CIS14: PingAccess in Action

PINGACCESS IN ACTION Peter Motykowski

Sr. Product Engineering Manager

Copyright © 2014 Ping Identity Corp. All rights reserved. 2

Web & API Access Management

Confidential — do not distribute Copyright © 2014 Ping Identity Corp. All rights reserved. 3

The 5Ws

Confidential — do not distribute

• Who – users of Jenkins, the continuous integration server • What – Jenkins and PingAccess, PingFederate • When – live! • Where – localhost, because WiFi is unreliable • Why – because we’re tired of signing-in, again •  How – using PingAccess as an identity-enabled HTTP reverse

proxy

Copyright © 2014 Ping Identity Corp. All rights reserved. 4

Overview of PingAccess / Jenkins Deployment

Confidential — do not distribute Copyright © 2014 Ping Identity Corp. All rights reserved. 5

Decomposing the PingAccess / Jenkins scenario

Confidential — do not distribute Copyright © 2014 Ping Identity Corp. All rights reserved. 6

•  HTTP Reverse Proxy deployment, therefore Jenkins is a Site.

•  Jenkins is comprised of several URLs that will be defined as Resources within an Application.

•  Jenkins is equipped with a plugin[1] for authentication using HTTP Headers via a Reverse Proxy. This is accomplished using Identity Mappings.

[1]https://wiki.jenkins-ci.org/display/JENKINS/Reverse+Proxy+Auth+Plugin

Jenkins

Confidential — do not distribute Copyright © 2014 Ping Identity Corp. All rights reserved. 7

The PingAccess / Jenkins Deployment recipe

Confidential — do not distribute Copyright © 2014 Ping Identity Corp. All rights reserved. 8

A Virtual Host, an Identity Mapping, an OpenID Connect Provider (PingFederate), a Web Session, a Site, and an Application. And a dash of PKI and Policy.

Securing the PingAccess / Jenkins Deployment

Confidential — do not distribute Copyright © 2014 Ping Identity Corp. All rights reserved. 9