News

Microsoft and Ping Identity Partnering on Web App Access Solutions

• By Kurt Mackie
• 09/14/2016

Microsoft and Ping Identity announced a partnership today that could help organizations that need to authenticate users that are trying to access older ("legacy") Web applications.

The partnership involves integration of PingAccess with Azure Active Directory, Microsoft's cloud-based identity and access management service. Specifically, PingAccess will work with the Azure AD Application Proxy service to permit access to premises-based Web applications via single sign-on (SSO). That is, with SSO, there's just one login that end users have to try to gain access to firewalled applications.

As a consequence of the partnership, a new "PingAccess for Azure AD" solution will be available in preview form sometime in "early 2017," according to Microsoft's and Ping Identity's announcements today. When this solution gets rolled out, Azure AD Premium subscribers will have free access to "20 on-premises web applications." Organizations needing authentications to more than 20 Web apps can license the access from Ping Identity.

In addition, the two companies are partnering on integrating PingFederate into Azure AD Connect. Azure AD Connect is Microsoft's wizard-like setup tool for connecting computing environments with Microsoft's cloud-based identity and access management service. Microsoft's announcement described PingFederate as the third largest third-party "federation server or cloud service used with Azure AD." Last week, Microsoft saw 1.6 million unique users using PingFederate to access Azure AD, while 42 million unique users logged in using Azure AD, according to the announcement.

Legacy Web Apps Support
PingAccess is software that installs in an organization's computing environment or it can be accessed from a public cloud datacenter, such as Amazon Web Services or Microsoft Azure. PingAccess can support Web applications that require HTTP "header-based authentication," which typically get managed by legacy Web access management systems. While Azure AD specifically supports Web applications that use open authentication protocols such as SAML, OAuth 2.0 and Kerberos, organizations told Microsoft that they also wanted support for other authentication protocols.

"That's why we're partnering with Ping Identity," Microsoft's announcement explained, regarding the added protocol support.

According to a Ping Identity white paper (sign-up required for access), organizations may have "legacy on-premises applications that aren't easily accessible via Microsoft Azure AD, even with Azure AD Application Proxy." The integrated PingAccess solution will permit these Web apps to work with Azure AD and will let organizations have SSO access "from any device," without having to use a virtual private network, the white paper explained.

Ping Identity also supports Amazon Web Services SSO via PingFederate or PingOne, according to an AWS partner page. There's also Ping Identity SSO support for Google Apps.

"Coopetition"
Microsoft and Ping are competitors in the identity and access management space, but this partnership deal represents a kind of "coopetition" effort, according to Garrett Bekker, a senior security analyst at 451 Research. He noted that Active Directory can be considered to be the de facto standard for premises-based environments, but this Ping Identity partnership deal will help by adding support on top of those environments.

"I think Ping is realizing here that they have no interest in competing for the employee use case that Microsoft is really interested in," Bekker said in a phone interview today. "One of the problems of Azure AD, and one of the limitations, is that it may primarily be limited to Microsoft environments -- so Azure, Office 365, SharePoint Online, etc. How Ping helps them out there is, by using their federation, they can now extend the applicability of Azure AD outside the Microsoft ecosystem."

Bekker added that many organizations have legacy applications on premises and likely will have them in the future. There are lots of cloud-based authentication services out there, but organizations can't wholly standardize on them. And that's where Ping Identity can help Microsoft.

One emerging area is called "customer identity access management" (CIAM) in which an organization has a need to provide access for its customers in a frictionless way. And that's an area where you'll likely see Microsoft and Ping Identity compete in the future, Bekker said.

However, Microsoft has been very open to partnering, especially with regard to cloud security, according to Bekker.

"They're really looking for help in realizing that not everybody is going to be completely standardized on Microsoft products," Bekker said. "People will still continue to use Salesforce, AWS and Google. They want to be very clear that the things they are doing for cloud security are not just about the Microsoft ecosystem. From that standpoint, I think this partnership helps them in both areas. It helps them fill in some gaps and it also helps them outside the Microsoft ecosystem."

He added cloud security is still a fragmented space. Vendors have been trying to fill in the gaps via partnerships.