
Workforce360

Integrations Guide
How to Authenticate Everyone & Everything

WHITE PAPER

TABLE OF CONTENTS

03 EXECUTIVE SUMMARY

05 INTEGRATING APPLICATIONS
   Achieve Secure Integration
   Give Users One-click Access to Apps
     SaaS Apps
     Mobile Apps
     Legacy Apps
     Single-page Apps or APIs

09 INTEGRATING STRONG AUTHENTICATION
   Multi-factor Authentication (MFA)
   Virtual Private Networks (VPNs)
   Mobile Device Management (MDM)
   Adaptive & Contextual Policies

12 INTEGRATING WITH IDPS & DATA STORES
   Legacy Data Stores
   Cloud

13 INTEGRATING WITH THE IDENTITY ECOSYSTEM
   Identity Governance & Administration
   Privileged Access Management
   Zero Trust

15 CONCLUSION

16 APPLICATION INTEGRATION & AUTHENTICATION

WHITE PAPER Workforce360 Integrations Guide
EXECUTIVE SUMMARY

An unavoidable threat landscape combined with an increase in remote work is bringing identity to the forefront. As the workforce expands beyond traditional employees and work increasingly happens outside of the corporate confines, enterprises are abandoning the concept of network perimeters and relying on identity to ensure their users are who they say they are. These changing workforce dynamics are also driving the movement toward Zero Trust as enterprises seek agile ways to verify any user, using any application, accessing any data, on any device.

Identity and access management (IAM) is an essential technology to address a growing attack surface. It helps you keep up with the exponential growth of applications, especially mobile and SaaS, while managing legacy applications that still house critical data and workloads. Equally important, IAM plays an integral role in delivering a frictionless experience, giving you the ability to provide seamless login and access to a diverse workforce.

But not all IAM solutions are created equal. To address an ever-evolving environment, you need a solution purpose-built for workforce requirements and use cases. Ping’s Workforce360 solution provides centralized authentication services with the capabilities you need.

With support for widely adopted standards and out-of-the-box integrations, Workforce360 gives you the tools and technology to fully integrate your organization’s IT stack and eliminate any silos that may exist to deliver a streamlined workforce experience. You’re able to authenticate everyone and everything, regardless of location, device or application, with a global authentication authority that makes your organization more productive, secure and agile.

[Figure: the Authentication Authority as a hub connecting Apps, Auth Types, Auth Decisions, Data and Integrations]
Workforce360’s centralized authentication services integrate with diverse applications and resources across hybrid IT environments. Through open standards, integration kits, adapters, token generators and other tools, Ping supports a range of integrations, spanning applications, strong authentication, data stores and ecosystems.

Workforce360 Integration Capabilities

[Figure: four integration areas]
  Applications: SaaS; Mobile; Legacy; Single-page Apps or APIs
  Strong Authentication: MFA; VPNs; MDM; Adaptive & Contextual Policies
  Data Stores: Legacy; Cloud
  Ecosystems: Identity Governance; Privileged Access Management; Zero Trust

Read on to learn how Ping’s Workforce360 solution helps you:
• Provide authentication for everyone and everything by working across multiple silos.
• Deliver secure, consistent experiences to your workforce.
• Utilize an identity-based workforce authentication authority to be more productive, secure and agile.
• Create a solid identity foundation so you can accelerate digital transformation.

Why You Need an Authentication Authority

An authentication authority is more crucial for enterprises than ever. As the number and type of applications you must support continues to grow, an authentication authority makes it possible to deliver a consistent user experience regardless of the application type or where it resides (on premises, cloud or SaaS). By acting as a federation hub, an authentication authority provides centralized authentication services to all assets, including legacy or custom systems based on proprietary standards, as well as assets that utilize open standards like SAML and OAuth.

In addition to applications, the authentication authority can handle multiple directories and act either as the identity provider or service provider. With an authentication authority in place, you have the orchestration engine to handle complex authentication flows. You’re less dependent on disparate identity silos and can consolidate where it makes sense.

Perhaps most importantly, an authentication authority lets you provide your workforce with a simple and consistent single sign-on (SSO) experience. By providing a single point of access to all resources, SSO minimizes password sprawl and the helpdesk requirements that come with it. When you combine SSO with advanced security features like adaptive, policy-based multi-factor authentication (MFA) and passwordless capabilities, you’re able to give employees secure and streamlined access to resources, and they’re able to be more productive.

To learn more about the benefits of an authentication authority, please see the Workforce Authentication Authority white paper.

INTEGRATING APPLICATIONS

Large enterprises, more than any other segment, require IAM with advanced integration capabilities to support an extensive and diverse
portfolio of applications, as well as complex and custom use cases. They need a solution that’s flexible enough to support multiple methods
of integration to ensure security. At the same time, the solution must be capable of integrating a range of application types to ensure users
gain convenient access to the resources they need. Workforce360 excels at both.

Achieve Secure Integration


Workforce360 provides support for open standards like SAML, OAuth and OpenID Connect (OIDC) so you’re able to achieve fast and efficient
integrations in a developer-friendly manner. For applications that don’t support standards-based authentication, you can utilize Ping’s custom,
pre-built integration kits, which typically require 15 or fewer lines of code changes. If you have significant custom application requirements,
PingAccess, part of Ping’s adaptive access security solution, provides centralized access security with a comprehensive policy engine.

[Figure: Open Standards; Non-Standards, handled by Integration Kits OR PingAccess]

To achieve the most secure integration, you should use standards-based federation when possible and avoid methods like password vaulting,
where credentials are stored on a server. Often marketed as secure web authentication or password managers, solutions that use password
vaulting or forwarding are discouraged because they don’t offer the same level of enterprise security as SSO via federation.

“Gartner strongly recommends against using password vaulting and forwarding due to the associated risks of potential password compromise; instead, use standards-based federation when possible.”

- MAGIC QUADRANT FOR ACCESS MANAGEMENT, GARTNER, 2019

Give Users One-click Access to Apps
A successful integration requires giving your workforce convenient access to all of their applications, plus giving your admins the ability to
easily onboard apps and manage permissions. With Workforce360, your users can SSO to all of their apps, including SaaS, mobile, legacy
and single-page apps relying on APIs. At the same time, your admins gain access to a central administrative portal where they can delegate
responsibilities and enable self-service for developers and business units via policies and templates.

[Figure: SSO to Legacy, SaaS, APIs and Mobile applications]

SaaS Apps
SaaS applications are built on SAML or OIDC, which Ping supports natively. This makes them the fastest and easiest candidates for
integration and a natural first step. Starting your integration with SaaS applications allows you to effectively deliver value from day one.

[Figure: Integration, Add App]

Workforce360 integrates SaaS applications through an application catalog and through SAML or OIDC connections.
• An application catalog provides a pre-configured connection to popular SaaS apps such as Google, Microsoft Office 365, Salesforce and more.
• SAML or OIDC connections can be used to add apps that aren’t in the application catalog but support SAML or OIDC, making them available by SSO to users in minutes via the admin portal.

Mobile Apps
Mobile apps function quite differently and require a more sophisticated approach. They consist of a client communicating with APIs and can operate in the background. They’re also typically sandboxed on handheld devices, which makes it more difficult to share credentials and sessions between apps, and makes them more susceptible to theft.

The two standards for integrating mobile applications are OIDC and OAuth. OAuth is used by application developers to obtain the access token
for authorization to back-end APIs. OIDC provides the identity layer for the application itself so the user can be authenticated on top of OAuth.

Supporting OIDC and OAuth, Workforce360 simplifies the integration of mobile apps and their corresponding APIs with SSO. With passwords
removed from the equation, your apps are more secure, and your users are more productive. By simultaneously reducing authentication
complexity, developers can focus more on application features and spend less time worrying about authentication and onboarding requirements.

Legacy Apps
Most enterprises still rely on a number of legacy applications, whether homegrown or commercial off the shelf (COTS) products, that run critical
workloads. Integration of legacy applications can typically be accomplished through three types of integration kits.

[Figure: Integration, Add Homegrown/Legacy App via Agent or Server Kits; Single-click Access via Employee Dock]

1. Agentless Kits: Agentless integration kits are the preferred method for integrating legacy applications in a simple, flexible way. They use a back channel to exchange user-session attributes with Workforce360 via RESTful APIs. This is ideal for developers because there’s less reliance on the target application architecture, and kits are compatible with any application language.
2. Language Kits: When there’s limited or no access to a web or application server, custom application integration kits are an option. They support a variety of legacy programming languages including Java, .NET and PHP.
3. Server Agent Kits: If you do have access to the web or application server, server agent integration kits allow the applications to be added to SSO via SAML. Common systems for this scenario include Internet Information Services (IIS), Apache, NetWeaver and WebSphere.

Other Legacy Applications

Centralized authentication via PingFederate provides a range of convenient approaches to enable SSO, but some apps might not natively support federation standards like SAML, OAuth and OIDC, while others might be protected by agent-based legacy web access management (WAM) agents.

When PingFederate and PingAccess are deployed together, you can easily extend single sign-on to all applications through HTTP header injection, JWT tokens and even token mediation to applications protected by legacy WAM agents. Ping’s partnership with Microsoft provides the additional benefit of leveraging your identities in Azure AD to maintain SSO for all of your on-premises applications.

What About My Existing WAM?

You may need to continue using an existing WAM system to run critical workloads. For many, ripping and replacing isn’t an option, so you need a solution that can integrate with this legacy architecture.

This integration is supported through integration kits that allow Workforce360 to operate as either the identity provider (IdP) or service provider (SP). Ping offers integration kits for many common legacy WAM systems.

Using this approach, you’re able to maintain your existing WAM system without interruption, while giving developers the ability to extend the single sign-on reach of an authentication authority to applications protected by the supported WAM system. This is accomplished through API integration into legacy apps. Ping is able to translate legacy token formats (WAM tokens, Kerberos tickets) into OAuth or JWT tokens to enable mobile apps and integration into modern stacks. This can be done over WS-Trust or over OAuth Token Exchange via REST API, the mobile-friendly preferred standard.

Check out our adaptive access security solution to learn more about co-existence or migrating off WAM systems through migration tools and API management tools.

Single-page Apps or APIs

Single-page applications (SPAs) are based on web technologies such as HTML, JavaScript and HTTP and WebSocket-based APIs. SPAs are unique because the user never navigates off the initial HTML page. Instead, locally executed JavaScript from that first page supplies the browser with the behavior for handling user requests.

Workforce360 relies on local code to define the user experience and logic for retrieving and manipulating data via API endpoints. Given the usage of web technologies and the need for API access, SPAs and their corresponding APIs can be integrated via OAuth and OIDC. Token translators can further help bridge SPAs into an existing WAM infrastructure.

INTEGRATING STRONG AUTHENTICATION

The ability to make authentication decisions based on various security and risk signals is critical for enterprises. By the same measure, all
orchestration needs to maximize user experience and productivity. You achieve this with intelligent strong authentication.

Workforce360 lets you leverage existing investments in security and create reusable, granular policies that can be applied to a variety of use cases. Admins are able to incorporate data from multiple sources—whether risk signals or user data from multiple directories—and at the scale your enterprise requires. When you’re able to apply intelligence behind the scenes, you gain greater assurance that your users are who they say they are, while giving them faster access to resources.

Multi-factor Authentication (MFA)

Multi-factor authentication is a common form of strong authentication for enterprises that want to limit their reliance on password policies and reduce the risk of credential theft. But it can be challenging to add MFA to a constantly growing and changing portfolio of applications.

When you’re able to piggyback off of an authentication authority, you no longer have to go through the arduous process of integrating MFA to each application individually. You’re freed from the limitations of authentication protocols and can utilize numerous MFA providers if necessary and as is common after mergers and acquisitions.

[Figure: authentication authority flow: 1 Access Application, 2 Directory Lookup, 3 Any MFA, 4 Access Decision]

Workforce360 includes PingID, our enterprise-grade cloud MFA, as part of the solution. In addition to integrating with PKI systems through either software-based X.509 certificates or smartcards, Ping integrates with all popular MFA providers.

Virtual Private Networks (VPNs)
VPNs are a popular means of enabling secure remote access. Using Ping’s integrations, enterprises can strengthen VPN security by adding
MFA and granular group policies. Integrations also allow user management and access to VPNs to be controlled by the authentication
authority.

[Figure: VPN Client integrated via SAML with the Authentication Authority, which connects to Any MFA and Any Directory]

Workforce360 can integrate with SAML-based VPNs. If PingID is being used, VPNs can be added via RADIUS as well. Ping is officially certified
by the following providers:

Mobile Device Management (MDM)


Whether you’re provisioning mobile devices or supporting a BYOD model, mobile device management is crucial for ensuring secure
authentication. Workforce360 integrates with MDM software to enforce security policies based on device-level attributes like establishing a
minimum OS, preventing jailbroken/rooted devices, requiring password criteria or disallowing certain types of devices.

Ping can integrate any third-party MDM and is officially certified by the following providers:

Adaptive & Contextual Policies
By incorporating adaptive and contextual policies, you’re able to implement enterprise-grade authentication without disrupting the
productivity of your workforce. This approach provides stronger security by evaluating a user’s device, behavior and other context beyond
passwords to dynamically assess risk and step authentication requirements up or down accordingly.

You can define advanced authentication, pairing and device posture policies, such as:

• Limiting MFA and available authentication methods to specific groups, IP addresses or applications.
• Employing geo-fencing to skip MFA requirements if a trusted device is requesting access from a “secure” location or network.
• Restricting users from sharing authentication devices and from using devices that are rooted or jailbroken through root detection.
• Defining sessions that allow users to avoid prompts for MFA if authenticated within a predefined amount of time (hours, minutes, days, etc.).
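As an added illustration of how these four policy types combine in one step-up decision (example code written for this guide, not Ping product code; the context and policy fields, the rule ordering, the constructed policy values and sample requests are all assumptions):

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class AuthContext:              # signals gathered for one login attempt (assumed schema)
    user: str
    groups: FrozenSet[str]
    app: str
    client_ip: str
    device_trusted: bool             # device previously paired for this user
    device_rooted: bool              # root/jailbreak detection result
    mfa_device_owner: Optional[str]  # user the presented MFA device is paired to
    last_mfa_at: Optional[datetime]  # last successful MFA in this session
    now: datetime

@dataclass(frozen=True)
class Policy:                   # admin policy covering the four bullet types (assumed shape)
    mfa_groups: FrozenSet[str]        # MFA limited to these groups ...
    mfa_apps: FrozenSet[str]          # ... or these applications
    secure_networks: Tuple[str, ...]  # geo-fence: trusted device here skips MFA
    mfa_session_ttl: timedelta        # no re-prompt inside this window

def decide(ctx: AuthContext, policy: Policy) -> Tuple[str, str]:
    """Return (decision, reason); decision is 'deny', 'allow' or 'step_up'."""
    # Device posture first: a rooted/jailbroken device is refused before any
    # MFA exemption is considered.
    if ctx.device_rooted:
        return ("deny", "rooted or jailbroken device")
    # An MFA device paired to a different user indicates device sharing.
    if ctx.mfa_device_owner is not None and ctx.mfa_device_owner != ctx.user:
        return ("deny", "authentication device paired to another user")
    # MFA is only in scope for the configured groups and applications.
    if not (ctx.groups & policy.mfa_groups) and ctx.app not in policy.mfa_apps:
        return ("allow", "MFA not required for this user or application")
    # Session policy: MFA completed inside the window is still valid.
    if ctx.last_mfa_at is not None and ctx.now - ctx.last_mfa_at < policy.mfa_session_ttl:
        return ("allow", "MFA satisfied within session window")
    # Geo-fence: only a trusted (paired) device inside a secure network skips
    # MFA; an unknown device on the same network still steps up.
    addr = ip_address(ctx.client_ip)
    if ctx.device_trusted and any(addr in ip_network(n) for n in policy.secure_networks):
        return ("allow", "trusted device on secure network")
    return ("step_up", "MFA required")

# Constructed sample policy and clock for the walk-through below.
SAMPLE_POLICY = Policy(mfa_groups=frozenset({"finance"}), mfa_apps=frozenset({"payroll"}),
                       secure_networks=("10.20.0.0/16",), mfa_session_ttl=timedelta(hours=8))
T0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)

def request(**overrides) -> AuthContext:
    """A finance user opening payroll from a paired device off-network, with overrides."""
    fields = dict(user="alice", groups=frozenset({"finance"}), app="payroll",
                  client_ip="203.0.113.7", device_trusted=True, device_rooted=False,
                  mfa_device_owner="alice", last_mfa_at=None, now=T0)
    fields.update(overrides)
    return AuthContext(**fields)

def sample_decisions() -> dict:
    """Exercise each rule once; returns {scenario: decision}."""
    p = SAMPLE_POLICY
    return {
        "remote_finance_user": decide(request(), p)[0],
        "trusted_device_on_secure_net": decide(request(client_ip="10.20.3.4"), p)[0],
        "unknown_device_on_secure_net": decide(request(client_ip="10.20.3.4", device_trusted=False), p)[0],
        "mfa_two_hours_ago": decide(request(last_mfa_at=T0 - timedelta(hours=2)), p)[0],
        "mfa_nine_hours_ago": decide(request(last_mfa_at=T0 - timedelta(hours=9)), p)[0],
        "out_of_scope": decide(request(groups=frozenset({"sales"}), app="wiki"), p)[0],
        "rooted_device": decide(request(device_rooted=True), p)[0],
        "shared_mfa_device": decide(request(mfa_device_owner="bob"), p)[0],
    }
```

The rule order matters: posture and device-sharing checks run before any exemption, so a geo-fence or session window can never let a rooted or shared device through.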

Paired with MFA that can extend anywhere, context and risk signals are an essential piece to intelligent, seamless authentication. By leveraging
the authentication authority policies, they provide security for any use case. Ping integrates with the following risk signal providers:

INTEGRATING WITH IDPS & DATA STORES

To provide a consistent login experience, central authentication services must be able to integrate with multiple identity providers (IdPs). The
most common enterprise IdP is Active Directory, though enterprises have also adopted more modern directories from cloud providers such
as Amazon and Google. Many enterprises also maintain on-premises data stores as their primary user directories.

Authentication typically requires pulling user attributes from multiple directories in real-time. Few if any can match the capabilities of Ping in
this regard. By supporting multiple IdPs and legacy data stores, Workforce360 lets you validate, retrieve and send user and device attributes
during provisioning. You’re able to connect all of your users to any application they require, as well as centralize credential validation to
improve user experience.

Legacy Data Stores


With Workforce360, you’re able to extend the capabilities of legacy data stores to any app and any device. Ping integrates with:
• Microsoft Active Directory
• Microsoft SQL
• Oracle DSEE
• Oracle Unified Directory
• Oracle DB 12c
• Oracle MySQL
• PostgreSQL

Cloud
Ping’s cloud directory integrations enable the cloud service to be the identity provider for certain applications by utilizing the cloud API to
authenticate users and return user information. Ping offers integrations with cloud services and social identity providers including:

INTEGRATING WITH THE IDENTITY ECOSYSTEM

An authentication authority must support integration with the broader identity ecosystem, namely identity governance and administration
(IGA) and privileged access management (PAM). While Ping offers basic provisioning, we integrate with SailPoint and CyberArk to provide
best-of-breed solutions for these capabilities. The authentication authority capabilities of Workforce360 also provide a solid foundation for a
Zero Trust ecosystem.

Identity Governance & Administration


You can support the most sophisticated environments when it comes to user and lifecycle management by combining a dedicated IGA platform with an authentication authority. The Ping + SailPoint integration lets you give the right access to the right employees across any app and any directory in any environment. At the same time, you gain greater control over processes such as provisioning, password management, and access requests and certification.

[Figure: Corporate Directory with the Ping + SailPoint integration (Provision; Update Profile; Certify Access; Leverage Profile; Provide Contextual Access; Strengthen security with MFA) serving Mobile Apps, Cloud Apps, SaaS Apps and On-prem Apps]

Privileged Access Management


When PAM is integrated with an authentication authority, each technology protects the other. The Ping + CyberArk integration gives admins
logging into CyberArk an extra layer of security provided by the MFA and SSO capabilities of PingID and PingFederate. Conversely, Ping
administrator accounts are protected by CyberArk’s market-leading PAM solution.

Zero Trust
As more enterprises adopt cloud technologies and enable work beyond the corporate premises, the notion of security via network perimeters has given way to a Zero Trust framework. Zero Trust assumes no network traffic is trusted and everything must be verified. At the heart of this are identity and an authentication authority that first requires users to verify they are who they say they are.

An authentication authority is central to Zero Trust, allowing you to implement resource perimeters over network perimeters and replace
network-based trust with greater assurance and confidence that users are who they say they are. Workforce360 provides a solid foundation
on which to build your Zero Trust framework, either integrating with or supporting complementary technologies and providing the
orchestration engine to ensure an optimal user experience.

To learn more about using an authentication authority to create the foundation for Zero Trust, read the white paper.

CONCLUSION
You need to deliver a consistent experience to your users, no matter where they are or what device they’re using. An authentication authority
capable of integrating anything and everything is more essential for today’s enterprises than ever before. With Workforce360, you gain the global
authentication authority needed to deliver secure and consistent experiences to your workforce, making your organization more productive while
increasing security and agility.

• Provide authentication for everyone and everything by working across multiple silos.
• Deliver secure, consistent experiences to your workforce.
• Utilize an identity-based workforce authentication authority to be more productive, secure and agile.
• Create a solid identity foundation so you can accelerate digital transformation.

To learn more about Workforce360, visit pingidentity.com/workforce360.

Ping Identity is pioneering Intelligent Identity. We help enterprises achieve Zero Trust identity-defined security and more personalized, streamlined user experiences. The Ping Intelligent Identity™ platform provides customers, employees, partners and, increasingly, IoT, with access to cloud, mobile, SaaS and on-premises applications and APIs, while also managing identity and profile data at scale. Over half of the Fortune 100 choose us for our identity expertise, open standards leadership, and partnership with companies including Microsoft and Amazon. We provide flexible options to extend hybrid IT environments and accelerate digital business initiatives with multi-factor authentication, single sign-on, access management, intelligent API security, directory and data governance capabilities. Visit www.pingidentity.com.

#3500 | 06.2020 | v06
APPLICATION INTEGRATION & AUTHENTICATION

Application Integration
  Single Sign-on (Application Type / Integration)
    Standards: WS-FED, OAuth/OIDC, SAML
    Local: Language SDK, Agentless SDK, Web Server Agent, Reverse Proxies, Access Security (URL level access control)
    Legacy WAM: CA/Broadcom/Symantec Siteminder, Oracle Access Manager, RSA Access Manager
  MFA: Windows Login, SSH, VPN
  Provisioning: SCIM, JIT, App Specific APIs, Directory Sync

Authentications
  Standards: LDAP, RADIUS, Kerberos, SAML, WS-FED, OAuth/OIDC, X.509 Certificates (PIV/Smart Cards)
  Custom: Agent SDK, Agentless SDK
  MFA: Out-of-band OTP (Email, SMS, Voice), Mobile Push, OATH (Mobile, Hardware Tokens), Biometrics, Desktop, FIDO
  Risk Engines
  Social
  MDM
  Legacy WAM
