PingAccess

Setting up the token validation workaround

Shared secrets are available out of the box with the PingAuthorize policy decision access control rule, but token validation is not. You can perform the following workaround to set up token validation.

This procedure is optional.

About this task

To set up token validation, you’ll build the call to the introspection endpoint manually and create a policy to check if the token is active.

There are three main steps in this workaround:

  1. Creating an HTTP service for the PingFederate introspection endpoint

  2. Creating attributes for the client_id, client_secret, and active token

  3. Creating a policy to validate the access token

To create an HTTP service for the PingFederate introspection endpoint:

Steps

  1. In the PingAuthorize administrative console, go to Trust Framework > Services > PDP and create a service named PingFederate Introspection.

  2. In the Service Type list, select HTTP.

  3. In the HTTP Settings section:

    1. In the URL field, enter the PingFederate introspection endpoint.

    2. In the HTTP Method list, select POST.

    3. In the Body field, enter token={{HttpRequest.AccessToken.access_token}}

    4. In the Authentication list, select Basic.

    5. In the Username list, select the PingFederate client option.

    6. In the Password list, select the PingFederate client option.

  4. In the Value Processors section, add a new JSON path processor:

    1. In the Processor list, select JSON and enter active in the field.

    2. In the Value Type list, select Boolean.

  5. In the Value Settings section:

    1. In the Type list, select String, and enter Secret in the field.

  6. In the Timeout and Retry section:

    1. In the Request Timeout (ms) field, enter 2000.

  7. Click Save.
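
What the HTTP service configured in the steps above actually sends and checks, as an added Python example that is not part of the PingAuthorize or PingFederate product code: the POST with Basic authentication and a token=... body, the JSON "active" member read as a Boolean, and the 2000 ms timeout, with any transport error, non-200 status or malformed body treated as "not active" so the policy fails closed. The introspection URL and the client credentials are assumed placeholders.

```python
import base64
import json
from urllib.error import URLError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Hypothetical values; take the real endpoint and credentials from your
# PingFederate client configuration (the client_id/client_secret attributes
# the procedure defines in the Trust Framework).
INTROSPECTION_URL = "https://pingfederate.example.com/as/introspect.oauth2"
REQUEST_TIMEOUT_S = 2.0  # mirrors the 2000 ms Request Timeout in the service


def build_introspection_request(client_id, client_secret, access_token):
    """Build the POST the HTTP service sends: Basic auth and token=<value>."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": access_token})  # token={{...access_token}}
    return "POST", headers, body


def token_is_active(status, raw_body):
    """Apply the JSON processor 'active' with value type Boolean.

    Only an HTTP 200 carrying a JSON object whose 'active' member is a real
    boolean true counts as active; error responses, non-JSON bodies, a
    missing member or a string "true" all evaluate to not active.
    """
    if status != 200:
        return False
    try:
        doc = json.loads(raw_body)
    except (ValueError, TypeError):
        return False
    active = doc.get("active") if isinstance(doc, dict) else None
    return active is True  # rejects "true", 1, None and a missing member


def introspect(client_id, client_secret, access_token, url=INTROSPECTION_URL):
    """Perform the live call; returns True only if PingFederate says active."""
    method, headers, body = build_introspection_request(client_id, client_secret, access_token)
    req = Request(url, data=body.encode(), headers=headers, method=method)
    try:
        with urlopen(req, timeout=REQUEST_TIMEOUT_S) as resp:
            return token_is_active(resp.status, resp.read().decode())
    except (URLError, OSError):  # timeout, TLS or connection failure: deny
        return False
```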

Next steps