---
title: Decisions with a claimsSubject and PingAM
description: Configure PingGateway to enforce a PingAM policy decision using claimsSubject to identify the subject
component: pinggateway
version: 2026
page_id: pinggateway:gateway-guide:pep-claims-subject
canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/pep-claims-subject.html
revdate: 2025-10-15T18:45:22Z
---

# Decisions with a claimsSubject and PingAM

This example extends [Decisions in the same domain with PingAM](pep-sso.html) to enforce a policy decision from AM, using `claimsSubject` instead of `ssoTokenSubject` to identify the subject.

Before you start, set up and test the example in [Decisions in the same domain with PingAM](pep-sso.html).

1. Set up AM:

   1. Select the policy `PEP-SSO` and add a new resource:

      * Resource Type: `URL`

      * Resource pattern: `*://*:*/*`

      * Resource value: `https://app.example.com:8444/home/pep-claims`

   2. In the same policy, add the following subject condition:

      * `Any of`

      * Type: `OpenID Connect/JwtClaim`

      * claimName: `iss`

      * claimValue: `am.example.com`

2. Add the following route to PingGateway:

   * Linux

     `$HOME/.openig/config/routes/04-pep-claims.json`

   * Windows

     `%appdata%\OpenIG\config\routes\04-pep-claims.json`

   ```json
   {
     "name": "pep-claims",
     "baseURI": "https://app.example.com:8444",
     "condition": "${find(request.uri.path, '^/home/pep-claims')}",
     "heap": [
       {
         "name": "SystemAndEnvSecretStore-1",
         "type": "SystemAndEnvSecretStore"
       },
       {
         "name": "AmService-1",
         "type": "AmService",
         "config": {
           "url": "http://am.example.com:8088/openam",
           "agent": {
             "username": "ig_agent",
             "passwordSecretId": "agent.secret.id"
           },
           "secretsProvider": "SystemAndEnvSecretStore-1"
         }
       }
     ],
     "handler": {
       "type": "Chain",
       "config": {
         "filters": [
           {
             "name": "SingleSignOnFilter-1",
             "type": "SingleSignOnFilter",
             "config": {
               "amService": "AmService-1"
             }
           },
           {
             "name": "PolicyEnforcementFilter-1",
             "type": "PolicyEnforcementFilter",
             "config": {
               "application": "PEP-SSO",
               "claimsSubject": {
                 "sub": "${contexts.ssoToken.info.uid}",
                 "iss": "am.example.com"
               },
               "amService": "AmService-1"
             }
           }
         ],
         "handler": "ReverseProxyHandler"
       }
     }
   }
   ```

   Source: [04-pep-claims.json](../_attachments/config/routes/04-pep-claims.json)

3. Test the setup:

   1. In your browser's privacy or incognito mode, go to <https://ig.example.com:8443/home/pep-claims> and accept the server certificate.

   2. Log in to AM as user `demo`, password `Ch4ng31t`.

      AM returns a policy decision that grants access to the sample application.
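
The following pre-deployment check is an added example, not part of the PingGateway documentation or its tooling. It compares the route's `claimsSubject` with the values entered in AM in step 1. The `check_route` function, the `POLICY` dictionary and the embedded route excerpt are constructed for illustration, and the check assumes the policy resource value is the route's `baseURI` plus its path, as it is on this page.

```python
import json
import re

# Constructed sample: the parts of 04-pep-claims.json that the check reads.
ROUTE = json.loads(r"""
{
  "name": "pep-claims",
  "baseURI": "https://app.example.com:8444",
  "condition": "${find(request.uri.path, '^/home/pep-claims')}",
  "handler": {"type": "Chain", "config": {"filters": [
    {"type": "SingleSignOnFilter", "config": {"amService": "AmService-1"}},
    {"type": "PolicyEnforcementFilter", "config": {
      "application": "PEP-SSO",
      "claimsSubject": {"sub": "${contexts.ssoToken.info.uid}", "iss": "am.example.com"},
      "amService": "AmService-1"}}
  ], "handler": "ReverseProxyHandler"}}
}
""")

# Values entered in AM in step 1: policy set, resource value, JwtClaim condition.
POLICY = {"application": "PEP-SSO",
          "resource": "https://app.example.com:8444/home/pep-claims",
          "claims": {"iss": "am.example.com"}}

def check_route(route, policy):
    """Return a list of mismatches between the route and the AM policy."""
    problems = []
    filters = route["handler"]["config"]["filters"]
    pef = next((f["config"] for f in filters
                if isinstance(f, dict) and f.get("type") == "PolicyEnforcementFilter"), None)
    if pef is None:
        return ["route has no inline PolicyEnforcementFilter"]
    if pef.get("application") != policy["application"]:
        problems.append("application does not match the policy set")
    subject = pef.get("claimsSubject")
    if not isinstance(subject, dict):  # only the literal-map form is handled here
        return problems + ["claimsSubject is missing or not a literal claims map"]
    for name, value in policy["claims"].items():
        if subject.get(name) != value:  # AM compares the claim value as entered
            problems.append(f"claim {name!r} is {subject.get(name)!r}, policy expects {value!r}")
    if not str(subject.get("sub", "")).startswith("${"):
        problems.append("sub is a literal, so every request is evaluated as the same subject")
    m = re.search(r"find\(request\.uri\.path,\s*'\^?([^']+)'\)", route.get("condition", ""))
    if not m or not policy["resource"].startswith(route["baseURI"] + m.group(1)):
        problems.append("policy resource value is not under baseURI + route path")
    return problems

if __name__ == "__main__":
    print(check_route(ROUTE, POLICY) or "route matches the policy")
```

An empty list means the route and the policy agree. A typical finding is an `iss` value in the route that differs from the policy's `claimValue`, which leads AM to deny the request.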
