Token mediation allows a PingAccess gateway to use a PingFederate token generator to exchange the PingAccess token or an OAuth bearer token for a security token used by the foreign authentication system.


When planning a PingAccess deployment, take an inventory of existing applications and their authentication requirements and mechanisms. When an existing token-based authentication mechanism is in use, retrofitting that mechanism might not always be desirable or cost-effective.

The access request is transparent to the user, allowing PingAccess to transparently manage access to systems using those foreign tokens. The request is also transparent to the protected application, which handles the access request as if it came from the user directly. After token mediation, PingAccess caches the token used to access the application for continued use during the session.

The following illustration shows an example of token mediation using PingFederate to exchange a PingAccess token or OAuth bearer token for a different security token.

Diagram illustrating token mediation between PingFederate and PingAccess.
  1. A user requests a resource from PingAccess with a PingAccess token or OAuth bearer token.

    This example assumes the user has already obtained a PingAccess token or OAuth bearer token. For information on how users authenticate with PingFederate and obtain a PingAccess token or OAuth bearer token, see Session management configuration.

  2. PingAccess evaluates resource-level policies and performs token mediation by acquiring the appropriate security token from the PingFederate STS specified by the site authenticator.
  3. PingAccess sends the request to the site (web application) with the appropriate token.
  4. PingAccess returns the response to the client (step not pictured).

You can’t access a mediated token through a Groovy rule because token mediation occurs after PingAccess rule processing.

You can configure token mediation cache settings in the file using the following parameters:

Defines the maximum number of entries in the local heap for token mediation. The default value is 10000.
Defines, in seconds, the time an entry in the token mediation cache can be idle before it is expired. The default value is 1800.
Defines, in seconds, the maximum time an entry can be in the token mediation cache. The default value is 14400.