For each application that you want to configure:

  1. Create a virtual host.

    For more information on creating a virtual host, see Creating new virtual hosts.

    Important:

    In a typical configuration for this solution, you will create a virtual host for every application.

    1. Click Applications and then go to Applications > Virtual Hosts.
    2. Click + Add Virtual Host.
    3. In the Host field, enter the FQDN portion of the Azure AD External URL.
      For example, external URLs of https://app-tenant.msappproxy.net/ and https://app-tenant.msappproxy.net/AppName will both have a Host entry of app-tenant.msappproxy.net.
    4. In the Port field, enter 443.
    5. Click Save.
  2. Create a web session.

    For more information on creating a web session, see Creating web sessions.

    1. Click Access and then go to Web Sessions > Web Sessions.
    2. Click + Add Web Session.
    3. In the Name field, enter a name for the web session.
    4. From the Cookie Type list, select your cookie type, either Signed JWT or Encrypted JWT.
    5. In the Audience field, enter a unique value.
    6. In the Client ID field, enter the Azure AD application ID.
    7. From the Client Credentials Type list, select Secret.
    8. In the Client Secret field, enter the client secret you generated for the application in Azure AD.
    9. Optional: To create and use custom claims with the Azure AD Graph API, click Advanced and clear the Request Profile and Refresh User Attributes check boxes.

      For more information on using custom claims, see Optional - Use a custom claim.

    10. Click Save.
  3. Create an identity mapping.

    For more information on creating an identity mapping, see Creating header identity mappings.

    Note:

    An identity mapping can be used with more than one application if more than one application is expecting the same data in the header.

    1. Click Access and then go to Identity Mappings > Identity Mappings.
    2. Click + Add Identity Mapping.
    3. In the Name field, enter a name.
    4. From the Type list, select Header Identity Mapping.
    5. In the Attribute to Header Mapping table, specify the required mappings.
      For example:

      Attribute Name    Header Name
      upn               x-userprinciplename
      email             x-email
      oid               x-oid
      scp               x-scope
      amr               x-amr

    6. Click Save.
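The following is an added illustration, not PingAccess code, of what a header identity mapping like the one above does at request time: each configured attribute is read from the verified web session claims and written to the corresponding header before the request is forwarded to the site. The mapping table is the one shown above; the sample claims and inbound headers are constructed for this example. The example also shows the check a practitioner would want, namely that any inbound header with one of the mapped names is dropped, so the site only sees values the gateway asserted from the token.

```python
# Added illustration (not PingAccess code) of a header identity mapping.
# Mapping table taken from the procedure; claims and inbound headers are constructed.
from typing import Any, Dict, Mapping

# Attribute-to-header mapping as configured in the Identity Mapping dialog.
ATTRIBUTE_TO_HEADER: Dict[str, str] = {
    "upn": "x-userprinciplename",
    "email": "x-email",
    "oid": "x-oid",
    "scp": "x-scope",
    "amr": "x-amr",
}


def serialize_claim(value: Any) -> str:
    """Render one claim value as a single header value.

    Multi-valued claims such as amr (a list of authentication methods)
    are joined with spaces; scalar claims are passed through as strings.
    """
    if isinstance(value, (list, tuple)):
        return " ".join(str(v) for v in value)
    return str(value)


def map_identity_headers(
    claims: Mapping[str, Any],
    inbound_headers: Mapping[str, str],
    mapping: Mapping[str, str] = ATTRIBUTE_TO_HEADER,
) -> Dict[str, str]:
    """Return the header set to forward to the site.

    - Every inbound header whose name (case-insensitively) is one of the
      mapped header names is removed, so a client cannot pre-populate them.
    - Each mapped attribute present in the verified claims is written to
      its header; a claim that is absent simply produces no header.
    """
    mapped_names = {name.lower() for name in mapping.values()}
    forwarded = {
        name: value
        for name, value in inbound_headers.items()
        if name.lower() not in mapped_names
    }
    for attribute, header in mapping.items():
        if attribute in claims:
            forwarded[header] = serialize_claim(claims[attribute])
    return forwarded


# Constructed sample data: claims as they would appear in the web session
# token, and the headers that arrived on the inbound request.
SAMPLE_CLAIMS: Dict[str, Any] = {
    "upn": "alice@contoso.example",
    "oid": "11111111-2222-3333-4444-555555555555",
    "scp": "User.Read",
    "amr": ["pwd", "mfa"],
    # no "email" claim: no x-email header will be produced
}
SAMPLE_INBOUND: Dict[str, str] = {
    "Host": "app-tenant.msappproxy.net",
    "X-Oid": "client-supplied-value",  # overwritten from the verified claim
}

if __name__ == "__main__":
    for name, value in map_identity_headers(SAMPLE_CLAIMS, SAMPLE_INBOUND).items():
        print(f"{name}: {value}")
```

The design point worth noting is that a header identity mapping is only as trustworthy as the path by which the site receives the headers: the site must accept these headers from the gateway alone, and the gateway must replace, never merge, any header of the same name that a client sends.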
  4. Create a site.

    For more information on creating a site, see Adding sites.

    Note:

    A site can host more than one application. Where appropriate, reuse the same site for each of the applications that it hosts.

    1. Click Applications and then go to Sites > Sites.
    2. Click + Add Site.
    3. In the Name field, enter a name for the site.
    4. In the Target field, specify the target.

      The target is the hostname:port pair for the server hosting the application. Do not enter the path for the application in this field. For example, an application at https://mysite:9999/AppName will have a target value of mysite:9999.

    5. From the Secure list, select whether or not the target is expecting secure connections.
    6. Click Save.
  5. Create an application in PingAccess for each application in Azure that you want to protect.

    For more information on creating an application, see Adding an application.

    1. Click Applications and then go to Applications > Applications.
    2. Click + Add Application.
    3. In the Name field, enter a name for the application.
    4. In the Description field, enter a description for the application.
    5. In the Context Root field, specify the context root for the application.

      For example, an application at https://mysite:9999/AppName will have a context root of /AppName. If the application is on the root of the server, you can set the context root as /. The context root must begin with a slash (/), must not end with a slash (/), and can be more than one layer deep, for example, /Apps/MyApp.

    6. From the Virtual Host list, select the virtual host you created.

      Note:

      The combination of virtual host and context root must be unique in PingAccess.

    7. From the Application Type list, select Web.
    8. From the Web Session list, select the web session you created.
    9. From the Site list, select the site you created that contains the application.
    10. From the Web Identity Mapping list, select the mapping you created.
    11. Select the Enabled check box to enable the application when you save.
    12. Click Save.
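The procedure above derives several field values from two URLs: the Azure AD External URL of the application (virtual host and port) and the URL at which the application is hosted (site target, whether it is secure, and the application's context root). The following added example, which is not PingAccess code, performs those derivations and the checks the procedure states, namely the context root rules and the uniqueness of the virtual host and context root combination. The URLs it is run on are the ones given as examples in the text; the function and class names are this example's own.

```python
# Added example (not PingAccess code): derive the field values the procedure
# asks for from the Azure AD External URL and the backend application URL,
# and apply the checks the procedure states.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class AppConfig:
    virtual_host: str   # Host field of the virtual host (FQDN of the External URL)
    virtual_port: int   # Port field of the virtual host (443 for App Proxy URLs)
    target: str         # Target field of the site: hostname:port, no path
    secure: bool        # Secure list of the site: True when the target uses https
    context_root: str   # Context Root field of the application


def validate_context_root(root: str) -> str:
    """Enforce the stated rules: begins with /, does not end with / (except "/")."""
    if not root.startswith("/"):
        raise ValueError("context root must begin with a slash (/)")
    if len(root) > 1 and root.endswith("/"):
        raise ValueError("context root must not end with a slash (/)")
    return root


def derive_config(external_url: str, backend_url: str) -> AppConfig:
    """Derive the virtual host, site and application values from two URLs.

    external_url: the Azure AD External URL, e.g. https://app-tenant.msappproxy.net/AppName
    backend_url:  where the application is hosted, e.g. https://mysite:9999/AppName
    """
    ext = urlsplit(external_url)
    back = urlsplit(backend_url)
    if ext.scheme != "https" or not ext.hostname:
        raise ValueError("external URL must be an https URL with a host")
    if back.scheme not in ("http", "https") or not back.hostname:
        raise ValueError("backend URL must be an http(s) URL with a host")

    backend_port = back.port or (443 if back.scheme == "https" else 80)
    # The context root is the application path; an application at the root of
    # the server gets "/". A trailing slash is dropped per the stated rule.
    root = back.path.rstrip("/") or "/"
    return AppConfig(
        virtual_host=ext.hostname,
        virtual_port=ext.port or 443,
        target=f"{back.hostname}:{backend_port}",
        secure=(back.scheme == "https"),
        context_root=validate_context_root(root),
    )


def find_duplicates(configs: Iterable[AppConfig]) -> List[Tuple[str, str]]:
    """Return (virtual host, context root) pairs that occur more than once.

    The procedure requires this combination to be unique across applications.
    """
    seen: Dict[Tuple[str, str], int] = {}
    for cfg in configs:
        key = (cfg.virtual_host.lower(), cfg.context_root)
        seen[key] = seen.get(key, 0) + 1
    return [key for key, count in seen.items() if count > 1]


if __name__ == "__main__":
    app = derive_config("https://app-tenant.msappproxy.net/AppName", "https://mysite:9999/AppName")
    print(app)
    print("duplicates:", find_duplicates([app, app]))
```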