In my previous blog, I highlighted the use of the Preempt platform with PingID for agentless multi-factor authentication (MFA) for secure login and policy enforcement. Similarly, it is critical to check and detect anomalous activity when accessing secure applications via federated access.
Because the Preempt platform sits in the path of and monitors all login activity, it builds up a picture of 'normal' activity and can detect authentications that may be malicious or that violate organizational policy. In this blog, I am going to go over integrating Preempt into the Ping Federate application. This allows continuous monitoring of logins and dynamic policy enforcement (e.g. step-up authentication) when needed, based on organizational policy and possible malicious activity.
To begin the integration, log in to the Preempt platform and go to Administration > Connectors > API Keys.
Enable the API Token Integration.
Create a token for the integration and give it a friendly name for Ping Federate.
Once done, you should see the newly created token in the list.
Copy the token out to notepad for use later by clicking the link. (NOTE: the token is not shown here)
Once this is complete, copy the Ping Federate Preempt integration kit to your Ping Federate servers. Make sure to do this for each Ping Federate node in your environment.
Stop Ping Federate on the node where the integration kit is being deployed.
Unzip the integration kit and copy the jar to the deploy directory. Also copy the login template files to the templates directory (see below).
Once this is done, start the Ping Federate processes back up.
Once Ping Federate is back up, log back in to the administrator console.
Click on the IdP adapters.
Click to create a new adapter for the Preempt platform. From the list of available types, be sure to pick the Preempt IDP Adapter.
Give the adapter a friendly name and Instance ID. Click Next once complete.
Enter the hostname of the Preempt management server and paste in the token created in the management console. Leave Allow enabled for the time being, until the integration has been tested and validated; it can be turned off later.
No need to extend the contract at this time. Click Next.
Leave the defaults for the attributes, click Next.
Leave contract mappings the default, click Next.
Click Save on the summary page; you should now see the newly created adapter in the list.
The Preempt adapter that was created is not an authentication adapter like the IWA or HTML Form adapters, in the sense that it does not provide a form or ask for a password. Its job is to make external calls to the Preempt management server as part of another login. It therefore needs to be added to a composite adapter: another adapter authenticates the user, and the user is then redirected to Preempt to check for policy violations. So, next create a new composite adapter to test the Preempt adapter and validate the configuration. Give the composite adapter a friendly name.
On the options, be sure to pick the primary authentication adapter (HTML Form here) as required and then the Preempt adapter (created earlier) as the secondary check.
Once this is done, click through and save the newly created composite adapter.
Once the adapter is created, assign it to an application to validate the integration.
To detect errors and watch the flow, we need to enable logging for the platform as well. To begin, open log4j2.xml in the conf directory of Ping Federate.
Add the block of code below after org.pingidentity.RunPF to add the Preempt logger class and file handler.
Once this logging is added, restart the Ping Federate node to pick up the additional logging settings.
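The logging step above, sketched as an added example; this is not the block from the original post or from the Preempt integration kit. PREEMPT_ADAPTER_PACKAGE is a placeholder for the kit's logger name, which is not given on this page, and the appender name, the log file name and the use of the pf.log.dir system property for the log directory are assumptions.

```xml
<!-- Added example, not the vendor's block.
     Placeholder: replace PREEMPT_ADAPTER_PACKAGE with the logger (package) name
     documented in the integration kit. -->

<!-- 1. Inside the existing <Appenders> element: a dedicated daily-rolling file,
     so adapter messages can be followed separately from the main server log.
     Assumes pf.log.dir resolves to the Ping Federate log directory. -->
<RollingFile name="PreemptFile"
             fileName="${sys:pf.log.dir}/preempt-adapter.log"
             filePattern="${sys:pf.log.dir}/preempt-adapter.%d{yyyy-MM-dd}.log">
  <PatternLayout pattern="%d{ISO8601} %-5p [%c] %m%n"/>
  <Policies>
    <TimeBasedTriggeringPolicy/>
  </Policies>
</RollingFile>

<!-- 2. Inside the existing <Loggers> element, after the org.pingidentity.RunPF logger.
     additivity="false" keeps these messages from also being written by the root logger. -->
<Logger name="PREEMPT_ADAPTER_PACKAGE" level="DEBUG" additivity="false">
  <AppenderRef ref="PreemptFile"/>
</Logger>
```

DEBUG is useful while validating the integration; lower the level to INFO once the flow has been confirmed.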
With Ping Federate set up, we want to add some policies in the Preempt platform to detect and enforce secure logins. To begin, log in to the Preempt platform and go to Policy > Manage Rules and click Add Rule. Be sure to select Federated access as the trigger type.
In the conditions, we can do a lot of different things here (e.g. domain admins, privileged, geo location, etc.), but to keep it simple, we are going to focus on a specific username to validate the login and integration.
Once done, click Save and apply the changes in the platform.
The rule is now active, so test it to make sure it is working. I am using an IdP-initiated URL for a test partner.
https://<pingfed>/idp/startSSO.ping?PartnerSpId=DemoPreempt
Log in with your test user and password (this is the form login).
Once you log in with a valid username/password, you will be redirected to the Preempt validation page, where you can choose your option for multi-factor authentication (MFA) based on the Preempt policies.
Once you complete the push notification, you should see the screen below before you are redirected to your intended application.
Then to complete, you are redirected to your originally requested application.
The video below shows this exchange from end to end to highlight the integration.