---
title: PingAM policy enforcement
description: PingGateway as a policy enforcement point (PEP) uses the PolicyEnforcementFilter to intercept requests for a resource and provide information about the request to AM.
component: pinggateway
version: 2026
page_id: pinggateway:gateway-guide:policy-enforcement
canonical_url: https://docs.pingidentity.com/pinggateway/2026/gateway-guide/policy-enforcement.html
revdate: 2026-01-15
keywords: ["Configuration", "Policy", "Authentication", "Authorization"]
section_ids:
  deny_requests_without_advice: Deny requests without advice
  about-pep-advices-redirect: Deny requests with advice as parameters in a redirect response
  about-pep-advices-header: Deny requests with advice in a header
  next_steps: Next steps
---

# PingAM policy enforcement

PingGateway as a policy enforcement point (PEP) uses the PolicyEnforcementFilter to intercept requests for a resource and provide information about the request to AM.

AM as a policy decision point (PDP) evaluates requests based on their context and the configured policies. AM then returns decisions indicating what actions are allowed or denied and any advice, subject attributes, or static attributes for the specified resources.

You can find more information in the [PolicyEnforcementFilter](../reference/PolicyEnforcementFilter.html) and AM's [Authentication and SSO](https://docs.pingidentity.com/pingam/8.1/am-authentication/preface.html) documentation.

## Deny requests without advice

The following image shows a simplified flow of information when AM denies a request without advice.

![policydp-allowdeny-noadvices](https://kroki.io/plantuml/svg/eNqNUs1q3DAQvusphlxyWickpYdQAk4hWx9cQttjLrP22BbIGlWS1_Ej9TX6ZB3Zuybb7U8MRmLm-2NG6upSwUd2k9dtF-HnD7i5vrmFTTrew5O2LRQ12ajjJDDv2GPUbJWCb50OUHFNIGdk2BEMgWqgl8oMQe_JTKCtIKylKnFg1LH7hyQEbuKInoA9BPJ7XVHI1N8ZwFY8uGnIBwhD1f1RIWUz1KKBWUFTUDB2DB3uKZXIS2htBYWw07ZObkaINhBg64l6Af0ne6YurxQOke3Q78gr5dBHXWmHQr148DxKmgvAAIf7KSDpbjHSiNOz1W1GL9g7Q1nF_Uwqtuf4vHy22J9B8_IU-nVuAzoncOfO8c4ppQ6pNvfF9g6-0PeBQkxzw0oGKLNdRVSx3dzn5R0UtmHfL2vAHQ8C7wj8QlV5-WGBPbGMcoKaKh3SjvNy8fi9jiauvmgMj1QrkG-2c24NNRelcEwaHMueVug66lc9MrLIo7bsTsu60zZTZqznJzLzIWV4RG0GT5_Q1oZ8eryNbqWwpDnaJO9T5NrOsmy5z7af-Y2Kr4K_u76FR_Y7XUvYg5atVfp_AZvgPMg=?id=fig-policydp-allowdeny-noadvices)

## Deny requests with advice as parameters in a redirect response

The following image shows a simplified flow of information when AM denies a request with advice and PingGateway returns the advice as parameters in a redirect response.

This is the default flow, and the one most commonly used for web applications.

![policydp-noauthheader](https://kroki.io/plantuml/svg/eNqFU0Fu2zAQvPMVC19yshMkRQ9BEcANEFcHA0HSQw--rMW1RYDisiRlxU_qN_qyLiVbtuPE9UXGamZ2OEOp6ysFj-y3wayrBH__wO3N7R2M8-MrPBu3hkKTSyZtBRY8B0yGnVLwszIRStYE8kwMS4ImkgZ6K20TzYbsFowThHNUZg60JlUXJCHyKrUYCDhApLAxJcWJ-pwB7GQHr1YUIsSmrD5UyN4srdFCp2AoKmgrhgo3lEcUxLRxgkJYGqfzNitEFwlwHYhqAf3H-0RdXStsErumXlJQymNIpjQehTr6HrgVNyPACLv_p4CsO8NELW4Xzqwn9Ia1tzQpue5IxewcP50vHNZn0On8FPravQb0XuDen-O9V2pnavxQzO7hhX43FFOODUvJT6IdNFQxGz9M5_dQuBWHum8Bl9wIvCIIPVVN5z3qmSXILWgqTcwN5_nxCknSSPg524Xo6L4vcSVHwJqkmthtHBLMVG2C3Kdsr4_hMn2g9o5eyek98mAzcHfO4_nRyuleuJEzSvVlf13fKT9yDinRwccp_JNlH8EuHHd3S46Xj4rZaIh0KOhlqOLb5S7ez9GmoR-0llvSCuTXCXt_UM5DGewbjZ7li1Fk5bM57Xeg_4IMfUJjm0A_0GlLYeHkU_1ycwdPHJZGC0NJReet7-T_ARg4nD4=?id=fig-policydp-noauthheader)

## Deny requests with advice in a header

The following image shows a simplified flow of information when the request to PingGateway includes an `x-authenticate-response` header with the value `header`. If the header has any other value, the flow in [Deny requests with advice as parameters in a redirect response](#about-pep-advices-redirect) takes place.

To change the name of the `x-authenticate-response` header, refer to the `authenticateResponseRequestHeader` property of the [PolicyEnforcementFilter](../reference/PolicyEnforcementFilter.html#PolicyEnforcementFilter-authenticateResponseRequestHeader).

In this flow, AM denies the request with advice and PingGateway sends the response with the advice in the `WWW-authenticate` header.

Use this method for SDKs and single page applications. Placing advice in a header gives these applications more options for handling the advice.

![policydp-authheader](https://kroki.io/plantuml/svg/eNqtUstu2zAQvPMrFrrkJCdIih6MIoAQIK4PBoy4hXvwZSWuJSIUyZKUH_2j_ka_rEspcew4bS7RhdByZmdnluLyQsCddXuv6ibCn99wfXV9A3k6PsNcmRqmkkxUcc8w76zHqKwRAr41KkBlJQGf0UJJ0AWSQLtKd0FtSO9BGUYYQ1XiwFbF5j8tIdh13KInsB4C-Y2qKIzEvxlgDWvY9Zp8gNBVzZsd0myaatTQd1AUBGwbCw1uKJXI89DKMAqhVEYmNc1EEwiw9kQtg96ZfSQuLgV20ZquLckL4dBHVSmHTM0WTNMEc6wJCue4eU_KAAMs5sUpOGlMMNIW9yuj6hHtsHWaRpVte8J0co4vZiuD7Rm0mL2ao78GdI7hzp3jnROCB8pvp5MxPNDPjkJM8WHFOXLER_ws2-VsuElZsB3KPQVnObMsg4ZQkocV__X0LBsqWSamk_y2mI1hatbWt8MWsbQd4xoCP0iKYjag5paz2oOkSoX0QlL9eDTehOLlpd2suI8c9s1O2Da2xKsNvWLi3DVUPQKrwvuj9yQOYgzfTUJar36xzsMTbngMKYPlcpkXR62enfIlv_uIyqQX8zRYivZLPjhbkJHH9RNfH5TS6zrqeEgOtbZbkgL469Wce5FPRS48zzSYFqTZ-WnyB_oPSNB7VLrz9BWN1ORXhrP-dHUD99aXSjJDsOmXaA-N_wJKSYxT?id=fig-policydp-authheader)

Consider the following example GET with an `x-authenticate-response` header with the value `HEADER`:

```http
GET https://ig.example.com:8443/home HTTP/1.1
accept-encoding: gzip, deflate
Connection: close
cookie: iPlanetDirectoryPro=0Dx...e3A.*....; amlbcookie=01
Host: ig.example.com:8443
x-authenticate-response: HEADER
```

PingGateway returns a `WWW-Authenticate` header containing advice:

```http
HTTP/1.1 401 Unauthorized
WWW-Authenticate: SSOADVICE realm="/",advices="eyJ...XX0=",am_uri="http://openam.example.com:8080/am/"
transfer-encoding: chunked
connection: close
```

The advice decodes to a transaction condition advice:

```json
{"TransactionConditionAdvice":["493...3c4"]}
```
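A single page application or SDK that receives the 401 shown above has to split the `WWW-Authenticate` challenge into its parameters and base64-decode `advices` before it can act on the transaction condition. The following Node.js snippet is an added example, not code from the PingGateway documentation or product: `parseSsoAdvice` and `buildSsoAdviceHeader` are names chosen here, the header it parses is constructed inline from the example `am_uri` and a placeholder transaction ID, and it returns `null` for any scheme other than `SSOADVICE` so callers can fall back to the redirect handling.

```javascript
// Added example (not from the PingGateway docs): parse the SSOADVICE
// challenge that PingGateway places in WWW-Authenticate when the request
// carried "x-authenticate-response: header", and decode the advices to JSON.
// Node.js only; uses the standard Buffer API for base64.

// Parse "SSOADVICE key="value",key2=token,..." into an object.
// Returns null when the scheme is not SSOADVICE (e.g. a Bearer challenge),
// so the caller can fall back to other handling instead of guessing.
function parseSsoAdvice(headerValue) {
  const match = /^\s*(\S+)\s*(.*)$/s.exec(headerValue);
  if (!match) return null;
  const [, scheme, paramText] = match;
  if (scheme.toUpperCase() !== 'SSOADVICE') return null;

  // Auth-params: key="quoted string" or key=token, comma separated.
  const params = {};
  const paramRe = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))/g;
  let m;
  while ((m = paramRe.exec(paramText)) !== null) {
    const key = m[1].toLowerCase();
    // Unescape backslash sequences inside quoted strings.
    const value = m[2] !== undefined ? m[2].replace(/\\(.)/g, '$1') : m[3];
    params[key] = value;
  }
  if (!params.advices) {
    throw new Error('SSOADVICE challenge without an advices parameter');
  }

  // advices is base64-encoded JSON, e.g. {"TransactionConditionAdvice":[...]}.
  const decoded = Buffer.from(params.advices, 'base64').toString('utf8');
  let advices;
  try {
    advices = JSON.parse(decoded);
  } catch (err) {
    throw new Error('advices parameter is not base64-encoded JSON: ' + err.message);
  }
  return { realm: params.realm, amUri: params.am_uri, advices };
}

// Build a challenge header from an advice object (constructed sample input,
// mirroring the shape of the header shown in the documentation).
function buildSsoAdviceHeader(realm, amUri, adviceObject) {
  const encoded = Buffer.from(JSON.stringify(adviceObject), 'utf8').toString('base64');
  return `SSOADVICE realm="${realm}",advices="${encoded}",am_uri="${amUri}"`;
}

// Constructed sample: "493...3c4" is a placeholder, not a real transaction ID.
const SAMPLE_ADVICE = { TransactionConditionAdvice: ['493...3c4'] };
const SAMPLE_HEADER = buildSsoAdviceHeader(
  '/',
  'http://openam.example.com:8080/am/',
  SAMPLE_ADVICE
);

// Parse the constructed header and return the decoded result.
function demo() {
  return parseSsoAdvice(SAMPLE_HEADER);
}

console.log(JSON.stringify(demo(), null, 2));
```

The client then uses `amUri` and the decoded `TransactionConditionAdvice` to take the user through the transaction step with AM and retry the original request; a non-SSOADVICE challenge (or a header that fails to decode) should be treated as a plain 401 rather than silently ignored.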

## Next steps

* [Enforce AM policy decisions](pep.html)

  * [Decisions in the same domain with PingAM](pep-sso.html)

  * [Requiring authentication to a PingAM realm](pep-sso-realm.html)

  * [Decisions in different domains with PingAM](pep-cdsso.html)

  * [Decisions with a claimsSubject and PingAM](pep-claims-subject.html)

  * [Notifications and the PingAM policy cache](pep-evict-cache.html)

* [Hardening PingAM authorization](stepup.html)

  * [Stepping up the PingAM authentication level](stepup-sso-session.html)

  * [Authorizing a single transaction with PingAM](stepup-sso-trx.html)
