Configuring Kong Gateway for PingOne Authorize integration

To integrate PingOne Authorize with Kong Gateway, install and configure the integration kit. You’ll use LuaRocks to install the integration kit.

Steps

Run the following command to install the plugin:
```
luarocks install kong-plugin-ping-auth
```
Learn more in the Kong Gateway plugin installation documentation.
After installation, load the plugin into Kong by editing the plugins = bundled,ping-auth property in the kong.conf file.

Alternatively, you can use the equivalent environment variable to set this property: KONG_PLUGINS = bundled,ping-auth.
Restart Kong Gateway to apply the plugin.
To verify that Kong loads the plugin successfully, check for the debug-level message Loading plugin: ping-auth in Kong’s error.log file.
Use the Kong Gateway UI or API to complete the configuration.

Kong Gateway UI
Kong Gateway API

In Kong Manager, select the default workspace, and then go to API Gateway > Plugins.
Click the More Options (⋮) icon next to the ping-auth plugin, and then select Edit.
On the Edit Plugin: ping-auth page, click the toggle to enable the plugin.
(Optional) To enable the plugin for specific consumers, services, or routes, click Scoped and then enter Gateway Service, Route, and Consumer information as necessary.
Paste the Service URL from the API gateway you added in PingOne Authorize into the service_url field.

This is the full URL of the Ping Identity policy provider.

In the shared_secret field, enter the API gateway credential you created in PingOne Authorize.

The gateway credential is the shared secret that authenticates the ping-auth plugin to PingOne Authorize. Version 1.2.0 of the plugin supports referenceable secrets. For security reasons, store the gateway credential in a vault supported by Kong. Learn more in Secrets Management and Environment Variables Vault in the Kong documentation.

(Optional) Configure additional options in Kong Manager:

Option API Field Name Description

Option	API Field Name	Description
connection_keepAlive_ms	`connection_keepAlive_ms`	The duration to keep the connection alive for reuse. The default is `6000` milliseconds.
connection_timeout_ms	`connection_timeout_ms`	The duration to wait before the connection times out. The default is `10000` milliseconds.
enable_debug_logging	`enable_debug_logging`	Controls if requests and responses are logged at the debug level. The default is `false`. For log messages to show in the `error.log`, you must set `log_level = debug` in `kong.conf`.
verify_service_certificate	`verify_service_certificate`	Controls whether the service certificate is verified. This is intended for testing purposes, and the default is `true`.

connection_keepAlive_ms

connection_keepAlive_ms

The duration to keep the connection alive for reuse. The default is 6000 milliseconds.

connection_timeout_ms

connection_timeout_ms

The duration to wait before the connection times out. The default is 10000 milliseconds.

enable_debug_logging

enable_debug_logging

Controls if requests and responses are logged at the debug level. The default is false.

For log messages to show in the error.log, you must set log_level = debug in kong.conf.

verify_service_certificate

verify_service_certificate

Controls whether the service certificate is verified. This is intended for testing purposes, and the default is true.

Click Save, and then click Update Plugin.

Include the following JSON object in a POST request to https://<KONG_URL>/plugins:

{
  "name": "ping-auth",
  "enabled": true,
  "config": {
    "service_url": "<service URL>",
    "shared_secret": "<shared secret>",
    "secret_header_name": "<shared secret header name>"
  }
}

service_url: The Service URL from the API gateway you added in PingOne Authorize.

shared_secret: The API gateway credential you created in PingOne Authorize.

secret_header_name: The name of the header in which the shared secret is provided. The default header name is CLIENT-TOKEN.

Learn more in the Kong Gateway Admin API documentation.

(Optional) Configure additional options: