PingIntelligence

Configuring the PingIntelligence servlet filter

Configure the servlet filter for the PingIntelligence policy in the webdefault.xml file in PingFederate.

About this task

To define the PingIntelligence for APIs servlet filter:

Steps

  1. Add the the following filter configuration to the <pf_install>/pingfederate/etc/webdefault.xml file. Add the filter configuration within the <web-app></web-app> element.

    If there are multiple filters in the webdefault.xml file, then place pi4APIFilter at the end.

    		 
    <filter>
    <filter-name>pi4APIFilter</filter-name>
    <filter-class>com.pingidentity.pi.servlets.PI4APIServletFilter</filter-class>
    <init-param>
        <param-name>ASE-Primary-URL</param-name>
        <param-value>https://<IP address of primary ASE>:<Port number></param-value>
    </init-param>
    <init-param>
        <param-name>ASE-Secondary-URL</param-name>
        <param-value>https://<IP address of secondary ASE>:<Port number></param-value>
    </init-param>
    <init-param>
        <param-name>ASE-Token</param-name>
        <param-value><ASE authentication token></param-value>
    </init-param>
    <init-param>
          <param-name>Enable-Blocking</param-name>
          <param-value>false</param-value>
      </init-param>
  </filter>
  <filter-mapping>
    <filter-name>pi4APIFilter</filter-name>
    <url-pattern>/as/token.oauth2</url-pattern>
  </filter-mapping>

  2. Make sure the following configurations are set correctly:

    • The filter-class element is configured to com.pingidentity.pi.servlets.PI4APIServletFilter.

    • The pi4APIFilter is mapped to the token endpoint URL of PingFederate by configuring the url-pattern element to /as/token.oauth2.

    • The filter-name element in both the <filter> and <filter-mapping> blocks is pi4APIFilter.

  3. Substitute the actual values for the init parameters in the pi44APIFilter filter.

    The following table explains the PI4API init parameters in detail. The parameteers control the communication with API Security Enforcer (ASE). You can contact Ping Identity support team for the actual values of these parameters.

    Parameter Name Description

    ASE-Primary-URL

    The URL or IP address of the ASE primary host.

    To support high availability, PingIntelligence provides ASE primary and secondary nodes.

    ASE-Secondary-URL

    The URL or IP address of the ASE secondary host.

    ASE-Token

    The ASE sideband authentication token. You can obfuscate the sideband authentication token using one of the following utilities available in the PingFederate <pf_install>/pingfederate/bin/ directory:

    • On Windows: obfuscate.bat

    • On Linux: ./obfuscate.sh

    If you need further assistance in using the utility, contact Ping Identity support.

    Enable-Blocking

    You can optionally block a client that has been detected executing an attack. To block the client, you need to enable blocking in ASE by setting the Enable-Blocking to true. The default value is false.