With growing numbers of internal and external users, and more and more enterprise resources available online, it is important to ensure that qualified users can access only those applications to which they have permission. A WAM environment provides authentication and policy-based access management while integrating with existing infrastructure.

Deployed at the perimeter of a protected network between browsers and protected web-based applications, PingAccess Gateway performs the following actions:

  • Receives inbound calls requesting access to web applications

    Web session-protected requests carry a previously obtained PingAccess token in a cookie. That token is derived from the user's profile during an OpenID Connect (OIDC) based sign-on at PingFederate.

  • Evaluates application and resource-level policies and validates the tokens in conjunction with an OIDC Policy configured within PingFederate
  • Acquires the appropriate target security token (site authenticators) from the PingFederate Security Token Service (STS) or from a cache, including attributes and authorized scopes, should a web application require identity mediation
  • Makes authorized requests to the sites where the web applications reside, then receives and processes their responses
  • Relays the responses on to the browsers
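The request flow above, condensed into one Python sketch as an added example (not PingAccess code): a signed web-session token is read from a cookie, checked for signature and expiry, matched against a resource-level scope policy with default deny, exchanged for a cached target token, and forwarded. The cookie name, signing key, policy table and PingFederate URL are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins for PingAccess configuration (not real product settings).
SESSION_KEY = b"constructed-demo-secret"                       # hypothetical token signing key
PF_AUTHORIZE = "https://pingfederate.example/as/authorization"  # hypothetical PingFederate URL
# Resource-level policy: path prefix -> scope the web session must carry (default deny).
POLICIES = {"/hr/": "hr:read", "/finance/": "finance:read"}
# Cache of target security tokens per (subject, site), standing in for the STS lookup.
TOKEN_CACHE = {}

def mint_token(sub, scopes, ttl=300, key=SESSION_KEY):
    """Mint the signed web-session token a browser presents in its cookie after OIDC sign-on."""
    body = json.dumps({"sub": sub, "scope": scopes, "exp": int(time.time()) + ttl}).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

def validate_token(token, key=SESSION_KEY):
    """Step 2: check signature and expiry; return the claims, or None if the token is not trusted."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = base64.urlsafe_b64decode(body_b64), base64.urlsafe_b64decode(sig_b64)
    except ValueError:                     # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
        return None                        # tampered, or signed with a different key
    claims = json.loads(body)
    if claims.get("exp", 0) <= time.time():
        return None                        # expired session
    return claims

def gateway(request):
    """Run steps 1-5 for one inbound request ({'path', 'cookies'}) and return the decision."""
    token = request.get("cookies", {}).get("PA")          # step 1: session cookie (name assumed)
    claims = validate_token(token) if token else None
    if claims is None:                                     # no valid session: sign on at PingFederate
        return {"status": 302, "location": PF_AUTHORIZE}
    required = next((s for p, s in POLICIES.items() if request["path"].startswith(p)), None)
    if required is None or required not in claims["scope"]:
        return {"status": 403}                             # step 2: policy denies (or nothing matches)
    site = request["path"].split("/")[1]
    target = TOKEN_CACHE.setdefault((claims["sub"], site),  # step 3: target token from cache/STS
                                    f"constructed-sts-token:{claims['sub']}@{site}")
    upstream = {"path": request["path"], "headers": {"Authorization": "Bearer " + target}}
    return {"status": 200, "upstream": upstream, "sub": claims["sub"]}  # steps 4-5: forward, relay
```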

The following sections describe sample proof of concept and production architectures for a WAM use case deployment: