PingGateway 2024.11

Policy enforcement

PingGateway as a policy enforcement point (PEP) uses the PolicyEnforcementFilter to intercept requests for a resource and provide information about the request to AM.

AM as a policy decision point (PDP) evaluates requests based on their context and the configured policies. AM then returns decisions indicating what actions are allowed or denied and any advice, subject attributes, or static attributes for the specified resources.

You can find more information in the PolicyEnforcementFilter and AM’s Authentication and SSO documentation.

Deny requests without advice

The following image shows a simplified flow of information when AM denies a request without advice.

policydp-allowdeny-noadvices

Deny requests with advice as parameters in a redirect response

The following image shows a simplified flow of information when AM denies a request with advice and PingGateway returns the advices as parameters in a redirect response.

This is the default flow, most used for web applications.

policydp-noauthheader

Deny requests with advice in a header

The following image shows a simplified flow of information when the request to PingGateway includes an x-authenticate-response header with the value header. If the header has any other value, the flow in Deny requests with advice as parameters in a redirect response takes place.

To change the name of the x-authenticate-response header, refer to the authenticateResponseRequestHeader property of the PolicyEnforcementFilter.

In this flow, AM denies the request with advice and PingGateway sends the response with the advice in the WWW-authenticate header.

Use this method for SDKs and single page applications. Placing advice in a header gives these applications more options for handling the advice.

policydp-authheader

Consider the following example GET with an x-authenticate-response header with the value HEADER:

[CONTINUED]GET https://ig.example.com:8443/home HTTP/1.1
[CONTINUED]accept-encoding: gzip, deflate
[CONTINUED]Connection: close
[CONTINUED]cookie: iPlanetDirectoryPro=0Dx...e3A.*....; amlbcookie=01
[CONTINUED]Host: ig.example.com:8443
[CONTINUED]x-authenticate-response: HEADER

PingGateway returns a WWW-Authenticate header containing advice:

HTTP/1.1 401 Unauthorized
WWW-Authenticate: SSOADVICE realm="/",advices="eyJ...XX0=",am_uri="http://openam.example.com:8080/am/"
transfer-encoding: chunked
connection: close

The advice decodes to a transaction condition advice:

{"TransactionConditionAdvice":["493...3c4"]}