Ping Identity Platform Reviews

I usually deploy single sign-on and multi-factor authentication using PingOne for customer-facing applications to enhance security and user convenience. I use PingFederate to integrate with Kerberos-based systems, such as Salesforce, AWS, ServiceNow, and Google. I configure various OAuth grant types and set up Windows Service Federation and SAML 2.0 protocol service provider endpoints using PingOne and PingFederate.

It's convenient for users to log in through Ping using the Kerberos adapter because it doesn't require them to authenticate again. If a user is already logged into the organization's domain, the system automatically checks the Kerberos ticket in the background when they try to access another application through Ping. It logs them in without prompting for a password or reauthorization. 

You don't need prior experience to use this; you need to understand how it works. Experience is only necessary when integrating it with systems. For instance, when using any application through Ping in your organization, it just needs to be connected to the organization's domain. This setup works seamlessly on a PC, automatically detecting the Kerberos ticket and logging you in. However, it won't work on a mobile device since the mobile doesn't have a Kerberos ticket. On a mobile phone, you'll be prompted to authenticate again.

I have around ten years of experience with IAM tools, and I have been working mostly on access management for the last few projects. My overall experience, considering that I have worked with various access management tools, like PingFederate and Okta. In terms of identity management, I have worked with IDM and SailPoint. In terms of privileged access management, I want to work closely with CyberArk to provide the service account and administer it to the vault. I also understand the concept of PSM and password rotation. Integrating CyberArk with Ping, you get both RADIUS and SAML. Coming to my roles and responsibilities, in my current project for new application onboarding and access assigned to the IAM team who are assigned service tickets. We pick up those tickets and assign them to us, and then we communicate with the application owners.

The most valuable feature of the solution is the role-based access control. We use role-based access control in our project while onboarding applications. I get to understand how the user provisioning is done and the roles currently available in the system, and we will integrate them with SailPoint IIQ and make those roles requestable. Once the user requests the roles, we can follow the workflow, and SailPoint IIQ will provide the user with the ability to request the roles in Active Directory. While using SSO, we will read the roles and pass them to the application.

I am into cybersecurity IAM and have excellent experience with Ping Identity, especially. I work on implementing SSO using Ping Identity with application support protocols such as SAML 2.0 and OAuth/OIDC connections in production and non-production environments. 

I validate applications and functionalities on PingFederate and PingAccess, provide 24/7 support on prod/non-prod environments, troubleshoot issues, renew certificates, gather requirements, implement changes, and integrate new applications into Ping. 

I also provide authentication and authorization services to applications. I have been working with the operations team and, for the last six months, have upgraded to the engineering team. I create policies, adapters, and selectors for clients.

We implement multi-factor authentication because two-factor authentication had a lot of problems. We have to move to multi-factor authentication for security purposes. We had to implement multi-factor authentication before onboarding the SSO applications.

It is not an easy tool to use. There are two flows: internal and external. 

For internal flows, we use Azure AD authentication for seamless SSO. Users do not need to enter a user ID or password. Once they are authenticated by Azure AD, they are redirected to the application page. 

For external users, the application teams are using multi-factor authentication.

Managing customer identities and providing a secure and seamless login experience for consumer-facing applications.
Protecting APIs from unauthorized access and ensuring secure communication between services.

Enhance security, improve user experience, ensure compliance, and streamline access management.Clients using this Platforms a seamless and secure login experience. Self-service capabilities allow clients to manage their accounts independently, reducing the burden on support teams.

We use the product for migrating applications from on-premises to AWS.

The platform's most valuable feature is its identity management capabilities. It allows us to integrate multiple identity providers (IDPs) seamlessly and manage access policies effectively. Performance-wise, it has been quite reliable compared to other tools.

From a user perspective, if you need to get into our VPN or virtual private network, which is for remote people, there is protected data behind a vault.

And if you need access to the vault, you must use a multi-factor and PingID. Additionally, vicariously, people have to use multi-factor to get into applications. The final aim is to get into laptops and desktops, and you have to use Multi-factor to restart or unlock your PC. You have to use multi-factor. The way that we do multi-factor here is we give the users a choice of using a phone or a Ubiquiti as to something they have.

So after they type in their password and username, they're prompted for a device that they have registered, and they have their choice of a phone or a Ubiquiti, or both.

I wonder if there are multi factors in improving. It's always a deterrent to productivity, naturally. Since I've been on this journey for three years, I've seen the product improve in the sense that it's less impact on productivity. In the beginning days, we had challenges with paying, finding the network, and signing its back-end service in the cloud. However, that's been drastically improved over the years.

The other thing we did was allow users to manage their device profiles. So they can either go in and register on Ubiquiti or a phone directly with the user interface now or web interface, and they can also set their default device which they want to use. So they, like Ubiqui working with PingID, tend to be the default of choice. So they set their Ubiquiti to the default device. And then whenever MFA is prompted, they have the Ubiquiti or default device. So that was a great improvement. And the way we implemented PingID, it's the same user interface regardless if you're getting into VPN, the vault applications, or a laptop or desktop.

So it's the same user interface to manage profiles centrally on a server. Hence if they change it for one use case, they change it for another.

We use PingFederate to provide SSO (Single Sign-On) solutions to enterprise applications. We support protocols like SAML (Security Assertion Markup Language), OAuth, and OpenID Connect. For example, an organization wants to enable SSO for their applications. We use PingFederate to integrate those applications and onboard them with their IdP (Identity Provider).

PingFederate's scalability features supported our organization's growth. 

We use PingFederate as an identity provider (IdP). At the back end, we have Active Directory and Ping Directory as user stores for authentication. For our company, where we have around one million users and a thousand applications, PingFederate enables single sign-on (SSO) using the SAML protocol.

People have different email IDs and applications. Instead of users needing to remember a thousand different credentials, they can authenticate with a centralized system and use a single set of credentials to log in to all authorized applications. This provides a seamless user experience.

I primarily use the platform for OAuth and SAML-enabled applications, especially third-party and SaaS applications. I utilize the SAML protocol for those that support SAML, while for OAuth-supporting applications, I use OAuth, OIDC, and OpenID tokens. Additionally, for server-to-server communication, I employ the client credentials grant. For mobile-based native applications that require refresh tokens, I utilize those as well. I manage OAuth client ID registrations for certain SaaS applications and implement various authorization flows, such as Kerberos authentication for intranet requests and form-based authentication for external network requests. Furthermore, I have integrated Multi-Factor Authentication (MFA) to enhance the security of critical applications.

From a security perspective, I highly value the product's biometric authentication methods such as FIDO, FaceID, YubiKey, and the mobile app. These methods provide a higher security level than email authentication, which can be compromised if the email is breached.