This authenticator allows the Curity Identity Server to integrate with PingFederate by Ping Identity. The component is designed for the case where PingFederate functions as a SAML service provider or a WS-Federation Relying Party. In this scenario, PingFederate receives a federation message from an upstream Identity Provider and processes it before passing the result to the Curity Identity Server, where this component handles it. This integration is shown in the following figure:
In more detail, PingFederate (in the “service provider” role) receives a SAML 1.1, SAML 2 or WS-Federation message, or a message in any other protocol that it can handle (1). Part of its handling of the message is to store the user attributes it received. Using the “agentless integration kit” to broker this message into the Curity Authentication Server, PingFederate creates a reference to the user data; this reference is sent to the Curity Authentication Server as a parameter via a redirect that takes place in the user’s browser (2). Next, the PingFederate authenticator makes an authenticated, back-channel connection to PingFederate, providing the reference (3). The response to this point-to-point HTTP request is the set of attributes that PingFederate has parsed from the federation message (4).
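The reference exchange in steps 2 to 4, as an added in-process model (not code from Curity or Ping Identity): the browser redirect carries only an opaque reference, and the attributes are released only to an authenticated back-channel caller. The class, method and parameter names, the URL and the credentials are hypothetical, and the single-use and 30-second expiry behaviour are assumptions of this model rather than statements about either product.

```python
import hmac
import secrets
import time

class ReferenceStore:
    """Hypothetical model of the broker side (PingFederate's role in steps 2-4)."""

    def __init__(self, client_id, client_secret, ttl=30.0, clock=time.monotonic):
        self._id, self._secret = client_id, client_secret.encode()
        self._ttl, self._clock = ttl, clock
        self._pending = {}  # reference -> (expiry, attributes)

    def drop_off(self, attributes):
        """Step 2: keep the attributes, hand back an opaque reference for the redirect."""
        ref = secrets.token_urlsafe(32)
        self._pending[ref] = (self._clock() + self._ttl, dict(attributes))
        return ref

    def pick_up(self, client_id, client_secret, ref):
        """Steps 3-4: authenticated back-channel exchange of reference for attributes."""
        if client_id != self._id or not hmac.compare_digest(client_secret.encode(), self._secret):
            raise PermissionError("back-channel caller not authenticated")
        # pop() makes the reference single-use; the TTL is also an assumption of this model
        expiry, attributes = self._pending.pop(ref, (0.0, None))
        if attributes is None or self._clock() > expiry:
            raise LookupError("unknown, already used or expired reference")
        return attributes

def run_flow():
    """Constructed walk-through; returns the outcome of each step."""
    now = [0.0]  # fake clock so expiry can be shown without sleeping
    store = ReferenceStore("curity-authenticator", "constructed-secret", clock=lambda: now[0])

    def attempt(secret, ref):
        try:
            return store.pick_up("curity-authenticator", secret, ref)
        except (PermissionError, LookupError) as exc:
            return type(exc).__name__

    ref = store.drop_off({"subject": "alice", "email": "alice@example.com"})
    redirect = "https://login.example.com/authenticate?ref=" + ref  # constructed URL
    out = {"attributes_in_redirect": "alice@example.com" in redirect}
    out["wrong_secret"] = attempt("guess", ref)
    out["first_pickup"] = attempt("constructed-secret", ref)
    out["replay"] = attempt("constructed-secret", ref)
    stale = store.drop_off({"subject": "bob"})
    now[0] += 31.0  # past the 30 s TTL
    out["expired"] = attempt("constructed-secret", stale)
    return out
```

Calling `run_flow()` returns a dictionary with one entry per step, so the effect of a wrong credential, a replayed reference and an expired reference can be compared side by side.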
To configure a PingFederate authenticator in the Curity Authentication Server to complete this integration, a few configuration settings are required. These are listed and described in the following table:
For more information about the setup and integration in PingFederate, refer to that product’s documentation.