PingAuthorize

Setting up Kong Gateway

Download, install, and configure the ping-auth plugin to set up Kong Gateway with PingAuthorize.

About this task

To configure the ping-auth plugin in Kong to set up a connection between PingAuthorize and Kong Gateway:

Steps

  1. Install the plugin by running the luarocks install kong-plugin-ping-auth command.

    See the Kong Gateway plugin installation guide for more information.

  2. After installation, load the plugin into Kong by editing the plugins = bundled,ping-auth property in the kong.conf file.

  3. Restart Kong Gateway.

  4. To confirm loading, look for the debug-level message Loading plugin: ping-auth in Kong’s error.log.

Next steps

  • To complete Kong Gateway setup using Kong Manager, proceed to Using the GUI.

  • To complete Kong Gateway setup using API requests, proceed to Using the API.

  • Using the GUI

  • Using the API

Setting up Kong Gateway using the GUI

Steps

  1. In Kong Manager, select the default workspace and then click Plugins.

    Screen capture of the Plugins window in the default workspace of Kong Manager with the ping-auth plugin loaded
  2. For the ping-auth plugin, click Edit, and then click the toggle to enable the plugin.

    Screen capture of the Update ping-auth plugin window enabling the ping-auth plugin in Kong Manager
  3. Optional: If you want to enable the plugin for specific consumers, services, or routes, click Scoped, and then enter Service, Route, and Consumer information as needed.

  4. Connect Kong Gateway to PingAuthorize:

    1. Copy the PingAuthorize sideband client’s shared secret.

    2. Enter the hostname of your PingAuthorize server and the port of the HTTPS Connection Handler into the Config.Service URL field.

      You can find this port number in the PingAuthorize administrative console by going to Configuration → System → Connection Handlers.

      Example:

      For example, this field’s value could be https://pingauthorize:8443.

    3. Paste the shared secret into the Config.Shared Secret field in Kong Manager.

    4. Ensure the Config.Secret Header Name value in Kong Manager matches the secret header name configured for the Sideband API Servlet Extension in PingAuthorize.

      Screen capture of the Config.Shared Secret and Config.Service Url configuration for the ping-auth plugin in Kong Manger
  5. Optional: Configure the rest of the optional fields in Kong Manager or the API.

    Option API Field Name Description

    Config.Connection KeepAlive Ms

    connection_keepAlive_ms

    The duration to keep the connection alive for reuse. The default is 60000.

    Config.Connection Timeout Ms

    connection_timeout_ms

    The duration to wait before the connection times out. The default is 10000.

    Config.Enable Debug Logging

    enable_debug_logging

    Controls if requests and responses are logged at the debug level. The default is false. For log messages to show in error.log, you must set log_level = debug in kong.conf.

    Config.Verify Service Certificate

    verify_service_certificate

    Controls whether the service certificate is verified. This is intended for testing purposes and the default is true.

  6. Click Update, and then click Update Plugin.

Result

Kong Gateway is now configured to work with PingAuthorize.

Setting up Kong Gateway using the API

Steps

  1. Send the following in a POST request to https://<KONG_URL>/plugins:

    {
      "name": "ping-auth",
      "enabled": true,
      "config": {
        "service_url": "https://<PingAuthorize Server hostname>:<HTTPS Connection Handler port>/",
        "shared_secret": "<shared secret>",
        "secret_header_name": "<shared secret header name>"
      }
    }

    See the following list for more information about the required fields for the previous API request:

    service_url

    The full URL of the Ping policy provider. This should not contain /sideband in the path.

    shared_secret

    The shared secret value to authenticate this plugin to the policy provider.

    secret_header_name

    The header name in which the shared secret is provided.

    You can provide additional configuration in accordance with the Kong API specification. For more information, see the .konghq.com/gateway/2.8.x/admin-api///[Kong documentation].

  2. Optional: Configure the rest of the optional fields through the API.

    Option API Field Name Description

    Config.Connection KeepAlive Ms

    connection_keepAlive_ms

    The duration to keep the connection alive for reuse. The default is 60000.

    Config.Connection Timeout Ms

    connection_timeout_ms

    The duration to wait before the connection times out. The default is 10000.

    Config.Enable Debug Logging

    enable_debug_logging

    Controls if requests and responses are logged at the debug level. The default is false. For log messages to show in error.log, you must set log_level = debug in kong.conf.

    Config.Verify Service Certificate

    verify_service_certificate

    Controls whether the service certificate is verified. This is intended for testing purposes and the default is true.

Result

Kong Gateway is now configured to work with PingAuthorize.