PingOne

Configuring the authorization plugin for Kong Gateway

Learn how to configure the authorization plugin to set up a connection between Kong Gateway and PingOne.

Before you begin

Make sure the pingoneauthorize-api-tutorials container is running in Docker.

Steps

  1. To access Kong Manager, go to http://localhost:8002.

  2. Select the default workspace, and then click Plugins.

    Screen capture of the Plugins page in Kong Manager showing the ping-auth plugin.

    The ping-auth plugin is already installed in your tutorial environment. Now you’ll configure it.

  3. On the ping-auth line, click Edit.

  4. On the Update ping-auth plugin page, click the toggle to enable the plugin.

    Screen capture of the Enable toggle for the ping-auth plugin in Kong Manager.

    Next, you’ll enter the service URL by copying it from PingOne Authorize.

  5. In PingOne, go to Authorization > API Gateways.

    This is where you register the gateway and authorize it to work with PingOne.

    Screen capture of the API Gateways page in PingOne Authorize.

  6. Copy the Service URL and enter it in the Config.Service Url field in Kong Manager.

    Screen capture of ping-auth plugin Config.Service Url and Config.Shared Secret fields in Kong Manager.

    You need a credential to authorize Kong Gateway to connect to PingOne. First, add the gateway.

  7. In PingOne, click the icon next to API Gateways to add a gateway.

  8. Enter Kong for the name of the gateway, and then click Save.

    Screen capture of the Add an API Gateway window in PingOne Authorize.

    Next, you’ll get the gateway credential to authorize Kong.

  9. Click the icon next to Credentials and copy the credential. Click Done.

    The gateway credential is the shared secret that authenticates the ping-auth plugin to PingOne Authorize. Version 1.2 of the plugin supports referenceable secrets. For security reasons, store the gateway credential in a vault supported by Kong. Learn more in Secrets Management and Environment Variables Vault in the Kong documentation.
    Screen capture of the API Gateway credential window in PingOne Authorize.

  10. In Kong Manager, enter the gateway credential in the Config.Shared Secret field.

  11. Click Update, and then click Update Plugin.

    Result:

    Kong Gateway is configured to work with PingOne. Try the Postman request again to see if access has changed.

  12. In Postman, select the Get all memes by user.0 request and click Send.

    Result:

    You receive a 404 Not Found error. This is because PingOne doesn’t recognize the Meme Game API yet. By default, requests to unknown APIs fail closed, ensuring that access to an unknown API is blocked.

    Troubleshooting:

    Not getting the right results? Learn more in Viewing API Access Management events in your PingOne environment audit log.

Result

Now you have Kong Gateway connected to PingOne so that you can manage its access control behavior in PingOne.

Next steps

In the last step, the request was blocked because PingOne isn’t configured to recognize the Meme Game API yet. Let’s tackle that next.