---
title: Restrict access to Studio
description: "When PingGateway is running in development mode, by default the Studio endpoint is open and accessible. To allow only specific users to access Studio, configure a \"studioProtectionFilter\" in admin.json with a SingleSignOnFilter or CrossDomainSingleSignOnFilter."
component: pinggateway
version: 2026
page_id: pinggateway:studio-guide:restrict-access
canonical_url: https://docs.pingidentity.com/pinggateway/2026/studio-guide/restrict-access.html
revdate: 2025-01-02T12:52:32Z
keywords: ["Routes", "Security", "User Interface"]
---

# Restrict access to Studio

When PingGateway is running in development mode, by default the Studio endpoint is open and accessible. To allow only specific users to access Studio, configure a `"studioProtectionFilter"` in `admin.json` with a SingleSignOnFilter or CrossDomainSingleSignOnFilter.

The following example uses a SingleSignOnFilter to require users to authenticate with AM before they can access Studio, and protects the request from Cross Site Request Forgery (CSRF) attacks.

1. Set up AM:

   1. Select Services > Add a Service and add a Validation Service with the following Valid goto URL Resources:

      * `http://ig.example.com:8085/*`

      * `http://ig.example.com:8085/*?*`

   2. Register a PingGateway agent with the following values, as described in [Register a PingGateway agent in AM](preface.html#register-agent-am):

      * Agent ID: `ig_agent`

      * Password: `password`

        Use secure passwords in a production environment. Consider using a password manager to generate secure passwords.

2. Set up PingGateway:

   1. Set an environment variable for the PingGateway agent password, and then restart PingGateway:

      ```console
      $ export AGENT_SECRET_ID='cGFzc3dvcmQ='
      ```

      The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.

   2. Add the following `admin.json` configuration to PingGateway:

      ```json
      {
        "mode": "DEVELOPMENT",
        "properties": {
          "SsoTokenCookieOrHeader": "iPlanetDirectoryPro"
        },
        "adminConnector": {
          "host": "ig.example.com",
          "port": 8085
        },
        "connectors": [
          {
            "port": 8080
          },
          {
            "port": 8443
          }
        ],
        "heap": [
          {
            "name": "SystemAndEnvSecretStore-1",
            "type": "SystemAndEnvSecretStore"
          },
          {
            "name": "AmService-1",
            "type": "AmService",
            "config": {
              "agent" : {
                "username" : "ig_agent",
                "passwordSecretId" : "agent.secret.id"
              },
              "secretsProvider": "SystemAndEnvSecretStore-1",
              "url": "http://am.example.com:8088/openam/",
              "ssoTokenHeader": "&{SsoTokenCookieOrHeader}"
            }
          }
        ],
        "studioProtectionFilter": {
          "type": "ChainOfFilters",
          "config": {
            "filters": [
              {
                "type": "SingleSignOnFilter",
                "config": {
                  "amService": "AmService-1"
                }
              },
              {
                "type": "CsrfFilter",
                "config": {
                  "cookieName": "&{SsoTokenCookieOrHeader}",
                  "failureHandler": {
                    "type": "StaticResponseHandler",
                    "config": {
                      "status": 403,
                      "headers": {
                        "Content-Type": [
                          "text/plain"
                        ]
                      },
                      "entity": "Request forbidden"
                    }
                  }
                }
              }
            ]
          }
        }
      }
      ```

      Source: [admin-StudioProtectionFilter.json](../_attachments/config/admin-StudioProtectionFilter.json)

      Notice the following features of the configuration:

      * The `mode` is `DEVELOPMENT`, so by default the Studio endpoint is open and unfiltered.

      * The `properties` object sets a configuration parameter for the value of the SSO token cookie or header, which is used in AmService and CsrfFilter.

      * The AmService uses the PingGateway agent in AM for authentication.

        The agent password for AmService is provided by a SystemAndEnvSecretStore in the heap.

      * The `"studioProtectionFilter"` calls the [SingleSignOnFilter](../reference/SingleSignOnFilter.html) to redirect unauthenticated requests to AM. It uses the [CsrfFilter](../reference/CsrfFilter.html) to protect requests from CSRF attacks.

   3. Restart PingGateway to take into account the changes to `admin.json`.

3. Test the setup:

   1. If you are logged in to AM, log out and clear any cookies.

   2. Go to <http://ig.example.com:8085/studio>. The SingleSignOnFilter redirects the request to AM for authentication.

   3. Log in to AM with user `demo`, password `Ch4ng31t`. The Studio Routes screen is displayed.
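
An added example (not part of the PingGateway documentation or product): a Python check that a parsed `admin.json` in development mode carries a `studioProtectionFilter` containing an SSO filter and a CsrfFilter, and that the CsrfFilter `cookieName` matches the AmService `ssoTokenHeader`, as in the configuration in step 2. The function names, the finding messages, and the cookie/header consistency rule are assumptions of this example; it resolves only whole-value `&{...}` tokens and heap references by name.

```python
import json

SSO_TYPES = {"SingleSignOnFilter", "CrossDomainSingleSignOnFilter"}

def expand(value, props):
    """Resolve a whole-value &{name} token against the top-level properties."""
    is_token = isinstance(value, str) and value.startswith("&{") and value.endswith("}")
    return props.get(value[2:-1], value) if is_token else value

def filters_in(decl, heap):
    """Yield filter declarations, following heap names and ChainOfFilters."""
    decl = heap.get(decl) if isinstance(decl, str) else decl
    if isinstance(decl, dict) and decl.get("type") == "ChainOfFilters":
        for inner in decl.get("config", {}).get("filters", []):
            yield from filters_in(inner, heap)
    elif isinstance(decl, dict):
        yield decl

def audit_studio_protection(admin):
    """Return findings for a parsed admin.json; an empty list means none."""
    if str(admin.get("mode", "")).upper() != "DEVELOPMENT":
        return []  # only the development-mode case from the page is checked
    if "studioProtectionFilter" not in admin:
        return ["no studioProtectionFilter: Studio endpoint is open"]
    props = admin.get("properties", {})
    heap = {o["name"]: o for o in admin.get("heap", []) if "name" in o}
    chain = list(filters_in(admin["studioProtectionFilter"], heap))
    sso = [f for f in chain if f.get("type") in SSO_TYPES]
    csrf = [f for f in chain if f.get("type") == "CsrfFilter"]
    findings = []
    if not sso:
        findings.append("no SingleSignOnFilter or CrossDomainSingleSignOnFilter")
    if not csrf:
        findings.append("no CsrfFilter")
    # Assumed rule: the CSRF filter should watch the cookie that carries the SSO token.
    cookies = {expand(c.get("config", {}).get("cookieName"), props) for c in csrf}
    for s in sso:
        am = heap.get(str(s.get("config", {}).get("amService")), {})
        header = expand(am.get("config", {}).get("ssoTokenHeader"), props)
        if header and cookies - {None} and header not in cookies:
            findings.append(f"ssoTokenHeader {header!r} not a CsrfFilter cookieName")
    return findings

# Constructed sample: a trimmed form of the admin.json shown above.
SAMPLE = json.loads("""{"mode": "DEVELOPMENT",
 "properties": {"SsoTokenCookieOrHeader": "iPlanetDirectoryPro"},
 "heap": [{"name": "AmService-1", "config": {"ssoTokenHeader": "&{SsoTokenCookieOrHeader}"}}],
 "studioProtectionFilter": {"type": "ChainOfFilters", "config": {"filters": [
   {"type": "SingleSignOnFilter", "config": {"amService": "AmService-1"}},
   {"type": "CsrfFilter", "config": {"cookieName": "&{SsoTokenCookieOrHeader}"}}]}}}""")
```

Load the deployed file with `json.load` and pass the result to `audit_studio_protection` before restarting PingGateway; any returned finding means the Studio chain differs from the example on this page.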
