Configuring PingAccess applications for Azure
Configure PingAccess applications so they are accessible to users through the Microsoft Azure MyApps portal.
Before you begin
-
Install PingAccess and verify that you can access the administrative console. For information on installing PingAccess, see Installing and Uninstalling PingAccess.
The default credential set should be changed upon first usage. The default credentials for your PingAccess installation are:
Username: Administrator Password: 2Access
-
Have a Microsoft Azure AD Premium account for access to the Application Proxy feature.
-
Configure Microsoft Azure AD. For steps to configure Microsoft Azure AD, see https://docs.microsoft.com/azure/active-directory/application-proxy-ping-access.
-
Configure PingAccess to use Azure AD as the token provider.
About this task
For each application that you want to configure:
Steps
-
Create a virtual host.
For more information on creating a virtual host, see Creating new virtual hosts.
In a typical configuration for this solution, you will create a virtual host for every application.
-
Click Applications and then go to Applications → Virtual Hosts.
-
Click Add Virtual Host.
-
In the Host field, enter the FQDN portion of the Azure AD External URL.
Example:
For example, external URLs of https://app-tenant.msappproxy.net/ and https://app-tenant.msappproxy.net/AppName will both have a Host entry of
app-tenant.msappproxy.net
. -
In the Port field, enter
443
. -
Click Save.
-
-
Create a web session.
For more information on creating a web session, see Creating web sessions.
-
Click Access and then go to Web Sessions → Web Sessions.
-
Click Add Web Session.
-
In the Name field, enter a name for the web session.
-
From the Cookie Type list, select your cookie type, either Signed JWT or Encrypted JWT.
-
In the Audience field, enter a unique value.
-
In the Client ID field, enter the Azure AD application ID.
-
From the Client Credentials Type list, select Secret.
-
In the Client Secret field, enter the client secret you generated for the application in Azure AD.
-
Optional: To create and use custom claims with the Azure AD GraphAPI, click Advanced and clear the Request Profile and Refresh User Attributes check-boxes.
Learn more about using custom claims in Optional - Use a custom claim.
-
Click Save.
-
-
Create an identity mapping.
For more information on creating an identity mapping, see Creating header identity mappings.
An identity mapping can be used with more than one application if more than one application is expecting the same data in the header.
-
Click Access and then go to Identity Mappings → Identity Mappings.
-
Click Add Identity Mapping.
-
In the Name field, enter a name.
-
From the Type list, select Header Identity Mapping.
-
In the Attribute to Header Mapping table, specify the required mappings.
Example:
For example:
Attribute Name Header Name upn
x-userprinciplename
email
x-email
oid
x-oid
scp
x-scope
amr
x-amr
-
Click Save.
-
-
Create a site.
For more information on creating a site, see Adding sites.
In some configurations, a site might contain more than one application. A site can be used with more than one application, where appropriate.
-
Click Applications and then go to Sites → Sites.
-
Click Add Site.
-
In the Name field, enter a name for the site.
-
In the Target field, specify the target.
The target is the hostname:port pair for the server hosting the application. Do not enter the path for the application in this field. For example, an application at https://mysite:9999/AppName will have a target value of
mysite:9999
. -
From the Secure list, select whether or not the target is expecting secure connections.
-
Click Save.
-
-
Create an application in PingAccess for each application in Azure that you want to protect.
For more information on creating an application, see Adding an application.
-
Click Applications and then go to Applications → Applications.
-
Click Add Application.
-
In the Name field, enter a name for the application.
-
In the Description field, enter a description for the application.
-
In the Context Root field, specify the context root for the application.
For example, an application at
https://mysite:9999/AppName
will have a context root of/AppName
. If the application is on the root of the server, you can set the context root as/
. The context root must begin with a slash (/), must not end with a slash (/), and can be more than one layer deep, for example,/Apps/MyApp
. -
From the Virtual Host list, select the virtual host you created.
The combination of virtual host and context root must be unique in PingAccess.
-
From the Application Type list, select Web.
-
From the Web Session list, select the web session you created.
-
From the Site list, select the site you created that contains the application.
-
From the Web Identity Mapping list, select the mapping you created.
-
Select the Enabled check box to enable the site when you save.
-
Click Save.
-