--- title: Adding application resources description: Add application resources to existing applications in PingAccess. component: pingaccess version: 9.0 page_id: pingaccess:pingaccess_user_interface_reference_guide:pa_adding_application_resources canonical_url: https://docs.pingidentity.com/pingaccess/9.0/pingaccess_user_interface_reference_guide/pa_adding_application_resources.html revdate: December 4, 2025 section_ids: about-this-task: About this task steps: Steps choose-from: Choose from: choose-from-2: Choose from: choose-from-3: Choose from: choose-from-4: Choose from: choose-from-5: Choose from: choose-from-6: Choose from: --- # Adding application resources Add application resources to existing applications in PingAccess. ## About this task An application resource is a component within an application that requires a different level of security. These instructions describe how to add, edit, and delete application resources and how to configure resource ordering, authentication policy, and application type. There are two resource types: standard and virtual. * Standard resources Standard resources exist on the target destination, and users can be directed to them. * Virtual resources Virtual resources exist only in PingAccess. When a user attempts to access them, PingAccess generates a specified response. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Some applications allow you to specify the parameters of a request in the query string or the POST body. If you are managing such an application and are defining its resources using query parameters, use caution when defining the resource to ensure that PingAccess and the application treat the resource in the same way. | ## Steps 1. Click **Applications**, then go to **Applications > Applications**. 2. Click to expand the application that you want to modify resources on, then click the **Pencil** icon and click the **Resources** tab. ### Choose from: * To add a resource, click **Add Resource**. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | A group containing all global unprotected resources is displayed on the first **Resources** page. Review this list before adding a resource to make sure that there won't be a conflict between the new resource's path patterns and any unprotected resource path pattern. | * To edit a resource, expand the resource and click the **Pencil** icon. * To delete the resource, expand the resource and click the **Delete** icon. 3. Enter a unique **Name** of up to 64 characters, including special characters and spaces. 4. Enter a list of Uniform Resource Locator (URL) *(tooltip: \
\

Identifies a resource according to its internet location.\

\
)* path patterns within the context root that identify this resource. If [resource ordering](pa_application_resources.html#section_ys3_mhr_ddb) is enabled, select the path pattern type, **Basic** or **Regex**. The path pattern must start with a forward slash (/). It begins after the application context root and extends to the end of the URL. If automatic path pattern evaluation ordering is in use (default), patterns can contain one or more wildcard characters (`*`). No use of wildcards is assumed. For example, there is a difference between `/app/` and `/app/*`. If a request matches more than one resource, the most specific match is used. If you enable manual path pattern ordering (resource ordering), you can use regular expressions in the path pattern. When one or more path patterns contain a regular expression, you can't revert to automatic path pattern ordering unless you remove that path pattern | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you have specified a regular expression, make sure that you select the **Regex** path pattern type. If you don't, the pattern will be interpreted incorrectly as a **Basic** text string.The application reserved path can't be used as a path pattern when the context root is `/`. The default application reserved path is `/pa`(`/pa*`). You can modify the default application reserved path using the PingAccess admin application programming interface (API) *(tooltip: \
\

A specification of interactions available for building software to access an application or service.\

