Supporting Web+API Applications - PingAccess - 7.3


PingAccess simplifies adding OpenID Connect (OIDC) and OAuth to API-based web applications, such as single-page applications (SPAs).

In this configuration, PingAccess completely manages the OIDC authentication for the SPA, maintains a cookie-based web session with the browser, and replaces the cookie with an OAuth access token (or other identity mappings) before invoking the target API. You must perform additional steps to support this configuration.

  1. Configure Apigee to intercept calls for PingAccess.
    Note:

    If you selected the Use context root as reserved resource base path check box on the PingAccess application you plan to use in conjunction with Apigee, skip ahead to step 2. When enabled, this feature provides reserved PingAccess resources from that application’s context root, which makes step 1 unnecessary.

    1. In Apigee, go to Develop > API Proxies and click Create New.
    2. On the Create Proxy page, click No Target.
    3. In the Name field, enter PingAccess.
    4. In the Base Path field, enter /pa.
      A screen capture showing the Proxy Details page with PingAccess in the Name field and /pa in the Base path field.
    5. In the Policies section of the Navigator, click + to add a policy.
    6. Add a Flow Callout Policy, and in the Shared Flow list, select PingAuth.
    7. Click Save.
    8. In the Proxy Endpoints section of the navigator, select PreFlow, then add the flow callout policy as a Request Step.
      A screen capture showing the Flow Callout Policy in the PreFlow tab.
    9. Save and deploy the new proxy.
  2. Add a Web+API application in PingAccess:
    1. Go to Applications > Applications and click +Application.
    2. Enter a Name, then enter the Context Root and select or create the Virtual Host(s) so that they match how the application’s APIs are exposed from your Apigee environment.
      Note:

      To create a Virtual Host, click +Create below the field name.

      A screen capture showing the top of the configured application. The Name, Context Root, and Virtual Host(s) fields are filled out accordingly.
  3. Configure the web session:
    1. In the Application Type list, select Web+API.
    2. Under Web Session, click +Create.
    3. Enter the web session details, including the OIDC sign-on details configured in your OpenID Provider (OP).
      Note:

      PingAccess can only manage the OIDC authentication on behalf of the browser if PingAccess, through Apigee, is configured as the redirect URL in your OIDC provider.

      For example, https://apigee.example.com/pa/oidc/cb.

    4. Click Save to save the web session.
    5. Under Web Identity Mapping, click +Create.
    6. Name the identity mapping Access Token and select the type Web Session Access Token.

      This configures PingAccess to forward the OAuth Access Token it obtains from the OIDC provider Authorization Server as the bearer token to the API behind Apigee.

    7. Click Save.
    A screen capture showing the configured web session.
  4. In the Access Validation list, select the form of access validation that will be applied for non-web API clients, such as mobile applications.
  5. Configure Apigee as the application destination:
    1. In the Destination list, select Sideband.
    2. In the Sideband Client list, select the sideband client that you created earlier.
    3. Click Save.
    A screen capture showing the Destination field with Sideband selected as the destination. Apigee is selected in the Sideband Client field.
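The following is an added example, not PingAccess or Apigee code: a small model of the decision PingAccess makes for each request in this Web+API configuration (existing web session: strip the cookie and forward the Web Session Access Token as a bearer token; bearer token from a non-web client: apply access validation; neither: redirect to the OP with the /pa/oidc/cb callback). The OP authorization endpoint, client ID, cookie name, session store and token list are constructed assumptions; only the callback URL comes from the procedure above.

```python
from urllib.parse import urlencode

# Callback quoted in the procedure above (PingAccess reserved resource via the Apigee /pa proxy).
CALLBACK_URL = "https://apigee.example.com/pa/oidc/cb"
# Assumed values for the example; not from the page.
OP_AUTHZ_ENDPOINT = "https://op.example.com/as/authorization.oauth2"
CLIENT_ID = "pa-client"
SESSION_COOKIE = "PA"

# Constructed session store: cookie value -> access token obtained from the OP during OIDC sign-on.
SESSIONS = {"sess-abc": "eyJ.access.token"}
# Constructed set of tokens accepted by the Access Validation step for non-web API clients.
VALID_API_TOKENS = {"api-client-token-1"}


def decide(headers, cookies):
    """Return the action for one inbound request.

    ("forward", headers)  request proceeds; session cookie removed, bearer token added
    ("reject", 401)       non-web client presented a token that failed access validation
    ("redirect", url)     browser has no session: start OIDC, redirect_uri = CALLBACK_URL
    """
    session = cookies.get(SESSION_COOKIE)
    if session in SESSIONS:
        # Web Session Access Token mapping: the browser's cookie must not reach the
        # API; only the OAuth access token is forwarded as the bearer token.
        fwd = {k: v for k, v in headers.items() if k.lower() != "cookie"}
        fwd["Authorization"] = "Bearer " + SESSIONS[session]
        return ("forward", fwd)
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        # Non-web API client (for example a mobile app): access validation, no OIDC redirect.
        if auth[len("Bearer "):] in VALID_API_TOKENS:
            return ("forward", dict(headers))
        return ("reject", 401)
    # No session and no token: the OP must be configured with CALLBACK_URL as the redirect URL.
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": CALLBACK_URL, "scope": "openid"}
    return ("redirect", OP_AUTHZ_ENDPOINT + "?" + urlencode(params))
```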