---
title: Configuring Kong Konnect for PingOne Authorize integration
description: For Kong Konnect to use PingOne Authorize as an external authorization policy runtime service, you must download, install, and configure the `ping-auth` plugin.
component: pingone
page_id: pingone:authorization_using_pingone_authorize:p1_az_configuring_konnect_for_integration
canonical_url: https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1_az_configuring_konnect_for_integration.html
revdate: June 13, 2025
section_ids:
  control-plane: Adding the ping-auth plugin to your control plane
  steps: Steps
  steps-2: Steps
  result: Result:
  result-2: Result:
  data-plane-nodes: Uploading files to data plane nodes
  about-this-task: About this task
  steps-3: Steps
  example: Example:
  plugin-konnect: Configuring the ping-auth plugin in Konnect
  steps-4: Steps
  result-3: Result
  steps-5: Steps
  result-4: Result
---

# Configuring Kong Konnect for PingOne Authorize integration

For Kong Konnect to use PingOne Authorize as an external authorization policy runtime service, you must download, install, and configure the `ping-auth` plugin.

To configure the `ping-auth` plugin in Kong Konnect, you must:

* [Add the ping-auth plugin to your control plane](#control-plane)

* [Upload files to data plane nodes](#data-plane-nodes)

* [Configure the ping-auth plugin in Konnect](#plugin-konnect)

## Adding the ping-auth plugin to your control plane

Use the `ping-auth` plugin's `schema.lua` file to create the configurable object required by Konnect. Konnect uses this file to create a plugin entry in the plugin catalog for your control plane. If the plugin schema should be available in multiple control planes, add the schema individually to each one.

You can manage schemas for custom plugins through the Konnect UI or the Konnect Control Planes Config API.

* Konnect UI

* Konnect API

The UI isn't available when using KIC in Konnect. Use the Konnect API instead.

#### Steps

1. Download version 1.0.8-1 or later of the `kong-plugin-ping-auth` source rock (`src.rock`) from <https://luarocks.org/modules/pingidentity/kong-plugin-ping-auth>.

   Support for Kong Konnect is available in version 1.0.8 and later of the plugin.

2. Extract the `src.rock` file and store it on your local computer.

   Verify that you have the following files in the extracted `/kong-plugin/ping-auth` folder:

   * `access.lua`

   * `handler.lua`

   * `Network_handle.lua`

   * `response.lua`

   * `schema.lua`

3. In **Gateway Manager**, open a control plane.

4. In the sidebar, click **Plugins**, then click **New Plugin**.

5. On the **Custom Plugins** tab, click **Create** on the **Custom Plugin** tile.

6. Click **Select File**, then select the `schema.lua` file that you extracted in step 2.

7. Make sure your file displays correctly in the preview, then click **Save**.

When using the `/plugin-schemas` API, authenticate your requests with either a personal access token or a system account token by including it in the `Authorization` header:

```
--header 'Authorization: Bearer kpat_xgfT'
```

#### Steps

1. Upload the `schema.lua` file for your plugin using the `/plugin-schemas` endpoint:

   ```shell
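   # Authenticate with a personal access token or a system account token.
   curl -i -X POST \
   https://{region}.api.konghq.com/konnect-api/api/runtime_groups/{controlPlaneId}/v2/plugin-schemas \
   --header 'Authorization: Bearer <your token>' \
   --header 'Content-Type: application/json' \
   --data "{\"lua_schema\": <your escaped Lua schema>}"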
   ```

   ##### Result:

   You should get an `HTTP 201` response.

2. To check that your schema was uploaded, use the following request:

   ```shell
   curl -i -X GET \
   https://{region}.api.konghq.com/konnect-api/api/runtime_groups/{controlPlaneId}/v1/available-plugins \
   --header 'Authorization: Bearer <your token>'
   ```

   ##### Result:

   This request returns an `HTTP 200` response with the schema for your plugin as a JSON object.

## Uploading files to data plane nodes

### About this task

After you upload the `ping-auth` plugin's schema to Konnect, upload the following files for the plugin to each Kong Konnect data plane node:

* `access.lua`

* `handler.lua`

* `Network_handle.lua`

* `response.lua`

* `schema.lua`

If a data plane node doesn't have these files, the `ping-auth` plugin cannot run on that node.

Follow the Kong Gateway [plugin deployment](https://docs.konghq.com/gateway/latest/plugin-development/distribution/) instructions to set up the plugin on each node. Instructions can vary depending on your platform. The following instructions use Kong Gateway on Docker as an example.

Install the `ping-auth` plugin inside the Kong Konnect Docker container for each node. Copy or mount the plugin's source code into the container.

### Steps

1. In your control plane, go to **Data Plane Nodes**, then click **New Data Plane Node**.

2. Select a **Platform**, for example **Linux (Docker)**, and **Generate a certificate**.

   ![Screen capture of the 'Self-managed Hybrid Data Plane Node' screen.](_images/pat1703177191420.png)

3. Copy the generated docker run command and add the following snippet to it.

   Substitute your own source and target paths.

   * The *\<source\_path>* is the location where you extracted the `ping-auth` plugin files. This is the parent folder that contains the `ping-auth` folder.

   * The *\<target\_path>* is where you keep custom Kong plugins. This is the path to the `ping-auth` plugin.

   ```
   -v "/<source_path>/ping-auth:/<target_path>/ping-auth" \
   -e "KONG_PLUGINS=bundled,ping-auth" \
   -e "KONG_LUA_PACKAGE_PATH=/<target_path>/?.lua;;" \
   ```

4. To start a data plane node with the `ping-auth` plugin loaded, run the command.

   #### Example:

   The complete command looks similar to the following, including the three snippet lines from the previous step. In this example, `plugins/kong` represents the *\<source\_path>* and `usr/local/share/lua/5.1/kong/plugins` represents the *\<target\_path>*.

   ```shell
   docker run -d \
   -v "/plugins/kong/ping-auth:/usr/local/share/lua/5.1/kong/plugins/ping-auth" \
   -e "KONG_PLUGINS=bundled,ping-auth" \
   -e "KONG_LUA_PACKAGE_PATH=/usr/local/share/lua/5.1/kong/plugins/?.lua;;" \
   -e "KONG_ROLE=data_plane" \
   -e "KONG_DATABASE=off" \
   -e "KONG_VITALS=off" \
   -e "KONG_NGINX_WORKER_PROCESSES=1" \
   -e "KONG_CLUSTER_MTLS=pki" \
   -e "KONG_CLUSTER_CONTROL_PLANE=<example>.cp0.konghq.com:443" \
   -e "KONG_CLUSTER_SERVER_NAME=<example>.cp0.konghq.com" \
   -e "KONG_CLUSTER_TELEMETRY_ENDPOINT=<example>.tp0.konghq.com:443" \
   -e "KONG_CLUSTER_TELEMETRY_SERVER_NAME=<example>.tp0.konghq.com" \
   -e "KONG_CLUSTER_CERT=<cert>" \
   -e "KONG_CLUSTER_CERT_KEY=<key>" \
   -e "KONG_LUA_SSL_TRUSTED_CERTIFICATE=system" \
   -e "KONG_KONNECT_MODE=on" \
   -p 8000:8000 \
   -p 8443:8443 \
   kong/kong-gateway:<version>
   ```

5. To confirm the Docker deployment, run the following command:

   ```shell
   docker logs <container_id>
   ```

   ![Screen capture of the 'Create a Data Plane Node' screen confirming deployment of the configured Data Plane Node.](_images/ics1703181728936.png)

## Configuring the ping-auth plugin in Konnect

After you've uploaded the `ping-auth` plugin's schema to Konnect, configure the plugin in Gateway Manager or use the Kong API.

Test the operation of the `ping-auth` plugin before you use it in production.

* Konnect UI

* Kong API

#### Steps

1. In **Gateway Manager**, click **Plugins** in the sidebar, then click **New Plugin**.

2. On the **Custom Plugins** tab, click the **ping-auth** plugin.

3. (Optional) To enable the plugin for specific consumers, services, or routes, click **Scoped**, and then enter **Service**, **Route**, and **Consumer** information.

4. In the **Service Url** field, enter the API gateway service URL that you saved when you [prepared PingOne Authorize for Konnect integration](p1_az_preparing_for_kong_konnect_integration.html).

5. In the **Shared Secret** field, enter the credential that you saved earlier.

   The gateway credential is the shared secret that authenticates the `ping-auth` plugin to PingOne Authorize. Version 1.2.0 of the plugin supports referenceable secrets. For security reasons, store the gateway credential in a vault supported by Kong. Learn more in [Secrets Management in Konnect](https://docs.konghq.com/konnect/gateway-manager/configuration/vaults/) and [Environment Variables Vault](https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/backends/env/) in the Kong documentation.

   ![Screen capture of the Kong Konnect configure plugin screen showing configuration credentials.](_images/yln1703206046720.png)

6. Configure the following additional fields:

   | Option                         | API Field Name               | Description                                                                                                                                                                              |
   | ------------------------------ | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Connection KeepAlive Ms**    | `connection_keepAlive_ms`    | The duration to keep the connection alive for reuse. The default is `60000` milliseconds.                                                                                                |
   | **Connection Timeout Ms**      | `connection_timeout_ms`      | The duration to wait before the connection times out. The default is `10000` milliseconds.                                                                                               |
   | **Enable Debug Logging**       | `enable_debug_logging`       | Controls whether requests and responses are logged at the debug level. The default is `false`. For log messages to show in `error.log`, you must set `log_level = debug` in `kong.conf`. |
   | **Verify Service Certificate** | `verify_service_certificate` | Controls whether the service certificate is verified. The default is `true`; setting it to `false` is intended for testing purposes only. |

7. Click **Save**.

#### Result

Kong Konnect is now configured to work with PingOne Authorize.

#### Steps

1. Send the following in a POST request to `https://{region}.api.konghq.com/konnect-api/api/runtime_groups/{controlPlaneId}/plugins`:

   ```json
   {
     "name": "ping-auth",
     "enabled": true,
     "config": {
       "enable_debug_logging": true,
       "verify_service_certificate": false,
       "secret_header_name": "<shared secret header name>",
       "service_url": "https://<PingOne Server hostname>",
       "shared_secret": "<shared secret>"
     }
   }
   ```

   The following fields are required for this API request:

   * `secret_header_name`: The header name in which the shared secret is provided. You can provide additional configuration in accordance with the Kong API specification.

   * `service_url`: The full service URL of the API gateway in PingOne.

     You saved the service URL when you [prepared PingOne Authorize for Konnect integration](p1_az_preparing_for_kong_konnect_integration.html). To find this credential in PingOne, go to **Authorization > API Gateways**.

   * `shared_secret`: The shared secret value to authenticate this plugin to PingOne.

     The gateway credential is the shared secret that authenticates the `ping-auth` plugin to PingOne Authorize. Version 1.2.0 of the plugin supports referenceable secrets. For security reasons, store the gateway credential in a vault supported by Kong. Learn more in [Secrets Management in Konnect](https://docs.konghq.com/konnect/gateway-manager/configuration/vaults/) and [Environment Variables Vault](https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/backends/env/) in the Kong documentation.

2. (Optional) Configure additional fields:

   | Option                         | API Field Name               | Description                                                                                                                                                                              |
   | ------------------------------ | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Connection KeepAlive Ms**    | `connection_keepAlive_ms`    | The duration to keep the connection alive for reuse. The default is `60000` milliseconds.                                                                                                |
   | **Connection Timeout Ms**      | `connection_timeout_ms`      | The duration to wait before the connection times out. The default is `10000` milliseconds.                                                                                               |
   | **Enable Debug Logging**       | `enable_debug_logging`       | Controls whether requests and responses are logged at the debug level. The default is `false`. For log messages to show in `error.log`, you must set `log_level = debug` in `kong.conf`. |
   | **Verify Service Certificate** | `verify_service_certificate` | Controls whether the service certificate is verified. The default is `true`; setting it to `false` is intended for testing purposes only. |

#### Result

Kong Konnect is now configured to work with PingOne Authorize.
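
A pre-deployment check for the `ping-auth` request body shown in the API steps, as an added example that is not part of the Ping Identity or Kong documentation. It flags values that differ from the defaults in the options table and a `shared_secret` supplied as a literal instead of a Kong vault reference (`{vault://...}`). The helper names, hostname, header name and secret values are assumptions constructed for the example.

```python
import json
import re

# Kong vault reference syntax, e.g. {vault://env/ping-shared-secret}
VAULT_REF = re.compile(r"^\{vault://[^{}\s]+\}$")
REQUIRED = ("secret_header_name", "service_url", "shared_secret")


def lint_ping_auth(payload):
    """Return a list of findings for a ping-auth plugin body (JSON text)."""
    body = json.loads(payload)
    if body.get("name") != "ping-auth":
        return ["not a ping-auth plugin object"]
    cfg = body.get("config") or {}
    findings = [f"missing required field: {f}" for f in REQUIRED if not cfg.get(f)]
    # Defaults per the options table: verification on, debug logging off.
    if cfg.get("verify_service_certificate", True) is not True:
        findings.append("verify_service_certificate disabled (testing only)")
    if cfg.get("enable_debug_logging", False) is not False:
        findings.append("enable_debug_logging on: requests/responses are logged")
    url = str(cfg.get("service_url") or "")
    if url and not url.lower().startswith("https://"):
        findings.append("service_url is not https")
    secret = str(cfg.get("shared_secret") or "")
    if secret and not VAULT_REF.match(secret):
        findings.append("shared_secret is a literal, not a vault reference")
    return findings


def sample_body(debug, verify, secret):
    # Constructed sample: hostname, header name and secret are made up.
    return json.dumps({"name": "ping-auth", "enabled": True, "config": {
        "enable_debug_logging": debug,
        "verify_service_certificate": verify,
        "secret_header_name": "X-Example-Gateway-Secret",
        "service_url": "https://authorize.example.com",
        "shared_secret": secret,
    }})


# Same flag values as the request body on this page, with a literal secret.
AS_ON_PAGE = sample_body(True, False, "constructed-plaintext-secret")
# Table defaults plus a vault reference (constructed env-vault key name).
HARDENED = sample_body(False, True, "{vault://env/ping-shared-secret}")

if __name__ == "__main__":
    for label, body in (("as on page", AS_ON_PAGE), ("hardened", HARDENED)):
        print(label, "->", lint_ping_auth(body) or "no findings")
```

An empty list means the body keeps the table's defaults and references the secret from a vault; any finding is worth resolving before the plugin handles production traffic.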
