Ping Identity PingOne is a solid performer in the Identity-Management-as-a-Service (IDaaS) space. It offers several options for authenticating against an existing Active Directory (AD) environment as well as support for Google Apps or other third-party directories. Where Ping Identity PingOne falls short of some of the competition (including Editors’ Choice winners Microsoft Azure Active Directory and Okta Identity Management) is in areas such as authentication policies and reporting. In these categories, Ping Identity PingOne simply doesn’t offer the same level of sophistication as the competition. However, at a price of $28 per user annually [plus an additional $24 per year if you want to use multi-factor authentication (MFA)], Ping Identity PingOne’s pricing is competitive with the rest of the field of IDaaS solutions. Additionally, its focus on not storing data in the cloud will be attractive to some.
Setup and Configuration
The initial setup and configuration of Ping Identity PingOne is a two-step process. First, your Ping Identity PingOne account must be created along with an administrative user to manage the service. Second, Ping Identity PingOne must be connected to your corporate directory to perform authentication against your existing identity service. Ping Identity offers two options for connecting an existing AD environment: ADConnect (not to be confused with Microsoft’s Azure AD Connect) and PingFederate. ADConnect is a simple installation and requires very little configuration on the directory side. However, it’s limited to a single AD domain, which means most larger organizations will need to opt for PingFederate.
Fortunately, installation of PingFederate is also straightforward, although Java Server Edition is a prerequisite. One criticism I have is that the PingFederate setup utility simply states that the JAVA_HOME environment variable must point to a valid Java runtime, with no mention of the requirement for Server Edition. While Ping Identity PingOne clearly spells out the need for the Java requirement, I would ideally want the setup utility to include all of the prerequisite software—or, at a minimum, offer a clear path to downloading what’s needed prior to or during installation. As it stands, however, you’ll need to locate, download, and install Java on your own before moving on to PingFederate.
Once PingFederate is installed, it launches the web-based Administration console. The console offers the “Connect to an Identity Repository” wizard, which you can use to create an activation key that must then be entered into PingFederate. Once the activation key is entered, have some basic information about your AD environment handy, including things such as distinguished names for a service account and user container. Once this is done, your directory should be connected to Ping Identity PingOne.
I’d have liked to have seen some graphical elements in the directory connection process showing the directory tree, letting you select which containers to sync, or even letting you search and browse to user objects. Ping Identity PingOne should realize that not everyone understands what a distinguished name is, much less its proper syntax.
Ping Identity PingOne can integrate with AD domains by using AD Connect, PingFederate, Google G Suite, or a third-party Security Assertion Markup Language (SAML) directory. While most top vendors in the IDaaS space, including Okta Identity Management and OneLogin, store users and a subset of their available attributes, Ping Identity PingOne doesn’t store copies of your corporate identities. Rather, it connects to your identity provider on demand by using one of the provided connectors. Because of this fundamental architectural difference, most IT professionals will point out that it’s essential to properly implement PingFederate to prevent a single point of failure caused by the PingFederate server being offline.
To be fair here, however, the reality is that much of the competition requires you to maintain a directory connection anyway. The only difference is that most providers simply need this for authentication, not for the full set of user attributes. To me, this architecture differentiation is overkill, but there’s a legitimate hesitation among companies about maintaining privacy while moving to the cloud. So, perhaps Ping Identity has found a good balance between avoiding the cloud altogether and jumping in without a second thought.
There are a few big advantages to using PingFederate alongside Ping Identity PingOne in addition to the increased control over how your identities are exposed. First is the ability to integrate with additional directory types, including Lightweight Directory Access Protocol (LDAP) directories. Closely tied to the standards-based functionality is the ability for PingFederate to connect with multiple identity sources and aggregate them together. Ping Identity PingOne doesn’t offer this ability at the cloud level, so PingFederate is your best bet for merging identities from multiple sources.
PingFederate does offer a wealth of configuration options, including the ability to specify which identity attributes are exposed to Ping Identity PingOne. As user attributes such as email addresses and names are likely to be used for single sign-on (SSO) to Software-as-a-Service (SaaS) applications, these attributes can be critical to your implementation. Selecting which attributes to sync uses a slightly more graphical tool than the directory sync configuration, but it’s buried fairly deep in the PingFederate administration console.
While Ping Identity PingOne doesn’t store user names or their attributes, it does maintain a list of groups synced from your directory. These groups can be assigned apps you’ve configured for SSO. Users who have membership in these groups will then gain access to those apps in their dock.
