SSO/Rest Agent for PingFederate

The SSORest Agent for PingFederate enables single sign-on (SSO) between a PingFederate environment and enterprise Web Access Management products such as CA SiteMinder. Using the SSORest Agent for PingFederate, PingFederate can extract the user identity from a SiteMinder session and use that identity to create SAML assertions.

The Business Challenge

Many organizations employ both CA SiteMinder and PingFederate to provide Web access management and federated single sign-on, each with its own authentication methods. Organizations want to extend their SiteMinder user sessions across to PingFederate, enabling PingFederate to generate SAML assertions based upon the identity provided by SiteMinder.

The Solution

The solution requires a reverse proxy with a SiteMinder agent, such as an Apache Web Server or SiteMinder Secure Proxy Server.

IDFConnect’s solution validates the SiteMinder session using IDFConnect’s SSORest, a RESTful interface to SiteMinder. SSORest handles all of the SiteMinder API calls, removing the requirement for PingFederate to use the SiteMinder Agent API.

In addition, SSORest enables your AJAX-based Web applications to seamlessly integrate with your SiteMinder infrastructure.

Solution Components

A CA SiteMinder-protected Apache Web Server acts as a reverse proxy in front of PingFederate. SiteMinder policies can then protect access to PingFederate. On the PingFederate side, an authentication adapter enables PingFederate to consume the identity headers provided by the user’s SiteMinder session and generate the requested assertion.

The SSORest Agent for PingFederate can also be used in conjunction with PingFederate’s Composite Adapter to provide multiple authentication paths into PingFederate.

The SSORest Agent for PingFederate supports both “trust” (using headers) and “re-validation” (using SSORest) modes, as well as SiteMinder authentication levels.

How It Works

  1. Federation requests pass through the SiteMinder-protected proxy server. If the request does not include a SiteMinder session, the user is redirected to an authentication mechanism.
  2. The SSORest Agent for PingFederate passes the identity headers to SSORest for validation and generates the requested assertion.
  3. AJAX-enabled clients can maintain SiteMinder session timeouts using SSORest calls.
  4. Requests to other SiteMinder-protected enterprise applications can be forwarded to the appropriate Website.

PF WAM Adapter

For more information, please call us at 888-612-8820 or contact us.