Introduction to authentication
Authentication is the act of confirming a user’s identity, for example, by providing a set of credentials.
In access management, authentication is tightly coupled with authorization. You typically need both: to confirm that a user is who they claim to be, and to ensure they can access only the subset of information they are entitled to.
Consider a user who wants to access an online shop. As the owner of the shop, you want to make sure the user’s identity is confirmed as it’s tied to their shipping and email addresses and payment information. You also want to make sure the user can only access their own information.
You can deploy a web agent on the web server hosting the online shop. The agent redirects the user’s request to an AM login page, where the user enters their credentials, such as username and password. AM determines who the user is, and whether the user has the right to access the protected page. AM then redirects the user back to the protected page with authorization credentials that can be verified by the agent. The agent allows the user authorized by AM to access the page.
In the same way, you can also use AM to protect physical devices connected on the Internet of Things (IoT). For example, a delivery van tracking system could have its proxying gateway authenticate to a brokering system using an X.509 certificate so that it can establish an HTTPS connection and then connect to sensors in its delivery trucks. If the X.509 certificate is valid, the brokering system can monitor a van’s fuel consumption, speed, mileage, and overall engine condition to maximize each van’s operating efficiency.
Nodes and trees
AM implements authentication with authentication nodes and trees.
AM provides a large variety of authentication nodes. You can also develop your own nodes based on your authentication requirements.
You connect nodes to create a tree that guides users through the authentication process.
Learn more in Nodes and trees.
Default trees
AM provides the following trees (unless you upgraded from an earlier version using the file-based configuration):
- ldapService: The ldapService tree is the default authentication tree used when administrators and non-administrative users log into AM. The tree validates the user credentials with a Data Store Decision node. Before going to production, make sure you change the default authentication tree or strengthen it. Learn more in Secure realms.
  (Figure: Default ldapService tree)
- Agent: The Agent tree is used by PingGateway and the web and Java agents to authenticate to AM. The tree validates the agent credentials with an Agent Data Store Decision node. This tree is used by all instances of PingGateway and the web and Java agents. Consider this before making any changes or deleting it.
  (Figure: Default Agent tree)
- amsterService: The amsterService tree is used by Amster to authenticate to AM using SSH keys. The tree validates the incoming private key with an Amster Jwt Decision node. Changing or removing this tree could prevent Amster from connecting to AM.
  (Figure: Default amsterService tree)
Sessions
AM creates a journey session to track the user’s progress through an authentication tree. Once the journey has completed, AM creates an authenticated session to manage the user’s access to resources, if appropriate.
A session is not created if the tree has been configured as a no session tree or the noSession query parameter is set.
Learn more in Sessions.
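To make the Nodes and trees and Sessions concepts above concrete, here is an added illustrative model (not AM's own code or API): nodes return named outcomes, edges map each outcome to the next node, the journey records progress, and an authenticated session is issued on success unless noSession applies. The node class names, outcome names, the constructed identity store and one-time codes, and the session shape are assumptions for illustration.

```python
# Added example, not AM's own code: a small model of how an authentication tree
# is evaluated. Node names, outcomes and the session shape are assumptions.
import hashlib
import hmac
import secrets

# Constructed sample identity store: username -> salted SHA-256 of the password.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
_DUMMY = hashlib.sha256(_SALT + b"dummy").hexdigest()  # compared when the user is unknown
_OTP_CODES = {"alice": "493271"}  # constructed one-time codes for the second factor


class DataStoreDecisionNode:
    """Validates username/password against the store; outcomes 'true' or 'false'."""
    def process(self, state):
        username = state.get("username")
        expected = _USERS.get(username, _DUMMY)  # same amount of work for unknown users
        supplied = hashlib.sha256(_SALT + state.get("password", "").encode()).hexdigest()
        ok = hmac.compare_digest(expected.encode(), supplied.encode()) and username in _USERS
        return "true" if ok else "false"


class OneTimeCodeNode:
    """Checks a second factor (assumed node type); outcomes 'true' or 'false'."""
    def process(self, state):
        expected = _OTP_CODES.get(state.get("username"), "")
        supplied = state.get("otp", "")
        ok = bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())
        return "true" if ok else "false"


# A tree maps node name -> (node, {outcome: next node}); SUCCESS and FAILURE are terminal.
MFA_TREE = {
    "checkPassword": (DataStoreDecisionNode(), {"true": "checkOtp", "false": "FAILURE"}),
    "checkOtp": (OneTimeCodeNode(), {"true": "SUCCESS", "false": "FAILURE"}),
}


def run_tree(tree, entry, credentials, no_session=False):
    """Walk the tree from `entry`; return (result, journey) where journey lists (node, outcome)."""
    journey = []  # models the journey session: the user's progress through the tree
    state = dict(credentials)
    current = entry
    while current not in ("SUCCESS", "FAILURE"):
        node, edges = tree[current]
        outcome = node.process(state)
        journey.append((current, outcome))
        current = edges[outcome]
    if current == "FAILURE":
        return {"authenticated": False, "session": None}, journey
    # noSession: the journey succeeded, but no authenticated session is issued.
    session = None if no_session else {"uid": state["username"], "token": secrets.token_urlsafe(16)}
    return {"authenticated": True, "session": session}, journey
```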
Multi-factor authentication
Multi-factor authentication (MFA) is an authentication technique that requires users to provide multiple forms of identification when logging in to AM.
Multi-factor authentication provides a more secure way for users to access their accounts, typically by involving a device the user possesses as one of the factors.
Learn more in Multi-factor authentication (MFA).