A PingAccess API access management deployment enables an organization to quickly set up an environment that provides a secure method of controlling access to APIs while integrating with existing identity management infrastructure.
Pressure from an expanding mobile device and
PingAccess Gateway sits at the perimeter of a protected network between mobile, in-browser, or server-based client applications and protected APIs and performs the following actions:
- Receives inbound API calls requesting protected applications
OAuth-protected API calls contain previously obtained access tokens retrieved from PingFederate acting as an OAuth authorization server.
OAuth: A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.
- Evaluates application and resource-level policies and validates access tokens in conjunction with PingFederate
- Acquires the appropriate target site security token (site authenticators) from the Security Token Service (STS) or from a cache, including attributes and authorized scopes, should an API require identity mediation
Security Token Service (STS): An entity responsible for responding to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to web services.
- Makes authorized requests to the APIs, then receives and processes the responses
- Relays the responses on to the clients
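The request pipeline the five steps above describe, as an added illustrative model that is not PingAccess or PingFederate code: token introspection, the resource policy table, the STS and the protected API are all constructed stand-ins (VALID_TOKENS, RESOURCE_POLICY, introspect, backend are assumed names), so the block runs offline and shows where each step can reject a call.

```python
# Added example (not PingAccess code): a minimal model of the gateway flow
# described above. Token validation, policy data, the STS and the backend
# API are constructed stand-ins; a real deployment delegates these to
# PingFederate, PingAccess policy and the target sites.

VALID_TOKENS = {  # constructed: what PingFederate would report as active tokens
    "tok-abc": {"sub": "alice", "scope": {"read", "write"}},
    "tok-ro": {"sub": "bob", "scope": {"read"}},
}
RESOURCE_POLICY = {"/orders": {"read"}, "/orders/cancel": {"write"}}  # constructed

def introspect(token):
    """Stand-in for asking PingFederate whether an access token is active."""
    return VALID_TOKENS.get(token)

class Gateway:
    def __init__(self):
        self.site_token_cache = {}
        self.sts_calls = 0  # counts simulated STS round trips (cache misses)

    def acquire_site_token(self, subject, scopes):
        # Step 3: target-site token from the cache, else from the (mocked) STS.
        key = (subject, frozenset(scopes))
        if key not in self.site_token_cache:
            self.sts_calls += 1
            self.site_token_cache[key] = f"site-token-for-{subject}"
        return self.site_token_cache[key]

    def handle(self, path, headers, backend):
        # Step 1: the inbound call must carry a bearer access token.
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        claims = introspect(auth[len("Bearer "):])
        if claims is None:
            return 401, "invalid or expired access token"
        # Step 2: resource-level policy: every required scope must be granted.
        required = RESOURCE_POLICY.get(path)
        if required is None:
            return 404, "unknown resource"
        if not required <= claims["scope"]:
            return 403, "insufficient scope"
        # Steps 3-5: mediate identity, call the API, relay its response.
        site_token = self.acquire_site_token(claims["sub"], claims["scope"])
        return backend(path, {"X-Site-Token": site_token})

def backend(path, headers):
    """Constructed protected API: echoes the mediated identity it received."""
    return 200, f"{path} served with {headers['X-Site-Token']}"
```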
The following sections describe sample proof of concept and production architectures for an API access management use case deployment: