PingAccess

Adding PingAuthorize access control rules

Add an access control rule to contact PingAuthorize or PingOne Authorize for access information.

To use this rule with PingOne Authorize, make sure that the Include Identity Attributes checkbox is selected in step 7 of this procedure.

Before you begin

Create a third-party service with PingAuthorize configured as the target. Learn more in Adding third-party services.

About this task

An access control rule can grant or deny access and can modify the request, based on the response from the PingAuthorize request application programming interface (API).

The PingAuthorize sideband API cannot accept gzipped data from upstream server responses. Ensure that requests to the upstream server add or replace the Accept-Encoding header with Accept-Encoding: identity so that the upstream server does not send compressed responses.

PingAuthorize access control rules are available for gateway, sideband, and agent deployments.

In agent deployments, PingAuthorize access control rules have the following limitations:

  • Agents cannot provide the request body to PingAuthorize.

  • Agent caching is disabled for resources or applications that use the PingAuthorize access control rule.

To add a PingAuthorize access control rule:

Steps

  1. In the PingAccess administrative console, click Access and go to Rules > Rules.

  2. Click Add Rule.

  3. In the Name field, enter a unique name of up to 64 characters.

    Special characters and spaces are allowed.

  4. In the Type list, select PingAuthorize Access Control.

  5. In the Third Party Service list, select your PingAuthorize service.

  6. In the Shared Secret field, enter the shared secret from PingAuthorize.

  7. (Optional) To include access token data in the request to PingAuthorize, select the Include Identity Attributes checkbox.

    This option is selected by default.

    If you’re using PingOne Authorize, this checkbox must be selected. PingOne Authorize requires identity attributes.

  8. (Optional) To include the HTTP request body in the HTTP request data sent to PingAuthorize, select the Include Request Body checkbox.

    If PingAuthorize needs the request body for an access decision, make sure that this checkbox is selected. Otherwise, clearing the checkbox could improve performance.

    This option is selected by default.

  9. (Optional) To configure advanced options, click Show Advanced:

    1. (Optional) In the Sideband Endpoint field, enter the sideband API endpoint location.

    2. (Optional) In the Shared secret header name field, enter a header in which to send the shared secret.

    3. (Optional) In the Additional Request Headers section, enter a Header Name and Header Value for any additional headers that you want to include in the request to PingAuthorize. Click Add Row to add other headers as necessary.

      PingAuthorize can use the additional headers to determine the policy set that’s most relevant to the request context.

      If an additional header that you configured appears in a user request, PingAccess replaces the original request header and its corresponding values with the Header Value that you configured. If you leave the Header Value field blank, PingAccess removes this header from the request to PingAuthorize.

      If the Header Value contains the substrings "${APPLICATION_NAME}" or "${RESOURCE_NAME}", PingAccess replaces those strings with the name of the requested application or resource as defined in PingAccess.

  10. Click Save.
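The Additional Request Headers rules in step 9 (replace, remove on blank, placeholder substitution) can be modeled as follows. This is an added example, not PingAccess code: the function name, the header names, and the sample values are hypothetical, and case-insensitive header-name matching is an assumption of the model.

```python
import re

# Placeholders named in the documentation above.
_PLACEHOLDER = re.compile(r"\$\{(APPLICATION_NAME|RESOURCE_NAME)\}")


def build_authorize_headers(client_headers, configured, application_name, resource_name):
    """Return the (name, value) header pairs presented to PingAuthorize.

    client_headers: list of (name, value) pairs from the user request.
    configured: dict mapping each configured Header Name to its Header Value.
    """
    names = {"APPLICATION_NAME": application_name, "RESOURCE_NAME": resource_name}
    # Assumption: header names match case-insensitively, as in HTTP.
    controlled = {name.lower() for name in configured}

    # Every client-supplied value of a configured header is dropped, so a
    # caller cannot pre-seed or append to a header that the rule controls.
    result = [(n, v) for n, v in client_headers if n.lower() not in controlled]

    for name, value in configured.items():
        if value == "":
            continue  # blank Header Value: the header is removed entirely
        # Single-pass substitution, so a substituted name is never re-expanded.
        result.append((name, _PLACEHOLDER.sub(lambda m: names[m.group(1)], value)))
    return result


# Constructed sample request: the client sets X-Policy-Set itself (twice)
# and sends a header that the rule is configured to strip.
SAMPLE_CLIENT_HEADERS = [
    ("Host", "api.example.com"),
    ("x-policy-set", "admin"),
    ("X-Policy-Set", "internal"),
    ("X-Debug", "1"),
    ("Accept", "application/json"),
]
# Constructed rule configuration (header names are hypothetical).
SAMPLE_RULE_HEADERS = {"X-Policy-Set": "${APPLICATION_NAME}/${RESOURCE_NAME}", "X-Debug": ""}

if __name__ == "__main__":
    for n, v in build_authorize_headers(
            SAMPLE_CLIENT_HEADERS, SAMPLE_RULE_HEADERS, "Payments", "Transfers"):
        print(f"{n}: {v}")
```

In the sample, both client-supplied X-Policy-Set values are discarded in favor of the configured one, which is the property to check when a policy set is selected by header.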