\
)*.If you selected the **Use context root as reserved resource base path** checkbox on your application, you can't use the application context root as a path pattern either. This checkbox turns the application context root into a reserved resource, and a reserved application context root can't be used in an application's resource paths. | 5. If you have enabled resource ordering, select an option in the **Query Parameters** section. The **Query Parameters** section lets you define the resource by query parameters in addition to path patterns. ### Choose from: * To define the resource without regard to query parameters, select **Match Any**. * To define the resource using one or more query parameters, select **Match Specific**: * Select **Matches No Parameters** to match the result to the resource if no query parameters are present and if at least one query parameter is present and matches. If this option is deselected, at least one query parameter must be present and must match. * Enter one or more **Name**-**Value** pairs, or enter a **Name** and select **Any** to match any value for the given name. 6. Select a **Resource Authentication** type. ### Choose from: * If the resource requires the same authentication as the root application, select **Standard**. * If this resource has no authentication requirements, select **Anonymous**. Identity mappings are still applied if the user is already authenticated. Access control and processing rules are applied where applicable. * If this resource has no authentication requirements, select **Unprotected**. Processing rules are applied where applicable. No application or resource access control policy is applied. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | These options are not available for unprotected applications.* Web applications are unprotected when they don't have an associated web session. * API applications are unprotected when they aren't protected by an authorization server. | 7. If the application is a protected web application with a web session, select an **Authentication Challenge Policy** to generate authentication challenge responses for the resource or click **[icon: plus, set=fa]Create** to create a new authentication challenge policy. Otherwise, proceed to the next step. 8. If you are using the PingOne Protect integration on a protected web application, select a **Risk Policy** to enforce on the resource or click **+Create** to create a new risk policy. Otherwise, proceed to the next step. | | | | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | You must set up a PingOne connection before you can create a risk policy. You can find more information on how to set these up through the administrative console in [Adding a PingOne connection](pa_adding_a_p1_connection.html) and [Adding a risk policy](pa_adding_a_risk_policy.html). You can find more information on the capabilities that a risk policy can provide in [PingOne Protect integration](../agents_and_integrations/pa_p1risk_policy_eval_integration.html).A risk policy applied at the resource level takes precedence over one applied at the application level. PingOne risk policies depend on mapping user identity attributes to the risk evaluation requests, so the PingAccess administrative console will prevent you from saving an unprotected application or resource with a risk policy. | 9. (Optional) If you're using an **API** or **Web + API** type application and want to configure different DPoP settings for the application resource than the global DPoP settings that you configured in the [token provider](pa_token_provider.html): | | | | - | ----------------------------------------------------------------------------------------------------------------------- | | | If you are using PingFederate as the token provider, you must use PingFederate 11.3 or later to configure DPoP support. | 1. Select **Override DPoP Settings**. 2. In the **DPoP Type** list, select the level of OAuth 2.0 Demonstrating Proof of Possession (DPoP) support that you want to enable for access token validation: * **Off** (default): PingAccess doesn't accept DPoP-bound access tokens, only bearer tokens. * **Enabled**: PingAccess accepts both bearer tokens and DPoP-bound access tokens. * **Required**: PingAccess doesn't accept bearer tokens, only DPoP-bound access tokens. 3. To require each DPoP proof to contain a nonce value during validation that was provided by PingAccess when the access token was created, per [RFC 9449 section 9](https://www.rfc-editor.org/rfc/inline-errata/rfc9449.html#:~:text=Next%20Nonce%20Value-,9.%20%20Resource%20Server%2DProvided%20Nonce,-Resource%20servers%20can), select **Require Nonce**. This check box is cleared by default. 4. In the **DPoP Proof Lifetime (SEC.)** field, enter the duration, in seconds, that a DPoP proof should be considered valid after it's issued. | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------- | | | As a security best practice, keep this value low and consistent with the DPoP implementation of your API client. The default value is 120 seconds. | 10. In the **Methods** list, select one or more methods supported by the resource. You can find a list of common HTTP methods and their intended usage in [RFC 9110: HTTP Semantics](https://www.rfc-editor.org/rfc/rfc9110.html#section-9). | | | | - | -------------------------------------------------------------------- | | | PingAccess doesn't support the `CONNECT`, `PRI`, or `QUERY` methods. | Leave the asterisk default if the resource supports all other HTTP methods, including custom methods. Defining methods for a resource allows more fine-grained access control policies on resources. If you have a server optimized for writing data (POST, PUT) and a server optimized for reading data (GET), you might want to segment traffic based on the operation being performed. 11. To log information about the transaction to the audit store, select the **Audit** checkbox. 12. If the application type is **Web + API**, and **SPA Support** is disabled on the root application, indicate whether the application resource should override the fallback type specified for the main application. If you select **Yes** for this option, select the method to be used for the application resource when a request doesn't contain a web session cookie or OAuth *(tooltip: \
\

A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\

\
)* token. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Carefully consider your configuration when making this selection. Changing the application fallback type can have unexpected effects on resources that do not override the fallback.For example, if you configure a **Web + API** application with a fallback type of **Web** along with several resources that do not override the fallback type, these resources will emit a `401` response (rather than a `302` to PingFederate) if you later change the fallback type to **API** on the main application.The PingAccess runtime uses fallback type to determine which processing flow (Web or API) to use when the request doesn't contain a web session or an API OAuth Bearer token. When a request doesn't contain either of these authentication mechanisms, it relies on this configuration to determine which processing flow to use. | 13. To enable the resource, select the **Enabled** checkbox. 14. In the **Resource Type** list, select a resource type: ### Choose from: * If the resource exists on the target destination, select **Standard**. * If the resource only exists in PingAccess, select **Virtual**. PingAccess generates a response when a user attempts to access the resource. 15. If you selected the **Virtual** resource type, in the **Type** list, select a response generator type: ### Choose from: * To redirect the user to a new URL with the specified response code, select **Redirect**. * To create a response using a specified template, select **Template**. * To make user attributes available to other applications as a JavaScript Object Notation (JSON) *(tooltip: \
\

An open, lightweight data-interchange format that uses human-readable text to store and transmit data.\

