--- title: Example routes created with Structured Editor (deprecated) description: Deprecated. Example routes created with the PingGateway Studio Structured Editor for SSO, CDSSO, OAuth 2.0, OIDC, SAML 2.0, throttling, and WebSocket component: pinggateway version: 2026 page_id: pinggateway:studio-guide:examples-se canonical_url: https://docs.pingidentity.com/pinggateway/2026/studio-guide/examples-se.html revdate: 2025-10-15T18:45:22Z keywords: ["Routes", "Security", "User Interface", "Single sign-on (SSO)", "Policy", "Configuration", "Cross Domain SSO (CDSSO)", "OAuth 2.0", "OpenID Connect (OIDC)", "SAML 2.0", "Throttling", "Proxy"] section_ids: example-sso-se: Single sign-on in Structured Editor example-pep-sso-se: Policy enforcement in Structured Editor example-pep-cdsso: Policy enforcement for CDSSO in Structured Editor example-rsintrospect-se: Token validation using the introspection endpoint in Structured Editor example-oidc-am: OpenID Connect in Structured Editor example-ttf-se: Token transformation in Structured Editor example-throttle-simple: Simple throttling filter in Structured Editor example-throttle-mapped: Mapped throttling filter in Structured Editor example-throttle-scriptable: Scriptable throttling filter in Structured Editor example-websocket-se: Proxy for websocket traffic in Structured Editor --- # Example routes created with Structured Editor (deprecated) The following sections give examples of use the structured editor to set up some routes from the [PingGateway guide](../gateway-guide/preface.html). | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | * The structured editor of Studio is deprecated. Learn more in the release notes page about [Deprecated](https://docs.pingidentity.com/pinggateway/release-notes/deprecated.html) features. * You can't configure secrets providers in Studio. Documentation examples generated with Studio refer to secrets providers you must configure separately in `config.json`. | ## Single sign-on in Structured Editor This section describes how to set up SSO in the structured editor of Studio. For more information about setting up SSO, refer to [Authentication with PingAM](../gateway-guide/sso-cdsso.html). 1. In PingGateway Studio, create a route: 1. Go to `http://ig.example.com:8085/studio`, and then select [icon: plus, set=fa]Create a route. 2. Select [icon: list-ul, set=fa]Structured to use the structured editor. 2. Select Advanced options on the right, and create a route with the following options: * Base URI: `https://app.example.com:8444` * Condition: Path: `/home/sso-studio` * Name : `sso-studio` 3. Configure authentication: 1. Select [icon: user, set=fa]Authentication. 2. Select Single Sign-On, and enter the following information: * AM service : Configure an AM service to use for authentication: * URI: `http://am.example.com:8088/openam` * Secrets Provider: `SystemAndEnvSecretStore-1` * Agent : * Username : `ig_agent` * Password Secret ID : `password.secret.id` Leave all other values as default. 4. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: share-square, set=fa]Display to review the route. 5. Select [icon: cloud-upload-alt, set=fa]Deploy to push the route to the PingGateway configuration. You can check the `$HOME/.openig/config/routes` folder to see that the route is there. ## Policy enforcement in Structured Editor This section describes how to set up PingGateway as a policy enforcement point in the structured editor of Studio. For more information about setting up policy enforcement, refer to [Enforce AM policy decisions](../gateway-guide/pep.html). 1. In PingGateway Studio, create a route: 1. Go to `http://ig.example.com:8085/studio`, and then select [icon: plus, set=fa]Create a route. 2. Select [icon: list-ul, set=fa]Structured to use the structured editor. 2. Select Advanced options on the right, and create a route with the following options: * Base URI: `https://app.example.com:8444` * Condition: Path: `/home/pep-sso` * Name : `pep-sso` The structured editor is displayed. 3. Configure authentication: 1. Select [icon: user, set=fa]Authentication. 2. Select Single Sign-On, and enter the following information: * AM service : Configure an AM service to use for authentication: * URI: `http://am.example.com:8088/openam` * Secrets Provider: `SystemAndEnvSecretStore-1` * Agent : The credentials of the agent you created in AM. * Username : `ig_agent` * Password Secret ID : `password.secret.id` Leave all other values as default. 4. Configure a PolicyEnforcementFilter: 1. Select [icon: key, set=fa]Authorization. 2. Select AM Policy Enforcement, and then select the following options: * Access Management configuration: * AM service : `http://am.example.com:8088/openam (/)`. * Access Management policies: * Policy set : `PEP-SSO` * AM SSO token : `${contexts.ssoToken.value}` Leave all other values as default. 5. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: share-square, set=fa]Display to review the route. 6. Select [icon: cloud-upload-alt, set=fa]Deploy to push the route to the PingGateway configuration. You can check the `$HOME/.openig/config/routes` folder to see that the route is there. ## Policy enforcement for CDSSO in Structured Editor This section describes how to set up PingGateway as a policy enforcement point for CDSSO in the structured editor of Studio. For more information about how to set up SSO, refer to [Decisions in different domains with PingAM](../gateway-guide/pep-cdsso.html) 1. In PingGateway Studio, create a route: 1. Go to `http://ig.example.com:8085/studio`, and then select [icon: plus, set=fa]Create a route. 2. Select [icon: list-ul, set=fa]Structured to use the structured editor. 2. Select Advanced options on the right, and create a route with the following options: * Base URI: `https://app.example.com:8444` * Condition: Path: `/home/pep-cdsso` * Name : `pep-cdsso` 3. Configure authentication: 1. Select [icon: user, set=fa]Authentication. 2. Select Cross-Domain Single Sign-On, and enter the following information: * AM service : * URI: `http://am.example.com:8088/openam` * Secrets Provider: `SystemAndEnvSecretStore-1` * Agent : The credentials of the agent you created in AM. * Username : `ig_agent_cdsso` * Password Secret ID : `password.secret.id` * Redirect endpoint : `/home/pep-cdsso/redirect` * Authentication cookie : * Path : `/home` Leave all other values as default. 4. Configure a PolicyEnforcementFilter: 1. Select [icon: key, set=fa]Authorization. 2. Select AM Policy Enforcement, and select the following options to reflect the configuration of the PingGateway agent in AM: * Access Management configuration: * AM service : `http://am.example.com:8088/openam (/)`. * Access Management policies: * Policy set : `PEP-CDSSO` * AM SSO token ID : `${contexts.cdsso.token}` Leave all other values as default. 5. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: share-square, set=fa]Display to review the route. 6. Select [icon: cloud-upload-alt, set=fa]Deploy to push the route to the PingGateway configuration. You can check the `$HOME/.openig/config/routes` folder to see that the route is there. ## Token validation using the introspection endpoint in Structured Editor This section sets up PingGateway as an OAuth 2.0 resource server, using the introspection endpoint, in the structured editor of Studio. 1. Set up AM as described in [Validating PingAM access tokens with introspection](../gateway-guide/oauth2-rs-introspect.html). In addition, create an OAuth 2.0 Client authorized to introspect tokens with the following values: * Client ID : `resource-server` * Client secret `password` * Scope(s) : `am-introspect-all-tokens` 2. In PingGateway Studio, create a route: 1. Go to `http://ig.example.com:8085/studio`, and then select [icon: plus, set=fa]Create a route. 2. Select [icon: list-ul, set=fa]Structured to use the structured editor. 3. Create a route with the following option: * Application URL: `https://app.example.com:8444/rs-introspect-se` 3. Configure authorization: 1. Select [icon: key, set=fa]Authorization > OAuth 2.0 Resource Server, and then select the following options: * Token resolver configuration: * Access token resolver: `OAuth 2.0 introspection endpoint` * Introspection endpoint URI: `http://am.example.com:8088/openam/oauth2/introspect` * Client name and Client secret : `resource-server` and `password` This is the name and password of the OAuth 2.0 client with the scope to examine (introspect) tokens, configured in AM. * Scope configuration: * Evaluate scopes: `Statically` * Scopes: `mail`, `employeenumber` * OAuth 2.0 Authorization settings: * Require HTTPS: Deselect this option * Enable cache: Deselect this option Leave all other values as default. 4. Add a StaticResponseHandler: 1. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: file-code, set=fa]Editor mode to switch into editor mode. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | After switching to Editor mode, you cannot go back. You will be able to use the JSON file editor to manually edit the route but will no longer be able use the full Studio interface to add or edit filters. | 2. Replace the last ReverseProxyHandler in the route with the following StaticResponseHandler, and then save the route: ```json "handler": { "type": "StaticResponseHandler", "config": { "status": 200, "headers": { "Content-Type": [ "text/html; charset=UTF-8" ] }, "entity": "

Decoded access_token: ${contexts.oauth2.accessToken.info}

