When a user authenticates, PingAccess applies your configured application and resource-level policies to the Web Access Management (WAM) request.
After completing policy evaluation and determining that the authenticated user should be granted access to a site, PingAccess performs any required token mediation between the backend site and the authenticated user. PingAccess then grants the user access to the site.
When a user requests access to a web resource from PingAccess, PingAccess inspects the request for a PingAccess token. If the PingAccess token is missing, PingAccess redirects the user to an OpenID Provider (OP) for authentication.
Note:
When using an OP, you must already have an OAuth client configured in PingAccess.
The OP follows the appropriate authentication process, evaluates domain-level policies, and issues an OIDC ID token to PingAccess.
PingAccess validates the ID token, issues a PingAccess token, and sends it to the browser in a cookie during a redirect to the original target resource.
After the user gains access to the resource, PingAccess evaluates application and resource-level policies and can optionally audit the request.
Note:
PingAccess can perform token mediation by exchanging the PingAccess token for the appropriate security token from the PingFederate Security Token Service (STS), or from a cache if token mediation occurred recently.
PingAccess forwards the request to the target site.
PingAccess processes the response from the site to the browser (step not pictured).
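The flow above, condensed into a small simulation added here (not PingAccess or PingFederate code): the gateway checks the request for a PA token cookie, redirects to the OP when it is absent, validates the ID token the OP returns, issues its own signed cookie, evaluates a path-prefix policy, and mediates a site token through a short-lived cache. The OP URL, the HMAC-signed token format, the policy table and the STS stand-in are all constructed assumptions for illustration.

```python
import base64, hashlib, hmac, json, time

OP_URL = "https://op.example/authorize"            # hypothetical OP endpoint (constructed)
ID_TOKEN_KEY = b"constructed-op-signing-key"       # stands in for the OP's signing key
PA_KEY = b"constructed-pingaccess-cookie-key"      # stands in for the PA token signing key
POLICIES = {"/app/": set(), "/app/admin": {"admin"}}  # path prefix -> required groups
sts_cache = {}                                     # subject -> (site token, issued-at)

def _sign(key, claims):
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def _verify(key, token):
    """Return the claims if the signature and expiry check out, else None."""
    body, _, mac = token.partition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not mac or not hmac.compare_digest(expected, mac):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims.get("exp", 0) > time.time() else None

def op_issue_id_token(subject, groups):
    """Stand-in for the OP: the ID token it issues after authenticating the user."""
    return _sign(ID_TOKEN_KEY, {"sub": subject, "groups": sorted(groups), "exp": time.time() + 300})

def _required_groups(path):
    """Resource-level policy: longest matching prefix wins; no match means deny."""
    matches = [p for p in POLICIES if path.startswith(p)]
    return POLICIES[max(matches, key=len)] if matches else None

def handle(path, cookies, id_token=None):
    """Simulated PingAccess handling of one request. Returns (status, detail)."""
    pa = _verify(PA_KEY, cookies.get("PA", ""))
    if pa is None and id_token is None:          # no PA token: send the user to the OP
        return 302, f"{OP_URL}?redirect_uri={path}"
    if pa is None:                               # back from the OP: validate the ID token,
        claims = _verify(ID_TOKEN_KEY, id_token) # issue a PA token cookie, redirect to target
        if claims is None:
            return 401, "invalid or expired ID token"
        pa = {"sub": claims["sub"], "groups": claims["groups"], "exp": time.time() + 3600}
        return 302, {"location": path, "set_cookie": {"PA": _sign(PA_KEY, pa)}}
    required = _required_groups(path)            # application/resource policy evaluation
    if required is None or not required <= set(pa["groups"]):
        return 403, "denied by policy"
    cached = sts_cache.get(pa["sub"])            # token mediation, reusing a recent result
    if cached is None or cached[1] < time.time() - 60:
        cached = sts_cache[pa["sub"]] = (f"sts-token-for-{pa['sub']}", time.time())
    return 200, {"forward_to": path, "Authorization": f"Bearer {cached[0]}"}
```

A tampered PA cookie behaves exactly like a missing one (the user is sent back to the OP), while a tampered ID token is rejected outright, which is the distinction a gateway log should let you see.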