A PingAccess web access management (WAM) deployment enables an organization to quickly set up an environment that provides a secure method of managing access rights to web-based applications while integrating with existing identity management infrastructure.
With growing numbers of internal and external users, and more and more enterprise resources available online, it is important to ensure that qualified users can access only those applications to which they have permission. A WAM environment provides authentication and policy-based access management while integrating with existing infrastructure.
Deployed at the perimeter of a protected network between browsers and protected web-based applications, PingAccess Gateway performs the following actions:
- Receives inbound calls requesting access to web applications
Web session-protected requests contain a previously obtained PingAccess token in a cookie, derived from the user's profile during an OpenID Connect (OIDC)-based sign-on at PingFederate. OIDC is an authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management.
- Evaluates application and resource-level policies and validates the tokens in conjunction with an OIDC Policy configured within PingFederate
- Acquires the appropriate target security token (site authenticators) from the Security Token Service (STS) or from a cache, including attributes and authorized scopes, should a web application require identity mediation
An STS is an entity responsible for responding to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to web services.
- Makes authorized requests to the sites where the web applications reside, then receives and processes the responses
- Relays the responses on to the browsers
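The gateway steps listed above (session cookie carrying a token, token validation, application- and resource-level policy evaluation, and forwarding to the backing site) can be modelled end to end. The following is an added example and not PingAccess or PingFederate code: the HMAC-signed token stands in for the PingAccess token, the cookie name `PA`, the policy table, the group names and the site URLs are all constructed for illustration, and the decision function returns what a gateway would do rather than performing any network call.

```python
"""Toy model of a WAM gateway decision flow (added example, not PingAccess code).
A signed session token carried in a cookie is validated, then application- and
resource-level policies are evaluated before a request is forwarded to the site."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real gateway takes its keys from its own configuration.
GATEWAY_KEY = b"demo-gateway-key"
COOKIE_NAME = "PA"  # hypothetical cookie name for this example


def mint_token(subject, groups, ttl=3600, now=None):
    """Issue a compact HMAC-signed token (a stand-in for the PingAccess token)."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "groups": groups, "exp": int(now + ttl)}
    raw = json.dumps(claims, sort_keys=True).encode()
    body = base64.urlsafe_b64encode(raw).decode().rstrip("=")
    sig = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def validate_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(GATEWAY_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    padded = body + "=" * (-len(body) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Constructed policy table: application path prefix -> backing site and resource rules.
# Each rule is (path prefix within the application, required group or None for any
# authenticated user); the most specific rule is listed first.
POLICIES = {
    "/hr": {
        "site": "https://hr.internal.example",
        "resources": [("/admin", "hr-admins"), ("/", None)],
    },
    "/wiki": {
        "site": "https://wiki.internal.example",
        "resources": [("/", None)],
    },
}


def parse_cookies(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def decide(path, cookie_header="", now=None):
    """Apply the gateway steps to one inbound request.

    Returns ('forward', target_url) when policy allows the request,
    ('authenticate', None) when there is no valid web session, or
    ('deny', reason) when the session exists but policy rejects it."""
    app = next((p for p in POLICIES if path == p or path.startswith(p + "/")), None)
    if app is None:
        return ("deny", "no application configured for path")
    token = parse_cookies(cookie_header).get(COOKIE_NAME)
    claims = validate_token(token, now) if token else None
    if claims is None:
        # Missing, tampered or expired session: the browser must sign on at the OIDC provider.
        return ("authenticate", None)
    sub_path = path[len(app):] or "/"
    policy = POLICIES[app]
    for prefix, group in policy["resources"]:
        matches = sub_path == prefix or sub_path.startswith(prefix.rstrip("/") + "/")
        if matches:
            if group is not None and group not in claims.get("groups", []):
                return ("deny", f"{claims['sub']} lacks group {group}")
            return ("forward", policy["site"] + sub_path)
    return ("deny", "no matching resource rule")
```

The ordering of the three outcomes mirrors the gateway's responsibilities: a request without a usable session is redirected to authentication rather than denied outright, a tampered or expired token is treated exactly like a missing one, and only after the session is trusted does the resource-level rule decide whether the request reaches the site.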
The following sections describe sample proof of concept and production architectures for a WAM use case deployment: