Workforce360 Integrations Guide
How to Authenticate Everyone & Everything
WHITE PAPER
TABLE OF CONTENTS
EXECUTIVE SUMMARY
INTEGRATING APPLICATIONS
Achieve Secure Integration
SaaS Apps
Mobile Apps
Legacy Apps
Cloud
Zero Trust
CONCLUSION
WHITE PAPER Workforce360 Integrations Guide
EXECUTIVE SUMMARY
An unavoidable threat landscape combined with an increase in remote work is bringing identity to the forefront. As the workforce expands
beyond traditional employees and work increasingly happens outside of the corporate confines, enterprises are abandoning the concept of
network perimeters and relying on identity to ensure their users are who they say they are. These changing workforce dynamics are also driving
the movement toward Zero Trust as enterprises seek agile ways to verify any user, using any application, accessing any data, on any device.
Identity and access management (IAM) is an essential technology to address a growing attack surface. It helps you keep up with the
exponential growth of applications, especially mobile and SaaS, while managing legacy applications that still house critical data and
workloads. Equally important, IAM plays an integral role in delivering a frictionless experience, giving you the ability to provide seamless login
But not all IAM solutions are created equal. To address an ever-evolving environment, you need a solution purpose-built for workforce
requirements and use cases. Ping’s Workforce360 solution provides centralized authentication services with the capabilities you need.
With support for widely adopted standards and out-of-the-box integrations, Workforce360 gives you the tools and technology to fully integrate
your organization’s IT stack and eliminate any silos that may exist to deliver a streamlined workforce experience. You’re able to authenticate
everyone and everything, regardless of location, device or application, with a global authentication authority that makes your organization more
[Diagram: Authentication Authority, with integrations for Apps, Auth Types, Auth Decisions and Data]
Workforce360’s centralized authentication services integrate with diverse applications and resources across hybrid IT environments. Through open standards, integration kits, adapters, token generators and other tools, Ping supports a range of integrations, spanning applications, strong authentication, data stores and ecosystems.
[Diagram labels: Legacy, VPNs, Single-page Apps or APIs, MDM, Adaptive & Contextual Policies, Data Stores, Ecosystems, Cloud, Privileged Access Management]
Why You Need an Authentication Authority
An authentication authority is more crucial for enterprises than ever. As the number and type of applications you must support continues to grow, [...]
In addition to applications, the authentication authority can handle multiple directories and act either as the identity provider or service provider. With an authentication authority in place, you have the [...] silos and can consolidate where it makes sense. [...] lets you provide your workforce with a simple and consistent single sign-on (SSO) experience. By [...] transformation.
To learn more about the benefits of an authentication [...]
INTEGRATING APPLICATIONS
Large enterprises, more than any other segment, require IAM with advanced integration capabilities to support an extensive and diverse
portfolio of applications, as well as complex and custom use cases. They need a solution that’s flexible enough to support multiple methods
of integration to ensure security. At the same time, the solution must be capable of integrating a range of application types to ensure users
gain convenient access to the resources they need. Workforce360 excels at both.
To achieve the most secure integration, you should use standards-based federation when possible and avoid methods like password vaulting,
where credentials are stored on a server. Often marketed as secure web authentication or password managers, solutions that use password
vaulting or forwarding are discouraged because they don’t offer the same level of enterprise security as SSO via federation.
Give Users One-click Access to Apps
A successful integration requires giving your workforce convenient access to all of their applications, plus giving your admins the ability to
easily onboard apps and manage permissions. With Workforce360, your users can SSO to all of their apps, including SaaS, mobile, legacy
and single-page apps relying on APIs. At the same time, your admins gain access to a central administrative portal where they can delegate
responsibilities and enable self-service for developers and business units via policies and templates.
SaaS Apps
SaaS applications are built on SAML or OIDC, which Ping supports natively. This makes them the fastest and easiest candidates for
integration and a natural first step. Starting your integration with SaaS applications allows you to effectively deliver value from day one.
Workforce360 integrates SaaS applications through an application catalog and through SAML or OIDC connections.
• An application catalog provides a pre-configured connection to popular SaaS apps such as Google, Microsoft Office 365, Salesforce
and more.
• SAML or OIDC connections can be used to add apps that aren’t on the application catalog but support SAML or OIDC, making them
available by SSO to users in minutes via the admin portal.
