PingAuthorize

Attaching the PingAuthorize Shared Flow to API proxies

About this task

To attach the PingAuth Shared Flow to the API proxies where you want to use PingAuthorize as the external authorization policy runtime service:

Steps

  1. Add a Flow Callout policy:

    1. Go to one of your APIs in Develop → API Proxies and click the Develop tab.

      Ensure you are on the latest revision of the proxy.

    2. Click the icon to add a policy to the Policies list.

    3. In the Extension section, click Flow Callout.

    4. Select PingAuth from the Shared Flow list. Enter a policy name and then click Add.

      Screen capture of the Apigee Add Policy window for Flow Callout policy creation
  2. Attach the Flow Callout policy to flows.

    Because PingAuthorize typically provides fine-grained authorization, you should integrate PingAuthorize late in the PreFlow of the request to the proxy endpoint, after the coarse-grained authentication and authorization functions. See the Apigee documentation for more information on integrating PingAuthorize.

    1. In the Proxy Endpoints list on the left navigation pane, select PreFlow, and then click +Step in the Request section to add a flow step to the request.

      Screen capture of the Apigee proxy endpoint PreFlow step creation
    2. On the Existing tab of the Policy instance, select the Flow Callout policy that you created previously and click Add.

      Screen capture of the Apigee proxy endpoint PreFlow step configuration details
    3. In the Target Endpoints list on the left navigation pane, select PreFlow, and then click +Step in the Response section to add a flow step to the response.

      This allows PingAuthorize to process the API response from the target API before it is processed by Apigee.

    4. On the Existing tab of the Policy instance, select and add the previously created Flow Callout policy.

  3. Save and deploy the updated proxy.

    Screen capture of Apigee target endpoint PreFlow step configuration
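
To confirm the attachment outside the UI, the following added example (not from the Ping Identity or Apigee documentation) checks the XML of an exported proxy bundle for the placement described in the steps above. The XML strings are constructed samples, the policy names FC-PingAuth and Verify-API-Key are assumptions, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the XML layout of an exported Apigee proxy bundle.
POLICY_XML = """<FlowCallout name="FC-PingAuth">
  <SharedFlowBundle>PingAuth</SharedFlowBundle></FlowCallout>"""
PROXY_ENDPOINT_XML = """<ProxyEndpoint name="default"><PreFlow name="PreFlow">
  <Request>
    <Step><Name>Verify-API-Key</Name></Step>
    <Step><Name>FC-PingAuth</Name></Step>
  </Request>
  <Response/>
</PreFlow></ProxyEndpoint>"""
TARGET_ENDPOINT_XML = """<TargetEndpoint name="default"><PreFlow name="PreFlow">
  <Request/>
  <Response><Step><Name>FC-PingAuth</Name></Step></Response>
</PreFlow></TargetEndpoint>"""


def callout_policy_name(policy_xml, shared_flow="PingAuth"):
    """Return the policy name if it is a Flow Callout to shared_flow, else None."""
    root = ET.fromstring(policy_xml)
    if root.tag == "FlowCallout" and root.findtext("SharedFlowBundle") == shared_flow:
        return root.get("name")
    return None


def preflow_steps(endpoint_xml, direction):
    """List the policy names attached to PreFlow/Request or PreFlow/Response."""
    root = ET.fromstring(endpoint_xml)
    return [s.findtext("Name") for s in root.findall(f"PreFlow/{direction}/Step")]


def check_attachment(policy_xml, proxy_xml, target_xml, coarse=("Verify-API-Key",)):
    """Return findings; an empty list means the attachment matches the steps."""
    name = callout_policy_name(policy_xml)
    if name is None:
        return ["policy is not a Flow Callout to the PingAuth shared flow"]
    findings = []
    request = preflow_steps(proxy_xml, "Request")
    if name not in request:
        findings.append("callout missing from proxy endpoint PreFlow request")
    elif any(step in coarse for step in request[request.index(name) + 1:]):
        findings.append("callout runs before a coarse-grained policy")
    if name not in preflow_steps(target_xml, "Response"):
        findings.append("callout missing from target endpoint PreFlow response")
    return findings
```

Pass the names of your own coarse-grained authentication and authorization policies in `coarse`; a finding is reported if any of them is attached after the PingAuth callout.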

Next steps

Configure fine-grained authorization policies in your PingAuthorize Policy Editor. To understand how to target specific API requests and extract other HTTP metadata to use in your policies, see Sideband API policy requests.