PingAccess 7.3 product documentation. Audience: IT administrators.
Token mediation allows a PingAccess gateway to use a PingFederate token generator to exchange the PingAccess token or an OAuth bearer token for a security token understood by the protected application's own (foreign) authentication system.
Note: When planning a PingAccess deployment, take an inventory of existing applications and their authentication requirements and mechanisms. When an existing token-based authentication mechanism is in use, retrofitting that mechanism might not always be desirable or cost-effective.
The access request is transparent to the user, so PingAccess can manage access to systems that use those foreign tokens without any user involvement. The request is also transparent to the protected application, which handles it as if it came from the user directly. After token mediation, PingAccess caches the token used to access the application and reuses it for the remainder of the session.
The following illustration shows an example of token mediation using PingFederate to exchange a PingAccess token or OAuth bearer token for a different security token.
1. A user requests a resource from PingAccess with a PingAccess token or OAuth bearer token.
   Note: This example assumes the user has already obtained a PingAccess token or OAuth bearer token. For information on how users authenticate with PingFederate and obtain a PingAccess token or OAuth bearer token, see Session management configuration.
2. PingAccess evaluates resource-level policies and performs token mediation by acquiring the appropriate security token from the PingFederate STS specified by the site authenticator.
3. PingAccess sends the request to the site (web application) with the appropriate token.
4. PingAccess returns the response to the client (step not pictured).
Note: You can't access a mediated token from a Groovy rule because token mediation occurs after PingAccess rule processing. A rule can act only on the inbound request and the PingAccess token or OAuth bearer token it carries; the foreign token does not yet exist when rules run.
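The four steps and the ordering caveat above, as an added in-memory simulation that is not PingAccess or PingFederate code: a minimal gateway validates the inbound token, runs its rules, exchanges the token once per session through a stubbed STS, caches the result, and forwards the request to a stand-in site with the foreign token only. The sample tokens, the `legacy:...` token format, the `StsStub`, `Gateway`, `make_site` and `demo` names are all constructed for illustration; the real PingFederate STS protocol, endpoints and token formats are not shown.

```python
import time
from dataclasses import dataclass, field

# Constructed sample data: opaque stand-ins for the PingAccess token or OAuth
# bearer token a client presents, mapped to the claims the gateway validates.
# These are not real PingAccess or PingFederate token formats.
NOW = time.time()
INBOUND_TOKENS = {
    "pa-token-alice":   {"sub": "alice",   "groups": ["staff"],      "exp": NOW + 3600},
    "pa-token-mallory": {"sub": "mallory", "groups": ["contractor"], "exp": NOW + 3600},
    "pa-token-stale":   {"sub": "bob",     "groups": ["staff"],      "exp": NOW - 1},
}


@dataclass
class StsStub:
    """In-memory stand-in for the PingFederate STS token generator that the
    site authenticator points at. The real exchange is a network call; this
    stub only counts invocations and mints a hypothetical legacy token of the
    form 'legacy:<site>:<subject>:<expiry>'."""
    calls: int = 0

    def exchange(self, claims, site):
        self.calls += 1
        return f"legacy:{site}:{claims['sub']}:{int(claims['exp'])}"


@dataclass
class Gateway:
    """Minimal model of the gateway flow: validate the inbound token, run rules,
    mediate (with a per-session cache), forward to the site."""
    sts: StsStub
    rules: list                                   # callables (claims, request) -> bool
    cache: dict = field(default_factory=dict)     # (session, site) -> mediated token

    def handle(self, request, site_backend):
        auth = request.get("authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        claims = INBOUND_TOKENS.get(token)
        if claims is None or claims["exp"] < time.time():
            return {"status": 401, "body": "invalid or expired inbound token"}

        # Rule processing runs here, before mediation. A rule sees the inbound
        # claims and request only; the mediated token does not exist yet, which
        # is why a Groovy rule in PingAccess cannot read it.
        for rule in self.rules:
            if not rule(claims, request):
                return {"status": 403, "body": "denied by rule"}

        # Token mediation: exchange once per (session, site), then reuse.
        key = (request["session"], request["site"])
        mediated = self.cache.get(key)
        if mediated is None:
            mediated = self.sts.exchange(claims, request["site"])
            self.cache[key] = mediated

        # Forward to the site with the foreign token; the inbound PingAccess
        # token is not passed through.
        upstream = {"path": request["path"], "authorization": mediated}
        return site_backend(upstream)


def make_site(seen):
    """Stand-in for the protected web application. It accepts only the
    hypothetical legacy token and records every Authorization value it saw."""
    def site(upstream):
        seen.append(upstream["authorization"])
        if upstream["authorization"].startswith("legacy:"):
            subject = upstream["authorization"].split(":")[2]
            return {"status": 200, "body": f"hello {subject}"}
        return {"status": 401, "body": "site expects its own token"}
    return site


def demo():
    """Runs four constructed requests and returns what a practitioner would check."""
    sts = StsStub()

    def staff_only(claims, request):
        return "staff" in claims["groups"]

    gateway = Gateway(sts=sts, rules=[staff_only])
    seen = []
    site = make_site(seen)

    def req(token, session="s1"):
        return {"session": session, "site": "hr-app", "path": "/payslip",
                "authorization": f"Bearer {token}"}

    first = gateway.handle(req("pa-token-alice"), site)            # STS called once
    repeat = gateway.handle(req("pa-token-alice"), site)           # cache hit, no STS call
    denied = gateway.handle(req("pa-token-mallory", "s2"), site)   # rule blocks before STS
    stale = gateway.handle(req("pa-token-stale", "s3"), site)      # rejected before rules
    return {"first": first["status"], "repeat": repeat["status"],
            "denied": denied["status"], "stale": stale["status"],
            "sts_calls": sts.calls, "site_saw": seen}


if __name__ == "__main__":
    print(demo())
```

The points to check against the flow above are that the site never sees the inbound PingAccess token, that the STS is contacted once per session even across repeated requests, and that a rule denial or an expired inbound token short-circuits before any exchange happens.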