
I installed PingFederate on an AWS EC2 running Windows_Server-2008-R2_SP1-English-64Bit-Base-2014.04.09. I have a Java application that is using Spring Security for authentication.

I have read about how, with PingFederate, I can set up an Identity Provider (IdP) and a Service Provider (SP). I have gathered that the IdP would be the Application User providing login credentials (the Identity) and passing this to the SP, which has the Target Application as a part of the SP in this diagram on this page here:

http://documentation.pingidentity.com/display/PF66/Service+Providers+and+Identity+Providers

This image also shows the Federated Identity Software on both sides of the IdP and the SP.

I have created an IdP and SP with my local PingFederate server just to see what the configuration options are, and I am confused about which parts of this I actually need in order to have SSO for my Spring Security application.

My questions are:

  1. Do I need an IdP and an SP to implement what I am trying to do?

  2. Right now our usernames and passwords are stored in a SQL Server; would I leverage this for PingFederate to use to authenticate the users?

  3. Should I even be using Spring Security SAML for this or would another route be more appropriate?

Thanks for any help. I have reached out to PingFederate, but my Regional Solutions Architect happens to be out until Friday.

I also apologize if I am completely off in my thinking; I am trying to wrap my mind around what is needed.

Vladimír Schäfer
hyperlite
    Are the "production" instances going to be in the same domain (i.e., domain.com)? Is the spring security app behind a proxy (IIS or Apache)? Or is it straight to Spring? – Andrew K. May 08 '14 at 12:53
  • The Spring Security application is inside an AWS VPC with a pubnat if that counts as a proxy. Does that answer your question? – hyperlite May 08 '14 at 15:45

2 Answers


Presuming your goal is to establish federation between Ping and your application (in order to e.g. externalize authentication or enable single sign-on), your thinking is correct.

PingFederate serves as an Identity Provider (IDP), and you can configure it to connect to your SQL Server so that it can authenticate your existing users from there. The IDP communicates with other applications, which are called Service Providers (SP).

In order to connect to Ping, your application therefore needs to be able to act as a SAML 2.0 Service Provider, and using Spring SAML is a very good way to enable it to do so.

The typical flow of data between SP and IDP for single sign-on is similar to:

  1. User accesses SP application which requires authentication
  2. SP creates an AuthenticationRequest and sends it to IDP (using redirect in user's browser)
  3. IDP processes the request and authenticates the user
  4. IDP responds back to SP with an AuthenticationResponse message
  5. SP processes the response and creates a session for the user based on the included data
Vladimír Schäfer
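Step 5 of the flow above is where the SP turns the validated assertion into an application session. As an added example (not from the answer or from Ping), this is the hook Spring SAML (spring-security-saml2-core) offers for that step: a `SAMLUserDetailsService` that maps the assertion's attributes onto the application's existing Spring Security roles. It assumes PingFederate is configured to send a `memberOf` attribute and uses hypothetical group and role names; the extension has already checked the Response's signature, conditions and `InResponseTo` before this code runs.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.saml.SAMLCredential;
import org.springframework.security.saml.userdetails.SAMLUserDetailsService;

// Added example; maps a PingFederate assertion to the app's existing ROLE_* authorities.
public class PingFederateUserDetailsService implements SAMLUserDetailsService {

    // Allow-list from IdP group values (hypothetical) to application roles.
    // Groups not listed here are ignored, so a new group at the IdP never grants
    // access to this application by accident.
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static {
        GROUP_TO_ROLE.put("app-admins", "ROLE_ADMIN");
        GROUP_TO_ROLE.put("app-users", "ROLE_USER");
    }

    @Override
    public Object loadUserBySAML(SAMLCredential credential) throws UsernameNotFoundException {
        // The NameID is the identity PingFederate asserted; refuse an assertion without one.
        String username = credential.getNameID() == null ? null : credential.getNameID().getValue();
        if (username == null || username.isEmpty()) {
            throw new UsernameNotFoundException("assertion carried no NameID");
        }

        // "memberOf" is an assumed attribute name; configure it on the PingFederate side.
        List<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        String[] groups = credential.getAttributeAsStringArray("memberOf");
        if (groups != null) {
            for (String group : groups) {
                String role = GROUP_TO_ROLE.get(group);
                if (role != null) {
                    authorities.add(new SimpleGrantedAuthority(role));
                }
            }
        }
        if (authorities.isEmpty()) {
            // Authenticated at the IdP, but not entitled to anything in this application.
            throw new UsernameNotFoundException("no application role for user " + username);
        }

        // The SP never sees a password; the placeholder only satisfies User's constructor.
        return new User(username, "N/A", true, true, true, true, authorities);
    }
}
```

Because the authorities carry the same `ROLE_` names the application already uses, existing role checks in method security and JSP tags keep working after authentication moves to PingFederate.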

There is an assumption being made that you need SAML between your Spring app and PingFederate. That is not true depending on how it is deployed and if you (see Andy K's follow-up questions). You should check out the OpenToken Integration Kit for Java or perhaps the ReferenceID Int Kit from Ping as a possible solution. Much simpler to integrate than trying to hack together another SAML solution that may not be needed. However, I would recommend talking to your RSA, who can give you the best approach for your scenario.

Ian
  • I only decided to use SAML because after this piece I will need to authenticate a Tableau server via SAML. Like I said in my response to Andy K, I am deploying this using AWS Elastic Beanstalk to an Apache Tomcat server which lives in an AWS VPC. I am going to attempt using the OpenToken Integration Kit for Java since you say it is much simpler to integrate. By doing it this way, do I need to use Spring Security at all or PingFederate secures the site? Thanks much. @Ian – hyperlite May 08 '14 at 16:26
    I would be surprised if you need to use Spring Security. However, your RSA can dig deeper with you to figure out the right approach based on how your app is deployed in Tomcat. HTH – Ian May 09 '14 at 14:49
  • My application is configured to use the Spring Security Roles in order to secure functions and dynamically show/hide segments in my JSP depending on what the user's role allows. Sorry, but I am not positive what you are referring to as my RSA? Would this be Ping Federate? I just received an email from Ping Support explaining what I was trying to accomplish, and it said I would no longer need Spring if I used the Java kit. I still will be using the Spring Framework for the other features such as annotations for RequestMappings, but I am not sure how I would use the roles as before. @vschafer – hyperlite May 09 '14 at 16:41
  • My apologies, I realized that my Support contact's title is Regional Solutions Architect (RSA). I just started this Monday and he has been out all week, so this is why I am posting here to get a better idea of what I need to do to complete this solution. After sending an email to their generic support address, I was given advice from a Solutions Support Engineer; I will look into the integration kit using his advice. Thanks much for the help. @vschafer – hyperlite May 09 '14 at 16:59