---
title: Authorize application access in journeys
description: Control access to OIDC applications by evaluating authorization policies in Advanced Identity Cloud journeys
component: pingoneaic
page_id: pingoneaic:use-cases:use-case-app-authz-journeys
canonical_url: https://docs.pingidentity.com/pingoneaic/use-cases/use-case-app-authz-journeys.html
llms_txt: https://docs.pingidentity.com/pingoneaic/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
keywords: ["Use Case", "Journeys", "Authorization", "Policy", "SAML", "OIDC", "Application"]
section_ids:
  app-authz-journeys-description: Description
  app-authz-journeys-goals: Goals
  app-authz-journeys-prereqs: Prerequisites
  app-authz-journeys-tasks: Tasks
  app-authz-journeys-task-1: "Task 1: Create a custom application"
  app-authz-journeys-task-2: "Task 2: Assign the test user to the application"
  app-authz-journeys-task-3: "Task 3: Restrict access to the application"
  app-authz-journeys-task-4: "Task 4: Create a journey to control application access"
  app-authz-journeys-task-5: "Task 5: Associate the journey with the application"
  app-authz-journeys-validation: Validation
  app-authz-journeys-validation-steps: Steps
  app-authz-explore-further: Explore further
  oidc-idp-reference: Reference material
---

# Authorize application access in journeys

## Description

Estimated time to complete: 30 minutes *(tooltip: This estimate assumes you complete the prerequisites first.)*

In this use case, you register an internal high-risk application named PayrollHub and add an access policy that allows only members of the `Managers` group to sign in during business hours.

You then add an [App Policy Decision node](https://docs.pingidentity.com/auth-node-ref/latest/app-policy-decision.html) to a journey so that Advanced Identity Cloud automatically evaluates policy during authentication. This lets you verify access before sign-on completes, without writing custom scripts or configuring authorization separately.

The journey is also configured to run on every access attempt, so the authorization policy is evaluated each time an employee opens PayrollHub, even if they already have a session.

### Goals

After completing this use case, you'll know how to do the following:

* Onboard an OpenID Connect (OIDC) web application in Advanced Identity Cloud.

* Enforce application-specific authorization rules during authentication, filtering access by group membership and time-of-day restrictions.

* Use the App Policy Decision node in a journey to evaluate the application's access policy.

## Prerequisites

Before you start, make sure you have the following:

* A basic understanding of:

  * [Journeys and nodes](../journeys/journeys.html).

  * [Authorization and policy decisions](../am-authorization/what-is-authz-decision.html).

* Access to your Advanced Identity Cloud development environment as a tenant administrator.

* A test user [added to the Managers group](../idm-objects/manage-groups.html#create-a-group).

## Tasks

### Task 1: Create a custom application

In this task, you register PayrollHub as a custom OIDC web application in Advanced Identity Cloud. This represents the internal application that employees access from their company website.

1. In the Advanced Identity Cloud admin console, go to Applications and click [icon: add, set=material, size=inline] Custom Application.

2. Select OIDC - OpenId Connect as the sign-in method and Web as the application type.

3. On the Application Details page, enter `PayrollHub` as the application name, select an application owner from the list, and click Next.

4. Enter a client secret.

   Make a note of the Client ID and Client Secret values.

5. Click Create Application.

6. On the Sign On tab, configure the following:

   | Field        | Value                                |
   | ------------ | ------------------------------------ |
   | Sign-in URLs | `https://PayrollHub.internal/signin` |
   | Grant Types  | `Authorization Code`                 |
   | Scopes       | `openid profile`                     |

7. Click Save.

### Task 2: Assign the test user to the application

1. In the PayrollHub application, click the Users & Roles tab.

2. Click Add Member and select your test user.

3. Click Assign.

The test user is now able to sign on to PayrollHub.

### Task 3: Restrict access to the application

In this task, you add an access policy to PayrollHub that restricts sign-on to managers who have been given access to the application and are signing on during business hours.

The [App Policy Decision node](https://docs.pingidentity.com/auth-node-ref/latest/app-policy-decision.html) evaluates this policy automatically during the authentication journey. Learn more in [Configure an application authorization policy](../app-management/configure-app-authorization-policy.html).

1. In the Advanced Identity Cloud admin console, go to Applications and open PayrollHub.

2. Click the Sign On tab.

3. In the Access Policy section, click [icon: add, set=material, size=inline] Create a Policy.

4. In the Add Access Policy modal, select Group-based Access and click Next.

5. Select All to restrict access to users who meet all criteria.

6. For the first policy condition, set the following values:

   |           |                         |
   | --------- | ----------------------- |
   | Condition | `User Group Membership` |
   | equals    |                         |
   | Value     | `Managers`              |

7. Click [icon: add, set=material, size=inline] then Add Condition.

8. For the second policy condition, set the following values:

   |            |                            |
   | ---------- | -------------------------- |
   | Condition  | `Day, Date, or Time Range` |
   | Time Range |                            |
   | Start Time | `08:00`                    |
   | End Time   | `18:00`                    |

9. Click [icon: add, set=material, size=inline] then Add Condition.

10. For the third condition, set the following values:

    |           |                               |
    | --------- | ----------------------------- |
    | Condition | `User Application Membership` |

11. Click Save.

The saved access policy looks similar to this:

![Access policy](_images/use-case-app-authz-journeys/app-authz-access-policy.png)

Only users who are in the Managers group, have access to the PayrollHub application, and sign on between 8am and 6pm can access PayrollHub.

All other users are denied access.

### Task 4: Create a journey to control application access

In this task, you create a custom journey to control access to the PayrollHub application.

The journey uses the [App Policy Decision node](https://docs.pingidentity.com/auth-node-ref/latest/app-policy-decision.html) to check the application's access policy during authentication.

1. In the Advanced Identity Cloud admin console, click Journeys > Journeys.

2. Click [icon: add, set=material, size=inline] Add Journey, select Start from scratch, and then click Next.

3. Enter a name, for example `AppAuthorizationJourney`.

4. Select `people Alpha Realm Users - managed/alpha_user` as the identity object.

5. Save your changes.

   |   |                                                                                                                                                                                                                                                                                                                                                                                        |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You don't need to select the option to run the journey for all users regardless of current sessions because this is enabled by default for application journeys.Learn more in [Configure an authentication journey to always run](../am-authentication/configure-authentication-trees.html#enable-journey-completion) and [Custom journeys](../journeys/journeys.html#custom-journey). |

6. Add these nodes to the canvas:

   * Page node containing:

     * Platform Username node

     * Platform Password node

   * Data Store Decision node

   * App Policy Decision node

   * Failure

   * Success

7. Connect the nodes as follows:

   ![Get access token journey](_images/use-case-app-authz-journeys/app-authz-journey.png)

   |   |                                                                                                                                                           |
   | - | --------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | You could add an extra level of security by requiring multi-factor authentication (MFA) for users who are granted access by the App Policy Decision node. |

8. Click Save.

The App Policy Decision node identifies the calling application from the authentication request and evaluates the access policy configured on that application.

### Task 5: Associate the journey with the application

In this task, you configure PayrollHub to use the journey you created.

1. In the Advanced Identity Cloud admin console, go to Applications and open PayrollHub.

2. Go to Sign On > General Settings > Show advanced settings > Authentication.

3. Click Use a journey to authenticate users to this application.

4. In the Journey field, select `AppAuthorizationJourney`.

5. Click Save.

The application is now configured to use the journey you created to control access.

## Validation

Test that the journey correctly enforces your authorization policy.

### Steps

1. Open a browser in incognito mode and start an OAuth 2.0 authorization code sign-in flow, for example:

   `https://<tenant-env-fqdn>/am/oauth2/alpha/authorize?client_id=PayrollHub&redirectUri=http://www.PayrollHub.internal/signin&scope=openid&response_type=code`

2. Sign on between the hours of 8am and 6pm with a user who is a member of the `Managers` group and has access to PayrollHub.

   The user should be granted access and redirected to the application with an authorization code.

3. Sign on again with a user who isn't a member of the `Managers` group.

   The user should be denied access and the journey should reach the Failure node.

4. Sign on again with a valid user, then immediately start a second authorization code flow.

   Advanced Identity Cloud should prompt for credentials even though an active session exists, because the journey is configured to always run.

## Explore further

### Reference material

| **Reference**                                                                                           | **Description**                                                                                                          |
| ------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| [App Policy Decision node](https://docs.pingidentity.com/auth-node-ref/latest/app-policy-decision.html) | Provides information about the node configuration and outcomes, including evaluation of the application's access policy. |
| [Application access policy](../app-management/configure-app-authorization-policy.html).                 | How to configure an application access policy.                                                                           |
| [Default policy sets](../am-authorization/configuring-policy-sets.html#default-policy-sets)             | Information about the app authorization policy set included in Advanced Identity Cloud.                                  |
| [Application journeys](../app-management/application-journeys.html)                                     | Associate a journey with an OIDC or SAML app so users authenticate with a flow tailored to that application.             |