" } } ``` 5. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: share-square, set=fa]Display to review the route. 6. Select [icon: cloud-upload-alt, set=fa]Deploy to push the route to the PingGateway configuration. You can check the `$HOME/.openig/config/routes` folder to see that the route is there. ## OpenID Connect in Structured Editor This section describes how to set up PingGateway as an OpenID Connect relying party in the structured editor of Studio. For more information, refer to [AM as OIDC provider](../gateway-guide/oidc-am.html). 1. In PingGateway Studio, create a route: 1. Go to `http://ig.example.com:8085/studio`, and then select [icon: plus, set=fa]Create a route. 2. Select [icon: list-ul, set=fa]Structured to use the structured editor. 2. Select Advanced options on the right, and create a route with the following options: * Base URI: `https://app.example.com:8444` * Condition: Path: `/home/id_token` * Name: `07-openid` 3. Configure authentication: 1. Select [icon: user, set=fa]Authentication. 2. Select OpenID Connect, and then select the following options: * Client Filter: * Client Endpoint: `/home/id_token` * Require HTTPS: Deselect this option * Client Registration: * Client ID: `oidc_client` * Client secret: `password` * Scopes: `openid`, `profile`, and `email` * Basic authentication: Select this option * Issuer: * Well-known Endpoint: `http://am.example.com:8088/openam/oauth2/.well-known/openid-configuration` Leave all other values as default. 4. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: share-square, set=fa]Display to review the route. 5. Select [icon: cloud-upload-alt, set=fa]Deploy to push the route to the PingGateway configuration. You can check the `$HOME/.openig/config/routes` folder to see that the route is there. ## Token transformation in Structured Editor This section describes how to set up token transformation in the structured editor of Studio. For more information about setting up token transformation, refer to [OIDC ID tokens to SAML assertions with PingAM](../gateway-guide/ttf.html). 1. In PingGateway Studio, create a route: 1. Go to `http://ig.example.com:8085/studio`, and then select [icon: plus, set=fa]Create a route. 2. Select [icon: list-ul, set=fa]Structured to use the structured editor. 2. Select Advanced options on the right, and create a route with the following options: * Base URI: `https://app.example.com:8444` * Condition: Path: `/home/id_token` * Name : `50-idtoken` 3. Configure authentication: 1. Select [icon: user, set=fa]Authentication. 2. Select OpenID Connect, and enter the following information: * Client Filter : * Client Endpoint: `/home/id_token` * Require HTTPS: Deselect this option * Client Registration : * Client ID : `oidc_client` * Client secret : `password` * Scopes: `openid`, `profile`, and `email` * Basic authentication: Select this option * Issuer : * Well-known endpoint: `http://am.example.com:8088/openam/oauth2/.well-known/openid-configuration` Leave all other values as default, and save your settings. 4. Set up token transformation: 1. Select and enable Token transformation. 2. Enter the following information: * AM service : Configure an AM service to use for authentication and REST STS requests. * URI: `http://am.example.com:8088/openam` * Secrets Provider: `SystemAndEnvSecretStore-1` * Agent : The credentials of the agent you created in AM. * Username : `ig_agent` * Password Secret ID : `password.secret.id` * Username : `oidc_client` * Password : `password` * id\_token : `${contexts.oauth2Info.idToken}` * Instance : `openig` 5. Add a StaticResponseHandler: 1. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: file-code, set=fa]Editor mode to switch into editor mode. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | After switching to Editor mode, you cannot go back. You will be able to use the JSON file editor to manually edit the route but will no longer be able use the full Studio interface to add or edit filters. | 2. Replace the last ReverseProxyHandler in the route with the following StaticResponseHandler, and then save the route: ```json "handler": { "type": "StaticResponseHandler", "config": { "status": 200, "headers": { "Content-Type": [ "text/plain; charset=UTF-8" ] }, "entity": "{\"id_token\":\n\"${contexts.oauth2Info.idToken}\"} \n\n\n{\"saml_assertions\":\n\"${contexts.sts.issuedToken}\"}" } } ``` 6. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: share-square, set=fa]Display to review the route. 7. Select [icon: cloud-upload-alt, set=fa]Deploy to push the route to the PingGateway configuration. You can check the `$HOME/.openig/config/routes` folder to see that the route is there. ## Simple throttling filter in Structured Editor This section describes how to set up a simple throttling filter in the structured editor of Studio. For more information about how to set up throttling, refer to [Configure simple throttling](../gateway-guide/throttling.html#throttling-simple). 1. In PingGateway Studio, create a route: 1. Go to `http://ig.example.com:8085/studio`, and then select [icon: plus, set=fa]Create a route. 