Configuring PingAccess applications for Microsoft Entra ID
Configure PingAccess applications so they are accessible to users through the Microsoft Entra ID (formerly Microsoft Azure AD) MyApps portal.
Before you begin
- Install PingAccess and verify that you can access the administrative console. Learn more about installing PingAccess in Installing and Uninstalling PingAccess.
  Change the default administrator credentials the first time you sign in. The default credentials for a new PingAccess installation are:
  Username: Administrator
  Password: 2Access
- Have a Microsoft Entra ID Premium account for access to the Application Proxy feature.
- Configure Microsoft Entra ID. You can find steps to configure Microsoft Entra ID in https://docs.microsoft.com/azure/active-directory/application-proxy-ping-access.
- Configure PingAccess to use Microsoft Entra ID as the token provider.
About this task
For each application that you want to configure:
Steps
- Create a virtual host.
  Learn more about creating a virtual host in Creating new virtual hosts.
  In a typical configuration for this solution, you create one virtual host for every application.
  - Click Applications, then go to Applications > Virtual Hosts.
  - Click Add Virtual Host.
  - In the Host field, enter the FQDN portion of the Microsoft Entra ID External URL.
    Example: the external URLs https://app-tenant.msappproxy.net/ and https://app-tenant.msappproxy.net/AppName both have a Host entry of app-tenant.msappproxy.net.
  - In the Port field, enter 443.
  - Click Save.
- Create a web session.
  Learn more about creating a web session in Creating web sessions.
  - Click Access, then go to Web Sessions > Web Sessions.
  - Click Add Web Session.
  - In the Name field, enter a name for the web session.
  - From the Cookie Type list, select your cookie type, either Signed JWT or Encrypted JWT.
    The claims in a signed JWT are only base64url-encoded, so anyone holding the cookie can read them; choose Encrypted JWT if the session cookie carries attributes you do not want exposed to the browser.
  - In the Audience field, enter a unique value.
  - In the Client ID field, enter the Microsoft Entra ID application ID.
  - From the Client Credentials Type list, select Secret.
  - In the Client Secret field, enter the client secret you generated for the application in Microsoft Entra ID.
  - Optional: To create and use custom claims with the Microsoft Entra ID Graph API, click Advanced and clear the Request Profile and Refresh User Attributes checkboxes.
    Learn more about using custom claims in Optional - Use a custom claim.
  - Click Save.
- Create an identity mapping.
  Learn more about creating an identity mapping in Creating header identity mappings.
  An identity mapping can be used with more than one application if more than one application expects the same data in the headers.
  - Click Access, then go to Identity Mappings > Identity Mappings.
  - Click Add Identity Mapping.
  - In the Name field, enter a name.
  - From the Type list, select Header Identity Mapping.
  - In the Attribute to Header Mapping table, specify the required mappings.
    Example:
    Attribute Name | Header Name
    upn            | x-userprinciplename
    email          | x-email
    oid            | x-oid
    scp            | x-scope
    amr            | x-amr
    Because the application trusts the values in these headers as the user's identity, make sure the application accepts requests only from PingAccess; a client that can reach the application directly could otherwise supply these headers itself.
  - Click Save.
- Create a site.
  Learn more about creating a site in Adding sites.
  In some configurations, a site might contain more than one application, and a site can be used with more than one application where appropriate.
  - Click Applications, then go to Sites > Sites.
  - Click Add Site.
  - In the Name field, enter a name for the site.
  - In the Target field, specify the target.
    The target is the hostname:port pair for the server hosting the application. Do not enter the path for the application in this field. For example, an application at https://mysite:9999/AppName has a target value of mysite:9999.
  - From the Secure list, select whether or not the target expects secure (HTTPS) connections.
  - Click Save.
- Create an application in PingAccess for each application in Microsoft Entra ID that you want to protect.
  Learn more about creating an application in Adding an application.
  - Click Applications, then go to Applications > Applications.
  - Click Add Application.
  - In the Name field, enter a name for the application.
  - In the Description field, enter a description for the application.
  - In the Context Root field, specify the context root for the application.
    For example, an application at https://mysite:9999/AppName has a context root of /AppName. If the application is on the root of the server, you can set the context root to /. The context root must begin with a slash (/), must not end with a slash (/), and can be more than one layer deep, for example, /Apps/MyApp.
  - From the Virtual Host list, select the virtual host you created.
    The combination of virtual host and context root must be unique in PingAccess.
  - From the Application Type list, select Web.
  - From the Web Session list, select the web session you created.
  - From the Site list, select the site you created that contains the application.
  - From the Web Identity Mapping list, select the mapping you created.
  - Select the Enabled checkbox to enable the application when you save.
  - Click Save.
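The following Python script is an added example and is not part of the PingAccess documentation or product. Given an Entra ID External URL and the backend URL of the application, it derives the Host, Port, Context Root, Target and Secure values the steps above ask for, enforces the context-root rules stated in the procedure, and flags duplicate virtual host and context root combinations, which PingAccess rejects. The hostnames in the sample input are constructed from the examples on this page; the function and class names are this example's own.

```python
"""Plan the PingAccess objects for an Entra ID Application Proxy-published app.

Added example, not PingAccess code. It applies the rules the procedure states:
the virtual host is the FQDN of the Entra External URL on port 443, the site
target is hostname:port of the backend with no path, and the context root is
the application path with no trailing slash.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class PaPlan:
    host: str          # Virtual Hosts > Host (FQDN of the External URL)
    port: int          # Virtual Hosts > Port (443 in this solution)
    context_root: str  # Applications > Context Root
    target: str        # Sites > Target, hostname:port without a path
    secure: bool       # Sites > Secure, True when the backend speaks HTTPS


def validate_context_root(root: str) -> str:
    """Enforce the context root rules: begins with '/', does not end with '/'
    (except the bare root), and may be several levels deep."""
    if not root.startswith("/"):
        raise ValueError(f"context root must begin with '/': {root!r}")
    if root != "/" and root.endswith("/"):
        raise ValueError(f"context root must not end with '/': {root!r}")
    return root


def context_root_from_path(path: str) -> str:
    """Turn a URL path into a valid context root ('' and '/' both become '/')."""
    return validate_context_root("/" + path.strip("/"))


def plan_application(external_url: str, backend_url: str) -> PaPlan:
    """Derive the PingAccess field values for one application.

    external_url: the Entra ID External URL, e.g. https://app-tenant.msappproxy.net/AppName
    backend_url:  where the application actually runs, e.g. https://mysite:9999/AppName
    """
    ext, back = urlsplit(external_url), urlsplit(backend_url)
    if ext.scheme != "https" or not ext.hostname:
        raise ValueError(f"External URL must be https with a host: {external_url!r}")
    if back.scheme not in ("http", "https") or not back.hostname:
        raise ValueError(f"backend URL must be http(s) with a host: {backend_url!r}")

    context_root = context_root_from_path(ext.path)
    # The site target carries no path, so the request path reaches the backend
    # unchanged: the context root must be where the app lives on the backend too.
    if context_root_from_path(back.path) != context_root:
        raise ValueError(
            f"backend path {back.path!r} does not match context root {context_root!r}")

    secure = back.scheme == "https"
    target_port = back.port or (443 if secure else 80)
    return PaPlan(
        host=ext.hostname,  # FQDN only: scheme, port and path are dropped
        port=443,
        context_root=context_root,
        target=f"{back.hostname}:{target_port}",
        secure=secure,
    )


def find_conflicts(plans: Iterable[PaPlan]) -> List[Tuple[str, str]]:
    """Return (host, context_root) pairs used by more than one application;
    PingAccess requires that combination to be unique."""
    counts = Counter((p.host, p.context_root) for p in plans)
    return sorted(pair for pair, n in counts.items() if n > 1)


if __name__ == "__main__":
    # Constructed sample input based on the hostnames used in the procedure.
    apps = [
        ("https://app-tenant.msappproxy.net/AppName", "https://mysite:9999/AppName"),
        ("https://portal-tenant.msappproxy.net/", "http://intranet.corp.example/"),
        ("https://app-tenant.msappproxy.net/AppName/", "https://mysite:9999/AppName"),
    ]
    plans = [plan_application(ext, back) for ext, back in apps]
    for plan in plans:
        print(plan)
    print("conflicts:", find_conflicts(plans))
```

The third sample deliberately repeats the first application's External URL with a trailing slash: after normalisation it resolves to the same virtual host and context root, so `find_conflicts` reports it, which is the collision the Virtual Host step warns about.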