PingFederate and NGINX integration and deployment options

Some time ago we started looking at how to integrate PingFederate into our infrastructure.

Our initial use case is the following: we provide multi-tenant access to our application, and different companies might use different (their own) Identity Providers to access our application.

Right now the flow is limited to this workflow: multiple IdP(s) to one SP.

However, in the future the flow might be extended to many-to-many relations.

Currently we are using NGINX as a reverse proxy, and based on the PingFed documentation it's totally difficult to understand the deployment options that we have right now.

Based on the diagram that was taken from this guide, PingFed and apache httpd integration:

It's more or less clear how this integration works for Apache httpd. Mainly there is an Apache PingFed Agent that handles the SSO flows on Apache: it validates the "session" or initiates the SSO flow.

    Processing Steps
    1. A user attempts to access a resource on the Apache server protected by the PingFederate Apache Agent.
    2. The user is redirected to the PingFederate server for authentication. (If an OpenToken session already exists, the user is granted immediate access.)
    3. The PingFederate server redirects the user's browser to an IdP for authentication using either the SAML or WS-Federation protocols. The IdP partner authenticates the user and returns a SAML assertion.
    4. PingFederate validates the assertion and creates an OpenToken for the user including any configured attributes. PingFederate then redirects the browser, including the OpenToken, back to the Apache Agent.
    5. The Agent verifies the OpenToken and grants access to the protected resource. The User ID and any attributes from the OpenToken are exposed to the resource as HTTP Request Headers or Apache Environment Variables.

And mainly in Step 5 the Apache agent passes information about the user to the actual application using Request Headers or Apache Environment Variables.

Based on all the info mentioned above, here are 2 questions:

  1. How to make a similar deployment for PingFed and NGINX (for the option that is described in this question with Apache httpd)?
  2. Is it required to use a web server (reverse proxy) together with PingFederate, or can PingFederate also act as a web server? If yes, some links and additional explanations would be appreciated.
user1459144 Avatar asked Aug 26 '16 15:08

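Step 5 above hands the User ID and attributes to the application as request headers, which is only safe if the agent validates the token and overwrites any client-supplied copies of those headers before forwarding. The block below is an added example, not code from the question or from Ping Identity: a minimal agent-style gateway in Python with a constructed HMAC-signed token standing in for the OpenToken, and assumed header names and SSO URL.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the agent's session token. The real OpenToken
# format is not described on the page; this HMAC-signed JSON blob only
# models "verify the token, then expose its attributes" from step 5.
AGENT_SECRET = b"constructed-demo-secret"
SIG_LEN = hashlib.sha256().digest_size
SSO_START_URL = "https://pingfed.example/sso/start"  # assumed placeholder

# Assumed header names; PingFederate's actual header names are not on the page.
IDENTITY_HEADERS = {"x-user-id", "x-user-attrs"}


def mint_token(user_id, attrs, ttl=300, now=None):
    """Create a signed session token carrying the user ID and attributes."""
    now = time.time() if now is None else now
    body = json.dumps({"sub": user_id, "exp": now + ttl, "attrs": attrs}).encode()
    sig = hmac.new(AGENT_SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + sig).decode()


def verify_token(token, now=None):
    """Return the claims if the signature is valid and not expired, else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return None
    body, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]   # fixed-length trailing MAC
    expected = hmac.new(AGENT_SECRET, body, hashlib.sha256).digest()
    if len(sig) != SIG_LEN or not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    return claims if claims.get("exp", 0) > now else None


def gateway(request, now=None):
    """Steps 2 and 5: redirect to SSO when no valid session exists, otherwise
    forward with identity headers set only from the verified token. Any
    client-supplied copies are dropped first so the backend can trust them."""
    forwarded = {k: v for k, v in request.get("headers", {}).items()
                 if k.lower() not in IDENTITY_HEADERS}
    claims = verify_token(request.get("cookies", {}).get("opentoken", ""), now)
    if claims is None:
        return {"status": 302, "headers": {"Location": SSO_START_URL}}
    forwarded["X-User-Id"] = claims["sub"]
    forwarded["X-User-Attrs"] = json.dumps(claims["attrs"])
    return {"status": 200, "headers": forwarded}
```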

1 Answer

It is worth publishing the final ideas on the solution and our observations.

  1. When we tried to integrate PingFed we got an understanding that PingFed is very natively integrated with PingAccess. And PingAccess acts as a reverse proxy.


And the main idea is that authentication between PingAccess and PingFed is done using the OpenID Connect protocol. Authentication between PingFederate and the auth provider can be done in very different ways:

  1. It can be SAML
  2. It can be another SSO protocol
  3. PingFed can also serve the login page and perform authentication using some custom DB or LDAP

However, the authentication flow for the application will remain the same, as PingFed is hiding this complexity.

user1459144 Avatar answered Oct 05 '22 23:10