---
title: Policy enforcement and PingOne Advanced Identity Cloud
description: Configure PingGateway to request and enforce policy decisions from PingOne Advanced Identity Cloud, including step-up authorization for transactions
component: pinggateway
version: 2026
page_id: pinggateway:aic:pep
canonical_url: https://docs.pingidentity.com/pinggateway/2026/aic/pep.html
revdate: 2025-10-15T18:45:22Z
keywords: ["Single sign-on (SSO)", "Security", "Authorization", "Policy"]
page_aliases: ["identity-cloud-guide:pep.adoc"]
section_ids:
  pep-cdsso: Enforce a simple policy
  stepup-session: Step up authorization for a transaction
---

# Policy enforcement and PingOne Advanced Identity Cloud

The following procedures show how to request and enforce policy decisions from PingOne Advanced Identity Cloud: first a simple policy, then a policy that requires step-up authorization for each transaction.

## Enforce a simple policy

Before you start, set up and test the example in [Cross-domain single sign-on](cdsso.html).

1. Set up PingOne Advanced Identity Cloud:

   1. In the Advanced Identity Cloud admin UI, select Native Consoles > Access Management to open the AM admin UI.

   2. Select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:

      * Id : `PEP-CDSSO`

      * Resource Types : `URL`

   3. In the new policy set, add a policy with the following values:

      * Name : `CDSSO`

      * Resource Type : `URL`

      * Resource pattern : `*://*:*/*`

      * Resource value : `https://app.example.com:8444/home/cdsso`

        This policy protects the home page of the sample application.

   4. On the Actions tab, add an action to allow HTTP `GET`.

   5. On the Subjects tab, remove any default subject conditions, and add a subject condition for all `Authenticated Users`.

2. Set up PingGateway:

   1. Replace `cdsso-idc.json` with the following route, saved as one of the following files, and set the property `amInstanceUrl` to the URL of your tenant's AM instance:

      * Linux

        `$HOME/.openig/config/routes/pep-cdsso-idc.json`

      * Windows

        `%appdata%\OpenIG\config\routes\pep-cdsso-idc.json`

      ```json
      {
        "name": "pep-cdsso-idc",
        "baseURI": "https://app.example.com:8444",
        "condition": "${find(request.uri.path, '^/home/cdsso')}",
        "properties": {
          "amInstanceUrl": "https://myTenant.forgeblocks.com/am"
        },
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "url": "&{amInstanceUrl}",
              "realm": "/alpha",
              "agent": {
                "username": "ig_agent",
                "passwordSecretId": "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "sessionCache": {
                "enabled": false
              }
            }
          }
        ],
        "handler": {
          "type": "Chain",
          "config": {
            "filters": [
              {
                "name": "CrossDomainSingleSignOnFilter-1",
                "type": "CrossDomainSingleSignOnFilter",
                "config": {
                  "redirectEndpoint": "/home/cdsso/redirect",
                  "authCookie": {
                    "path": "/home",
                    "name": "ig-token-cookie"
                  },
                  "amService": "AmService-1"
                }
              },
              {
                "name": "PolicyEnforcementFilter-1",
                "type": "PolicyEnforcementFilter",
                "config": {
                  "application": "PEP-CDSSO",
                  "ssoTokenSubject": "${contexts.cdsso.token}",
                  "amService": "AmService-1"
                }
              }
            ],
            "handler": "ReverseProxyHandler"
          }
        }
      }
      ```

      Source: [pep-cdsso-idc.json](../_attachments/config/routes/pep-cdsso-idc.json)

      Notice that compared to `cdsso-idc.json` the CrossDomainSingleSignOnFilter is followed by a PolicyEnforcementFilter that enforces the policy set `PEP-CDSSO`. The filter uses the SSO token that the CrossDomainSingleSignOnFilter placed in the context (`${contexts.cdsso.token}`) as the subject of each decision request, and authenticates to PingOne Advanced Identity Cloud as the agent `ig_agent`, whose password the SystemAndEnvSecretStore reads from the environment variable `AGENT_SECRET_ID` (the secret ID upper-cased with dots replaced by underscores; the value must be base64-encoded). The decision is requested for the request URL as rewritten by the route's `baseURI`, which is why the policy's resource value is `https://app.example.com:8444/home/cdsso` rather than the URL the browser requests on `ig.ext.com:8443`. A request for which no policy grants the action is denied: the filter fails closed and returns 403 Forbidden.

3. Test the setup:

   1. In your browser's privacy or incognito mode, go to <https://ig.ext.com:8443/home/cdsso> and accept the server certificate.

      PingGateway redirects you to PingOne Advanced Identity Cloud for authentication.

   2. Sign on to PingOne Advanced Identity Cloud as user `demo`, password `Ch4ng3!t`.

      PingOne Advanced Identity Cloud redirects you back to the request URL, and PingGateway requests a policy decision. PingOne Advanced Identity Cloud returns a policy decision that grants access to the sample application.

## Step up authorization for a transaction

Before you begin, set up and test the example in [Enforce a simple policy](#pep-cdsso).

1. In the Advanced Identity Cloud admin UI, select Scripts > Auth Scripts > New Script > Journey Decision Node > Next, and add a Journey Decision Node script called `TxTestPassword`, replacing the default script body with the following:

   ```javascript
   /*
     - Data made available by nodes that have already executed is read
       through the nodeState binding (shared, transient and secure state).
     - The script must set outcome to either "true" or "false".
     - The fixed value "7890" is for this demonstration only; a real
       step-up journey would verify a second factor, not a hard-coded string.
    */

   var givenPassword = nodeState.get("password");

   // Fail closed if the Password Collector node did not supply a value.
   if (givenPassword != null && givenPassword.asString().equals("7890")) {
     outcome = "true";
   } else {
     outcome = "false";
   }
   ```

   Source: [TxTestPassword.js](../_attachments/scripts/TxTestPassword.js)

2. Configure a journey:

   1. Click Journeys and add a journey with the following configuration:

      * Name: `Tx01_Tree`

      * Identity Object: `Alpha realm users`

        The browser displays the journey canvas.

   2. In Nodes > Basic Authentication, drag a Password Collector node onto the canvas.

   3. In Nodes > Utilities, drag a Scripted decision node onto the canvas.

   4. Configure the scripted decision node as follows:

      * Script: select `TxTestPassword`

      * Outcomes: enter `true` and `false`

   5. Connect the nodes as shown:

      ![Authentication journey](_images/auth.jpg)

      Learn about configuring journeys in the [PingOne Advanced Identity Cloud Docs](https://docs.pingidentity.com/pingoneaic/home.html).

3. Edit the authorization policy:

   1. In the Advanced Identity Cloud admin UI, select Native Consoles > Access Management to open the AM admin UI.

   2. Select Authorization > Policy Sets > PEP-CDSSO and add the following environment condition to the `CDSSO` policy:

      * `All of`

      * Type: `Transaction`

      * Script name: `Authenticate to tree`

      * Strategy Specifier: `Tx01_Tree`

4. Test the setup:

   1. In a browser, go to <https://ig.ext.com:8443/home/cdsso> and accept the server certificate.

      If you haven't previously authenticated to PingOne Advanced Identity Cloud, the CrossDomainSingleSignOnFilter redirects the request to PingOne Advanced Identity Cloud for authentication.

   2. Sign on to PingOne Advanced Identity Cloud as user `demo`, password `Ch4ng3!t`.

   3. Enter the password `7890` required by the script `TxTestPassword`.

      PingOne Advanced Identity Cloud redirects you back to the request URL and PingGateway requests a policy decision. Because the `CDSSO` policy now carries a Transaction condition, the first decision PingGateway receives is a deny carrying a `TransactionConditionAdvice`; PingGateway redirects you to complete the `Tx01_Tree` journey (the prompt for `7890` above), then requests the decision again with the completed transaction ID and is granted access if the journey succeeded. The grant applies to that transaction only, so a new request for the page runs the journey again, and a wrong journey password leaves the request denied.
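
The policy-decision exchange behind both procedures above (the simple policy and the transaction step-up), written out as a small client so the requests PingGateway's PolicyEnforcementFilter sends and the way it enforces the answer can be inspected and run offline. This is an added example, not PingGateway or AM code. It assumes the AM policy evaluation action `POST {am}/json/realms/root/realms/alpha/policies?_action=evaluate` with `Accept-API-Version: resource=2.1`, authenticated by the agent session in the `iPlanetDirectoryPro` header; the composite-advice redirect format used in `build_step_up_redirect`; and three sample responses, which are constructed rather than captured from a tenant. Verify the endpoint and advice formats against your AM version.

```python
# Added example, not PingGateway or AM code: the policy-decision exchange that
# the PolicyEnforcementFilter performs, as a small client. Assumptions (verify
# against your AM version): the evaluation action
# POST {am}/json/realms/root/realms/alpha/policies?_action=evaluate with
# Accept-API-Version resource=2.1, authenticated by the agent session in the
# iPlanetDirectoryPro header; the composite-advice redirect format used in
# build_step_up_redirect; and the three sample responses, which are constructed.
from typing import Dict, List, Optional
from urllib.parse import quote
from xml.sax.saxutils import escape

AM_URL = "https://myTenant.forgeblocks.com/am"          # amInstanceUrl in the route
REALM = "/alpha"
APPLICATION = "PEP-CDSSO"                               # policy set name
RESOURCE = "https://app.example.com:8444/home/cdsso"    # request URL after the baseURI rewrite


def evaluate_endpoint(am_url: str = AM_URL, realm: str = REALM) -> str:
    """Realm-qualified URL of the evaluation action ("/alpha" -> realms/root/realms/alpha)."""
    names = [n for n in realm.split("/") if n]
    return f"{am_url}/json/realms/root" + "".join(f"/realms/{n}" for n in names) + "/policies?_action=evaluate"


def decision_request(agent_token: str, user_token: str, tx_id: Optional[str] = None) -> Dict:
    """What PingGateway sends: the agent session authenticates the call, the user's
    SSO token (contexts.cdsso.token) is the subject, and on the retry after a
    step-up the completed transaction ID travels in the environment."""
    body: Dict = {"application": APPLICATION, "resources": [RESOURCE], "subject": {"ssoToken": user_token}}
    if tx_id is not None:
        body["environment"] = {"TransactionConditionAdvice": [tx_id]}
    headers = {"Content-Type": "application/json", "Accept-API-Version": "resource=2.1",
               "iPlanetDirectoryPro": agent_token}
    return {"url": evaluate_endpoint(), "headers": headers, "body": body}


def enforce(decisions: List[Dict], method: str = "GET") -> Dict:
    """Map AM's answer to an enforcement outcome, failing closed: allow only on an
    explicit true for this resource and method; any advice means step up first;
    anything else (false, absent action, no decision at all) is a deny (403)."""
    for d in decisions:
        if d.get("resource") != RESOURCE:
            continue
        if d.get("actions", {}).get(method) is True:
            return {"outcome": "allow", "advices": {}}
        advices = d.get("advices") or {}
        if advices:
            return {"outcome": "step-up", "advices": advices}
        return {"outcome": "deny", "advices": {}}
    return {"outcome": "deny", "advices": {}}


def build_step_up_redirect(advices: Dict[str, List[str]], goto: str) -> str:
    """Redirect that sends the browser to AM to satisfy the advice, here by running
    the Tx01_Tree journey named in the Transaction condition. Uses AM's composite
    advice form (assumed): authIndexType=composite_advice with the advice as XML."""
    pairs = "".join(
        f'<AttributeValuePair><Attribute name="{escape(name)}"/>'
        + "".join(f"<Value>{escape(v)}</Value>" for v in values)
        + "</AttributeValuePair>"
        for name, values in advices.items())
    xml = f"<Advices>{pairs}</Advices>"
    return (f"{AM_URL}/XUI/?realm={quote(REALM, safe='')}&goto={quote(goto, safe='')}"
            f"&authIndexType=composite_advice&authIndexValue={quote(xml, safe='')}")


# Constructed sample responses in the shape AM's evaluate action returns.
ALLOW = [{"resource": RESOURCE, "actions": {"GET": True}, "attributes": {}, "advices": {}}]
DENY = [{"resource": RESOURCE, "actions": {}, "attributes": {}, "advices": {}}]
STEP_UP = [{"resource": RESOURCE, "actions": {}, "attributes": {},
            "advices": {"TransactionConditionAdvice": ["5d3c6c58-2f2b-4e71-a1d6-0c5e2c7c9b10"]}}]

if __name__ == "__main__":
    for name, resp in (("allow", ALLOW), ("deny", DENY), ("step-up", STEP_UP)):
        print(name, "->", enforce(resp)["outcome"])
    tx = enforce(STEP_UP)["advices"]["TransactionConditionAdvice"][0]
    print(build_step_up_redirect(enforce(STEP_UP)["advices"], "https://ig.ext.com:8443/home/cdsso"))
    print(decision_request("<agent-session>", "<user-sso-token>", tx)["body"]["environment"])
```

`enforce` deliberately treats anything but an explicit `true` for the requested method as a deny, and a decision for a different resource as no decision at all; that mirrors the fail-closed behaviour you want from a policy enforcement point, and the `STEP_UP` sample shows why the transaction flow needs two evaluations: the first yields advice, the second carries the transaction ID in `environment`.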