In most cases, user accounts in SaaS apps will need to be manually provisioned. A limited subset of the available SaaS apps (including Concur and Dropbox) support automated user provisioning, although this is largely on the SaaS apps to expose the required application programming interfaces (APIs). In fact, the Microsoft Office 365 SSO app listed as “SAML with Provisioning” does no such thing. Instead, it requires you to install Microsoft’s directory synchronization tools, meaning the provisioning aspects of that particular app aren’t being handled by Ping at all.
Provisioning configuration in Ping Identity PingOne is cumbersome compared to both Okta Identity Management and OneLogin. Two areas in which I have concerns are the way some SaaS apps are identified and how administrators enable provisioning. Configuring provisioning with Google G Suite requires you to choose the Google Gmail app, which is rather confusing. Provisioning is enabled through the app configuration wizard but requires you to check a box at the bottom of one of the screens to see the options for user provisioning. Provisioning is one of a few must-have features for IDaaS suites, and the limited provisioning support Ping Identity PingOne offers is only a half-step away from not supporting it at all.
Ping Identity PingOne offers strong authentication to apps supporting the SAML standard as well as the ability to log in to other SaaS apps by using stored credentials (much like a password vault). The app catalog clearly states what type of authentication is supported by each app. In fact, some apps support both authentication types (in which case SAML is the recommended method). Connection to an app supporting SAML authentication must typically be configured on both sides of the connection, meaning the SaaS app must have SAML support enabled and some basic configuration must be done. Ping Identity PingOne’s app catalog includes setup information for each SAML app, which makes the configuration of this link fairly straightforward.
Ping Identity PingOne supports increased authentication strength in the form of MFA. MFA can be applied to specific apps and groups of users (or IP address ranges) by using an authentication policy. However, Ping Identity PingOne only offers a single authentication policy and lacks the ability to filter by both group and IP address. This makes Ping Identity PingOne lag behind some of the competition such as Okta Identity Management or Azure AD, both of which at least let you configure authentication policies on a per-app basis.
Ping Identity PingOne’s MFA implementation uses PingID, a smartphone app that performs the additional authentication step either through a confirmation process or a one-time password. Users can also receive one-time passwords through SMS or voice messages or with a YubiKey USB security device. While this is serviceable at a very basic level, Ping Identity PingOne really needs to step up its game if it wants to be taken seriously from an MFA standpoint. Even LastPass Enterprise soundly beats it in terms of MFA capabilities.
SSO is another area in which PingFederate’s architecture choices have an impact. During the SSO authentication process, users sign on to their Ping Identity PingOne dock, which redirects them to the PingFederate service hosted on their corporate network. For users on the internal corporate network, this is likely a non-issue, but it will require some additional firewall configuration (port 443) for users on the outside looking in.
The user-facing SSO dashboard, the Ping Identity PingOne dock, has improved considerably since our last visit. The simple list of SaaS apps has been replaced by a grid of icons that can be navigated using a fly-out menu on the left side. Administrators can enable a personal section of the dock where users can add their own SaaS accounts. Ping Identity PingOne browser extensions enhance the dock experience, providing SSO access to apps without having to return to the dock.
The Ping Identity PingOne dashboard has some canned reports that show log-in statistics, including a world map showing where those authentications are originating from. The reporting functionality covers the basics needed to start gaining information about user authentications being processed through Ping Identity PingOne, but it doesn’t allow for any deep analysis or troubleshooting data.
Pricing and Charges
Ping Identity PingOne costs $28 per user each year and MFA costs an additional $24 annually. Volume and bundle discounts are available from Ping Identity. For a product with clear weaknesses compared to Azure AD, Okta Identity Management, and OneLogin, Ping Identity PingOne’s pricing is competitive but not enough so as to offer much incentive to choose it over the competition.
Overall, Ping Identity PingOne made some architecture choices that are fundamentally different from the competition, and some of them will be appreciated by organizations with security or privacy concerns. Unfortunately, the architecture doesn’t provide enough benefits to overcome some areas where Ping Identity PingOne falls short—particularly the limitation in security policies, barebones reporting, and most critically user provisioning. Unless privacy is your utmost concern and Ping Identity PingOne helps you clear that hurdle, we can’t recommend it over Azure AD, Okta Identity Management, or OneLogin. However, if you’re in an industry that’s particularly sensitive to cloud data security, Ping Identity PingOne could be an acceptable option for you.