PingGateway

Using a specific PingAM journey

This page shows how to authenticate with SSO and the example AM authentication journey (tree) instead of the default authentication journey.

  1. Set up the example in Using the default PingAM journey.

  2. Add the following route to PingGateway:

    Linux

    $HOME/.openig/config/routes/sso-authservice.json

    Windows

    %appdata%\OpenIG\config\routes\sso-authservice.json

    {
      "name": "sso-authservice",
      "baseURI": "https://app.example.com:8444",
      "condition": "${find(request.uri.path, '^/home/sso-authservice')}",
      "heap": [
        {
          "name": "SystemAndEnvSecretStore-1",
          "type": "SystemAndEnvSecretStore"
        },
        {
          "name": "AmService-1",
          "type": "AmService",
          "config": {
            "agent": {
              "username": "ig_agent",
              "passwordSecretId": "agent.secret.id"
            },
            "secretsProvider": "SystemAndEnvSecretStore-1",
            "url": "http://am.example.com:8088/openam/"
          }
        }
      ],
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "name": "SingleSignOnFilter-1",
              "type": "SingleSignOnFilter",
              "config": {
                "amService": "AmService-1",
                "authenticationService": "Example"
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      }
    }

    Notice the features of the route compared to sso.json:

    • The route matches requests to /home/sso-authservice.

    • The authenticationService property of SingleSignOnFilter points to an Example tree. PingGateway uses this authentication tree instead of the AM admin UI.

  3. Create the Example authentication tree.

    1. Sign on to the AM admin UI as an administrator.

    2. Go to Top Level Realm > Authentication > Trees and click Create Tree.

    3. Name the new tree Example and click Create.

    4. Arrange the nodes in the Example tree and click Save when done.

      Figure: Example authentication tree

      • The Start node begins processing authentication.

      • The Zero Page Login Collector node lets the tree gather credentials without presenting a page.

      • The User Name Collector node gets the username.

      • The Password Collector node gets the password.

      • The Data Store Decision node validates the username and password against the stored credentials.

      • The Success node completes authentication.

      • The Failure node returns an authentication error.

  4. Test the setup:

    1. In your browser’s privacy or incognito mode, go to https://ig.example.com:8443/home/sso-authservice.

    2. If you see warnings that the site isn’t secure, respond to the warnings to access the site.

    3. Note that the login page is different from Using the default PingAM journey.
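
An added example, not part of the PingGateway documentation: a Python check over the route from step 2. It confirms that each SingleSignOnFilter pins the expected journey, that its amService resolves in the route's heap, and that the AM URL uses HTTPS. The function name `audit_sso_route` and the trimmed `ROUTE` sample are constructed for illustration.

```python
import json

# Constructed sample: sso-authservice.json from this page, trimmed to the relevant objects.
ROUTE = json.loads("""
{
  "name": "sso-authservice",
  "heap": [
    {"name": "AmService-1", "type": "AmService",
     "config": {"url": "http://am.example.com:8088/openam/"}}
  ],
  "handler": {"type": "Chain", "config": {
    "filters": [
      {"name": "SingleSignOnFilter-1", "type": "SingleSignOnFilter",
       "config": {"amService": "AmService-1", "authenticationService": "Example"}}
    ],
    "handler": "ReverseProxyHandler"}}
}
""")


def audit_sso_route(route, expected_journey):
    """Return a list of findings for every inline SingleSignOnFilter in the route's Chain."""
    heap = {obj["name"]: obj for obj in route.get("heap", [])}
    filters = route.get("handler", {}).get("config", {}).get("filters", [])
    findings = []
    for flt in filters:
        if not isinstance(flt, dict) or flt.get("type") != "SingleSignOnFilter":
            continue  # filters referenced by name, or of other types, are out of scope
        cfg = flt.get("config", {})
        name = flt.get("name", "<unnamed>")
        journey = cfg.get("authenticationService")
        if journey is None:
            findings.append(f"{name}: no authenticationService, AM default journey applies")
        elif journey != expected_journey:
            findings.append(f"{name}: journey {journey!r}, expected {expected_journey!r}")
        am = cfg.get("amService")
        am_obj = am if isinstance(am, dict) else heap.get(am)  # inline object or heap reference
        if am_obj is None:
            findings.append(f"{name}: amService {am!r} not declared in this route's heap")
        elif not am_obj.get("config", {}).get("url", "").startswith("https://"):
            findings.append(f"{name}: AM URL is not HTTPS, traffic to AM is cleartext")
    return findings


if __name__ == "__main__":
    for line in audit_sso_route(ROUTE, "Example"):
        print(line)
```

Against the route as written on this page, the check returns one finding, for the `http://` AM URL.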