We are considering implementing PingFederate as an IdP.
PingFederate can also act as an SP - is it recommended that PingFederate, when acts as an SP, be hosted on a separate server from the PingFederate instance acting as the IdP.
We are an educational institution, it is likely that some of our integration applications, to the PingFederate IdP, will not have budget to purchase PingFederate licenses for SP. Do you use the open source SP from Internet2?
You can easily run PingFed in the IDP and SP role on the same server with the same PF server instance. It is not required to separate them. I would suggest talking with Regional Solutions Architect from Ping Identity to help identify the best setup for your institution.
--Ian
Related
I'm looking for how to add hostname bindings to ADFS like you would add additional hostname bindings for a website in IIS. e.g. adfs.mydomain.com is the domain used for ADFS. In addition I'd like to add server1.adfs.mydomain.com. This has nothing to do with SSL certs. I know this can be done as I did it on the ADFS server I'm retiring.
For those who ask why I want to do this. There is a farm of ADFS servers behind a load balancer all using adfs.mydomain.com hostname. I'd like specific bindings for each server e.g. server1.adfs.mydomain.com so I can probe the service on a specific server from our monitoring system to verify the ADFS service is online.
The old ADFS server is whatever role service comes with Win2k16. The new ADFS server is the role service on Win2k22. This used the be easier to find searching google, but now adfs related postings have become littered with references to Azure and O365 implementations. Anyone know how to add the additional binding? I feel like previously it was powershell or netsh command, but I could be wrong.
• Since, the ADFS servers in your ADFS farm are behind a load balancer which has a hostname of ‘adfs.mydomain.com’, the ADFS servers in the farm also are domain joined servers with their DNS records hosted in your environment’s local DNS server. Thus, to identify those ADFS servers with additional hostnames other than that assigned them during domain joining, you need to add these additional hostnames in the local hosts file of the ADFS servers serviced by the load balancer as shown below: -
Go to the path, ‘C:\Windows\System32\drivers\etc\hosts’ and open the hosts file with notepad and add the IP address of the respective ADFS Server as shown below in the screenshot: -
Thus, in this way, the monitoring server will be able to find out the ADFS server and query the ADFS service for its proper functioning. Also, it will be able to resolve them through the load balancer if it has to pass through them for service availability.
I want to implement in my project the Intel SGX remote attestation mecanisme.
this mecanisme requires the Service Provider and a IAS server.
My problem is: what is exactly a Service Provider, is it an ordinary server in which we install an API or something else.
How to configure this SP in order to implement remote attestation mecanisme.
Thank you.
You probably have in mind Intel's RA example:
(source: intel.com)
There are three different actors involved:
Client Application, who is a host to the enclave
Service Provider, who performs remote attestation on Client's behalf
Attestation Service (IAS, Intel Attestation Service), who is a trusted third party tasked with verifying the enclave
This example implements remote attestation in a client-server architecture where the Client Application acts as a client and the Service Provider acts as a server. So yes, the Service Provider could be an ordinary server that provides Client Application with some API.
This is a useful pattern if you intend to perform RA across many applications - but it's not required. You can implement RA algorithm in Client Application instead and talk to the Attestation Service directly.
I am new to Ping Federate. I have developed SAML 2.0 SSO browser profile code from an application. Tested it using WSO2 Identity Server. It works in PingFederate too. But I am facing hard time figuring out the pieces of puzzle in PingFederate.
Please point me to a good resouce on this.
Thanks
Ping has a video in their library here that describes creating an SP connection.
I am beginer in learning IBM DataPower so please let me know why it is used and
where it is used and what is the purpose that we use it.
Thank you.
IBM Datapower is called an appliance because it is purpose built with an OS of its own. The datapower appliance is usually located in the DMZ layer where an organization communicates with the other 3rd party vendor. Datapower has the ability to transform messages as well and the inbuilt security feature makes it a stronghold to secure the DMZ layer. It can connect using many protocols such as MQ, HTTP, HTTPS, JMS, SFTP, FTP, IMS , AS2, AS3 etc as well. It is also used to host APIs and SOAP web services. In short it is used for integrating with application outside of the organization layer.
I have some dedicated servers running ASP.NET applications over internet. All servers are fully trusted (all belongs to the same company) and need to communicate to each other in a secure way. They are not part of a domain or work group and should not be.
Each server acts as both client and server of some WCF services. These services are few (1-2 per server) and light (a little data is transferred on each call).
I can use self-signed SSL certificates or X509. I'm looking for some way to make sure nobody from internet can call a WCF service on a server. New server would be added in the future.
I read about WCF but now I'm confused, is it good idea to use self-signed SSL certificates or not (non self-signed is not an option at the moment), which binding to use, which security mode to use, which authentication method to use...
I need some hints to start (please provide a link to a sample.
I would use a certificate-based authentication where both client and server are authenticated.
To make things more secure, do not use self sign certificates.
If your company already have a certificate server: issue certificates to each of your server and specify as an authentication configuration that both client and services need to present a certificate issued by your certificate server.
WCF security is a big topic, but there are some other non-WCF specific ways you can secure the service:
Use IP SEC to secure the communication channel
Use IP whitelists to grant / deny access to the port that the WCF endpoints operate on
Use a VPN Solution (particularly convenient if your company already has a site to site VPN)