Mobile Apps
Mobile apps function quite differently and require a more sophisticated approach. They consist of a client communicating to APIs and can
operate or function in the background. They’re also typically sandboxed on handheld devices, which makes it more difficult to share credentials
and sessions between apps, and makes them more susceptible to theft.
The two standards for integrating mobile applications are OIDC and OAuth. OAuth is used by application developers to obtain the access token
for authorization to back-end APIs. OIDC provides the identity layer for the application itself so the user can be authenticated on top of OAuth.
Supporting OIDC and OAuth, Workforce360 simplifies the integration of mobile apps and their corresponding APIs with SSO. With passwords
removed from the equation, your apps are more secure, and your users are more productive. By simultaneously reducing authentication
complexity, developers can focus more on application features and spend less time worrying about authentication and onboarding requirements.
Legacy Apps
Most enterprises still rely on a number of legacy applications, whether homegrown or commercial off the shelf (COTS) products, that run critical
workloads. Integration of legacy applications can typically be accomplished through three types of integration kits.
[Diagram: Add Homegrown/Legacy App, Agent/Server Integration Kits, Single-click Access via Employee Dock]
1. Agentless Kits: Agentless integration kits are the preferred method for integrating legacy applications in a simple, flexible way. They use a
back channel to exchange user-session attributes with Workforce360 via RESTful APIs. This is ideal for developers because there’s less
reliance on the target application architecture, and kits are compatible with any application language.
2. Language Kits: When there’s limited or no access to a web or application server, custom application integration kits are an option. They
support a variety of legacy programming languages including Java, .NET and PHP.
3. Server Agent Kits: If you do have access to the web or application server, server agent integration kits allow the applications to be added to
SSO via SAML. Common systems for this scenario include Internet Information Services (IIS), Apache, NetWeaver and WebSphere.
Other Legacy Applications
Centralized authentication via PingFederate provides a range of convenient approaches to enable SSO, but some apps might not natively support federation standards like SAML, OAuth and OIDC, while others might be protected by agent-based legacy web access [...]
What About My Existing WAM?
You may need to continue using an existing WAM system to run critical workloads. For [...]
INTEGRATING STRONG AUTHENTICATION
The ability to make authentication decisions based on various security and risk signals is critical for enterprises. By the same measure, all
orchestration needs to maximize user experience and productivity. You achieve this with intelligent strong authentication.
Workforce360 lets you leverage existing investments in security and create reusable, granular policies that can be applied to a variety of use
cases. Admins are able to incorporate data from multiple sources—whether risk signals or user data from multiple directories—and at the
scale your enterprise requires. When you’re able to apply intelligence behind the scenes, you gain greater assurance that your users are who
they say they are, while giving them faster access to resources.
Multi-factor Authentication (MFA)
Multi-factor authentication is a common form of strong authentication for enterprises that want to limit their reliance on password policies and reduce the risk of credential theft. But it can be challenging to add MFA to a constantly growing and changing portfolio of applications.
[Diagram labels: Any MFA, Directory Lookup]
Workforce360 includes PingID, our enterprise-grade cloud MFA, as part of the solution. In addition to integrating with PKI systems through
either software-based X.509 certificates or smartcards, Ping integrates with all popular MFA providers.
Virtual Private Networks (VPNs)
VPNs are a popular means of enabling secure remote access. Using Ping’s integrations, enterprises can strengthen VPN security by adding
MFA and granular group policies. Integrations also allow user management and access to VPNs to be controlled by the authentication
authority.
[Diagram: VPN Client, Integration via SAML, Authentication Authority, Any MFA, Any Directory]
Workforce360 can integrate with SAML-based VPNs. If PingID is being used, VPNs can be added via RADIUS as well. Ping is officially certified
by the following providers:
Ping can integrate any third-party MDM and is officially certified by the following providers:
Adaptive & Contextual Policies
By incorporating adaptive and contextual policies, you’re able to implement enterprise-grade authentication without disrupting the
productivity of your workforce. This approach provides stronger security by evaluating a user’s device, behavior and other context beyond
passwords to dynamically assess risk and step authentication requirements up or down accordingly.
You can define advanced authentication, pairing and device posture policies, such as:
• Limiting MFA and available authentication methods to specific groups, IP addresses or applications.
