Configure PingAccess applications so they are accessible to users through the Microsoft Azure MyApps portal.
- Install PingAccess and verify that you can access the administrative console. For information on installing PingAccess, see Installing and Uninstalling PingAccess.
  Note: The default credential set should be changed upon first usage. The default credentials for your PingAccess installation are:
  Username: Administrator
  Password: 2Access
- Have a Microsoft Azure AD Premium account for access to the Application Proxy feature.
- Configure Microsoft Azure AD. For steps to configure Microsoft Azure AD, see https://docs.microsoft.com/azure/active-directory/application-proxy-ping-access.
- Configure PingAccess to use Azure AD as the token provider.
For each application that you want to configure:
- Create a virtual host.
  For more information on creating a virtual host, see Creating new virtual hosts.
  Important: In a typical configuration for this solution, you will create a virtual host for every application.
  - Click Applications and then go to Applications > Virtual Hosts.
  - Click + Add Virtual Host.
  - In the Host field, enter the FQDN portion of the Azure AD External URL.
    For example, external URLs of https://app-tenant.msappproxy.net/ and https://app-tenant.msappproxy.net/AppName will both have a Host entry of app-tenant.msappproxy.net.
  - In the Port field, enter 443.
  - Click Save.
- Create a web session.
  For more information on creating a web session, see Creating web sessions.
  - Click Access and then go to Web Sessions > Web Sessions.
  - Click + Add Web Session.
  - In the Name field, enter a name for the web session.
  - From the Cookie Type list, select your cookie type, either Signed JWT or Encrypted JWT.
  - In the Audience field, enter a unique value.
  - In the Client ID field, enter the Azure AD application ID.
  - From the Client Credentials Type list, select Secret.
  - In the Client Secret field, enter the client secret you generated for the application in Azure AD.
  - Optional: To create and use custom claims with the Azure AD GraphAPI, click Advanced and clear the Request Profile and Refresh User Attributes check boxes.
    For more information on using custom claims, see Optional - Use a custom claim.
  - Click Save.
- Create an identity mapping.
  For more information on creating an identity mapping, see Creating header identity mappings.
  Note: An identity mapping can be used with more than one application if more than one application is expecting the same data in the header.
  - Click Access and then go to Identity Mappings > Identity Mappings.
  - Click + Add Identity Mapping.
  - In the Name field, enter a name.
  - From the Type list, select Header Identity Mapping.
  - In the Attribute to Header Mapping table, specify the required mappings.
    For example:

    | Attribute Name | Header Name |
    | --- | --- |
    | upn | x-userprinciplename |
    | email | x-email |
    | oid | x-oid |
    | scp | x-scope |
    | amr | x-amr |

  - Click Save.
- Create a site.
  For more information on creating a site, see Adding sites.
  Note: In some configurations, a site might contain more than one application. A site can be used with more than one application, where appropriate.
  - Click Applications and then go to Sites > Sites.
  - Click + Add Site.
  - In the Name field, enter a name for the site.
  - In the Target field, specify the target.
    The target is the hostname:port pair for the server hosting the application. Do not enter the path for the application in this field. For example, an application at https://mysite:9999/AppName will have a target value of mysite:9999.
  - From the Secure list, select whether or not the target is expecting secure connections.
  - Click Save.
- Create an application in PingAccess for each application in Azure that you want to protect.
  For more information on creating an application, see Adding an application.
  - Click Applications and then go to Applications > Applications.
  - Click + Add Application.
  - In the Name field, enter a name for the application.
  - In the Description field, enter a description for the application.
  - In the Context Root field, specify the context root for the application.
    For example, an application at https://mysite:9999/AppName will have a context root of /AppName. If the application is on the root of the server, you can set the context root as /. The context root must begin with a slash (/), must not end with a slash (/), and can be more than one layer deep, for example, /Apps/MyApp.
  - From the Virtual Host list, select the virtual host you created.
    Note: The combination of virtual host and context root must be unique in PingAccess.
  - From the Application Type list, select Web.
  - From the Web Session list, select the web session you created.
  - From the Site list, select the site you created that contains the application.
  - From the Web Identity Mapping list, select the mapping you created.
  - Select the Enabled check box to enable the site when you save.
  - Click Save.
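
The following is an added example, not part of the PingAccess documentation: a pre-flight check that derives the Host, Port, Target, Secure, and Context Root values described above from each application's URLs and rejects a repeated virtual host and context root combination before anything is entered in the console. The function names are hypothetical, and it assumes the context root is the path of the application's URL on the target server, as in the /AppName example.

```python
from urllib.parse import urlsplit

def virtual_host(external_url):
    """Host and Port fields of the virtual host, from the Azure AD External URL."""
    parts = urlsplit(external_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"expected an https External URL, got {external_url!r}")
    return parts.hostname, 443  # FQDN only; the procedure enters port 443

def site_target(app_url):
    """Target (hostname:port, never a path) and Secure setting of the site."""
    parts = urlsplit(app_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"expected an http(s) application URL, got {app_url!r}")
    secure = parts.scheme == "https"
    return f"{parts.hostname}:{parts.port or (443 if secure else 80)}", secure

def context_root(path):
    """Context Root: '/' for the server root, else leading slash, no trailing slash."""
    if path in ("", "/"):
        return "/"
    root = path.rstrip("/")  # the field must not end with a slash
    if not root.startswith("/") or "//" in root:
        raise ValueError(f"invalid context root {path!r}")
    return root

def plan(apps):
    """apps: (name, external_url, app_url) tuples. Returns the field values per
    application; rejects a repeated virtual host + context root combination."""
    seen, rows = {}, []
    for name, external_url, app_url in apps:
        host, port = virtual_host(external_url)
        target, secure = site_target(app_url)
        root = context_root(urlsplit(app_url).path)
        if (host, root) in seen:
            raise ValueError(f"{name}: {host}{root} already used by {seen[(host, root)]}")
        seen[(host, root)] = name
        rows.append({"name": name, "host": host, "port": port,
                     "target": target, "secure": secure, "context_root": root})
    return rows

# Constructed sample input, reusing the URLs from the examples in this procedure.
SAMPLE = [
    ("AppName", "https://app-tenant.msappproxy.net/AppName", "https://mysite:9999/AppName"),
    ("MyApp", "https://app-tenant.msappproxy.net/Apps/MyApp", "https://mysite:9999/Apps/MyApp/"),
]

if __name__ == "__main__":
    for row in plan(SAMPLE):
        print(row)
```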