About the API security gateway - PingAuthorize - 9.2

PingAuthorize
bundle
pingauthorize-92
ft:publication_title
PingAuthorize
Product_Version_ce
PingAuthorize 9.2
category
ContentType
Product
Productdocumentation
paz-92
pingauthorize
ContentType_ce
Product documentation
  • PingAuthorize
  • Release Notes
  • PingAuthorize 9.2.0.4 (November 2023)
  • PingAuthorize 9.2.0.3 (September 2023)
  • PingAuthorize 9.2.0.2 (August 2023)
  • PingAuthorize 9.2.0.1 (May 2023)
  • PingAuthorize 9.2 (December 2022)
  • PingAuthorize 9.1.0.4 (November 2023)
  • PingAuthorize 9.1.0.3 (August 2023)
  • PingAuthorize 9.1.0.2 (March 2023)
  • PingAuthorize 9.1.0.1 (December 2022)
  • PingAuthorize 9.1 (June 2022)
  • PingAuthorize 9.0.0.6 (August 2023)
  • PingAuthorize 9.0.0.5 (April 2023)
  • PingAuthorize 9.0.0.4 (January 2023)
  • PingAuthorize 9.0.0.2 (July 2022)
  • PingAuthorize 9.0.0.1 (February 2022)
  • PingAuthorize 9.0 (December 2021)
  • Previous Releases
  • Introduction to PingAuthorize
  • Getting started with PingAuthorize (tutorials)
  • Using the tutorials
  • Setting up your environment
  • Starting PingAuthorize
  • Verifying proper startup
  • Accessing the GUIs
  • Stopping PingAuthorize
  • About the tutorial configuration
  • Tutorial 1: Importing default policies
  • Introduction to the Trust Framework and default policies
  • Tutorial 2: Configuring fine-grained access control for an API
  • Configuring a reverse proxy for the Meme Game API
  • Testing the reverse proxy
  • For further consideration: The PingAuthorize API security gateway, part 1
  • Adding a policy for the Create Game endpoint
  • For further consideration: The PingAuthorize API security gateway, part 2
  • Testing the policy from the Policy Editor
  • Testing the policy by making an HTTP request
  • For further consideration: Decision Visualiser
  • Modifying the rule for the Create Game endpoint
  • For further consideration: Resolvers and value processors
  • Conclusion
  • Tutorial 3: Configuring attribute-based access control for API resources
  • Configuring the API security gateway
  • Creating the gateway API endpoint
  • Testing the gateway
  • Creating a policy based on user credentials
  • Creating a service for the Shared Answers endpoint
  • Creating a policy for the Shared Answers endpoint
  • Testing the policy
  • Creating an attribute from user data
  • Adding logic to allow non-Youngstown users
  • Testing that the policy blocks Youngstown users
  • Creating a policy based on the API response
  • Creating an attribute from response data
  • Adding logic to allow family-friendly memes
  • Testing that the policy blocks Youngstown users from viewing age 13+ memes
  • Allowing unrated memes
  • Testing the default value
  • Creating an advice to provide a more useful error message
  • Testing the advice
  • Conclusion
  • Tutorial (optional): Creating SCIM policies
  • Tutorial: Creating the policy tree
  • Tutorial: Creating SCIM access token policies
  • Creating a policy for permitted access token scopes
  • Testing the policy with cURL
  • Defining the email scope
  • Testing the email scope with cURL
  • Defining the profile scope
  • Testing the profile scope with cURL
  • Defining the scimAdmin scope
  • Adding the scimAdmin retrieve rule
  • Adding the scimAdmin create/modify rule
  • Adding the scimAdmin search rule
  • Adding the scimAdmin delete rule
  • Creating a policy for permitted OAuth2 clients
  • Testing the client policy with cURL
  • Creating a policy for permitted audiences
  • Testing the audience policy with cURL
  • Tutorial: Creating a policy for role-based access control
  • Testing the policy with cURL
  • Example files
  • Conclusion
  • Installing and uninstalling PingAuthorize
  • Docker deployment
  • Deployment requirements when using Docker
  • Deploying PingAuthorize Server and Policy Editor using Docker
  • Deploying PingAuthorize Server using Docker
  • Deploying PingAuthorize Policy Editor using Docker
  • Post-setup steps (Docker deployment)
  • Next steps
  • Manual installation
  • Before you install manually
  • System requirements
  • About license keys
  • Creating a Java installation dedicated to PingAuthorize
  • Preparing a Linux environment
  • Setting the file descriptor limit
  • Setting the maximum user processes
  • Disabling file system swapping
  • Managing system entropy
  • Enabling the server to listen on privileged ports
  • Obtaining the installation packages
  • Setting up a PostgreSQL database
  • Installing the server and the Policy Editor manually
  • Installing the server manually
  • Installing the PingAuthorize Policy Editor manually
