--- title: PingGateway configuration templates description: "Template routes for common PingGateway configurations: proxy and capture, login forms, cookie handling, password replay, and header-based authentication" component: pinggateway version: 2026 page_id: pinggateway:configure:templates canonical_url: https://docs.pingidentity.com/pinggateway/2026/configure/templates.html revdate: 2025-10-15T18:45:22Z keywords: ["Configuration", "Proxy", "Password", "Policy", "Agent"] section_ids: template-proxy-capture: Proxy and capture template-simple-login: Simple login form template-login-cookie: Login form with cookie from login page template-login-replay-cookie-filters: Login form with password replay and cookie filters template-login-hidden-value: Login which requires a hidden value from the login page template-http-and-https: HTTP and HTTPS application template-am-integration-headers: AM integration with headers --- # PingGateway configuration templates This page shows template routes for common configurations. Before you start, set up PingGateway and the sample application as described in [Getting started with PingGateway](../getting-started/preface.html). Modify the template routes for your deployment. Before you use a route in production, review the points in [PingGateway security](../security-guide/preface.html). ## Proxy and capture When you followed the instructions in [Getting started with PingGateway](../getting-started/preface.html), you enabled PingGateway to proxy and capture application requests and server responses. This template route uses a DispatchHandler to change the scheme to HTTPS on login. ```json { "handler": { "type": "DispatchHandler", "config": { "bindings": [ { "condition": "${request.uri.path == '/login'}", "handler": "ReverseProxyHandler", "baseURI": "https://app.example.com:8444" }, { "condition": "${request.uri.scheme == 'http'}", "handler": "ReverseProxyHandler", "baseURI": "http://app.example.com:8081" }, { "handler": "ReverseProxyHandler", "baseURI": "https://app.example.com:8444" } ] } }, "condition": "${find(request.uri.query, 'demo=capture')}" } ``` Source: [20-capture.json](../_attachments/config/routes/20-capture.json) Try this example with the sample application: 1. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources. Learn more in [Using the sample application](../getting-started/start-sampleapp.html). 2. Add the following route to PingGateway: * Linux `$HOME/.openig/config/routes/20-capture.json` * Windows `%appdata%\OpenIG\config\routes\20-capture.json` 3. Go to The sample application displays the login page. To use this as a default route with a real application: 1. Make sure PingGateway connects to the protected application over HTTPS. 2. Change the `baseURI` settings to match the target application. 3. Remove the route-level condition on the handler that specifies a `demo` query string parameter. ## Simple login form This template route intercepts the login page request, replaces it with a login form, and logs the user into the target application with hard-coded username and password credentials. ```json { "handler": { "type": "Chain", "config": { "filters": [ { "type": "PasswordReplayFilter", "config": { "loginPage": "${request.uri.path == '/login'}", "request": { "method": "POST", "uri": "https://app.example.com:8444/login", "form": { "username": [ "MY_USERNAME" ], "password": [ "MY_PASSWORD" ] } } } } ], "handler": "ReverseProxyHandler" } }, "condition": "${find(request.uri.query, 'demo=simple')}" } ``` Source: [21-simple.json](../_attachments/config/routes/21-simple.json) Try this example with the sample application: 1. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources. Learn more in [Using the sample application](../getting-started/start-sampleapp.html). 2. Add the following route to PingGateway: * Linux `$HOME/.openig/config/routes/21-simple.json` * Windows `%appdata%\OpenIG\config\routes\21-simple.json` 3. Replace `MY_USERNAME` with `demo`, and `MY_PASSWORD` with `Ch4ng31t`. 4. Go to . The sample application profile page for the demo user displays information about the request. To use this as a default route with a real application: 1. Make sure PingGateway connects to the protected application over HTTPS. 2. Change the `uri`, `form`, and `baseURI` to match the target application. 