The changing nature of today's workforce, whether it be contractors, freelancers, or more remote workers, challenges the traditional perimeter security model that predominates today. Ping Identity is an identity management platform provider that aims to challenge this age-old model with their PingOne platform.
I spent some time over the past few days testing out PingOne using a free trial account provided to me by the company.
- Single Sign On (SSO) for unlimited applications and users
- Active Directory (AD) authentication
- Multifactor authentication
- On-premises identity store integration (AD/LDAP/DB/WAM)
- User provisioning
- 24x7x365 support via email, phone, and web
Contact Ping Identity for PingOne pricing information.
Setting up PingOne
The PingOne setup is well documented and methodical. You won't need to be some mobile security ninja to get the platform working, but you will need to follow the documentation.
You get the option to choose an identity repository. For purposes of my testing, I chose PingOne Directory because it's cloud-based. You can also choose one of the following repositories:
- AD Connect
- PingFederate
- Google Apps for Work
- 3rd Party Security Assertion Markup Language (SAML)
Configuring the PingOne Dock, where users access SaaS applications, is handled via the Dock Configuration tab, where you can customize the dock to meet your corporate look and feel. There are also options to configure some application settings in the dock.
In cases where the authentication bridge you configure during setup isn't enough security, you have the option to configure a secondary level of authentication using the Authentication Policy Editor.
The PingID tab governs the configuration of an expiration policy to enable single sign-on without PingID or to decline single sign-on attempts using PingID.
There's also a Directory Settings tab where you can configure all the important user password settings including:
- Password requirement
- Password expiration
- Password lockout
Figure A shows the first page of the PingOne Dashboard:
Setting up applications
After getting my PingOne account set up, the first thing I did was go to the platform's well laid out dashboard and then to the Application Catalog, where you configure access to applications. I configured some applications supporting basic SSO for purposes of my testing:
- Microsoft SkyDrive (now Microsoft OneDrive but PingOne still uses the old name)
- Office 365
Figure B shows the applications I chose from the Application Catalog as they appear on the My Application page:
When you go to configure an application that uses SAML, PingOne provides you with detailed documentation on how to configure SSO for that application. Figure C shows an example of the documentation to set up SSO for Dropbox:
You also have the option to configure new SAML and basic SSO applications beyond what is included in the Application Store.
Managing users and user groups
The Users tab is minimalist as application design goes. When you click on a user, you have the option to disable or delete the user from PingOne. You can also view and edit user attributes, group memberships, and directory permissions.
Managing user groups takes place under the Groups tab. By default, there are groups for domain administrators and users. Click on Add Group and you can set up custom groups to fit the access requirements for your partners, contractors, interns, or an internal business unit. Directory permissions can be set as:
- No Access
- User Reader with read-only security access
- User Manager with read access plus the ability to create and modify user directory information through the PingOne user interface or the application programming interface (API)
- Group and Entitlement Manager with user management access plus creating groups, setting group entitlements, and changing group memberships
Ping Identity makes a lot of group configuration options available within a few clicks, so I advise you to be methodical and judicious in how you set up groups, especially if you are extending identity management to contractor and partner mobile users.
There's also a Users by Service tab, where you can see how your users are consuming PingOne services. Figure D shows an example of the Reports page:
Managing your PingOne account
The Account tab includes a few more things than a field for updating your corporate credit card and account options. The tab includes sub-pages for updating your company information including the option to upload your corporate logo. There's also an Administrators tab for adding and managing PingOne administrators. As a global administrator, I got the option to set up the following administrator types:
- Global administrator
- SaaS administrator
- Service user administrator
- Directory administrator
Setting up and using the PingOne mobile app
I installed the free PingOne mobile app on my iPad Air running iOS 8.4. There's also a free Android app available. The one point I'd like to see improved is better documentation and user experience around using the PingID and PingOne apps to sync a device with a PingOne account. It wasn't hard; it could just be a lot smoother based on my experience running Okta through similar steps. However, based on the other elements and good documentation across the project, I'm sure Ping Identity will mature the process as the platform goes through future iterations. Figure E shows an example of the PingOne mobile app's dock:
I like PingOne for enterprises standardized on the cloud, whether it's a large enterprise seeking a better way to manage partner and contractor access to corporate SaaS applications or smaller to mid-sized businesses, with employees who work remotely or in co-working spaces, seeking to better manage access to their SaaS applications.
Will Kelly is a freelance technical writer and analyst currently focusing on enterprise mobility, Bring Your Own Device (BYOD), and the consumerization of IT. He has also written about cloud computing, Big Data, virtualization, project management applications, Google Apps, Microsoft technologies, and online collaboration for TechRepublic and other sites. Will also works as a contract technical writer for clients in the Washington, DC area and nationwide. Follow Will on Twitter: @willkelly.