• Employing geo-fencing to skip MFA requirements if a trusted device is requesting access from a “secure” location or network.
• Restricting users from sharing authentication devices and from using devices that are rooted or jailbroken through root detection.
• Defining sessions that allow users to avoid prompts for MFA if authenticated within a predefined amount of time (hours, minutes, days, etc.).
Paired with MFA that can extend anywhere, context and risk signals are an essential piece to intelligent, seamless authentication. By leveraging
the authentication authority policies, they provide security for any use case. Ping integrates with the following risk signal providers:
INTEGRATING WITH IDPS & DATA STORES
To provide a consistent login experience, central authentication services must be able to integrate with multiple identity providers (IdPs). The
most common enterprise IdP is Active Directory, though enterprises have also adopted more modern directories from cloud providers such
as Amazon and Google. Many enterprises also maintain on-premises data stores as their primary user directories.
Authentication typically requires pulling user attributes from multiple directories in real time. Few if any can match the capabilities of Ping in
this regard. By supporting multiple IdPs and legacy data stores, Workforce360 lets you validate, retrieve and send user and device attributes
during provisioning. You’re able to connect all of your users to any application they require, as well as centralize credential validation to
improve user experience.
Cloud
Ping’s cloud directory integrations enable the cloud service to be the identity provider for certain applications by utilizing the cloud API to
authenticate users and return user information. Ping offers integrations with cloud services and social identity providers including:
INTEGRATING WITH THE IDENTITY ECOSYSTEM
An authentication authority must support integration with the broader identity ecosystem, namely identity governance and administration
(IGA) and privileged access management (PAM). While Ping offers basic provisioning, we integrate with SailPoint and CyberArk to provide
best-of-breed solutions for these capabilities. The authentication authority capabilities of Workforce360 also provide a solid foundation for a
Zero Trust ecosystem.
[Diagram: Corporate Directory connected to Mobile Apps, Cloud Apps, SaaS Apps and On-prem Apps. Labels: Provision; Update Profile; Certify Access; Leverage Profile; Provide Contextual Access; Strengthen security with MFA]
Zero Trust
As more enterprises adopt cloud technologies and enable work beyond the corporate premises, the notion of security via network perimeters
has given way to a Zero Trust framework. Zero Trust assumes no network traffic is trusted and everything must be verified. At the heart of
this are identity and an authentication authority that first requires users to verify they are who they say they are.
An authentication authority is central to Zero Trust, allowing you to implement resource perimeters over network perimeters and replace
network-based trust with greater assurance and confidence that users are who they say they are. Workforce360 provides a solid foundation
on which to build your Zero Trust framework, either integrating with or supporting complementary technologies and providing the
orchestration engine to ensure an optimal user experience.
To learn more about using an authentication authority to create the foundation for Zero Trust, read the white paper.
CONCLUSION
You need to deliver a consistent experience to your users, no matter where they are or what device they’re using. An authentication authority
capable of integrating anything and everything is more essential for today’s enterprises than ever before. With Workforce360, you gain the global
authentication authority needed to deliver secure and consistent experiences to your workforce, making your organization more productive while
increasing security and agility.
• Provide authentication for everyone and everything by working across multiple silos.
• Deliver secure, consistent experiences to your workforce.
• Utilize an identity-based workforce authentication authority to be more productive, secure and agile.
• Create a solid identity foundation so you can accelerate digital transformation.
Ping Identity is pioneering Intelligent Identity. We help enterprises achieve Zero Trust identity-defined security and more personalized, streamlined user experiences.
The Ping Intelligent Identity™ platform provides customers, employees, partners and, increasingly, IoT, with access to cloud, mobile, SaaS and on-premises
applications and APIs, while also managing identity and profile data at scale. Over half of the Fortune 100 choose us for our identity expertise, open standards
leadership, and partnership with companies including Microsoft and Amazon. We provide flexible options to extend hybrid IT environments and accelerate digital
business initiatives with multi-factor authentication, single sign-on, access management, intelligent API security, directory and data governance capabilities.
Visit www.pingidentity.com. #3500 | 06.2020 | v06
[Graphic: integration categories. Application Integration: VPN, Provisioning, SCIM, Legacy WAM. Authentications: Biometrics, Desktop, FIDO]