With growing numbers of internal and external users, and more and more enterprise resources available online, it is important to ensure that qualified users can access only those applications to which they have permission. A WAM environment provides authentication and policy-based access management while integrating with existing infrastructure.

Deployed at the perimeter of a protected network between browsers and protected web-based applications, PingAccess Gateway performs the following actions:

  • Receives inbound calls requesting access to web applications

    Web session-protected requests contain a previously-obtained PingAccess token in a cookie derived from the user's profile during an OpenID Connect (OIDC) based sign on at PingFederate.

  • Evaluates application and resource-level policies and validates the tokens in conjunction with an OIDC Policy configured within PingFederate
  • Acquires the appropriate target security token (site authenticators) from the PingFederate security token service (STS) or from a cache, including attributes and authorized scopes, should a web application require identity mediation
  • Makes authorized requests to the sites where the web applications reside and responses are received and processed
  • Relays the responses on to the browsers

The following sections describe sample proof of concept and production architectures for a WAM use case deployment: