PingAuthorize

Environment-specific Trust Framework attributes

With dynamic authorization, policies must be able to retrieve attributes frequently from policy information providers (PIPs) at runtime.

The services and datastores from which additional policy information is retrieved range from development and testing environments to preproduction and production environments.

For example, you might use a Trust Framework service to retrieve a user’s consent from the PingDirectory Consent API. This service depends on the URL of the Consent API, the username and password that are used for authentication, and other items that vary between development, preproduction, and production environments.

About policy configuration keys

To avoid hard-coding values such as URLs, usernames, or passwords, Trust Framework attributes can refer to policy configuration keys, which are key/value pairs defined outside of the Trust Framework and provided to the policy engine at runtime.

To define a Trust Framework attribute that uses a policy configuration key, configure the attribute with a Configuration Key resolver and the name of the policy configuration key.

For example, in the following image, an attribute called ConsentServiceBaseUri is configured to use a policy configuration key called ConsentBaseUri.

Screen capture of the ConsentServiceBaseUri attribute window with the Parent field left blank and the Resolvers section showing the specified configuration

The means by which policy configuration keys are provided to the policy engine differ based on whether the PingAuthorize Server is configured to use external PDP mode or embedded PDP mode, as shown in the following table.

| Mode | Where to define policy configuration keys |
| --- | --- |
| External PDP mode | Define them in an options file and run the Policy Editor's setup tool. |
| Embedded PDP mode | Define them in the PingAuthorize Server configuration. |

Example

In this example, you define a policy information provider (PIP) in the Trust Framework so that various properties needed to connect to the PIP can be changed from those needed for a development environment to those needed for a preproduction environment.

You can complete the PIP definition without needing to update the Trust Framework.

Define a policy information provider for the PingDirectory Consent API that uses the following policy configuration keys:

ConsentBaseUri

The base URL to use when making requests to the Consent API.

ConsentUsername

The username for a privileged Consent API account.

ConsentPassword

The password for a privileged Consent API account.
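
A pre-deployment check for the three policy configuration keys listed above, as an added example that is not part of the PingAuthorize documentation or product. The per-environment dictionary layout, the sample values, and the function names are assumptions made for illustration; this is not the options file format or the server configuration.

```python
from urllib.parse import urlsplit

# Key names come from the page; everything else is constructed for illustration.
REQUIRED_KEYS = ("ConsentBaseUri", "ConsentUsername", "ConsentPassword")
SECRET_KEYS = ("ConsentPassword",)

# Constructed sample values: one key/value map per environment (hypothetical layout).
ENVIRONMENTS = {
    "development": {
        "ConsentBaseUri": "http://localhost:8080/consent/v1",
        "ConsentUsername": "consent-dev",
        "ConsentPassword": "dev-only-secret",
    },
    "preproduction": {
        "ConsentBaseUri": "https://consent.preprod.example.com/consent/v1",
        "ConsentUsername": "consent-preprod",
        "ConsentPassword": "dev-only-secret",  # reused from development
    },
    "production": {
        "ConsentBaseUri": "http://consent.example.com/consent/v1",  # not TLS
        "ConsentUsername": "consent-prod",  # ConsentPassword deliberately absent
    },
}

def check_environment(name, keys, strict_tls=True):
    """Return a list of findings for one environment's key/value map."""
    findings = []
    for key in REQUIRED_KEYS:
        if not keys.get(key):
            findings.append(f"{name}: {key} is missing or empty")
    uri = keys.get("ConsentBaseUri", "")
    parts = urlsplit(uri)
    if uri and strict_tls and parts.scheme != "https":
        findings.append(f"{name}: ConsentBaseUri is not https")
    if parts.username or parts.password:
        findings.append(f"{name}: ConsentBaseUri embeds credentials")
    return findings

def check_all(envs, relaxed=("development",)):
    """Check every environment, then flag secrets shared between environments."""
    findings = []
    seen = {}  # (key, value) -> first environment that used that secret value
    for name, keys in envs.items():
        findings += check_environment(name, keys, strict_tls=name not in relaxed)
        for key in SECRET_KEYS:
            value = keys.get(key)
            if value and seen.setdefault((key, value), name) != name:
                findings.append(f"{name}: {key} reuses the value from {seen[(key, value)]}")
    return findings
```

Running check_all(ENVIRONMENTS) on the constructed data reports the reused preproduction password and the two production problems, which is the kind of drift that appears once values live outside the Trust Framework.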