  • Installing the PingAuthorize Policy Editor interactively
  • Example: Installing and configuring the Policy Editor interactively
  • Installing the PingAuthorize Policy Editor noninteractively
  • Clustering and scaling
  • Post-setup steps (manual installation)
  • Next steps
  • Signing on to the administrative console
  • Signing on to the PingAuthorize Policy Editor
  • Changing the PingAuthorize Policy Editor authentication mode
  • Changing the Policy Editor authentication mode for manual installs
  • Changing the Policy Editor authentication mode for Docker deployments
  • Configuring an OIDC provider for single sign-on requests from PingAuthorize
  • Uninstalling PingAuthorize
  • Upgrading PingAuthorize
  • Upgrade considerations
  • Upgrade considerations introduced in PingAuthorize 8.x
  • Docker upgrades
  • Upgrading PingAuthorize Server using Docker
  • Upgrading the PingAuthorize Policy Editor using Docker
  • Manual upgrades
  • Upgrading PingAuthorize Server manually
  • Reverting an update
  • Upgrading the PingAuthorize Policy Editor manually
  • Policy-related upgrades
  • Backing up policies
  • Upgrading the Trust Framework and policies
  • Upgrading a PostgreSQL policy database
  • PingAuthorize Integrations
  • Apigee API gateway integration
  • Setting up PingAuthorize for Apigee integration
  • Configuring Apigee for PingAuthorize integration
  • Adding the PingAuthorize Shared Flow to Apigee
  • Adding an API proxy in Apigee
  • Configuring an OAuth flow in Apigee (optional)
  • Attaching the PingAuthorize Shared Flow to API proxies
  • Troubleshooting the Apigee integration
  • Troubleshooting API client HTTP 5xx errors
  • Troubleshooting API client HTTP 4xx errors
  • Setting up error response handling in the target server
  • Enable logging in Apigee
  • Kong API gateway integration
  • Preparing PingAuthorize for Kong Gateway integration
  • Setting up Kong Gateway
  • Troubleshooting the Kong Gateway integration
  • Troubleshooting API client HTTP 5xx errors
  • API client HTTP 4xx errors
  • Enabling error logging in Kong Gateway
  • Enabling debug logging for the Kong Gateway plugin
  • MuleSoft API gateway integration
  • Deploying the custom MuleSoft policy for PingAuthorize
  • Applying the custom MuleSoft policy for PingAuthorize
  • PingAuthorize Server Administration Guide
  • Running PingAuthorize
  • Starting PingAuthorize Server
  • Running PingAuthorize Server as a foreground process
  • Starting PingAuthorize Server at boot time (Unix/Linux)
  • Starting PingAuthorize Server at boot time (Windows)
  • Registering PingAuthorize Server as a Windows service
  • Running multiple service instances
  • Deregistering and uninstalling services
  • Log files for Windows services
  • Starting PingAuthorize Policy Editor
  • Stopping PingAuthorize Server
  • Stopping PingAuthorize Policy Editor
  • Restarting PingAuthorize Server
  • About the API security gateway
  • API gateway request and response flow
  • Gateway configuration basics
  • API security gateway authentication
  • API security gateway policy requests
  • API gateway policy request attributes
  • Gateway API Endpoint configuration properties that affect policy requests
  • API gateway path parameters
  • Basic example
  • Advanced example
  • API security gateway HTTP 1.1 support
  • Gateway error templates
  • Configuring error templates example
  • About the Sideband API
  • API gateway integration
  • Sideband API configuration basics
  • Authenticating to the Sideband API
  • Creating a shared secret
  • Deleting a shared secret
  • Rotating shared secrets
  • Customizing the shared secret header
  • Authenticating API server requests
  • Sideband API policy requests
  • Sideband API policy request attributes
  • Sideband API Endpoint configuration properties
  • Sideband API path parameters
  • Basic example
  • Advanced example
  • Request context configuration
  • Sideband access token validation
  • Sideband error templates
  • Example: Configure error templates
  • About the SCIM service
  • SCIM API request and response flow
  • SCIM configuration basics
  • About the create-initial-config tool
  • Example: Mapped SCIM resource type for devices
  • SCIM endpoints
  • SCIM authentication
  • SCIM policy requests
  • SCIM policy request attributes
  • About SCIM searches
  • SCIM search policy processing
  • Search request authorization
  • Search response authorization
  • Using paged SCIM searches
  • Lookthrough limit for SCIM searches
  • Disabling the SCIM REST API
  • About the SCIM user store
  • Defining the LDAP user store