\
)* payload, select **JSON Identity Mapping**. * To end the application web session and optionally redirect the user to a specific landing page after logout, select **Logout**. All applications using the same web session are logged out. | | | | - | ------------------------------------------------------------------------------------------------------- | | | You can only use the **Logout** virtual resource type if PingFederate is the configured token provider. | 16. If you selected the **Redirect** response generator, specify the redirect parameters: 1. In the **Redirect URL** field, enter a relative or absolute URL to which users should be redirected. 2. In the **Response Code** list, select a response code: * **301 – Moved permanently** This is a permanent redirect that doesn't require the redirect to maintain the original HTTP method. * **302 – Found** This is a temporary redirect that doesn't require the redirect to maintain the original HTTP method. * **307 – Temporary Redirect** This is a temporary redirect that requires the redirect to maintain the original HTTP method. * **308 – Permanent Redirect** This is a permanent redirect that requires the redirect to maintain the original HTTP method. 3. To opt out of automatic URL encoding, deselect the **Encode URL** checkbox. Learn more in the **Opt out of automatic URL encoding** release note in [PingAccess 8.1 (June 2024)](../release_notes/pa_release_notes.html#previous-releases). 17. If you selected the **Template** response generator, specify the template parameters: 1. In the **Media Type** list, select or enter a media type for the template. 2. In the **Template** field, enter a template in Velocity Template Language (VTL). When a user accesses the virtual resource, the template is processed and returned as the response. The template can include information about the user, resource, and application according to this data model: * `identity.subject` A string containing the subject name of the identity. This property is only available if the user is authenticated. * `identity.attributes` An object containing user attributes set by the token provider. For example, `identity.attributes.role` could contain a role set by the token provider. This property is only available if the user is authenticated. * `identity.trackingID` A string containing the tracking ID of the identity. This property is only available if the user is authenticated. * `resource.name` A string containing the name of the requested resource. * `application.name` A string containing the name of the requested application. * `application.realm` A string containing the OAuth *(tooltip: \
\

A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.\

\
)* realm associated with the application. If the realm isn't defined by the application, it is inferred to be the requested authority and the application's context root. * `exchangeId` A string containing the ID for the current transaction. 3. In the **Response Code** list, select a response code: * `200`: OK * `201`: Created * `400`: Bad Request * `401`: Unauthorized * `403`: Forbidden * `404`: Not Found * `405`: Method Not Allowed 18. If you selected the **JSON Identity Mapping** response generator, select **Inclusion List** or **Exclusion List**: ### Choose from: * To map the specified attributes to corresponding property names, select **Inclusion List**. If you select this option, enter a corresponding **Attribute Name** and **Property Name** on each row. Click **[icon: plus, set=fa]Add Row** to add additional rows. * To expose all attributes except for those you specify, select **Exclusion List**. If you select this option, enter zero or more excluded attributes in the **Excluded Attributes** field. 19. If you selected the **Logout** response generator, specify the logout parameters: 1. (Optional) In the **Post-logout Redirect URI** field, enter a Uniform Resource Identifier (URI) *(tooltip: \
\

Identifies a web resource with a string of characters conforming to a specified format.\

\
)* to which the user is directed after logout. The format of this URI determines the logout behavior: * No URI: single logout (SLO) *(tooltip: \
\

The process of signing a user out of multiple sites where the user has started a SSO session.\

\
)* defaults to the token provider settings. * Absolute URL without variables: The PingAccess session is cleared and SLO isn't triggered. * URL containing the `${SLO}` variable: The `${SLO}` variable is replaced with the PingFederate `ping_end_session_endpoint`, which triggers SLO. For example, if the PingFederate `ping_end_session_endpoint` is `https://pingfederate:9031/idp/startSLO.ping`, a value of `${SLO}?TargetResource=https://example.com` would direct the user to the PingFederate endpoint, trigger SLO, and then redirect the user to `https://example.com`. * Relative path: The relative path is appended to the application path to form the destination and SLO isn't triggered. * PingFederate parameters: The parameters are passed to PingFederate and SLO is triggered. You can find more information in [IdP endpoints](https://docs.pingidentity.com/pingfederate/latest/developers_reference_guide/pf_idp_endpoints.html). 2. To opt out of automatic URL encoding, deselect the **Encode URL** checkbox. Learn more in the **Opt out of automatic URL encoding** release note in [PingAccess 8.1 (June 2024)](../release_notes/pa_release_notes.html#previous-releases). 3. If session validation and single logout aren't available with the token provider, you can select the **Revoke Access Token** checkbox to prevent session replay after a user signs off. Access token revocation should be compatible with any OIDC provider. Error messages are available in the PingAccess error log. When you enable this checkbox, PingAccess: * Sends an access token revocation request for the associated application to the token provider during sign off, per [RFC 7009](https://www.rfc-editor.org/rfc/rfc7009.txt). This prevents potential bad actors from using stored cookies during future authorization requests when PingAccess must refresh the user attributes. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------- | | | For the access token revocation request, PingAccess uses the client credentials configured on the associated application's web session. | * Clears user attributes from the local cache on the engine that received the sign-off request if the **Cache User Attributes** setting is enabled. 20. Click **Save**.