After completing policy evaluation and determining that the authenticated user should be granted access to a site, PingAccess performs any required token mediation between the backend site and the authenticated user. PingAccess then grants the user access to the site.

Diagram illustrating the WAM flow between PingFederate and PingAccess.

Processing steps:

  1. When a user requests access to a web resource from PingAccess, PingAccess inspects the request for a PingAccess token.
  2. If the PingAccess token is missing, PingAccess redirects the user to an OpenID Provider (OP) for authentication.

    When using an OP, you must already have an OAuth client configured in PingAccess.

    For steps on configuring an OAuth client within PingFederate, see Configure PingFederate as the token provider for PingAccess within the PingAccess documentation, and the Administrator's Reference Guide within the PingFederate documentation.

    To configure the OAuth client within PingAccess, see Connect PingAccess to PingFederate.

  3. The OP follows the appropriate authentication process, evaluates domain-level policies, and issues an OIDC ID token to PingAccess.
  4. PingAccess validates the ID token, issues a PingAccess token, and sends it to the browser in a cookie during a redirect to the original target resource. When the browser follows that redirect back to the resource, PingAccess evaluates application- and resource-level policies and can optionally audit the request.

    PingAccess can perform token mediation by exchanging the PingAccess token for the appropriate security token from the PingFederate Security Token Service (STS), or from a cache if token mediation occurred recently.

  5. PingAccess forwards the request to the target site.
  6. PingAccess processes the response from the site to the browser (step not shown).
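The steps above as a runnable simulation, added here as an example and not code from PingAccess or PingFederate. The OP issuer, client ID, signing keys, the `PA_TOKEN` cookie name, the HMAC-signed token format and the policy table are all stand-ins chosen for the example; it shows the checks a gateway must apply in step 4 (signature, issuer, audience, nonce, expiry) before minting its own token.

```python
import hmac, hashlib, json, time, secrets

OP_ISSUER = "https://op.example.test"   # constructed OpenID Provider (OP)
CLIENT_ID = "pingaccess-client"          # assumed OAuth client registered at the OP
PA_SECRET = b"constructed-gateway-key"   # key the gateway uses for its own token
POLICIES = {"/app/admin": {"admin"}, "/app/": {"user", "admin"}}  # resource-level policy

def sign(payload, key):
    body = json.dumps(payload, sort_keys=True)
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify(token, key):
    body, _, mac = token.rpartition(".")
    expect = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.loads(body) if mac and hmac.compare_digest(mac, expect) else None

def op_authenticate(user, groups, nonce, op_key):
    """Step 3: the OP authenticates the user and issues an ID token for the gateway."""
    now = int(time.time())
    return sign({"iss": OP_ISSUER, "aud": CLIENT_ID, "sub": user, "groups": sorted(groups),
                 "nonce": nonce, "iat": now, "exp": now + 300}, op_key)

def validate_id_token(token, op_key, expected_nonce):
    """Step 4: accept the ID token only if signature, issuer, audience, nonce and expiry hold."""
    claims = verify(token, op_key)
    ok = claims and claims["iss"] == OP_ISSUER and claims["aud"] == CLIENT_ID \
        and claims["nonce"] == expected_nonce and claims["exp"] > int(time.time())
    return claims if ok else None

def handle_request(path, cookies, pending_nonces):
    """Steps 1, 2, 4, 5: inspect for the PA token, redirect if missing, else enforce policy and forward."""
    claims = verify(cookies.get("PA_TOKEN", ""), PA_SECRET)
    if not claims or claims["exp"] <= int(time.time()):
        nonce = secrets.token_hex(8)          # binds the later ID token to this redirect
        pending_nonces.add(nonce)
        return {"status": 302, "location": f"{OP_ISSUER}/authorize?client_id={CLIENT_ID}&nonce={nonce}"}
    allowed = next((roles for prefix, roles in POLICIES.items() if path.startswith(prefix)), set())
    if not allowed & set(claims["groups"]):
        return {"status": 403}
    return {"status": 200, "forwarded_to": path, "subject": claims["sub"]}

def complete_login(id_token, op_key, pending_nonces, nonce):
    """Step 4: exchange a validated ID token for a PA token delivered to the browser as a cookie."""
    claims = validate_id_token(id_token, op_key, nonce) if nonce in pending_nonces else None
    if not claims:
        return None
    pending_nonces.discard(nonce)             # single use: a replayed ID token is refused
    now = int(time.time())
    return sign({"sub": claims["sub"], "groups": claims["groups"], "iat": now, "exp": now + 3600}, PA_SECRET)
```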

For more information, see the session management scenario.