• Create a third-party service with PingAuthorize configured as the target. Learn more in Adding third-party services.
• Confirm that you are not using the agent model. PingAuthorize response filtering rules aren't available for agent deployments.
Important:

Ensure that the sideband API setting request-context-method is set to request in PingAuthorize. Learn more about how to set this property and why it is necessary in Request context configuration in the PingAuthorize documentation.

A response filtering rule can modify the response given by PingAccess, based on the response from the PingAuthorize response API.

Important:

The PingAuthorize sideband API cannot accept gzipped data from upstream server responses. To prevent the upstream server from sending compressed responses, ensure that upstream server requests add or replace the Accept-Encoding header with Accept-Encoding: identity.

To add a PingAuthorize response filtering rule:

  1. Click Access and then go to Rules > Rules.
  2. Click + Add Rule.
  3. In the Name field, enter a unique name, up to 64 characters long.

    Special characters and spaces are allowed.

  4. In the Type list, select PingAuthorize Response Filtering.
  5. In the Third Party Service list, select your PingAuthorize service.
  6. In the Shared Secret field, enter the shared secret from PingAuthorize.
  7. To include the HTTP request body in the HTTP request data sent to PingAuthorize, select the Include Request Body check box.

    If PingAuthorize needs the request body for an access decision, make sure that this check box is selected. Otherwise, clearing the check box could improve performance.

    This option is selected by default.

  8. To include the HTTP response body in the HTTP response data sent to PingAccess, select the Include Response Body check box.

    If PingAuthorize needs the response body to modify the response that it gives to a user, make sure that this check box is selected. Otherwise, clearing the check box could improve performance.

    This option is selected by default.

  9. Optional: To configure advanced options, click Show Advanced:
    1. Optional: In the Sideband Endpoint field, enter the sideband API endpoint location.
    2. Optional: In the Shared secret header name field, enter a header in which to send the shared secret.
    3. Optional: In the Additional Request Headers section, enter a Header Name and Header Value for any additional headers that you want to include in the request to PingAuthorize. Click + Add Row to add other headers as necessary.

      PingAuthorize can use the additional headers to determine the policy set that's most relevant to the request context.

      If an additional header that you configured appears in a user request, PingAccess replaces the original request header and its corresponding values with the Header Value that you configured. If you leave the Header Value field blank, PingAccess removes this header from the request to PingAuthorize.

      If the Header Value contains the substrings "${APPLICATION_NAME}" or "${RESOURCE_NAME}", PingAccess replaces those strings with the name of the requested application or resource as defined in PingAccess.

    4. Optional: In the Additional Response Headers section, enter a Header Name and Header Value for any additional headers that you want to include in the modified response. Click + Add Row to add other headers as necessary.

      PingAuthorize can use the additional headers to determine the policy set that's most relevant to the response context.

      If an additional header that you configured appears in the response, PingAccess replaces the original response header and its corresponding values with the Header Value that you configured. If you leave the Header Value field blank, PingAccess removes this header from the response.

      If the Header Value contains the substrings "${APPLICATION_NAME}" or "${RESOURCE_NAME}", PingAccess replaces those strings with the name of the requested application or resource as defined in PingAccess.

  10. Click Save.
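
The header handling described in step 9, modeled as an added Python example (not PingAccess code and not part of the product documentation). It shows that a value supplied by the client for a configured header never reaches PingAuthorize. The function names, the sample header names and values, and case-insensitive name matching are assumptions.

```python
# Added illustration of the Additional Request/Response Headers behavior in step 9.
# Hypothetical names throughout; this is a model, not PingAccess's implementation.

def apply_additional_headers(original, configured, application_name, resource_name):
    """Return the header list after the rule's configured headers are applied.

    original:   list of (name, value) pairs as received; repeated names allowed
    configured: dict of Header Name -> Header Value from the rule ("" means blank)
    """
    # Assumption: names are matched case-insensitively, as HTTP defines header names.
    configured_names = {name.lower() for name in configured}

    # A configured name replaces the original header and all of its values,
    # so every original occurrence is dropped before anything is added.
    result = [(n, v) for n, v in original if n.lower() not in configured_names]

    for name, value in configured.items():
        if not value:
            # Blank Header Value: the header is removed and nothing is sent.
            continue
        value = value.replace("${APPLICATION_NAME}", application_name)
        value = value.replace("${RESOURCE_NAME}", resource_name)
        result.append((name, value))
    return result


def demo():
    # Constructed sample: a client tries to choose its own policy set header.
    client_request = [
        ("Host", "api.example.com"),
        ("x-policy-set", "admin"),      # client-supplied, lower case
        ("X-Policy-Set", "root"),       # repeated with a second value
        ("X-Debug", "1"),
    ]
    rule_headers = {
        "X-Policy-Set": "${APPLICATION_NAME}/${RESOURCE_NAME}",
        "X-Debug": "",                  # blank value: strip the header
    }
    return apply_additional_headers(client_request, rule_headers,
                                    "Payments", "Accounts")


if __name__ == "__main__":
    for name, value in demo():
        print(f"{name}: {value}")
```
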