Policy enforcement
PingGateway as a policy enforcement point (PEP) uses the PolicyEnforcementFilter to intercept requests for a resource and provide information about the request to AM.
AM as a policy decision point (PDP) evaluates requests based on their context and the configured policies. AM then returns decisions indicating what actions are allowed or denied and any advice, subject attributes, or static attributes for the specified resources.
You can find more information in the PolicyEnforcementFilter and AM’s Authentication and SSO documentation.
Deny requests without advice
The following image shows a simplified flow of information when AM denies a request without advice.
Deny requests with advice as parameters in a redirect response
The following image shows a simplified flow of information when AM denies a request with advice and PingGateway returns the advices as parameters in a redirect response.
This is the default flow, most used for web applications.
Deny requests with advice in a header
The following image shows a simplified flow of information
when the request to PingGateway includes an x-authenticate-response
header with the value header
.
If the header has any other value, the flow in Deny requests with advice as parameters in a redirect response takes place.
To change the name of the x-authenticate-response
header, refer to the authenticateResponseRequestHeader
property
of the
PolicyEnforcementFilter.
In this flow, AM denies the request with advice and PingGateway sends the response
with the advice in the WWW-authenticate
header.
Use this method for SDKs and single page applications. Placing advice in a header gives these applications more options for handling the advice.
Consider the following example GET with an x-authenticate-response
header with the value HEADER
:
[CONTINUED]GET https://ig.example.com:8443/home HTTP/1.1
[CONTINUED]accept-encoding: gzip, deflate
[CONTINUED]Connection: close
[CONTINUED]cookie: iPlanetDirectoryPro=0Dx...e3A.*....; amlbcookie=01
[CONTINUED]Host: ig.example.com:8443
[CONTINUED]x-authenticate-response: HEADER
PingGateway returns a WWW-Authenticate
header containing advice:
HTTP/1.1 401 Unauthorized
WWW-Authenticate: SSOADVICE realm="/",advices="eyJ...XX0=",am_uri="http://openam.example.com:8080/am/"
transfer-encoding: chunked
connection: close
The advice decodes to a transaction condition advice:
{"TransactionConditionAdvice":["493...3c4"]}