Preempt Agentless RDP MFA PingID Part 2

In my previous blog, I highlighted the use of the Preempt platform with PingID for agentless multi-factor authentication (MFA) for secure login and policy enforcement. Similarly, it is critical to check and detect anomalous activity when accessing secure applications via federated access.

Because the Preempt platform sees and monitors all login activity, it learns what ‘normal’ activity looks like and detects authentications that may be malicious or that violate organizational policy. In this blog, I am going to go over integrating Preempt into the Ping Federate application. This allows continuous monitoring of logins and dynamic policy enforcement (e.g. step-up authentication) when needed, based on organizational policy and possible malicious activity.

To begin the integration, login to the Preempt platform and go to Administration > Connectors > API Keys.

Enable the API Token Integration.

Create a token for the integration and give it a friendly name for Ping Federate.

Once done, you should see the newly created token in the list.

Copy the token out to notepad for use later by clicking the link. (NOTE: the token is not shown here)

(Screenshot: the API Keys list showing the token PingFederateIntegration, created Wed, Aug 12th 2020, Last used: Never.)

Once this is complete, copy the Ping Federate Preempt integration kit to your Ping servers. Make sure to do this for each Ping Federate node in your environment.

    [svcping@idmping1 ~]$ cd /app/install/ping/preempt/
    [svcping@idmping1 preempt]$ ls
    pf-preempt-integration-kit-3.2.20.zip
    [svcping@idmping1 preempt]$

Stop Ping Federate (on the node being updated, where the integration kit is being deployed).

    Last login: Wed Aug 12 2020 from 10.254.252.112
    [admnickh@idmping1 ~]$ sudo systemctl stop pingfederate
    [sudo] password for admnickh:
    [admnickh@idmping1 ~]$

Unzip the integration kit and copy the jar to the deploy directory. Also copy the login template files to the templates directory (see below).

    [svcping@idmping1 preempt]$ unzip pf-preempt-integration-kit-3.2.20.zip
    Archive:  pf-preempt-integration-kit-3.2.20.zip
      inflating: pf-preempt-integration-kit-3.2.20.jar
      inflating: preemptMfaUI.html
     extracting: preemptNextState.html
    [svcping@idmping1 preempt]$ cp pf-preempt-integration-kit-3.2.20.jar /app/ping/fed/pingfederate-10.1.0/pingfederate/server/default/deploy/
    [svcping@idmping1 preempt]$ cp preempt* /app/ping/fed/pingfederate-10.1.0/pingfederate/server/default/conf/template/
    [svcping@idmping1 preempt]$

Once this is done, start the Ping Federate processes back up.

    [admnickh@idmping1 ~]$ sudo systemctl start pingfederate
    [admnickh@idmping1 ~]$
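The steps above (stop the node, unzip the kit, copy the jar and the templates, start the node) are easy to get slightly wrong on the second or third node. The script below is an added example written for this post, not part of the Preempt integration kit or of Ping Identity's documentation; it performs the same steps for one node and checks the inputs before touching anything. It assumes the kit zip has already been unzipped into a directory, that the layout under the PingFederate home is the one shown above (server/default/deploy and server/default/conf/template), that the service is the systemd unit pingfederate, and that an older kit jar should be removed before the new one is copied in (my addition, not a step in the post). The function and parameter names are mine.

```shell
#!/bin/sh
# Added example, not from the original post or from the integration kit:
# deploy the Preempt integration kit into one PingFederate node, with checks.
# Assumptions: kit already unzipped; systemd unit "pingfederate"; older kit
# jars are removed first. Paths under the PF home are the ones the post shows.
set -eu

# deploy_preempt_kit <extracted-kit-dir> <pingfederate-home> [service-control-cmd]
#   extracted-kit-dir    directory holding the kit jar and the preempt*.html templates
#   pingfederate-home    e.g. /app/ping/fed/pingfederate-10.1.0/pingfederate
#   service-control-cmd  defaults to "sudo systemctl"; a test can pass ":" (a no-op)
deploy_preempt_kit() {
  kit_dir=$1
  pf_home=$2
  svc=${3:-sudo systemctl}
  deploy_dir="$pf_home/server/default/deploy"
  tmpl_dir="$pf_home/server/default/conf/template"

  # Refuse to touch the node unless the kit has exactly one jar and both templates
  # and the target really looks like a PingFederate home.
  jar_count=$(find "$kit_dir" -maxdepth 1 -name 'pf-preempt-integration-kit-*.jar' | wc -l | tr -d ' ')
  [ "$jar_count" -eq 1 ] || { echo "expected exactly one kit jar in $kit_dir" >&2; return 1; }
  for f in preemptMfaUI.html preemptNextState.html; do
    [ -f "$kit_dir/$f" ] || { echo "missing template $f in $kit_dir" >&2; return 1; }
  done
  [ -d "$deploy_dir" ] && [ -d "$tmpl_dir" ] || { echo "$pf_home is not a PingFederate home" >&2; return 1; }

  # Stop the node first: the jar in deploy/ is picked up at startup.
  $svc stop pingfederate
  # Remove any older kit jar (my addition) so two versions of the adapter
  # classes are never deployed side by side.
  find "$deploy_dir" -maxdepth 1 -name 'pf-preempt-integration-kit-*.jar' -exec rm -f {} +
  cp "$kit_dir"/pf-preempt-integration-kit-*.jar "$deploy_dir/"
  cp "$kit_dir"/preempt*.html "$tmpl_dir/"
  $svc start pingfederate
}

# Usage: sh deploy_preempt_kit.sh /app/install/ping/preempt /app/ping/fed/pingfederate-10.1.0/pingfederate
if [ $# -eq 2 ]; then deploy_preempt_kit "$1" "$2"; fi
```

Run it once per node, as the post says to do, after the unzip step; the checks at the top are what stop a half-copied kit (jar present, templates missing) from being started.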

 

Once Ping is back up, log back into the administrator console.

Click on IdP Adapters.

Click to create a new adapter for the Preempt platform. From the list of available types, be sure to pick the Preempt IDP Adapter.

Give the adapter a friendly name and Instance ID. Click Next once complete.

Enter the hostname of the Preempt management server and copy over the token created in the management console. Leave Allow enabled for the time being, until this has been tested and validated; it can be turned off later.

No need to extend the contract at this time. Click Next.

Leave the defaults for the attributes and click Next.

Leave the contract mappings at the default and click Next.

Click Save on the summary page; you should now see the newly created adapter in the list.

The Preempt adapter just created is not an authentication adapter like the IWA or HTML Form adapters, in the sense that it does not present a form or collect a password. It exists to make external calls to the Preempt management server as part of another login. As such, it needs to be added to a composite adapter that first authenticates the user and then redirects to Preempt to check for policy violations. So, next create a new composite adapter to test the adapter and validate the configuration. Give the composite adapter a friendly name.

(Screenshot: the Create Adapter Instance page with Instance Name PreemptComposite, Instance ID PreemptComposite, Type Composite Adapter, Parent Instance None.)

On the options, be sure to pick the primary authentication adapter (HTML Form here) as required and then the Preempt adapter (created earlier) as the secondary check.

Once this is done, click through and save the newly created composite adapter.

Once the adapter is created, assign it to an application to validate the integration.

To ensure we can detect errors and watch the flow, we also need to enable logging for the Preempt adapter. To begin, open log4j2.xml in the conf directory of Ping Federate.

    [svcping@idmping1 ~]$ cd /app/ping/fed/pingfederate-10.1.0/pingfederate/server/default/conf/
    [svcping@idmping1 conf]$ vi log4j2.xml

Add the block of configuration below after the org.pingidentity.RunPF logger to add the Preempt logger class and file handler.

(Screenshot of log4j2.xml: after the existing <Logger name="org.pingidentity.RunPF"> entry and its <AppenderRef>, a new <Logger name="com.pingidentity.adapter.idp.preempt"> with includeLocation="false" and an <AppenderRef> to a new <RollingFile name="PREEMPTFILE"> appender, commented "Preempt log", that writes to ${sys:pf.log.dir}/preemptIdpAdapter.log, uses a <PatternLayout> pattern of %d %-5p [%t] %m%n, a <SizeBasedTriggeringPolicy> sized in KB and an <OnStartupTriggeringPolicy>, a <DefaultRolloverStrategy>, a filePattern under ${sys:pf.log.dir}/preemptIdpAdapter.log. whose suffix is cut off in the screenshot, and ignoreExceptions="false".)

Once this logging is added, restart the Ping Federate node to pick up the additional logging settings.
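Editing log4j2.xml by hand on every node is where typos creep in, and the screenshot above shows the block but not every value in it. The script below is an added example, not the block from the post or from the integration kit: it inserts the same logger (com.pingidentity.adapter.idp.preempt) and the PREEMPTFILE RollingFile appender with awk, does nothing if the logger is already present, and checks that the logger landed after the org.pingidentity.RunPF logger as the post describes. The DEBUG level, the 10000 KB roll size, the maximum of 5 rolled files and the %i file-pattern index are assumptions; the logger name, appender name, log file name, pattern layout, policies and ignoreExceptions="false" are the ones in the screenshot. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post or the integration kit: add the
# Preempt logger and its RollingFile appender to a PingFederate log4j2.xml.
# Assumptions (not from the post): level DEBUG, size 10000 KB, max 5 rolled
# files, %i index suffix. Names, file name and pattern are from the post.
set -eu

PREEMPT_APPENDER='        <!-- Preempt log -->
        <RollingFile name="PREEMPTFILE" fileName="${sys:pf.log.dir}/preemptIdpAdapter.log"
                     filePattern="${sys:pf.log.dir}/preemptIdpAdapter.log.%i" ignoreExceptions="false">
            <PatternLayout>
                <pattern>%d %-5p [%t] %m%n</pattern>
            </PatternLayout>
            <Policies>
                <SizeBasedTriggeringPolicy size="10000 KB" />
                <OnStartupTriggeringPolicy />
            </Policies>
            <DefaultRolloverStrategy max="5" />
        </RollingFile>'

PREEMPT_LOGGER='        <Logger name="com.pingidentity.adapter.idp.preempt" level="DEBUG" additivity="false" includeLocation="false">
            <AppenderRef ref="PREEMPTFILE" />
        </Logger>'
export PREEMPT_APPENDER PREEMPT_LOGGER

# add_preempt_logging <path-to-log4j2.xml>
# Idempotent: a file that already has the Preempt logger is left untouched.
# The appender goes just before </Appenders> (appenders must live there);
# the logger goes right after the </Logger> closing org.pingidentity.RunPF.
add_preempt_logging() {
  file=$1
  if grep -q 'com.pingidentity.adapter.idp.preempt' "$file"; then
    return 0
  fi
  grep -q 'name="org.pingidentity.RunPF"' "$file" || {
    echo "no org.pingidentity.RunPF logger in $file; is this a PingFederate log4j2.xml?" >&2
    return 1
  }
  awk '
    /<\/Appenders>/ && !app_done { print ENVIRON["PREEMPT_APPENDER"]; app_done = 1 }
    { print }
    /name="org.pingidentity.RunPF"/ { in_runpf = 1 }
    in_runpf && /<\/Logger>/ { print ENVIRON["PREEMPT_LOGGER"]; in_runpf = 0 }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# preempt_logging_ok <path-to-log4j2.xml>: succeeds when exactly one Preempt
# logger and one PREEMPTFILE appender exist and the logger follows RunPF.
preempt_logging_ok() {
  file=$1
  [ "$(grep -c 'name="com.pingidentity.adapter.idp.preempt"' "$file")" -eq 1 ] || return 1
  [ "$(grep -c '<RollingFile name="PREEMPTFILE"' "$file")" -eq 1 ] || return 1
  runpf=$(grep -n 'name="org.pingidentity.RunPF"' "$file" | head -n 1 | cut -d: -f1)
  preempt=$(grep -n 'name="com.pingidentity.adapter.idp.preempt"' "$file" | head -n 1 | cut -d: -f1)
  [ "$preempt" -gt "$runpf" ]
}

# Usage: sh add_preempt_logging.sh /app/ping/fed/pingfederate-10.1.0/pingfederate/server/default/conf/log4j2.xml
if [ $# -eq 1 ]; then add_preempt_logging "$1" && preempt_logging_ok "$1"; fi
```

Running it a second time on the same node is harmless, which matters when the same change is rolled across several nodes from one script; the restart the post calls for is still needed afterwards.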

 

With Ping Federate set up, we want to add some policies in the Preempt platform to detect and enforce secure logins. To begin, log in to the Preempt platform, go to Policy > Manage Rules and click Add Rule. Be sure to select Federated access as the trigger type.

In the conditions we can do many different things (e.g. domain admins, privileged users, geolocation, etc.), but to keep it simple we are going to focus on a specific username to validate the login and the integration.

Once done, click Save and apply the changes in the platform.

The rule is now active, so test it out to make sure it is working. I am using an IdP-initiated URL for a test partner:

https://<pingfed>/idp/startSSO.ping?PartnerSpId=DemoPreempt

Log in with your test user and password (this is the form login).

Once you log in with a valid username/password, you will be redirected to the Preempt validation page, where you can choose your option for multi-factor authentication (MFA) based on the Preempt policies.

Once you complete the push notification, you should see the screen below before you are redirected to your intended application.

Then, to complete the flow, you are redirected to your originally requested application.

The video below shows this exchange end-to-end to highlight the integration.