3. Remove the route-level condition on the handler that specifies a `demo` query string parameter. ## Login form with cookie from login page This template route intercepts the login page request, replaces it with the login form, and signs the user on to the target application with hard-coded username and password credentials. The route uses a default [CookieFilter](../reference/CookieFilter.html) to manage cookies. By default, the filter intercepts cookies from the protected application and stores them in the PingGateway session. It doesn't send the cookies to the browser. ```json { "handler": { "type": "Chain", "config": { "filters": [ { "type": "PasswordReplayFilter", "config": { "loginPage": "${request.uri.path == '/login'}", "request": { "method": "POST", "uri": "https://app.example.com:8444/login", "form": { "username": [ "MY_USERNAME" ], "password": [ "MY_PASSWORD" ] } } } }, { "type": "CookieFilter" } ], "handler": "ReverseProxyHandler" } }, "condition": "${find(request.uri.query, 'demo=cookie')}" } ``` Source: [22-cookie.json](../_attachments/config/routes/22-cookie.json) Try this example with the sample application: 1. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources. Learn more in [Using the sample application](../getting-started/start-sampleapp.html). 2. Add the following route to PingGateway: * Linux `$HOME/.openig/config/routes/22-cookie.json` * Windows `%appdata%\OpenIG\config\routes\22-cookie.json` 3. Replace `MY_USERNAME` with `kramer`, and `MY_PASSWORD` with `N3wman12`. 4. Go to . The sample application page displays. 5. Refresh your connection to . Compared to [Login form with cookie from login page](#template-login-cookie), this example displays additional information about the session cookie: ``` Cookies session-cookie=123…​ ``` To use this as a default route with a real application: 1. Make sure PingGateway connects to the protected application over HTTPS. 2. Change the `uri` and `form` to match the target application. 3. Remove the route-level condition on the handler that specifies a `demo` query string parameter. ## Login form with password replay and cookie filters When a user without a valid session tries to access a protected application, this template route works with an application to return a login page. The route uses a PasswordReplayFilter to find the login page with a pattern to match a mock AM classic UI page. The route uses a default [CookieFilter](../reference/CookieFilter.html) to manage cookies. The CookieFilter retains cookies from the browser and doesn't forward them to the protected application. Similarly, the CookieFilter retains cookies in set-cookie headers from the protected application and doesn't forward them to the browser. ```json { "handler": { "type": "Chain", "config": { "filters": [ { "type": "PasswordReplayFilter", "config": { "loginPageContentMarker": "OpenAM\\s\\(Login\\)", "request": { "comments": [ "An example based on OpenAM classic UI: ", "uri is for the OpenAM login page; ", "IDToken1 is the username field; ", "IDToken2 is the password field; ", "host takes the OpenAM FQDN:port.", "The sample app simulates OpenAM." ], "method": "POST", "uri": "https://app.example.com:8444/openam/UI/Login", "form": { "IDToken0": [ "" ], "IDToken1": [ "demo" ], "IDToken2": [ "Ch4ng31t" ], "IDButton": [ "Log+In" ], "encoded": [ "false" ] }, "headers": { "host": [ "app.example.com:8081" ] } } } }, { "type": "CookieFilter" } ], "handler": "ReverseProxyHandler" } }, "condition": "${find(request.uri.query, 'demo=classic')}" } ``` Source: [23-classic.json](../_attachments/config/routes/23-classic.json) Try this example with the sample application: 1. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources. Learn more in [Using the sample application](../getting-started/start-sampleapp.html). 2. Save the file as `$HOME/.openig/config/routes/23-classic.json`. 3. Use the following `curl` command to check that it works: ```console $ curl -D- http://ig.example.com:8080/login?demo=classic ``` Output ``` HTTP/1.1 200 OK Set-Cookie: IG_SESSIONID=24446BA29E866F840197C8E0EAD57A89; Path=/; HttpOnly ... ``` To use this as a default route with a real application: 1. Change the `uri` and `form` to match the target application. 2. Remove the route-level condition on the handler that specifies a `demo` query string parameter. ## Login which requires a hidden value from the login page This template route extracts a hidden value from the login page and posts a static login form to the target application. ```json { "properties": { "appBaseUri": "https://app.example.com:8444" }, "handler": { "type": "Chain", "config": { "filters": [ { "type": "PasswordReplayFilter", "config": { "loginPage": "${request.uri.path == '/login'}", "loginPageExtractions": [ { "name": "hidden", "pattern": "loginToken\\s+value=\"(.*)\"" } ], "request": { "method": "POST", "uri": "${appBaseUri}/login", "form": { "username": [ "MY_USERNAME" ], "password": [ "MY_PASSWORD" ], "hiddenValue": [ "${attributes.extracted.hidden}" ] } } } } ], "handler": "ReverseProxyHandler" } }, "condition": "${find(request.uri.query, 'demo=hidden')}", "baseURI": "${appBaseUri}" } ``` Source: [24-hidden.json](../_attachments/config/routes/24-hidden.json) The parameters in the PasswordReplayFilter form, `MY_USERNAME` and `MY_PASSWORD`, take string values or expressions. Try this example with the sample application: 1. