Pressure from an expanding mobile device and API economy can lead developers to hastily design and expose APIs outside the network perimeter. Standardized API access management leads to a more consistent, centrally-controlled model that ensures existing infrastructure and security policies are followed, thereby safeguarding an organization’s assets.

PingAccess Gateway sits at the perimeter of a protected network between mobile, in-browser, or server-based client applications and protected APIs and performs the following actions:

  • Receives inbound API calls requesting protected applications

    OAuth-protected API calls contain previously-obtained access tokens retrieved from PingFederate acting as an OAuth authorization server.

  • Evaluates application and resource-level policies and validates access tokens in conjunction with PingFederate
  • Acquires the appropriate target site security token (site authenticators) from the PingFederate Security Token Service (STS) or from a cache, including attributes and authorized scopes, should an API require identity mediation
  • Makes authorized requests to the APIs and responses are received and processed
  • Relays the responses on to the clients

The following sections describe sample proof of concept and production architectures for an API access management use case deployment: