apache Agent that handles the SSO flows on Apache: it validates the "session" or initiates the SSO flow.

    Processing Steps
    1. A user attempts to access a resource on the Apache server protected by the PingFederate Apache Agent.
    2. The user is redirected to the PingFederate server for authentication. (If an OpenToken session already exists, the user is granted immediate access.)
    3. The PingFederate server redirects the user's browser to an IdP for authentication using either the SAML or WS-Federation protocols. The IdP partner authenticates the user and returns a SAML assertion.
    4. PingFederate validates the assertion and creates an OpenToken for the user including any configured attributes. PingFederate then redirects the browser, including the OpenToken, back to the Apache Agent.
    5. The Agent verifies the OpenToken and grants access to the protected resource. The User ID and any attributes from the OpenToken are exposed to the resource as HTTP Request Headers or Apache Environment Variables.

So, mainly in step 5, the Apache agent passes information about the user to the actual application using request headers or Apache environment variables.

Based on all the info mentioned above, here are 2 questions:

  1. How can I make a similar deployment with PingFed and NGINX (for the option described in this question with Apache httpd)?
  2. Is it required to use a web server (reverse proxy) together with PingFederate, or can PingFederate also act as the web server? If yes, some links and additional explanations would be appreciated.
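The security-relevant point in step 5 above is the trust boundary: the application trusts `X-User-Id`-style headers only because the agent in front of it is the sole thing that can set them, which means the agent must both verify the session token and discard any identity headers the client sends itself. The following is an added example (not code from the question, from Ping Identity, or from any Ping agent) that plays the agent role as a WSGI middleware so the behaviour can be exercised offline. The token format is a simplified HMAC-signed stand-in and is not the real OpenToken format; the shared secret, the SSO start URL and the header names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from http.cookies import SimpleCookie

# Constructed shared secret standing in for the trust between PingFederate and the agent.
AGENT_SECRET = b"constructed-demo-secret-not-for-production"
# Hypothetical URL an unauthenticated browser is sent to in order to start SSO (step 2).
SSO_START_URL = "https://pingfed.example.com/sp/startSSO.ping"
# Identity headers (WSGI names) that only the agent may legitimately set (step 5).
IDENTITY_HEADERS = ("HTTP_X_USER_ID", "HTTP_X_USER_MAIL")


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, attrs, secret=AGENT_SECRET, ttl=300, now=None):
    """Simplified stand-in for an OpenToken: base64url(JSON claims).base64url(HMAC-SHA256)."""
    now = time.time() if now is None else now
    payload = dict(attrs, subject=subject, exp=now + ttl)
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64u(body) + "." + _b64u(mac)


def verify_token(token, secret=AGENT_SECRET, now=None):
    """Return the claims if the MAC verifies and the token is unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        body_b64, mac_b64 = token.split(".", 1)
        body, mac = _unb64u(body_b64), _unb64u(mac_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None
    return claims


def agent(app, secret=AGENT_SECRET, now=None):
    """WSGI middleware in the agent role: drop client-supplied identity headers,
    verify the session cookie, and inject headers only from verified claims."""
    def wrapper(environ, start_response):
        # Whatever X-User-* headers the client sent are untrusted and are removed first.
        for name in IDENTITY_HEADERS:
            environ.pop(name, None)
        cookies = SimpleCookie(environ.get("HTTP_COOKIE", ""))
        token = cookies["opentoken"].value if "opentoken" in cookies else ""
        claims = verify_token(token, secret, now)
        if claims is None:
            # No valid session: send the browser to PingFederate to start SSO.
            start_response("302 Found", [("Location", SSO_START_URL)])
            return [b""]
        environ["HTTP_X_USER_ID"] = claims["subject"]
        if "mail" in claims:
            environ["HTTP_X_USER_MAIL"] = claims["mail"]
        return app(environ, start_response)
    return wrapper


def protected_app(environ, start_response):
    """The resource behind the agent; it trusts X-User-Id because only the agent sets it."""
    user = environ.get("HTTP_X_USER_ID", "anonymous")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}".encode()]


def call(app, environ):
    """Drive a WSGI app without a server; returns (status, headers, body)."""
    result = {}

    def start_response(status, headers):
        result["status"], result["headers"] = status, headers

    body = b"".join(app(dict(environ), start_response))
    return result["status"], result["headers"], body


def demo():
    """Spoofed header alone, valid session plus spoofed header, and a forged token body."""
    app = agent(protected_app, now=1_000_000)
    unauth = call(app, {"HTTP_X_USER_ID": "admin"})
    token = mint_token("alice", {"mail": "alice@example.com"}, now=1_000_000)
    ok = call(app, {"HTTP_COOKIE": f"opentoken={token}", "HTTP_X_USER_ID": "admin"})
    body_b64, mac_b64 = token.split(".")
    forged = _b64u(_unb64u(body_b64).replace(b"alice", b"mallory")) + "." + mac_b64
    bad = call(app, {"HTTP_COOKIE": f"opentoken={forged}"})
    return unauth[0], ok[2], bad[0]


if __name__ == "__main__":
    print(demo())
```

The same property has to hold in any NGINX-based equivalent: whatever sits in the agent position (a Lua OIDC relying party, a PingAccess agent, or a separate reverse proxy) must overwrite the identity headers on every request rather than only add them, and the application should refuse connections that do not come through that hop.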


It is worth publishing our final ideas on the solution and our observations:

  1. When we tried to integrate PingFed we came to understand that PingFed is very natively integrated with PingAccess, and PingAccess acts as a reverse proxy.


The main idea is that authentication between PingAccess and PingFed is done using the OpenID Connect protocol. Authentication between PingFederate and the auth provider can be done in very different ways:

  1. It can be SAML
  2. It can be another SSO protocol
  3. PingFed can also serve the login page and authenticate against some custom DB or LDAP

However, the authentication flow for the application remains the same, as PingFed hides this complexity.

  1. There is no PingFederate agent architecture from Ping Identity that supports nginx. I would suggest you look into the "Agentless Adapter" (also known as the reference adapter) and build your own.
  2. There is no requirement to use a reverse proxy with PingFederate. PingFederate uses Jetty as its web container and is perfectly capable of serving traffic. We provide options for a reverse proxy so as to support those organizations that have requirements against opening a port directly to an application server.
  • So generally you recommend following this schema (without NGINX): https://documentation.pingidentity.com/display/AIK12/Implementing+SP+Functionality ? And can you provide a link on how well PingFed handles typical reverse proxy tasks: static content caching, SSL termination, etc.? Or should I look at Jetty's capabilities? – user1459144 Aug 28 '16 at 20:39
  • lua-resty-openidc - could you please add a bit of explanation on how it might be useful for this task? Not sure I fully grasped the idea. – user1459144 Aug 28 '16 at 20:42
  • @HansZ., that is not a "supported" architecture, from Ping. – Andrew K. Aug 30 '16 at 21:49
  • @user1459144 - yes, generally, I would say that the architecture provided by the Apache kit is sufficient for many tasks. Or the IIS kit. Or any number of our other kits. Quite frankly though, I'm guessing at what you're trying to accomplish - you should contact your regional solutions architect, if you're a customer, and have a conversation with them about all your needs. – Andrew K. Aug 30 '16 at 21:52
  • As of April 2017, PingFederate supports nginx. Adding this comment here as an update, in case someone looks at the answer and thinks it is still not supported. https://www.pingidentity.com/en/company/blog/2017/04/05/pingaccess_now_protects_nginx_web_servers.html – Rajgopal C Nov 29 '17 at 11:29
  • No, **PingFederate** still does **not** have an agent for nginx. Ping Identity has released an nginx agent for **PingAccess** , which is a different, but complementary, product, as stated in the title: "PingAccess Now Protects NGINX Web Servers". – Andrew K. Nov 29 '17 at 14:53

Ping Identity has released an NGINX-certified PingAccess Agent for NGINX servers. This PingAccess agent can be deployed on the NGINX web server as a PEP, thereby eliminating the need for proxy servers.