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources. Learn more in [Using the sample application](../getting-started/start-sampleapp.html). 2. Add the following route to PingGateway: * Linux `$HOME/.openig/config/routes/24-hidden.json` * Windows `%appdata%\OpenIG\config\routes\24-hidden.json` 3. Replace `MY_USERNAME` with `scarter`, and `MY_PASSWORD` with `S9rain12`. 4. Add the following route to PingGateway to serve the sample application .css and other static resources: * Linux `$HOME/.openig/config/routes/00-static-resources.json` * Windows `%appdata%\OpenIG\config\routes\00-static-resources.json` ```json { "name" : "00-static-resources", "baseURI" : "https://app.example.com:8444", "condition": "${find(request.uri.path,'^/css') or matchesWithRegex(request.uri.path, '^/.*\\\\.ico$') or matchesWithRegex(request.uri.path, '^/.*\\\\.gif$')}", "handler": "ReverseProxyHandler" } ``` Source: [00-static-resources.json](../_attachments/config/routes/00-static-resources.json) 5. Go to . To use this as a default route with a real application: 1. Make sure PingGateway connects to the protected application over HTTPS. 2. Change the `loginPage`, `loginPageExtractions`, `uri`, and `form` to match the target application. 3. Remove the route-level condition on the handler that specifies a `demo` query string parameter. ## HTTP and HTTPS application This template route proxies traffic to an application with both HTTP and HTTPS ports. The application uses HTTPS for authentication and HTTP for the general application features. When all login requests use HTTPS, you must add the login filters and handlers to the chain. ```json { "handler": { "type": "DispatchHandler", "config": { "bindings": [ { "condition": "${request.uri.scheme == 'http'}", "handler": "ReverseProxyHandler", "baseURI": "http://app.example.com:8081" }, { "condition": "${request.uri.path == '/login'}", "handler": { "type": "Chain", "config": { "comment": "Add one or more filters to handle login.", "filters": [], "handler": "ReverseProxyHandler" } }, "baseURI": "https://app.example.com:8444" }, { "handler": "ReverseProxyHandler", "baseURI": "https://app.example.com:8444" } ] } }, "condition": "${find(request.uri.query, 'demo=https')}" } ``` Source: [25-https.json](../_attachments/config/routes/25-https.json) Try this example with the sample application: 1. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources. Learn more in [Using the sample application](../getting-started/start-sampleapp.html). 2. Add the following route to PingGateway: * Linux `$HOME/.openig/config/routes/25-https.json` * Windows `%appdata%\OpenIG\config\routes\25-https.json` 3. Go to . The login page of the sample application is displayed. To use this as a default route with a real application: 1. Make sure PingGateway connects to the protected application over HTTPS. 2. Change the `loginPage`, `loginPageExtractions`, `uri`, and `form` to match the target application. 3. Remove the route-level condition on the handler that specifies a `demo` query string parameter. ## AM integration with headers This template route logs the user into the target application using headers like those from AM policy agents. If a header contains only a username or subject to look up in an external data source, you must add an attribute filter to the chain to retrieve the credentials. ```json { "handler": { "type": "Chain", "config": { "filters": [ { "type": "PasswordReplayFilter", "config": { "loginPage": "${request.uri.path == '/login'}", "request": { "method": "POST", "uri": "https://app.example.com:8444/login", "form": { "username": [ "${request.headers['username'][0]}" ], "password": [ "${request.headers['password'][0]}" ] } } } } ], "handler": "ReverseProxyHandler" } }, "condition": "${find(request.uri.query, 'demo=headers')}" } ``` Source: [26-headers.json](../_attachments/config/routes/26-headers.json) Try this example with the sample application: 1. Make sure PingGateway connects to the sample application over HTTPS with a route to access static resources. Learn more in [Using the sample application](../getting-started/start-sampleapp.html). 2. Add the route to PingGateway: * Linux `$HOME/.openig/config/routes/26-headers.json` * Windows `%appdata%\OpenIG\config\routes\26-headers.json` 3. Use the `curl` command to simulate the headers from a policy agent: ```console $ curl \ --header "username: kvaughan" \ --header "password: B5ibery12" \ http://ig.example.com:8080/login?demo=headers ``` Output ``` ... Howdy, kvaughan ... ``` To use this as a default route with a real application: 1. Make sure PingGateway connects to the protected application over HTTPS. 2. Change the `loginPage`, `uri`, and `form` to match the target application. 3. Remove the route-level condition on the handler that specifies a `demo` query string parameter.