Configuring Kong Gateway for PingOne Authorize integration

To integrate PingOne Authorize with Kong Gateway, install and configure the integration kit. You’ll use LuaRocks to install the integration kit.

Steps

Run the following command to install the plugin:
```
luarocks install kong-plugin-ping-auth
```
Learn more in the Kong Gateway plugin installation documentation.
After installation, load the plugin into Kong by editing the plugins = bundled,ping-auth property in the kong.conf file.

Alternatively, you can use the equivalent environment variable to set this property: KONG_PLUGINS = bundled,ping-auth.
Restart Kong Gateway to apply the plugin.
To verify that Kong loads the plugin successfully, check for the debug-level message Loading plugin: ping-auth in Kong’s error.log file.
Use the Kong Gateway UI or API to complete the configuration.

Kong Gateway UI
Kong Gateway API

In Kong Manager, select the default workspace, and then click Plugins.
On the ping-auth line, click Edit.
On the Update ping-auth plugin page, click the toggle to enable the plugin.
(Optional) To enable the plugin for specific consumers, services, or routes, click Scoped and then enter Service, Route, and Consumer information as necessary.
Paste the Service URL from the API gateway you added in PingOne Authorize into the Config.Service Url field.

This is the full URL of the Ping Identity policy provider.

In the Config.Shared Secret field, enter the API gateway credential you created in PingOne Authorize.

The gateway credential is the shared secret that authenticates the ping-auth plugin to PingOne Authorize. Version 1.2 of the plugin supports referenceable secrets. For security reasons, store the gateway credential in a vault supported by Kong. Learn more in Secrets Management and Environment Variables Vault in the Kong documentation.

(Optional) Configure additional options in Kong Manager:

Option API Field Name Description

Option	API Field Name	Description
Config.Connection KeepAlive Ms	`connection_keepAlive_ms`	The duration to keep the connection alive for reuse. The default is `6000` milliseconds.
Config.Connection Timeout Ms	`connection_timeout_ms`	The duration to wait before the connection times out. The default is `10000` milliseconds.
Config.Enable Debug Logging	`enable_debug_logging`	Controls if requests and responses are logged at the debug level. The default is `false`. For log messages to show in the `error.log`, you must set `log_level = debug` in `kong.conf`.
Config.Verify Service Certificate	`verify_service_certificate`	Controls whether the service certificate is verified. This is intended for testing purposes, and the default is `true`.

Config.Connection KeepAlive Ms

connection_keepAlive_ms

The duration to keep the connection alive for reuse. The default is 6000 milliseconds.

Config.Connection Timeout Ms

connection_timeout_ms

The duration to wait before the connection times out. The default is 10000 milliseconds.

Config.Enable Debug Logging

enable_debug_logging

Controls if requests and responses are logged at the debug level. The default is false.

For log messages to show in the error.log, you must set log_level = debug in kong.conf.

Config.Verify Service Certificate

verify_service_certificate

Controls whether the service certificate is verified. This is intended for testing purposes, and the default is true.

Click Update, and then click Update Plugin.

Include the following JSON object in a POST request to https://<KONG_URL>/plugins:

{
  "name": "ping-auth",
  "enabled": true,
  "config": {
    "service_url": "<service URL>",
    "shared_secret": "<shared secret>",
    "secret_header_name": "<shared secret header name>"
  }
}

json

service_url: The Service URL from the API gateway you added in PingOne Authorize.

shared_secret: The API gateway credential you created in PingOne Authorize.

secret_header_name: The name of the header in which the shared secret is provided. The default header name is CLIENT-TOKEN.

Learn more in the Kong Gateway Admin API documentation.

(Optional) Configure additional options: