When a user authenticates, PingAccess applies the application and resource-level policies to the Web Access Management (WAM) request.
After policy evaluation is passed, any required token mediation between the backend site and the authenticated user is performed. The user is then granted access to the site.
- When a user requests access to a web resource from PingAccess, PingAccess inspects the request for a PingAccess token.
- If the PingAccess token is missing, PingAccess redirects the user to an OpenID Connect Provider (OP) for authentication.

  Note: When using an OP, you must already have an OAuth client configured in PingAccess. For steps on configuring an OAuth client within PingFederate, see the PingFederate Administrator's Manual. To configure the OAuth client within PingAccess, see the PingAccess scenario to configure a token provider.
- The OP follows the appropriate authentication process, evaluates domain-level policies, and issues an OpenID Connect (OIDC) ID token to PingAccess.
- PingAccess validates the ID token, issues a PingAccess token, and sends it to the browser in a cookie during a redirect to the original target resource.
- Before granting access to the resource, PingAccess evaluates application and resource-level policies and optionally audits the request.

  Note: PingAccess can perform token mediation by exchanging the PingAccess token for the appropriate security token from the PingFederate security token service (STS), or from a cache if token mediation occurred recently.
- PingAccess forwards the request to the target site.
- PingAccess processes the response from the site to the browser (step not shown).
For more information, see the session management scenario.
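The sequence above, reduced to a runnable model of the gateway's decisions. This is an added example, not PingAccess or PingFederate code: HMAC-signed JSON blobs stand in for the OP's ID token and for the PingAccess token, the keys, issuer, client ID, cookie name and the path-to-group policy table are constructed, and the browser round trip is replaced by direct function calls. What it shows is the checks a policy enforcement point has to make at each step: no token means a redirect to the OP with a fresh state and nonce; the callback accepts an ID token only if its signature, issuer, audience, nonce and expiry all check out; the gateway token is then presented in a cookie, and every subsequent request is policy-evaluated and audited before being forwarded.

```python
"""Simplified model of the WAM flow described above (constructed example, not
PingAccess or PingFederate code). HMAC-signed JSON blobs stand in for the OP's
ID token and for the PingAccess token; the real products use their own formats."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

OP_KEY = b"constructed-op-signing-key"  # stands in for the OP's signing key (assumption)
PA_KEY = b"constructed-gateway-key"     # key the gateway signs its own token with (assumption)
OP_ISSUER = "https://op.example"        # hypothetical OP
CLIENT_ID = "pa-client"                 # hypothetical OAuth client registered at the OP
COOKIE = "PA_SESSION"                   # hypothetical cookie carrying the gateway token
# Constructed resource-level policy: path prefix -> groups allowed to reach it.
POLICIES = {"/admin": {"admins"}, "/app": {"admins", "users"}}


def sign_token(key, claims):
    """Encode claims as base64url JSON and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode().rstrip("=")
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def verify_token(key, token):
    """Return the claims if the tag matches (constant-time compare), else None."""
    body, _, tag = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not tag or not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))


def op_issue_id_token(sub, groups, nonce, now):
    """OP side: after authenticating the user, mint an ID token bound to the nonce."""
    return sign_token(OP_KEY, {"iss": OP_ISSUER, "aud": CLIENT_ID, "sub": sub,
                               "groups": groups, "nonce": nonce, "exp": now + 300})


def parse_redirect(location):
    """Extract the state and nonce the gateway placed in the authorization request."""
    q = parse_qs(urlparse(location).query)
    return q["state"][0], q["nonce"][0]


class Gateway:
    """Policy enforcement point modelling the steps in the list above."""

    def __init__(self):
        self.pending = {}   # state -> (nonce, original path) awaiting the OP callback
        self.audit = []     # (path, subject, decision) records

    def handle(self, path, cookies, now):
        """Inspect the request for a gateway token; redirect to the OP if it is missing,
        otherwise evaluate the resource policy, audit, and forward."""
        claims = verify_token(PA_KEY, cookies.get(COOKIE, ""))
        if claims is None or claims["exp"] <= now:
            state, nonce = secrets.token_hex(8), secrets.token_hex(8)
            self.pending[state] = (nonce, path)
            query = urlencode({"client_id": CLIENT_ID, "response_type": "code",
                               "scope": "openid", "state": state, "nonce": nonce})
            return "redirect", OP_ISSUER + "/authorize?" + query, {}
        allowed = any((path == p or path.startswith(p + "/")) and set(claims["groups"]) & g
                      for p, g in POLICIES.items())
        self.audit.append((path, claims["sub"], allowed))
        if not allowed:
            return "forbidden", None, {}
        return "forward", path, {"X-Subject": claims["sub"]}   # identity passed to the site

    def callback(self, state, id_token, now):
        """Validate the OP's ID token, mint the gateway token, redirect to the target."""
        nonce, path = self.pending.pop(state, (None, None))
        claims = verify_token(OP_KEY, id_token)
        if (path is None or claims is None or claims["iss"] != OP_ISSUER
                or claims["aud"] != CLIENT_ID or claims["nonce"] != nonce
                or claims["exp"] <= now):
            return "forbidden", None, {}
        pa_token = sign_token(PA_KEY, {"sub": claims["sub"], "groups": claims["groups"],
                                       "exp": now + 3600})
        return "redirect", path, {COOKIE: pa_token}


def run_flow(sub, groups, path, now=1_700_000_000):
    """Drive one user through the whole sequence; return the final decision and cookie."""
    gw = Gateway()
    action, location, _ = gw.handle(path, {}, now)          # first request: no cookie yet
    assert action == "redirect"
    state, nonce = parse_redirect(location)
    id_token = op_issue_id_token(sub, groups, nonce, now)   # OP authenticates the user
    action, target, cookies = gw.callback(state, id_token, now)
    assert action == "redirect" and target == path
    return gw.handle(path, cookies, now)[0], cookies


if __name__ == "__main__":
    print(run_flow("alice", ["users"], "/app")[0])    # forward
    print(run_flow("alice", ["users"], "/admin")[0])  # forbidden
```

The tests that matter for a deployment map onto the failure modes of the flow: a tampered or expired gateway cookie is treated exactly like a missing one (back to the OP, never a silent pass), an ID token whose audience or nonce does not match what this gateway asked for is refused at the callback, and a valid session still fails the resource policy when the user's groups do not cover the path.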