PingOne

API Access Management

API Access Management in PingOne Authorize integrates with your API gateway to secure your APIs with centralized access control policies.

You can control access to your APIs based on a number of factors, such as:

  • Access token scopes

  • User characteristics such as location, time zone, and full or part-time employee status

  • An allow list of IP addresses

Use built-in rules to get started with access control and custom policies for more complex access management scenarios. Statements enable you to include, modify, or exclude content in API requests and responses.

Key components

An API service is a logical container in PingOne Authorize that represents a related set of API operations you want to protect. API Access Management rejects requests that don’t match any API service’s base URL.

As a basic form of access control, API Access Management validates tokens issued by PingOne SSO and external token sources such as PingOne Advanced Identity Cloud and PingOne Advanced Services. API Access Management rejects requests without a valid access token. Learn more about access control with external token sources in External OAuth servers in PingOne Authorize.

An API gateway is the bridge between your protected API and PingOne Authorize. A PingOne Authorize integration kit works alongside your API gateway to intercept incoming API calls and enforce your authorization policies. Ping Identity provides integration kits for the following popular third-party gateways:

Learn more about API Access Management components and the decision request flow in How API Access Management works.

API Access Management works with HTTP APIs and OAuth 2.0 applications, but doesn’t work with SAML applications.

Getting started

Follow these high-level steps to configure API Access Management components. The process varies based on whether access tokens are issued by PingOne SSO or an external token source. ​

  • PingOne SSO

  • External token source

Using API Access Management with PingOne SSO as the token source

Before you begin

Make sure your PingOne environment includes PingOne SSO and PingOne Authorize.

Steps

  1. Define an API service that represents your protected APIs.

  2. Add an API gateway in PingOne that represents your gateway.

  3. Configure an integration kit to connect your API gateway to PingOne.

  4. Develop access control rules and policies for protected API operations:

    Choose from:

  5. Add an application in PingOne that represents an API client.

    You can find a detailed tutorial example in Adding a banking application in PingOne.

  6. Use the client application to make a request to the protected API.

    The request is routed through your API gateway and the integration kit, and then PingOne Authorize evaluates relevant policies and returns an authorization decision that permits or denies access to the requested API resource.

  7. To validate the process, examine recent decisions and the audit log.

Using API Access Management with an external token source

Before you begin

  • Make sure your PingOne environment includes PingOne Authorize.

  • Ensure that your token source issues access tokens that meet API Access Management requirements. Learn more in External OAuth servers.

Steps

  1. In the system that issues tokens, create an OAuth 2.0 client application.

    In the next steps, you’ll need the following information from the token issuer:

    • Token issuer identifier

    • JWKS endpoint URI or JWKS document

    • Token audience

  2. In PingOne, add an external OAuth server that represents your token issuer.

  3. Define an API service that represents your protected APIs.

    Select External OAuth Server as the access token source.

  4. Add an API gateway in PingOne that represents your gateway.

  5. Configure an integration kit to connect your API gateway to PingOne.

  6. Develop custom policies for protected API operations.

    You can use built-in attributes based on access token claims in your policies. Learn more about these attributes in Access token-related attributes.

  7. Use the client application to make a request to the protected API.

    The request is routed through your API gateway and the integration kit, and then PingOne Authorize evaluates relevant policies and returns an authorization decision that permits or denies access to the requested API resource.

  8. To validate the process, examine recent decisions and the audit log.