PingOne Advanced Identity Cloud
This guide provides examples of how to use PingGateway with PingOne Advanced Identity Cloud for Single Sign-On and API Security. It is for PingOne Advanced Identity Cloud evaluators, administrators, and architects.
Example installation for this guide
Unless otherwise stated, the examples in this guide assume the following installation:
- PingGateway installed on http://ig.example.com:8080, as described in Install.
- Sample application installed on http://app.example.com:8081, as described in Use the sample application.
- A PingOne Advanced Identity Cloud tenant with the default configuration, as described in the PingOne Advanced Identity Cloud documentation.
When using PingOne Advanced Identity Cloud, you need to know the value of the following properties:
- The root URL of your PingOne Advanced Identity Cloud tenant. For example, https://myTenant.forgeblocks.com. The URL of the PingAM component of PingOne Advanced Identity Cloud is the root URL of your tenant followed by /am. For example, https://myTenant.forgeblocks.com/am.
- The realm where you work. The examples in this document use alpha. Prefix each realm in the hierarchy with the realms keyword. For example, /realms/root/realms/alpha.
If you use a different configuration, substitute in the procedures accordingly.
About authentication to PingOne Advanced Identity Cloud
PingOne Advanced Identity Cloud provides an authentication journey to validate the agent credentials with an Agent Data Store Decision node.
When you register PingGateway with PingOne Advanced Identity Cloud, PingOne Advanced Identity Cloud uses the journey to authenticate PingGateway.
Register a PingGateway agent in PingOne Advanced Identity Cloud
This procedure registers an agent profile for PingGateway.
- Log in to the Advanced Identity Cloud admin UI as an administrator.
- Click Gateways & Agents > New Gateway/Agent > Identity Gateway > Next and use the hints in the following table to create the agent profile:
  - ID: Set the unique agent profile name PingGateway uses to connect. Example: ig_agent
  - Password: Store the password PingGateway uses to connect in the agent profile. Record the password to use when configuring PingGateway. Example: a strong password. The examples in the documentation use password and its base64 encoding cGFzc3dvcmQ=.
  - Use Secret Store for password: Store the password in a secret and reference the secret by its label. Follow the steps in Use the secret store for the password after you create the agent profile. Example: click to enable.
  - Secret Label Identifier: This field appears when you select Use Secret Store for password. The value is the identifier part of the secret label for the agent. PingOne Advanced Identity Cloud uses the identifier to generate a secret label in the format am.application.agents.identifier.secret. Learn more in Secret labels. After setting this, add an ESV secret for the password and map the ESV to the secret label. Example: ig
  Use secure passwords in a production environment. Consider using a password manager to generate secure passwords.
- Click Save Profile > Done to display the new agent profile.
- (Optional) Add the list of Redirect URLs used in PingGateway routes and click Save to update the profile.
Use the secret store for the password
When you select Use Secret Store for password and set a secret label for the agent profile, PingOne Advanced Identity Cloud creates the secret label, but the secret isn't yet defined or mapped to the label:
- Define an ESV secret, such as esv-ig_agent, holding the password PingGateway uses to connect. The examples in the documentation use password. Learn how in Creating ESV secrets. In production deployments, restrict access to the password from configuration placeholder and script contexts.
- Map the ESV to the label created when you set the Secret Label Identifier:
  - Click Native Consoles > Access Management > Secret Stores > ESV > Mappings > Add mappings.
  - In the Add Mapping modal, select the label, such as am.application.agents.ig.secret, in the Secret Label list.
  - In the aliases field, enter the ESV secret, such as esv-ig_agent, and click Add.
  - Click Create to add the mapping.
  Learn more in Map ESV secrets to secret labels.
- Note the following points:
  - If you update or delete the Secret Label Identifier, AM updates or deletes the corresponding mapping for the previous identifier unless another agent shares the mapping.
  - When you rotate a secret, update the corresponding mapping.
Optional settings
In the AM admin UI, consider the following additional optional settings for the agent profile under Applications > Agents > Identity Gateway > agent ID:
- To direct login to a custom URL instead of the default AM login page, configure Login URL Template for CDSSO.
- To apply a different introspection scope, click Token Introspection and select a scope from the list.
- Click Save to update the profile.
Set up a demo user in PingOne Advanced Identity Cloud
This procedure sets up a demo user in the alpha realm.
- Log in to the Advanced Identity Cloud admin UI as an administrator.
- Go to Identities > Manage > Alpha realm - Users, and add a user with the following values:
  - Username: demo
  - First name: demo
  - Last name: user
  - Email Address: demo@example.com
  - Password: Ch4ng3!t
Recommendations
Use PingGateway with PingOne Advanced Identity Cloud as you would with any other service.
- During updates, individual PingOne Advanced Identity Cloud tenant servers go offline temporarily. PingGateway can receive HTTP 502 Bad Gateway responses for some requests during the update. In your ClientHandler and ReverseProxyHandler configurations, configure PingGateway to retry operations when this occurs:

  ```json
  "retries": {
    "enabled": true,
    "condition": "${response.status.code == 502}"
  }
  ```
- Update PingGateway to the latest version you can, to benefit from fixes and improvements.
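The following route shows where the retries fragment above sits in a complete PingGateway configuration. It is an added example, not code from this page or from the PingGateway project: the route name, the /home path condition, the app.example.com base URI and the handler name are constructed for illustration, and the count and delay properties are assumed from the PingGateway ClientHandler reference (they are not mentioned on this page; omit them to keep the defaults). The condition is kept narrow on purpose, so that only the 502 responses produced by a tenant server going offline are retried and other failures surface to the client unchanged.

```json
{
  "name": "app-with-retries",
  "condition": "${find(request.uri.path, '^/home')}",
  "baseURI": "http://app.example.com:8081",
  "heap": [
    {
      "name": "ReverseProxyHandlerWithRetries",
      "type": "ReverseProxyHandler",
      "config": {
        "retries": {
          "enabled": true,
          "count": 5,
          "delay": "10 seconds",
          "condition": "${response.status.code == 502}"
        }
      }
    }
  ],
  "handler": "ReverseProxyHandlerWithRetries"
}
```

Apply the same retries object to the ClientHandler that PingGateway uses to call PingOne Advanced Identity Cloud itself, since those calls are the ones most likely to hit a tenant server that is offline during an update. Before relying on it in production, confirm the retry properties against the reference for your PingGateway version, and keep the condition scoped to the status code you actually observe rather than to all errors.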