PingGateway 2024.9

Authorize a single transaction

Transactional authorization requires a user to perform additional actions for one-time access to a resource.

Performing the additional action successfully grants access to the protected resource, but only once. Additional attempts to access the resource require the user to perform the configured actions again.

This section builds on the example in Step up the authentication level, adding a simple authorization policy with a Transaction environment condition. Each time the user agent tries to access the protected resource, they confirm the transaction again.

Update AM settings

Before you start, configure AM as described in Step up the authentication level. The PingGateway configuration is not changed.

  1. In the AM admin UI, add a tree to confirm the transaction.

    1. Select Authentication > Trees > + Create Tree.

    2. Name the new tree ConfirmTransaction.

    3. Set up the tree as in the following image:

      ConfirmTransaction tree

      The Choice Collector node has these settings:

      • Choices: Yes and No

      • Default Choice: No

      • Prompt: Confirm transaction?

    4. Click Save.

  2. Update the policy to use the new authentication tree.

    1. Select the policy set:

      • For SSO, select Authorization > Policy Sets > PEP-SSO.

      • For CDSSO, select Authorization > Policy Sets > PEP-CDSSO.

    2. In the policy, select Environments and add another environment condition:

      • All of

      • Type: Transaction

      • Authentication strategy: Authenticate To Tree

      • Strategy specifier: ConfirmTransaction

    3. Click and Save Changes.

    The summary of the policy looks similar to the following image:

    CDSSO policy summary

Validation

  1. In your browser’s privacy or incognito mode, go to the appropriate URL:

  2. Log in to AM as user demo, password Ch4ng31t.

    AM creates a session with the default authentication level 0, and PingGateway requests a policy decision.

  3. Enter the OTP verification code from the application you registered on your device.

    AM steps up the authentication level and displays a Confirm transaction? choice.

  4. Confirm the transaction by selecting Yes and logging in.

    Confirm transaction

    AM returns a policy decision granting one-time access to the sample application. If you reload the sample application page, you must confirm the new transaction.