Bridging The Gap Between CA Single Sign-On and PingFederate

Photo credit: Ian McWilliams

Let’s face it: some things just go well together. Chocolate and peanut butter; coffee and cream; Vinz Clortho and Zuul; PingFederate and CA Single Sign-On (formerly SiteMinder). I’ll give you a moment to let that last one sink in. Traditionally, organizations have preferred to consolidate on a single vendor suite, but recently there has been a more accepting attitude toward combining technologies from different vendors. That is understandable given how many strong products there are, each offering its own advantages. The driving factors behind these combinations vary: often it is to get the best of each technology, sometimes to fill a gap, and occasionally to manage a transition from one technology to another. Regardless of the driver, you need a plan in place if you want to successfully ‘bridge’ these technologies. Success here means a seamless implementation with no noticeable impact on end users. In this example we look at a common deployment that combines CA Single Sign-On, an industry-leading access management solution, with PingFederate, a leading SAML federation solution.

Both products are great at what they do and have a large installed base. Both provide a ‘single sign-on’ function, but each implements it differently. Since both can authenticate users and act as an authoritative source, wouldn’t it be great if they could work together? Great news: they can!

To make this work, the two platforms need to exchange identity information and trust while each continues its own native processing. This is accomplished through token exchange, specifically through the CoreBlox Token Service (CTS) and the PingFederate CoreBlox Token Translator.

The exchange of tokens gives a bi-directional flow of trust between the two vendors’ products: if a user has already authenticated with one service, that token can be trusted and exchanged for a token from the other. This is done by the two components mentioned above. The CoreBlox Token Service is deployed either within the PingFederate Jetty engine or as a stand-alone instance. Depending on the use case, the PingFederate adapter (IdP or SP) uses CTS to validate an incoming SMSESSION, to redirect the user to authenticate and obtain an SMSESSION, or to create an SMSESSION from the identity the adapter supplies. On the PingFederate side, the CTS adapter consumes the result, so that a new PingFederate session is created on the strength of the trust established with CTS. Because each side accepts the other’s token as proof of authentication, the bridge is only as strong as the validation behind it: an SMSESSION must be validated against CA SSO rather than taken at face value, and only the trusted adapter should be able to ask CTS to create one.

Beyond basic trust and token exchange, customizations allow identifying attributes to travel with the token in either direction, so the receiving side can use them for additional authorization decisions or for content delivery.
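To make the two flows above concrete, here is an added illustration of the bidirectional exchange and the attribute hand-off. This is example code written for this article; it is not the CoreBlox Token Service, the PingFederate CTS adapter, or the CA SSO Policy Server API. The in-memory policy server, the HMAC check that authenticates the adapter’s session-creation call, the login URL and the attribute names are all assumptions used to show the flow, not the products’ real wire formats.

```python
"""Constructed model of a CA SSO <-> PingFederate token exchange.
Assumptions (not the real products): opaque SMSESSION tokens held by an
in-memory policy server, an HMAC shared secret authenticating the adapter,
and a fixed CA SSO login URL for the redirect case."""
import hashlib
import hmac
import json
import secrets
import time


class MockPolicyServer:
    """Stand-in for the CA SSO Policy Server: the only authority on SMSESSIONs."""

    def __init__(self):
        self._sessions = {}  # smsession token -> {user, attrs, expires}

    def create_session(self, user, attrs, ttl=3600):
        token = secrets.token_urlsafe(32)  # opaque; a real SMSESSION is an encrypted blob
        self._sessions[token] = {"user": user, "attrs": dict(attrs), "expires": time.time() + ttl}
        return token

    def validate(self, smsession):
        s = self._sessions.get(smsession)
        if s is None or s["expires"] < time.time():
            return None
        return {"user": s["user"], **s["attrs"]}


class MockTokenService:
    """Stand-in for CTS, sitting between the PingFederate adapter and the policy server."""

    LOGIN_URL = "https://sso.example.com/login"  # assumed CA SSO login endpoint

    def __init__(self, policy_server, adapter_secret):
        self.ps = policy_server
        self.adapter_secret = adapter_secret  # shared with the PingFederate adapter only

    # CA SSO -> PingFederate: validate the cookie, hand back identity plus attributes
    def validate_smsession(self, smsession):
        if not smsession:
            return {"action": "redirect", "to": self.LOGIN_URL}
        ident = self.ps.validate(smsession)
        if ident is None:  # expired, unknown or forged cookie: never trust its contents
            return {"action": "redirect", "to": self.LOGIN_URL}
        return {"action": "ok", "identity": ident}

    # PingFederate -> CA SSO: mint an SMSESSION, but only for an authenticated adapter
    def create_smsession(self, identity, mac):
        body = json.dumps(identity, sort_keys=True).encode()
        expected = hmac.new(self.adapter_secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return {"action": "reject", "reason": "caller not authenticated"}
        attrs = {k: v for k, v in identity.items() if k != "user"}
        return {"action": "ok", "smsession": self.ps.create_session(identity["user"], attrs)}


def sign_identity(identity, adapter_secret):
    """What the PingFederate-side adapter would do before asking CTS for a session."""
    body = json.dumps(identity, sort_keys=True).encode()
    return hmac.new(adapter_secret, body, hashlib.sha256).hexdigest()


def demo():
    """Run both directions on constructed data and return the outcomes."""
    ps = MockPolicyServer()
    secret = b"constructed-shared-secret"
    cts = MockTokenService(ps, secret)

    # Direction 1: alice already holds an SMSESSION from CA SSO; PingFederate
    # wants her identity and attributes to build a SAML assertion.
    sm = ps.create_session("alice", {"email": "alice@example.com", "role": "admin"})
    ca_to_ping = cts.validate_smsession(sm)
    no_cookie = cts.validate_smsession(None)  # no session yet: go authenticate first
    forged = cts.validate_smsession("AAAA-not-issued-by-the-policy-server")

    # Direction 2: PingFederate (as SP) accepted an assertion for bob and asks
    # CTS to mint an SMSESSION so CA SSO-protected applications accept him.
    ident = {"user": "bob", "email": "bob@partner.example", "role": "reader"}
    ping_to_ca = cts.create_smsession(ident, sign_identity(ident, secret))
    minted_ok = ps.validate(ping_to_ca["smsession"])
    unauth = cts.create_smsession(ident, sign_identity(ident, b"wrong-secret"))

    return {"ca_to_ping": ca_to_ping, "no_cookie": no_cookie, "forged": forged,
            "ping_to_ca": ping_to_ca, "minted_ok": minted_ok, "unauth": unauth}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The two failure paths are the ones to watch in a real deployment: a cookie the policy server does not recognise gets a redirect, not a guess at the user, and a session-creation request that cannot prove it came from the adapter is rejected, because whoever can reach that endpoint can otherwise mint sessions for any user.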

To sum up: whether you need ongoing seamless sign-on between CA SSO and PingFederate or just a temporary bridge between the two products, look no further than the CoreBlox Token Service. CTS is available as a free download, so you can get started today.


Chris Smith