---
title: Decisions in different domains with PingAM
description: The following procedure gives an example of how to create a policy in AM and configure an agent that can request policy decisions, when PingGateway and AM are in different domains.
component: pinggateway
version: 2026
page_id: pinggateway:gateway-guide:pep-cdsso
canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/pep-cdsso.html
revdate: 2025-10-15T18:45:22Z
---

# Decisions in different domains with PingAM

The following procedure gives an example of how to create a policy in AM and configure an agent that can request policy decisions, when PingGateway and AM are in different domains.

Before you start, set up and test the example in [Cross-domain single sign-on for PingAM](cdsso.html).

1. Set up AM:

   1. In the AM admin UI, select Applications > Agents > Identity Gateway, and change the redirect URL for `ig_agent_cdsso`:

      * Redirect URL for CDSSO : `https://ig.ext.com:8443/home/pep-cdsso/redirect`

   2. Select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:

      * Id : `PEP-CDSSO`

      * Resource Types : `URL`

   3. In the new policy set, add a policy with the following values:

      * Name : `CDSSO`

      * Resource Type : `URL`

      * Resource pattern : `*://*:*/*`

      * Resource value : `https://app.example.com:8444/home/pep-cdsso*`

        This policy protects the home page of the sample application.

      * On the Actions tab, add an action to allow HTTP `GET`.

      * On the Subjects tab, remove any default subject conditions, and add a subject condition for all `Authenticated Users`.

2. Add the following route to PingGateway:

   * Linux

     `$HOME/.openig/config/routes/04-pep-cdsso.json`

   * Windows

     `%appdata%\OpenIG\config\routes\04-pep-cdsso.json`

   ```json
   {
     "name": "pep-cdsso",
     "baseURI": "https://app.example.com:8444",
     "condition": "${find(request.uri.path, '^/home/pep-cdsso')}",
     "heap": [
       {
         "name": "SystemAndEnvSecretStore-1",
         "type": "SystemAndEnvSecretStore"
       },
       {
         "name": "AmService-1",
         "type": "AmService",
         "config": {
           "agent": {
             "username": "ig_agent_cdsso",
             "passwordSecretId": "agent.secret.id"
           },
           "secretsProvider": "SystemAndEnvSecretStore-1",
           "url": "http://am.example.com:8088/openam/"
         }
       }
     ],
     "handler": {
       "type": "Chain",
       "config": {
         "filters": [
           {
             "name": "CrossDomainSingleSignOnFilter-1",
             "type": "CrossDomainSingleSignOnFilter",
             "config": {
               "redirectEndpoint": "/home/pep-cdsso/redirect",
               "authCookie": {
                 "path": "/home",
                 "name": "ig-token-cookie"
               },
               "amService": "AmService-1"
             }
           },
           {
             "name": "PolicyEnforcementFilter-1",
             "type": "PolicyEnforcementFilter",
             "config": {
               "application": "PEP-CDSSO",
               "ssoTokenSubject": "${contexts.cdsso.token}",
               "amService": "AmService-1"
             }
           }
         ],
         "handler": "ReverseProxyHandler"
       }
     }
   }
   ```

   Source: [04-pep-cdsso.json](../_attachments/config/routes/04-pep-cdsso.json)

   When `verificationSecretId` isn't configured, PingGateway discovers and uses the AM JWK set to verify the signature of AM session tokens. If the JWK set isn't available, PingGateway doesn't verify the tokens.

3. Test the setup:

   1. In your browser's privacy or incognito mode, go to <https://ig.ext.com:8443/home/pep-cdsso>.

   2. If you see warnings that the site isn't secure, respond to the warnings to access the site.

      PingGateway redirects you to AM for authentication.

   3. Sign on to AM as user `demo`, password `Ch4ng31t`.

      When you have authenticated, AM redirects you back to the request URL, and PingGateway requests a policy decision. AM returns a policy decision that grants access to the sample application.
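
The route in step 2 relies on AM JWK set discovery because `verificationSecretId` isn't set, and its `AmService` `url` uses plain `http`. The following check is an added example, not part of the PingGateway documentation: it walks a route file and reports both conditions before deployment. The helper names `walk` and `audit_route` are hypothetical, the sample route is constructed from the one above, and the check assumes `verificationSecretId` belongs in the `CrossDomainSingleSignOnFilter` config.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the security-relevant parts of 04-pep-cdsso.json above.
SAMPLE_ROUTE = json.loads("""
{"name": "pep-cdsso",
 "heap": [{"name": "AmService-1", "type": "AmService",
           "config": {"url": "http://am.example.com:8088/openam/"}}],
 "handler": {"type": "Chain", "config": {"filters": [
   {"name": "CrossDomainSingleSignOnFilter-1",
    "type": "CrossDomainSingleSignOnFilter",
    "config": {"redirectEndpoint": "/home/pep-cdsso/redirect",
               "amService": "AmService-1"}},
   {"name": "PolicyEnforcementFilter-1", "type": "PolicyEnforcementFilter",
    "config": {"application": "PEP-CDSSO", "amService": "AmService-1"}}],
   "handler": "ReverseProxyHandler"}}}
""")


def walk(node):
    """Yield every object in the route that declares a "type"."""
    if isinstance(node, dict):
        if "type" in node:
            yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)


def audit_route(route):
    """Return (object name, finding) pairs; check names are hypothetical."""
    findings = []
    for obj in walk(route):
        config = obj.get("config") if isinstance(obj.get("config"), dict) else {}
        name = obj.get("name", obj["type"])
        if (obj["type"] == "CrossDomainSingleSignOnFilter"
                and "verificationSecretId" not in config):
            findings.append((name, "verificationSecretId not set"))
        if (obj["type"] == "AmService"
                and urlparse(str(config.get("url", ""))).scheme == "http"):
            findings.append((name, "AmService url is plain http"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_route(SAMPLE_ROUTE):
        print(f"{name}: {finding}")
```

Run it against each file in `config/routes` as part of a configuration review; an empty result means neither condition was found.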
