PingFederate and NGinx Integration and Deployment Options

Some time ago we started looking at how to integrate PingFederate into our infrastructure.

Our initial use case is as follows: we provide multi-user access to our application, and different companies can use different (their own) identity providers to access our application.

Currently, the flow is limited to this workflow: multiple IdPs for one SP.

However, in the future, the flow may be expanded to many-to-many relationships.

We are currently using NGINX as a reverse proxy, and based on the PingFed documentation, it's very difficult to understand the deployment options we have now.

Based on the chart taken from this guide: PingFed and Apache httpd integration

It is more or less clear how this integration works for Apache httpd. Basically, there is an Apache PingFed agent that works with SSO flows on Apache and basically checks for a "session" or initiates an SSO flow.

Processing Steps

  1. A user attempts to access a resource on the Apache server protected by the PingFederate Apache Agent.
  2. The user is redirected to the PingFederate server for authentication. (If an OpenToken session already exists, the user is granted immediate access.)
  3. The PingFederate server redirects the user's browser to an IdP for authentication using either the SAML or WS-Federation protocols. The IdP partner authenticates the user and returns a SAML assertion.
  4. PingFederate validates the assertion and creates an OpenToken for the user including any configured attributes. PingFederate then redirects the browser, including the OpenToken, back to the Apache Agent.
  5. The Agent verifies the OpenToken and grants access to the protected resource. The User ID and any attributes from the OpenToken are exposed to the resource as HTTP Request Headers or Apache Environment Variables.

And basically in step 5, the Apache agent passes the user information to the actual application using request headers or Apache environment variables.

Based on all the information mentioned above, there are two questions:

  • How to do a similar deployment for PingFed and NGINX (for the option described in this question with Apache httpd)?
  • Whether to use a web server (reverse proxy) with PingFederate at all. Or can PingFederate act as a web server itself? If so, some links and additional explanations would be appreciated.
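As an added illustration (not code from the question, from Ping Identity, or from any agent product), the following Python sketch simulates the agent-side decision from steps 1, 2 and 5 above: look for a session token, verify it, and either pass the user's identity to the backend as request headers or redirect the browser to PingFederate to start SSO. The token layout, the shared secret and the SSO URL are constructed assumptions for the demo, not the real OpenToken format.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders: the shared secret between PingFederate and the
# agent, and the PingFederate SP-initiated SSO endpoint.
AGENT_SECRET = b"example-shared-secret"
PINGFED_SSO_URL = "https://pingfed.example.test/sp/startSSO.ping"
MAC_LEN = hashlib.sha256().digest_size

def mint_token(subject: str, attrs: dict, ttl: int = 300, now: Optional[int] = None) -> str:
    """Step 4 (simplified): issue a MAC-protected token carrying user ID, attributes and expiry.
    The real OpenToken format is different; this layout is an assumption for the demo."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"sub": subject, "attrs": attrs, "exp": now + ttl}).encode()
    mac = hmac.new(AGENT_SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Step 5: check the MAC (constant-time) and the expiry; return the payload or None."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= MAC_LEN:
        return None
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(AGENT_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    payload = json.loads(body)
    if payload.get("exp", 0) <= now:
        return None
    return payload

def agent_decision(cookies: dict, target: str, now: Optional[int] = None) -> dict:
    """Steps 1, 2 and 5: with a valid session, allow and expose attributes as request
    headers for the backend; otherwise redirect to PingFederate to start SSO."""
    payload = verify_token(cookies.get("opentoken", ""), now)
    if payload is None:
        return {"action": "redirect", "location": f"{PINGFED_SSO_URL}?TargetResource={target}"}
    headers = {"X-Remote-User": payload["sub"]}
    for name, value in payload["attrs"].items():
        headers[f"X-Attr-{name}"] = str(value)
    return {"action": "allow", "headers": headers}
```

Whatever the PEP (Apache agent, a custom NGINX module, or PingAccess), the backend must only trust these identity headers when they arrive from the PEP, since a client that can reach the backend directly could set them itself.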
  • There is no Ping Identity PingFederate agent architecture that supports nginx. I suggest you look into the "Agentless Adapter" (also known as the link adapter) and create your own.
  • There is no need to use a reverse proxy with PingFederate. PingFederate uses Jetty as its web container and is capable of serving traffic. We provide options for reverse proxies to support organizations that have requirements against opening a port directly on the application server.

It is worth publishing the final ideas on the solution and our observations.

  • When we tried to integrate PingFed, we realized that PingAccess is very integrated with PingFed, and PingAccess acts as a reverse proxy.


And the main idea is that authentication between PingAccess and PingFed is done using the OpenID Connect protocol. Authentication between PingFederate and the authentication provider can be done in different ways:

  • It could be SAML.
  • It could be another SSO protocol.
  • PingFed can also serve the login page itself and authenticate against some custom DB or LDAP.

However, the authentication flow for the application will remain the same as PingFed hides this complexity.


Ping Identity has released the NGINX Certified PingAccess Agent for NGINX Servers. This PingAccess agent can be deployed on the NGINX web server as a PEP, thereby eliminating the need for proxies.
