PingAccess

Adding PingAuthorize access control rules

Add an access control rule to contact PingAuthorize for access information.

Before you begin

Create a third-party service with PingAuthorize configured as the target. Learn more in Adding third-party services.

About this task

An access control rule can grant or deny access, and can modify the request, based on the response from the PingAuthorize request application programming interface (API).

The PingAuthorize sideband API cannot accept gzipped data from upstream server responses. Ensure that requests to the upstream server carry Accept-Encoding: identity, either by adding the header or by replacing any existing Accept-Encoding value, so that the upstream server does not send compressed responses.

PingAuthorize access control rules are available for gateway, sideband, and agent deployments.

In agent deployments, PingAuthorize access control rules have the following limitations:

  • Agents cannot provide the request body to PingAuthorize.

  • Agent caching is disabled for resources or applications that use the PingAuthorize access control rule.

To add a PingAuthorize access control rule:

Steps

  1. Click Access and then go to Rules → Rules.

  2. Click Add Rule.

  3. In the Name field, enter a unique name, up to 64 characters long.

    Special characters and spaces are allowed.

  4. In the Type list, select PingAuthorize Access Control.

  5. In the Third Party Service list, select your PingAuthorize service.

  6. In the Shared Secret field, enter the shared secret from PingAuthorize.

  7. Optional: To include access token data in the request to PingAuthorize, select the Include Identity Attributes check box.

    This option is selected by default.

  8. Optional: To include the HTTP request body in the HTTP request data sent to PingAuthorize, select the Include Request Body check box.

    If PingAuthorize needs the request body for an access decision, make sure that this check box is selected. Otherwise, clearing the check box could improve performance.

    This option is selected by default.

  9. Optional: To configure advanced options, click Show Advanced:

    1. Optional: In the Sideband Endpoint field, enter the sideband API endpoint location.

    2. Optional: In the Shared secret header name field, enter a header in which to send the shared secret.

    3. Optional: In the Additional Request Headers section, enter a Header Name and Header Value for any additional headers that you want to include in the request to PingAuthorize. Click Add Row to add other headers as necessary.

      PingAuthorize can use the additional headers to determine the policy set that’s most relevant to the request context.

      If an additional header that you configured appears in a user request, PingAccess replaces the original request header and its corresponding values with the Header Value that you configured. If you leave the Header Value field blank, PingAccess removes this header from the request to PingAuthorize.

      If the Header Value contains the substrings "${APPLICATION_NAME}" or "${RESOURCE_NAME}", PingAccess replaces those strings with the name of the requested application or resource as defined in PingAccess.

  10. Click Save.
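
The Additional Request Headers behavior described in step 9 (replace, remove when blank, and name substitution), modeled as an added example that is not PingAccess code. The header names, application name, and resource name are hypothetical, and case-insensitive header matching is an assumption:

```python
# Added illustration: a model of the documented header handling, not PingAccess code.
# Assumptions: header names match case-insensitively; a blank Header Value is "".

def build_sideband_headers(request_headers, configured_rows, application_name, resource_name):
    """Return the (name, value) header pairs forwarded to PingAuthorize.

    request_headers: (name, value) pairs from the user request, duplicates allowed.
    configured_rows: (Header Name, Header Value) rows from the rule.
    """
    configured_names = {name.lower() for name, _ in configured_rows}

    # Every client-supplied instance of a configured header is dropped, so a
    # caller cannot steer policy selection by sending that header itself.
    forwarded = [(n, v) for n, v in request_headers
                 if n.lower() not in configured_names]

    for name, value in configured_rows:
        if value == "":
            continue  # blank Header Value: the header is removed entirely
        value = value.replace("${APPLICATION_NAME}", application_name)
        value = value.replace("${RESOURCE_NAME}", resource_name)
        forwarded.append((name, value))
    return forwarded


# Constructed sample input; header, application and resource names are hypothetical.
SAMPLE_REQUEST = [
    ("Host", "app.example.com"),
    ("x-policy-context", "admin-console"),   # client-supplied value for a configured header
    ("X-Policy-Context", "internal"),        # duplicate with different casing
    ("X-Internal-Trace", "abc123"),
]
SAMPLE_ROWS = [
    ("X-Policy-Context", "${APPLICATION_NAME}/${RESOURCE_NAME}"),
    ("X-Internal-Trace", ""),                # blank value: strip from the request
]

def demo():
    return build_sideband_headers(SAMPLE_REQUEST, SAMPLE_ROWS, "Payments", "Invoices")

if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
```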