When a user authenticates, PingAccess applies your
configured application and resource-level policies to the Web Access Management (WAM)
request.
After completing policy evaluation and determining that the authenticated user should be
granted access to a site, PingAccess performs any
required token mediation between the backend site and the authenticated user. PingAccess then grants the user access to the site.
When a user requests access to a web resource from PingAccess, PingAccess inspects the request for a PingAccess token.
If the PingAccess token is missing,
PingAccess redirects the user to an
OpenID Provider (OP)OpenID Provider (OP)OP
In OAuth terms, an authorization server (AS). The OP/AS issues access tokens to protected
resources for approved clients (relying parties). The clients use the access token to
access the protected resources hosted by the OAuth resource server. for authentication.
Note:
When using an OP, you must already have an OAuth clientOAuth clientThe application in an OAuth framework that requests access to resources. If the request
is approved by the authorization server, the client is issued an access token for the
resources.
configured in PingAccess.
The OP follows the appropriate authentication process, evaluates domain-level
policies, and issues an OIDC ID token to PingAccess.
PingAccess validates the ID token and
issues a PingAccess token and sends it to
the browser in a cookie during a redirect to the original target resource.
After gaining access to the resource, PingAccess evaluates application and
resource-level policies and can optionally audit the request.
Note:
PingAccess can perform token
mediation by exchanging the PingAccess token for the appropriate
security token from the PingFederateSecurity Token Service (STS)Security Token Service (STS)STS
An entity responsible for responding to WS-Trust requests for validation and issuance of
security tokens used for SSO authentication to web services. or from a cache if token mediation
occurred recently.
PingAccess forwards the request to the
target site.
PingAccess processes the response from the
site to the browser (step not pictured).