When a user authenticates, PingAccess applies your configured application and resource-level policies to the Web Access Management (WAM) request.

When policy evaluation determines that the authenticated user should be granted access to a site, PingAccess performs any token mediation the backend site requires for that user, then forwards the request and grants the user access to the site.
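The sequence this page describes (cookie check, redirect to the OP, ID-token validation, PingAccess token in a cookie, resource-level policy, token mediation with a cache, forward) as a runnable simulation. This is an added example, not PingAccess or PingFederate code: the cookie name PA, the claim names, the URLs, the HS256 signing keys, the STS stand-in, and the path-prefix policy table are all constructed for illustration, and the OP's authorization-code exchange is collapsed into a direct ID-token issue, as the description above does.

```python
# Toy model of the flow described on this page. Added example, not PingAccess code: cookie name,
# claim names, URLs, keys and the policy table are constructed for illustration.
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

OP_ISSUER = "https://op.example.com"              # hypothetical OP (PingFederate in the text)
CLIENT_ID = "pingaccess-client"   # the OAuth client that must already exist in PingAccess (step 2 note)
COOKIE_NAME = "PA"                # hypothetical cookie carrying the PingAccess token
OP_KEY = b"op-signing-key-constructed"            # real OPs sign with asymmetric keys published via JWKS
GATEWAY_KEY = b"gateway-session-key-constructed"
STS_KEY = b"sts-key-constructed"                  # stand-in for the PingFederate STS
POLICY = {"/admin": "admins", "/app": "users"}    # constructed resource-level policy: path prefix -> group
PENDING = {}           # state -> (nonce, original target) for logins in flight
MEDIATION_CACHE = {}   # PingAccess token -> backend token (the cache in the token-mediation note)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """HS256 JWT, a stand-in for whatever token format the OP and gateway really use."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Signature, issuer, audience and expiry checks; raises ValueError on any failure."""
    header, body, sig = token.split(".")       # wrong segment count also raises ValueError
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def start_login(target: str) -> str:
    """Step 2: build the OIDC authorization request; state and nonce are remembered per login."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    PENDING[state] = (nonce, target)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID, "scope": "openid profile",
                       "redirect_uri": "https://gateway.example.com/pa/oidc/cb",  # hypothetical
                       "state": state, "nonce": nonce})
    return f"{OP_ISSUER}/as/authorize?{query}"

def op_authenticate(authz_url: str, subject: str, groups: list, now: float) -> str:
    """Step 3, simulated OP: issue an ID token bound to the request nonce. The real flow hands back
    an authorization code that the gateway redeems at the token endpoint; that hop is collapsed."""
    q = parse_qs(urlparse(authz_url).query)
    return sign_jwt({"iss": OP_ISSUER, "aud": q["client_id"][0], "sub": subject, "groups": groups,
                     "nonce": q["nonce"][0], "exp": now + 300}, OP_KEY)

def callback(state: str, id_token: str, now: float) -> tuple:
    """Step 4: validate the ID token, mint the gateway token, return (Set-Cookie value, redirect target)."""
    if state not in PENDING:
        raise ValueError("unknown or already-used state")  # a finished login cannot be replayed
    nonce, target = PENDING.pop(state)
    claims = verify_jwt(id_token, OP_KEY, OP_ISSUER, CLIENT_ID, now)
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")                 # ID token from some other login attempt
    pa_token = sign_jwt({"iss": "gateway", "aud": "gateway", "sub": claims["sub"],
                         "groups": claims.get("groups", []), "exp": now + 3600}, GATEWAY_KEY)
    return f"{COOKIE_NAME}={pa_token}; Secure; HttpOnly; SameSite=Lax", target

def handle_request(path: str, cookies: dict, now: float) -> dict:
    """Steps 1, 4 (policy evaluation) and 5: inspect the cookie, authorize, mediate, forward."""
    token = cookies.get(COOKIE_NAME)
    if token is None:
        return {"status": 302, "location": start_login(path)}
    try:
        claims = verify_jwt(token, GATEWAY_KEY, "gateway", "gateway", now)
    except ValueError:
        return {"status": 302, "location": start_login(path)}  # expired or forged cookie: re-authenticate
    required = next((g for prefix, g in POLICY.items() if path.startswith(prefix)), None)
    if required is None or required not in claims.get("groups", []):
        return {"status": 403, "audit": f"deny sub={claims['sub']} path={path}"}  # default deny
    backend = MEDIATION_CACHE.get(token)
    if backend is None:                                        # first use: ask the "STS", then cache
        backend = sign_jwt({"sub": claims["sub"], "exp": now + 300}, STS_KEY)
        MEDIATION_CACHE[token] = backend
    return {"status": 200, "forward": path, "headers": {"Authorization": f"Bearer {backend}"}}

def run_flow(now: float = 1_700_000_000.0) -> dict:
    """Drive one browser through the whole sequence (constructed clock) and return each hop's status."""
    first = handle_request("/app/home", {}, now)                             # 1-2: no cookie, redirect
    state = parse_qs(urlparse(first["location"]).query)["state"][0]
    id_token = op_authenticate(first["location"], "alice", ["users"], now)    # 3: OP issues ID token
    cookie, target = callback(state, id_token, now)                          # 4: gateway token in cookie
    jar = {COOKIE_NAME: cookie.split(";")[0].split("=", 1)[1]}
    return {"first": first["status"], "target": target, "replay_blocked": state not in PENDING,
            "allowed": handle_request("/app/home", jar, now)["status"],        # 5: forwarded
            "denied": handle_request("/admin/users", jar, now)["status"],      # policy denies
            "expired": handle_request("/app/home", jar, now + 7200)["status"],  # stale cookie: redirect
            "cached": len(MEDIATION_CACHE)}                                    # one mediated token
```

Three points the toy makes visible that the prose only implies: the gateway never trusts the browser's cookie without verifying its own signature and expiry, so a stale PingAccess token sends the user back to step 2 rather than through to the site; policy evaluation is default-deny, so a path with no matching rule is refused even for an authenticated user; and the mediated backend token is keyed on the PingAccess token, so the second request for the same session hits the cache instead of the STS.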

Figure: Web Access Management flow (multiple devices, PingAccess, PingFederate, web apps; steps 1 to 5: OIDC authorization request, access token issued).
  1. When a user requests access to a web resource from PingAccess, PingAccess inspects the request for a PingAccess token.
  2. If the PingAccess token is missing, PingAccess redirects the user to an OpenID Provider (OP) for authentication.
    Note:

    When using an OP, you must already have an OAuth client configured in PingAccess.

  3. The OP follows the appropriate authentication process, evaluates domain-level policies, and issues an OIDC ID token to PingAccess.
  4. PingAccess validates the ID token, issues a PingAccess token, and sends that token to the browser in a cookie while redirecting the browser to the original target resource.

    When the browser follows the redirect back to the resource, PingAccess evaluates application and resource-level policies and can optionally audit the request.

    Note:

    PingAccess can perform token mediation by exchanging the PingAccess token for the security token the site requires, obtained from the PingFederate Security Token Service (STS) or from a cache if the same mediation occurred recently.

  5. PingAccess forwards the request to the target site.
  6. PingAccess processes the response from the site to the browser (step not pictured).
Note:

For more information, see the Session management configuration.