--- title: Configuring Kong Gateway for PingOne Authorize integration description: Integrate PingOne Authorize with Kong Gateway by installing and configuring the integration kit. component: pingone page_id: pingone:authorization_using_pingone_authorize:p1az_configuring_kong_for_p1az_integration canonical_url: https://docs.pingidentity.com/pingone/authorization_using_pingone_authorize/p1az_configuring_kong_for_p1az_integration.html revdate: July 31, 2025 section_ids: steps: Steps result: Result next-steps: Next steps --- # Configuring Kong Gateway for PingOne Authorize integration To integrate PingOne Authorize with [Kong Gateway](https://docs.konghq.com/gateway/latest), install and configure the integration kit. You'll use [LuaRocks](https://luarocks.org/modules/pingidentity/kong-plugin-ping-auth) to install the integration kit. ## Steps 1. Run the following command to install the plugin: ``` luarocks install kong-plugin-ping-auth ``` Learn more in the [Kong Gateway plugin installation](https://docs.konghq.com/gateway/latest/plugin-development/distribution/#install-the-plugin) documentation. 2. After installation, load the plugin into Kong by editing the `plugins = bundled,ping-auth` property in the `kong.conf` file. Alternatively, you can use the equivalent environment variable to set this property: `KONG_PLUGINS = bundled,ping-auth`. 3. Restart Kong Gateway to apply the plugin. 4. To verify that Kong loads the plugin successfully, check for the debug-level message `Loading plugin: ping-auth` in Kong's `error.log` file. 5. Use the Kong Gateway UI or API to complete the configuration. * Kong Gateway UI * Kong Gateway API 1. In Kong Manager, select the **default** workspace, and then go to **API Gateway > Plugins**. ![Screen capture of the Plugins page in Kong Manager.](_images/p1-az-aam-kong-plugins.png) 2. Click the **More Options (⋮)** icon next to the `ping-auth` plugin, and then select **Edit**. 3. On the **Edit Plugin: ping-auth** page, click the toggle to enable the plugin. ![Screen capture of the Enable toggle for the ping-auth plugin in Kong Manager.](_images/p1-az-aam-kong-plugins-enable.png) 4. (Optional) To enable the plugin for specific consumers, services, or routes, click **Scoped** and then enter **Gateway Service**, **Route**, and **Consumer** information as necessary. 5. Paste the **Service URL** from the [API gateway you added in PingOne Authorize](p1az_configuring_p1az_for_kong_integration.html) into the **service\_url** field. This is the full URL of the Ping Identity policy provider. ![Screen capture of ping-auth plugin configuration fields in Kong Manager.](_images/p1-az-aam-kong-plugins-service-url.png) 6. In the **shared\_secret** field, enter the API gateway credential you created in PingOne Authorize. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The gateway credential is the shared secret that authenticates the `ping-auth` plugin to PingOne Authorize. Version 1.2.0 of the plugin supports referenceable secrets. For security reasons, store the gateway credential in a vault supported by Kong. Learn more in [Secrets Management](https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/) and [Environment Variables Vault](https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/backends/env/) in the Kong documentation. | 7. (Optional) Configure additional options in Kong Manager: | Option | API Field Name | Description | | -------------------------------- | ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **connection\_keepAlive\_ms** | `connection_keepAlive_ms` | The duration to keep the connection alive for reuse. The default is `6000` milliseconds. | | **connection\_timeout\_ms** | `connection_timeout_ms` | The duration to wait before the connection times out. The default is `10000` milliseconds. | | **enable\_debug\_logging** | `enable_debug_logging` | Controls if requests and responses are logged at the debug level. The default is `false`.For log messages to show in the `error.log`, you must set `log_level = debug` in `kong.conf`. | | **verify\_service\_certificate** | `verify_service_certificate` | Controls whether the service certificate is verified. This is intended for testing purposes, and the default is `true`. | 8. Click **Save**, and then click **Update Plugin**. 1) Include the following JSON object in a POST request to https\://\/plugins: ```json { "name": "ping-auth", "enabled": true, "config": { "service_url": "", "shared_secret": "", "secret_header_name": "" } } ``` * `service_url`: The **Service URL** from the [API gateway you added in PingOne Authorize](p1az_configuring_p1az_for_kong_integration.html). * `shared_secret`: The API gateway credential you created in PingOne Authorize. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The gateway credential is the shared secret that authenticates the `ping-auth` plugin to PingOne Authorize. Version 1.2.0 of the plugin supports referenceable secrets. For security reasons, store the gateway credential in a vault supported by Kong. Learn more in [Secrets Management](https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/) and [Environment Variables Vault](https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/backends/env/) in the Kong documentation. | * `secret_header_name`: The name of the header in which the shared secret is provided. The default header name is `CLIENT-TOKEN`. Learn more in the [Kong Gateway Admin API](https://docs.konghq.com/gateway/api/admin-ee/latest/#/operations/create-plugin) documentation. 2) (Optional) Configure additional options: | Option | API Field Name | Description | | -------------------------------- | ---------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **connection\_keepAlive\_ms** | `connection_keepAlive_ms` | The duration to keep the connection alive for reuse. The default is `6000` milliseconds. | | **connection\_timeout\_ms** | `connection_timeout_ms` | The duration to wait before the connection times out. The default is `10000` milliseconds. | | **enable\_debug\_logging** | `enable_debug_logging` | Controls if requests and responses are logged at the debug level. The default is `false`.For log messages to show in the `error.log`, you must set `log_level = debug` in `kong.conf`. | | **verify\_service\_certificate** | `verify_service_certificate` | Controls whether the service certificate is verified. This is intended for testing purposes, and the default is `true`. | ## Result Kong Gateway is now configured to work with PingOne Authorize. ## Next steps Define a managed API service that represents your API so that PingOne Authorize can help your API gateway enforce access control. Learn more in [Defining your API in PingOne Authorize](p1az_add_api_service.html).