HTTP services
The policy decision point (PDP) can make requests to HTTP services. These requests can send and receive text, JSON, and XML content.
HTTP authentication is supported using basic authentication (a user name and password) or an OAuth2 bearer token.
You can send custom headers with any request, and you can build requests dynamically by interpolating attribute values into the URL, the body, and header values. See Attribute interpolation.
Core settings
- URL
URL of the REST endpoint that the PDP calls. The Policy Manager can interpolate attributes anywhere in the URL. Attribute values are not escaped when they are interpolated, so any encoding the URL needs (for example, percent-encoding of a value used as a path segment or query parameter) must be applied in the attribute definition; otherwise a value containing characters such as / or ? can change the path or query string of the request.
- HTTP Method
HTTP method (for example, GET or POST) to send in the request.
- Content Type
Content-Type header to send, describing the body of the request.
- Body
Body to send with the request. The Policy Manager can interpolate attributes anywhere in the body, again without escaping, so values must already be escaped for the body's content type (for example, JSON string escaping) in the attribute definition.
Authentication
The Authentication drop-down lists the following HTTP authentication types, which determine the Authorization header sent with the request:
- None
Default. The PDP sends no Authorization header.
- Basic
Reveals selectors for the attributes whose values are used as the user name and password for HTTP basic authentication. Basic credentials are only base64-encoded, so use this only over TLS with server certificate validation enabled.
- OAuth2
Reveals a token selector. The PDP sends the value of the selected attribute as a bearer token (Authorization: Bearer <token>).
Headers
You can add any number of custom headers to the request. Header names are fixed strings; header values can be constants or attribute values. To switch a value between constant and attribute, toggle C / A next to the header value. An attribute used as a header value should not contain carriage-return or line-feed characters, which would terminate the header.
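As an added example (not code from the Policy Manager or its documentation), the following Python shows why the encoding for the URL, the body and header values must happen in the attribute definition: the same template-substitution step is run with and without a sink-specific encoder for a URL path segment, a JSON body, and a header value. The ${name} placeholder syntax, the interpolate helper, the endpoint URL and the hostile attribute values are all constructed for this example and are not the Policy Manager's own syntax or behaviour.

```python
import json
import re
from urllib.parse import quote

# Placeholder syntax is an assumption for this example; the Policy Manager's
# own syntax is documented under "Attribute interpolation".
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def interpolate(template, attrs, encode=lambda v: v):
    """Replace ${name} with attrs[name], passing each value through `encode`.

    The default encoder is the identity, which mirrors what the page
    describes: no escaping is applied at interpolation time.
    """
    def sub(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"no attribute named {name!r}")
        return encode(str(attrs[name]))
    return PLACEHOLDER.sub(sub, template)


# Encoders a practitioner would apply in the attribute definition, one per sink.
def url_path_segment(value):
    # Percent-encode everything, including '/' and '?', so a value can never
    # add path segments or start a query string.
    return quote(value, safe="")


def json_string_content(value):
    # json.dumps yields a quoted JSON string; strip the outer quotes so the
    # result fits inside the quotes already present in the body template.
    return json.dumps(value)[1:-1]


def header_value(value):
    # Header values must not contain CR or LF; refuse rather than "repair".
    if "\r" in value or "\n" in value:
        raise ValueError("attribute value contains CR/LF (header injection)")
    return value


# Constructed templates for the demonstration (hostname is fictitious).
URL_TEMPLATE = "https://entitlements.example/api/users/${user}/roles"
BODY_TEMPLATE = '{"action": "read", "user": "${user}"}'


def demo():
    """Run each sink with a hostile attribute value, raw and encoded."""
    results = {}

    # URL: a '/' in the value walks out of the intended path segment.
    path_attack = {"user": "alice/../admin"}
    results["url_raw"] = interpolate(URL_TEMPLATE, path_attack)
    results["url_safe"] = interpolate(URL_TEMPLATE, path_attack, url_path_segment)

    # Body: an unescaped quote closes the string and adds a duplicate key,
    # which json.loads resolves in favour of the attacker's later value.
    body_attack = {"user": 'alice", "action": "admin'}
    raw_body = interpolate(BODY_TEMPLATE, body_attack)
    safe_body = interpolate(BODY_TEMPLATE, body_attack, json_string_content)
    results["body_raw_action"] = json.loads(raw_body)["action"]
    results["body_safe_action"] = json.loads(safe_body)["action"]
    results["body_safe_user"] = json.loads(safe_body)["user"]

    # Header: CRLF in the value would smuggle a second header line.
    try:
        interpolate("${tenant}", {"tenant": "acme\r\nX-Admin: true"}, header_value)
        results["header_rejected"] = False
    except ValueError:
        results["header_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The raw URL ends in users/alice/../admin/roles while the encoded one keeps alice%2F..%2Fadmin as a single segment; the raw body parses with action "admin", the encoded body with action "read" and the literal string as the user.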
Certificate validation
Certificate validation settings control how the PDP validates the certificate presented by a TLS (or SSL) based service, and which client certificate and key, if any, it presents for Mutual TLS (M-TLS).
When using external PDP mode, you declare local file-based trust stores and key stores by providing an options file during setup. See Specifying custom configuration with an options file.
When using embedded PDP mode, you do this by assigning Trust Manager Providers and Key Manager Providers to the Policy Decision Service. See Use policies in a production environment.
- Server (TLS)
Server (TLS) settings apply when validating the certificate or certificate chain sent by the server. You have three options:
- No Validation
Skips validation of the server certificate and connects regardless of what the server presents. The connection is still encrypted, but the server is not authenticated, so anyone who can intercept the traffic can impersonate the service. Use this only against test endpoints, never in production.
- Default
This option is the default for Server (TLS).
Uses the default trust store provided by the runtime environment.
Use this when the service's certificate is issued by a certificate authority that the runtime already trusts.
- Custom
Validates the server certificate against a certificate or certificate chain (for example, a private CA) that you store in a trust store.
Custom trust store settings:
- Source
Trust store source. Currently, only file-based trust stores are supported.
- Trust store name
The name given to the trust store in configuration.yml.
- Alias
Certificates in the trust store are identified by alias. Set the alias of the certificate or chain that the PDP validates the server against.
Attributes can be interpolated anywhere in the value.
- Alias password
If the trust store entry is password-protected, provide its password here.
Attributes can be interpolated anywhere in the value.
- Client (M-TLS)
Some services require the client to present a client certificate when the connection is established. To do so, enable this setting and select the key store entry whose certificate and private key the PDP uses during the TLS handshake. The key store itself is never sent to the service; only the certificate chain and a proof of possession of the private key are exchanged.
Custom key store settings:
- Source
Key store source. Currently, only file-based key stores are supported.
- Key store name
The name given to the key store in configuration.yml.
- Alias
Key store entries (a private key together with its certificate chain) are identified by alias. Set the alias of the entry that the PDP uses to authenticate to the service.
Attributes can be interpolated anywhere in the value.
- Alias password
If the private key entry is password-protected, provide its password here.
Attributes can be interpolated anywhere in the value.
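As an added example (not the Policy Manager's code or its configuration format), the following Python expresses the three Server (TLS) options and the Client (M-TLS) setting as settings on an ssl.SSLContext, so the effect of each choice is visible: No Validation disables both the certificate check and the hostname check, Default uses the runtime's CA bundle, Custom trusts only the supplied store, and M-TLS loads a client certificate and key. The mode strings, the function names, and the use of PEM files in place of alias-keyed trust and key stores are assumptions of this example.

```python
import ssl

# The mode strings and function signatures are this example's assumptions;
# they mirror the option names on this page, not a Policy Manager API.
SERVER_MODES = ("no_validation", "default", "custom")


def server_tls_context(mode, trust_store=None):
    """Client-side SSLContext for one of the Server (TLS) options.

    trust_store: path to a PEM CA bundle for the "custom" mode. It stands in
    for the alias-selected entry of the page's file-based trust store.
    """
    if mode not in SERVER_MODES:
        raise ValueError(f"unknown Server (TLS) mode {mode!r}")

    if mode == "no_validation":
        # Encrypts the connection but authenticates nobody: a self-signed
        # certificate, or one issued to another host, is accepted, so an
        # on-path attacker can impersonate the service.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif mode == "default":
        # Runtime trust store: the system CA bundle, certificate required,
        # hostname checked against the certificate.
        ctx = ssl.create_default_context()
    else:
        if trust_store is None:
            raise ValueError("custom mode requires a trust store path")
        # Only the CAs in trust_store are trusted; the system bundle is not
        # loaded. Hostname checking stays on: trusting a private CA without
        # checking the name would let any certificate that CA issued
        # impersonate the service.
        ctx = ssl.create_default_context(cafile=trust_store)

    # Applies to every mode, including "no_validation".
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def mtls_context(mode, trust_store=None, key_store=None, key_password=None):
    """Server validation plus the Client (M-TLS) identity.

    key_store: path to a PEM file holding the client certificate chain and
    private key (the page's alias-selected key store entry); key_password
    unlocks the key when it is encrypted (the page's alias password).
    """
    ctx = server_tls_context(mode, trust_store)
    if key_store is not None:
        ctx.load_cert_chain(certfile=key_store, password=key_password)
    return ctx


def describe(ctx):
    """The security-relevant settings of a context, for review or assertions."""
    return {
        "verifies_server_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    # Only the modes that need no certificate files run stand-alone.
    for mode in ("no_validation", "default"):
        print(f"{mode}: {describe(server_tls_context(mode))}")
```

The custom and M-TLS paths need real PEM files, so the stand-alone run exercises only the two modes that need none; pass a private CA bundle as trust_store and a client certificate-plus-key file as key_store to try the others.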