PingOne Advanced Identity Cloud

Authorize application access in journeys

Description

Estimated time to complete: 30 minutes

In this use case, you register an internal high-risk application named PayrollHub and add an access policy that allows only members of the Managers group to sign in during business hours.

You then add an App Policy Decision node to a journey so that Advanced Identity Cloud automatically evaluates policy during authentication. This lets you verify access before sign-on completes, without writing custom scripts or configuring authorization separately.

The journey is also configured to run on every access attempt, so the authorization policy is evaluated each time an employee opens PayrollHub, even if they already have a session.

Goals

After completing this use case, you’ll know how to do the following:

  • Onboard an OpenID Connect (OIDC) web application in Advanced Identity Cloud.

  • Enforce application-specific authorization rules during authentication, filtering access by group membership and time-of-day restrictions.

  • Use the App Policy Decision node in a journey to evaluate the application’s access policy.

Prerequisites

Before you start, make sure you have the following:

Tasks

Task 1: Create a custom application

In this task, you register PayrollHub as a custom OIDC web application in Advanced Identity Cloud. This represents the internal application that employees access from their company website.

  1. In the Advanced Identity Cloud admin console, go to Applications and click add Custom Application.

  2. Select OIDC - OpenId Connect as the sign-in method and Web as the application type.

  3. On the Application Details page, enter PayrollHub as the application name, select an application owner from the list, and click Next.

  4. Enter a client secret.

    Make a note of the Client ID and Client Secret values.

  5. Click Create Application.

  6. On the Sign On tab, configure the following:

    Field Value

    Sign-in URLs

    https://PayrollHub.internal/signin

    Grant Types

    Authorization Code

    Scopes

    openid profile

  7. Click Save.

Task 2: Assign the test user to the application

  1. In the PayrollHub application, click the Users & Roles tab.

  2. Click Add Member and select your test user.

  3. Click Assign.

The test user is now able to sign on to PayrollHub.

Task 3: Restrict access to the application

In this task, you add an access policy to PayrollHub that restricts sign-on to managers who have been given access to the application and are signing on during business hours.

The App Policy Decision node evaluates this policy automatically during the authentication journey. Learn more in Configure an application authorization policy.

  1. In the Advanced Identity Cloud admin console, go to Applications and open PayrollHub.

  2. Click the Sign On tab.

  3. In the Access Policy section, click add Create a Policy.

  4. In the Add Access Policy modal, select Group-based Access and click Next.

  5. Select All to restrict access to users who meet all criteria.

  6. For the first policy condition, set the following values:

    Condition

    User Group Membership

    equals

    Value

    Managers

  7. Click add then Add Condition.

  8. For the second policy condition, set the following values:

    Condition

    Day, Date, or Time Range

    Time Range

    Start Time

    08:00

    End Time

    18:00

  9. Click add then Add Condition.

  10. For the third condition, set the following values:

    Condition

    User Application Membership

  11. Click Save.

The saved access policy looks similar to this:

Access policy

Only users who are in the Managers group, have access to the PayrollHub application, and sign on between 8am and 6pm can access PayrollHub.

All other users are denied access.

Task 4: Create a journey to control application access

In this task, you create a custom journey to control access to the PayrollHub application.

The journey uses the App Policy Decision node to check the application’s access policy during authentication.

  1. In the Advanced Identity Cloud admin console, click Journeys > Journeys.

  2. Click add Add Journey, select Start from scratch, and then click Next.

  3. Enter a name, for example AppAuthorizationJourney.

  4. Select people Alpha Realm Users - managed/alpha_user as the identity object.

  5. Save your changes.

    You don’t need to select the option to run the journey for all users regardless of current sessions because this is enabled by default for application journeys.

  6. Add these nodes to the canvas:

    • Page node containing:

      • Platform Username node

      • Platform Password node

    • Data Store Decision node

    • App Policy Decision node

    • Failure

    • Success

  7. Connect the nodes as follows:

    Get access token journey
    You could add an extra level of security by requiring multi-factor authentication (MFA) for users who are granted access by the App Policy Decision node.
  8. Click Save.

The App Policy Decision node identifies the calling application from the authentication request and evaluates the access policy configured on that application.

Task 5: Associate the journey with the application

In this task, you configure PayrollHub to use the journey you created.

  1. In the Advanced Identity Cloud admin console, go to Applications and open PayrollHub.

  2. Go to Sign On > General Settings > Show advanced settings > Authentication.

  3. Click Use a journey to authenticate users to this application.

  4. In the Journey field, select AppAuthorizationJourney.

  5. Click Save.

The application is now configured to use the journey you created to control access.

Validation

Test that the journey correctly enforces your authorization policy.

Steps

  1. Open a browser in incognito mode and start an OAuth 2.0 authorization code sign-in flow, for example:

    https://<tenant-env-fqdn>/am/oauth2/alpha/authorize?client_id=PayrollHub&redirectUri=http://www.PayrollHub.internal/signin&scope=openid&response_type=code

  2. Sign on between the hours of 8am and 6pm with a user who is a member of the Managers group and has access to PayrollHub.

    The user should be granted access and redirected to the application with an authorization code.

  3. Sign on again with a user who isn’t a member of the Managers group.

    The user should be denied access and the journey should reach the Failure node.

  4. Sign on again with a valid user, then immediately start a second authorization code flow.

    Advanced Identity Cloud should prompt for credentials even though an active session exists, because the journey is configured to always run.

Explore further

Reference material

Reference Description

Provides information about the node configuration and outcomes, including evaluation of the application’s access policy.

How to configure an application access policy.

Information about the app authorization policy set included in Advanced Identity Cloud.

Associate a journey with an OIDC or SAML app so users authenticate with a flow tailored to that application.