PingAccess

Application field descriptions

The following table describes the fields available for managing applications on the Applications tab.

Field Required Description

Name

Yes

A unique name for the application.

Description

No

An optional description for the application.

Context Root

Yes

The context at which the application is accessed at the site.

This value must meet the following criteria:

  • It must start with /.

  • It can contain additional / path separators.

  • It must not end with /.

  • It must not contain wildcards or regular expression strings.

  • The combination of the Virtual Host and Context Root must be unique. The following is allowed and incoming requests will match the most specific path first:

    • vhost1:443/App

    • vhost1:443/App/Subpath

  • /pa is, by default, reserved for PingAccess and is not allowed as a Context Root. You can change this reserved path using the PingAccess Admin application programming interface (API).

Case Sensitive Path

No

Indicates whether or not to make request Uniform Resource Locator (URL) path matching case sensitive.

Virtual host(s)

Yes

Specifies the virtual host for the application. Click Create to create a virtual host. See Creating new virtual hosts for more information.

Application Type

Yes

Specifies the application type, either Web, API, or Web + API.

  • If the Application Type is Web, select the Web Session if the application is protected and, if applicable, the Web Identity Mapping for the application.

Select an Authentication Challenge Policy to produce authentication challenges for the application. You can enter an OpenID Connect Provider Issuer URL to replace the visible URL during authentication if the token provider supports it.

Select a Risk Policy to enforce continuous authorization with PingOne Protect on the application.

You must set up a PingOne connection before you can create a risk policy. For more information on how to set these up through the administrative console, see PingOne Protect integration, Adding a PingOne connection and Adding a risk policy.

PingOne risk policies depend on mapping user identity attributes to the risk evaluation requests, so the PingAccess administrative console will prevent you from saving an unprotected application or resource with a risk policy.

Click +Create underneath the desired field to create a new web session, identity mapping, authentication challenge policy, or risk policy. * If the Application Type is API, specify whether or not you want to enable SPA Support. Indicate the method of Access Validation and, if applicable, select the API Identity Mapping for the application.

If you want to configure different DPoP settings for the application than the global settings you specified in the token provider, follow step 9 in Adding application resources to complete your configuration.

Click Create to create an access validation or identity mapping.

If you try to use a remote access token validator on your PingAccess API application without first configuring the introspection endpoint on the OAuth Authorization Server tab of the Token Provider page, you get the following error message:

Cannot use remote validation as authorization server does not have an Introspection endpoint.

  • If the Application Type is Web + API, indicate the method of Access Validation. Select the Web Session and, if applicable, the Web Identity Mapping and API Identity Mapping to use for each type.

Select an Authentication Challenge Policy to produce authentication challenges for the application. In this configuration, the web session is required and the API is protected by default.

Click Create to create an access validation, web session, web identity mapping, API identity mapping, or authentication challenge policy.

You can enter an OpenID Connect Provider Issuer URL to replace the visible URL during authentication if the token provider supports it.

Specify whether you want to enable SPA Support.

If you want to configure different DPoP settings for the application than the global settings you specified in the token provider, follow step 9 in Adding application resources to complete your configuration.

Destination

Yes

Specifies the application destination type, either Site, Agent, or Sideband.

  • If the destination is a Site, select the Site requests are sent to when access is granted. If HTTPS is required to access this application, and at least one non-secure HTTP listening port is defined, select the Require HTTPS option. Click Create to create a Site. For more information, see Adding sites.

  • If the destination is an Agent, select the agent that intercepts and validates access requests for the application. Click Create to create an Agent. For more information, see Adding agents.

  • If the destination is Sideband, select the sideband client that queries PingAccess for authorization and request/response modification. Click Create to create a sideband client. For more information, see Adding sideband clients.

Enabled

No

Select to enable the application and allow it to process requests.

Advanced Settings

To configure advanced settings on an application, expand the Show Advanced Settings section at the bottom of the Applications tab, just above the Enabled check box. These settings are optional.

Field Description

Use context root as reserved resource base path

Selecting the Use context root as reserved resource base path check box provides access to reserved PingAccess resources and runtime API endpoints from the context root of this application in addition to the globally-defined reserved application context root.

By default, the reserved application context root is /pa. You can change this value in /applications/reserved using the PingAccess admin API. If you change the reserved application context root, make sure to update your calls to PingAccess endpoints and any other application URLs that reference the reserved path accordingly.

When this setting is enabled, PingAccess adds this application’s context root before the reserved application context root in any content that references the reserved path to ensure that it responds to those requests. For example, the path to an endpoint changes from [reserved application context root]/[endpoint] to [application context root]/[reserved application context root]/[endpoint].

If you have a web application with a context root of myApp, PingAccess changes the path to the OpenID Connect (OIDC) endpoint to https://[host]/myApp/pa/oidc/cb instead of https://[host]/pa/oidc.cb.