2. Select [icon: list-ul, set=fa]Structured to use the structured editor. 2. Select Advanced options on the right, and create a route with the following options: * Base URI: `https://app.example.com:8444` * Condition: Path: `/home/throttle-simple` * Name : `00-throttle-simple` 3. Select and enable [icon: filter, set=fa]Throttling. 4. In GROUPING POLICY, apply the rate to a single group. All requests are grouped together, and the default throttling rate is applied to the group. By default, no more than 100 requests can access the sample application each second. 5. In RATE POLICY, select Fixed, and allow 6 requests each 10 seconds. 6. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: share-square, set=fa]Display to review the route. 7. Select [icon: cloud-upload-alt, set=fa]Deploy to push the route to the PingGateway configuration. You can check the `$HOME/.openig/config/routes` folder to see that the route is there. ## Mapped throttling filter in Structured Editor This section describes how to set up a mapped throttling filter in the structured editor of Studio. For more information about how to set up throttling, refer to [Configure mapped throttling](../gateway-guide/throttling.html#throttling-mapped). 1. Set up AM as described in [Validating PingAM access tokens with introspection](../gateway-guide/oauth2-rs-introspect.html). In addition, create an OAuth 2.0 Client authorized to introspect tokens with the following values: * Client ID : `resource-server` * Client secret `password` * Scope(s) : `am-introspect-all-tokens` 2. In PingGateway Studio, create a route: 1. Go to `http://ig.example.com:8085/studio`, and then select [icon: plus, set=fa]Create a route. 2. Select [icon: list-ul, set=fa]Structured to use the structured editor. 3. Select Advanced options on the right, and create a route with the following options: * Base URI: `https://app.example.com:8444` * Condition: Path: `/home/throttle-mapped-se` * Name : `00-throttle-mapped-se` 4. Configure authorization: 1. Select [icon: key, set=fa]Authorization > OAuth 2.0 Resource Server, and then select the following options: * Token resolver configuration: * Access token resolver: `OAuth 2.0 introspection endpoint` * Introspection endpoint URI: `http://am.example.com:8088/openam/oauth2/introspect` * Client name and Client secret : `resource-server` and `password` This is the name and password of the OAuth 2.0 client with the scope to examine (introspect) tokens, configured in AM. * Scope configuration: * Evaluate scopes: `Statically` * Scopes: `mail`, `employeenumber` * OAuth 2.0 Authorization settings: * Require HTTPS: Deselect this option * Enable cache: Deselect this option Leave all other values as default. 5. Configure throttling: 1. Select and enable [icon: filter, set=fa]Throttling. 2. Set up the grouping policy: 1. In GROUPING POLICY, apply the rate to independent groups of requests. Requests are split into different groups according to criteria, and the throttling rate is applied to each group. 2. Select to group requests by custom criteria. Enter `${contexts.oauth2.accessToken.info.mail}` as the custom expression. This expression defines the subject in the OAuth2Context. 3. Set up the rate policy: 1. In RATE POLICY, select Mapped. 2. Select to map requests by custom criteria. 3. Enter the custom expression `${contexts.oauth2.accessToken.info.status}`. 4. In Default Rate, select Edit and change the default rate to 1 request each 10 seconds. 5. In Mapped Rates, add the following rate for `gold` status: * Match Value : `gold` * Number of requests : `6` * Period : `10 seconds` 6. Add a different rate for `silver` status: * Match Value : `silver` * Number of requests : `3` * Period : `10 seconds` 7. Add a different rate for `bronze` status: * Match Value : `bronze` * Number of requests : `1` * Period : `10 seconds` 8. Save the rate policy. 6. Select [icon: chain, set=fa]Chain, and change the order of the filters so [icon: filter, set=fa]Throttling comes after [icon: key, set=fa]Authorization. 7. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: share-square, set=fa]Display to review the route. 8. Select [icon: cloud-upload-alt, set=fa]Deploy to push the route to the PingGateway configuration. You can check the `$HOME/.openig/config/routes` folder to see that the route is there. ## Scriptable throttling filter in Structured Editor This section describes how to set up a scriptable throttling filter in the structured editor of Studio. For more information about how to set up throttling, refer to [Configure scriptable throttling](../gateway-guide/throttling.html#throttling-scriptable). 