With dynamic authorization, policies must be able to retrieve attributes frequently from policy information providers (PIPs) at runtime.
The services and datastores from which additional policy information is retrieved range from development and testing environments to preproduction and production environments.
For example, you might use a Trust Framework service to retrieve a user's consent from the PingDirectory Consent API. This service depends on the URL of the Consent API, the username and password that are used for authentication, and other items that vary between development, preproduction, and production environments.
About policy configuration keys
To avoid hard-coding values such as URLs, usernames, or passwords, Trust Framework attributes can refer to policy configuration keys, which are key/value pairs defined outside of the Trust Framework and provided to the policy engine at runtime.
To define a Trust Framework attribute that uses a policy configuration key, configure the attribute with a Configuration Key resolver and the name of the policy configuration key.
For example, in the following image, an attribute called
ConsentServiceBaseUri is configured to use a policy configuration
The means by which policy configuration keys are provided to the policy engine differ based on whether the PingAuthorize Server is configured to use external PDP mode or embedded PDP mode, as shown in the following table.
|Where to define policy configuration keys
|External PDP mode
An options file and run the Policy Editor’s setup tool.
|Embedded PDP mode
The PingAuthorize Server configuration.