In this configuration, PingAccess completely manages the OIDC authentication for the SPA, maintains a cookie-based web session with the browser, and replaces the cookie for an OAuth access token (or other identity mappings) before invoking the target API. You must perform additional steps to support this configuration.

  1. Configure Apigee to intercept calls for PingAccess.

    If you selected the Use context root as reserved resource base path check box on the PingAccess application you plan to use in conjunction with Apigee, skip ahead to step 2. When enabled, this feature provides reserved PingAccess resources from that application’s context root, which makes step 1 unnecessary.

    1. In Apigee, go to Develop > API Proxies and click Create New.
    2. On the Create Proxy page, click No Target.
    3. In the Name field, enter PingAccess.
    4. In the Base Path field, enter /pa.
      A screen capture showing the Proxy Details page with PingAccess in the Name field and /pa in the Base path field.
    5. In the Policies section of the Navigator, click + to add a policy.
    6. Add a Flow Callout Policy, and in the Shared Flow list, select PingAuth.
    7. Click Save.
    8. In the Proxy Endpoints section of the navigator, select PreFlow, then add the flow callout policy as a Request Step .
      A screen capture showing the Flow Callout Policy in the PreFlow tab.
    9. Save and deploy the new proxy.
  2. Add a Web+API application in PingAccess:
    1. Go to Applications > Applications and click +Application.
    2. Enter a Name, and then enter the Context Root and select or create Virtual Host(s) values to match how the application’s APIs are exposed from your Apigee environment.

      To create a Virtual Host, click +Create below the field name.

      A screen capture showing the top of the configured application. The Name, Context Root, and Virtual Host(s) fields are filled out accordingly.
  3. Configure the web session:
    1. In the Application Type list, select Web+API.
    2. Under Web Session, click +Create.
    3. Enter the web session details, including the OIDC sign-on details configured in your OpenID Provider (OP).

      PingAccess can only manage the OIDC authentication on behalf of the browser if PingAccess, through Apigee, is configured as the redirect URL in your OIDC provider.

      For example,

    4. Click Save to save the web session.
    5. Under Web Identity Mapping, click +Create.
    6. Name the identity mapping Access Token and select the type Web Session Access Token.

      This configures PingAccess to forward the OAuth Access Token it obtains from the OIDC provider Authorization Server as the bearer token to the API behind Apigee.

    7. Click Save.
    A screen capture showing the configured web session.
  4. In the Access Validation list, select the form of access validation that will be applied for non-web API clients, such as mobile applications.
  5. Configure Apigee as the application destination:
    1. In the Destination list, select Sideband.
    2. In the Sideband Client list, select the sideband client that you created earlier.
    3. Click Save.
    A screen capture showing the Destination field with Sideband selected as the destination. Apigee is selected in the Sideband Client field.