When a user authenticates, PingAccess applies your configured application and resource-level policies to the Web Access Management (WAM) request.
After completing policy evaluation and determining that the authenticated user should be granted access to a site, PingAccess performs any required token mediation between the backend site and the authenticated user. PingAccess then grants the user access to the site.

Processing steps:
- When a user requests access to a web resource from PingAccess, PingAccess inspects the request for a PingAccess token.
- If the PingAccess token is missing, PingAccess redirects the user to an OpenID Provider (OP) for authentication.
  Note: When using an OP, you must already have an OAuth client configured in PingAccess.
  - For information on configuring an OAuth client within PingFederate, see Configure PingFederate as the token provider for PingAccess and the Administrator's Reference Guide in the PingFederate documentation.
  - To configure the OAuth client within PingAccess, see Connect PingAccess to PingFederate.
- The OP follows the appropriate authentication process, evaluates domain-level policies, and issues an OIDC ID token to PingAccess.
- PingAccess validates the ID token, issues a PingAccess token, and sends it to the browser in a cookie during a redirect to the original target resource.
- After the user gains access to the resource, PingAccess evaluates application-level and resource-level policies and can optionally audit the request.
  Note: PingAccess can perform token mediation by exchanging the PingAccess token for the appropriate security token from the PingFederate Security Token Service (STS), or from a cache if token mediation occurred recently.
- PingAccess forwards the request to the target site.
- PingAccess processes the response from the site to the browser (step not pictured).
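The following is an added example, not PingAccess or PingFederate code, that models the processing steps above as a small Python gateway: inspect the request for the PingAccess token cookie, redirect to the OP when it is absent, validate the returned ID token (signature, issuer, audience, expiry), mint an opaque PingAccess token, set it as a cookie and redirect back to the original resource. All endpoint URLs, the client ID, the cookie name and the HS256 signing key are constructed placeholders; a real deployment validates the OP's asymmetric signature via its published keys and obtains the ID token through the authorization-code exchange, which this example collapses into handing the ID token straight to the callback.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed placeholder values (not real PingAccess/PingFederate settings).
OP_ISSUER = "https://op.example.invalid"
OP_AUTHORIZE_URL = OP_ISSUER + "/authorize"
CLIENT_ID = "pa-demo-client"                  # the OAuth client that must already exist
REDIRECT_URI = "https://pa.example.invalid/callback"
ID_TOKEN_KEY = b"constructed-hs256-demo-key"  # stands in for the OP's signing key
PA_COOKIE = "PA_SESSION"                      # hypothetical PingAccess token cookie name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; used only to construct a sample ID token for the demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_id_token(token: str, key: bytes, now: int) -> dict:
    """Reject the ID token unless signature, iss, aud and exp all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not issued for this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


class Gateway:
    """Toy stand-in for the PingAccess front end; not the product's code."""

    def __init__(self):
        self.sessions = {}  # PA token value -> authenticated subject (kept server-side)
        self.pending = {}   # OAuth state -> original target path

    def handle(self, path: str, cookies: dict) -> dict:
        """Inspect the request for the PA token; redirect to the OP if it is absent."""
        token = cookies.get(PA_COOKIE)
        if token is not None and token in self.sessions:
            # Application/resource policy evaluation and auditing would run here
            # before the request is forwarded to the target site.
            return {"status": 200, "forward_to": path, "subject": self.sessions[token]}
        state = secrets.token_urlsafe(16)  # unguessable; binds the callback to this request
        self.pending[state] = path
        params = {"client_id": CLIENT_ID, "response_type": "code", "scope": "openid",
                  "redirect_uri": REDIRECT_URI, "state": state}
        return {"status": 302, "location": OP_AUTHORIZE_URL + "?" + urlencode(params),
                "state": state}

    def callback(self, id_token: str, state: str, now: int) -> dict:
        """Validate the ID token, mint a PA token, set it as a cookie, redirect back."""
        original_path = self.pending.pop(state, None)
        if original_path is None:
            raise ValueError("unknown or replayed state")
        claims = validate_id_token(id_token, ID_TOKEN_KEY, now)
        pa_token = secrets.token_urlsafe(32)  # opaque to the browser; claims stay server-side
        self.sessions[pa_token] = claims["sub"]
        return {"status": 302, "location": original_path,
                "set_cookie": {"name": PA_COOKIE, "value": pa_token,
                               "HttpOnly": True, "Secure": True, "SameSite": "Lax"}}
```

The `state` lookup is consumed on first use, so a replayed callback is rejected, and the cookie carries only an opaque token, so nothing in the ID token reaches the browser; both are the properties a reviewer checks for in a WAM gateway in front of an OP.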
For more information, see the Session management configuration.