1. Set up AM as described in [Validating PingAM access tokens with introspection](../gateway-guide/oauth2-rs-introspect.html). In addition, create an OAuth 2.0 Client authorized to introspect tokens with the following values: * Client ID: `resource-server` * Client secret: `password` * Scope(s): `am-introspect-all-tokens` 2. In PingGateway Studio, create a route: 1. Go to `http://ig.example.com:8085/studio`, and then select [icon: plus, set=fa]Create a route. 2. Select [icon: list-ul, set=fa]Structured to use the structured editor. 3. Select Advanced options on the right, and create a route with the following options: * Base URI: `https://app.example.com:8444` * Condition: Path: `/home/throttle-scriptable-se` * Name: `00-throttle-scriptable-se` 4. Configure authorization: 1. Select [icon: key, set=fa]Authorization > OAuth 2.0 Resource Server, and then select the following options: * Token resolver configuration: * Access token resolver: `OAuth 2.0 introspection endpoint` * Introspection endpoint URI: `http://am.example.com:8088/openam/oauth2/introspect` * Client name and Client secret : `resource-server` and `password` This is the name and password of the OAuth 2.0 client with the scope to examine (introspect) tokens, configured in AM. * Scope configuration: * Evaluate scopes: `Statically` * Scopes: `mail`, `employeenumber` * OAuth 2.0 Authorization settings: * Require HTTPS: Deselect this option * Enable cache: Deselect this option Leave all other values as default. 5. Configure throttling: 1. Select and enable [icon: filter, set=fa]Throttling. 2. Set up the grouping policy: 1. In GROUPING POLICY, apply the rate to independent groups of requests. Requests are split into different groups according to criteria, and the throttling rate is applied to each group. 2. Select to group requests by custom criteria. 3. Enter `${contexts.oauth2.accessToken.info.mail}` as the custom expression. 3. Set up the rate policy: 1. In RATE POLICY, select Scripted. 2. Select to create a new script, and name it `X-User-Status`. So that you can easily identify the script, use a name that describes the content of the script. 3. Add the following argument/value pairs: * argument: `status`, value: `gold` * argument: `rate`, value: `6` * argument: `duration`, value: `10 seconds` * Replace the default script with the content of a valid Groovy script. For example, enter the following script: ```groovy if (contexts.oauth2.accessToken.info.status == status) { return new ThrottlingRate(rate, duration) } else { return null } ``` Alternatively, skip the step to define arguments, and add the following script instead: ```groovy if (contexts.oauth2.accessToken.info.status == 'gold') { return new ThrottlingRate(6, '10 seconds') } else { return null } ``` | | | | - | ------------------------------------------------------- | | | Studio doesn't check the validity of the Groovy script. | 4. Enable the default rate, and set it to 1 request each 10 seconds. 5. Save the rate policy. The script is added to the list of reference scripts available to use in scriptable throttling filters. 6. Select [icon: chain, set=fa]Chain, and change the order of the filters so [icon: filter, set=fa]Throttling comes after [icon: key, set=fa]Authorization. 7. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: share-square, set=fa]Display to review the route. 8. Select [icon: cloud-upload-alt, set=fa]Deploy to push the route to the PingGateway configuration. You can check the `$HOME/.openig/config/routes` folder to see that the route is there. ## Proxy for websocket traffic in Structured Editor This section describes how to set up PingGateway to proxy WebSocket traffic, in the structured editor of Studio. For more information about how to set up proxying for WebSocket traffic, refer to [WebSocket traffic with PingAM](../gateway-guide/websocket.html). 1. In PingGateway Studio, create a route: 1. Go to `http://ig.example.com:8085/studio`, and then select [icon: plus, set=fa]Create a route. 2. Select [icon: list-ul, set=fa]Structured to use the structured editor. 2. Select Advanced options on the right, and create a route with the following options: * Base URI: `https://app.example.com:8444` * Condition: Path: `/websocket-se` * Name : `websocket-se` * Enable WebSocket: Select this option 1. Select [icon: user, set=fa]Authentication. 2. Select Single Sign-On, and enter the following information: * AM service : Configure an AM service to use for authentication: * URI: `http://am.example.com:8088/openam` * Secrets Provider: `SystemAndEnvSecretStore-1` * Agent : * Username : `ig_agent` * Password Secret ID : `password.secret.id` Leave all other values as default. 3. On the top-right of the screen, select [icon: ellipsis-v, set=fa]and [icon: share-square, set=fa]Display to review the route. 4. Select [icon: cloud-upload-alt, set=fa]Deploy to push the route to the PingGateway configuration. You can check the `$HOME/.openig/config/routes` folder to see that the route is there.