  • Defining the LDAP user store with create-initial-config
  • Defining the LDAP user store manually
  • Location management for load balancing
  • Automatic backend LDAP server discovery
  • Joining a PingAuthorize Server to an existing PingDirectory Server topology
  • Joining a topology at setup
  • Joining a topology with manage-topology
  • Configuring a load-balancing algorithm with an LDAP external template
  • Configuring automatic backend LDAP server discovery
  • LDAP health checks
  • Configuring a health check using dsconfig
  • Connecting non-LDAP data stores
  • Managing Server SDK Extensions
  • About the Server SDK
  • Available types of extensions
  • About the Authorization Policy Decision APIs
  • JSON PDP API request and response flow
  • JSON PDP API request format
  • JSON PDP API response format
  • Authenticating to the JSON PDP API
  • Creating a shared secret
  • Deleting a shared secret
  • Rotating shared secrets
  • Customizing the shared secret header
  • XACML-JSON PDP API request and response flow
  • Requests
  • Authorization
  • Decision processing
  • Responses
  • Example
  • Policy Editor configuration
  • Specifying custom configuration with an options file
  • Key store configuration for policy information providers
  • Example: Configure a trust store for a policy information provider
  • Policy Editor configuration with runtime environment variables
  • Changing the default JWT claim for the OIDC user ID
  • Configuring the JWKS endpoint cache
  • Configuring Trust Framework attribute caching for development
  • Configuring Policy Editor security headers
  • Manage policy database credentials
  • Setting database credentials at initial setup
  • Changing database credentials
  • Specifying database credentials when you start the GUI
  • Docker: Setting the initial database credentials
  • Docker: Changing database credentials
  • Configuring SpEL Java classes for value processing
  • Setting the request list length for Decision Visualizer
  • HTTP caching
  • Policy administration
  • About the Trust Framework
  • Environment-specific Trust Framework attributes
  • Example
  • Define the policy information provider in the Trust Framework
  • Define policy configuration keys in a development environment
  • Define policy configuration keys in a preproduction environment
  • Create policies in a development environment
  • Configuring external PDP mode
  • Changing the active policy branch
  • Default and example policies
  • Importing and exporting policies
  • Loading a policy snapshot
  • Exporting a policy snapshot
  • Exporting a policy deployment package
  • Using the Deployment Manager
  • Setting up an Amazon S3 deployment package store
  • Creating an S3 bucket
  • Configuring the IAM user policy
  • Configuring the IAM user
  • Configuring the Policy Editor to publish to a deployment package store
  • Publishing to a deployment package store
  • Adding a filesystem deployment package store
  • Adding an Amazon S3 deployment package store
  • Adding an Azure deployment package store
  • Prepare policies for production
  • Example: Define a policy information provider key store for MTLS
  • Example: Define a policy information provider trust store
  • Example: Add SpEL Java classes to the allowed list
  • Use policies in a production environment
  • Policy database backups
  • Restoring a policy database from a backup
  • Policy application management with signed deployment packages
  • Example: Configure signed deployment packages for healthcare
  • Configuring Trust Framework attribute caching for production
  • User profile availability in policies
  • Access token validators
  • Access token validator types
  • Handling signed JWTs
  • Handling signed and encrypted JWTs
  • Token resource lookup methods
  • Server configuration
  • Administration accounts
  • About the dsconfig tool
  • PingAuthorize administrative console
  • About the configuration audit log
  • About the config-diff tool
  • Certificates
  • Replacing the server certificate
  • Preparing a new keystore with the replacement key pair
  • Using an existing key pair
  • Replacing the certificate associated with the original key pair
  • Importing earlier trusted certificates into the new keystore
  • Updating the server configuration to use the new certificate
  • Replacing the key store and trust store files
  • Retiring the previous certificate
  • Listener certificates
  • Replacing listener certificates
  • X.509 certificates
  • Certificate subject DNs
  • Certificate key pairs
  • Certificate extensions
  • Certificate chains
  • About representing certificates, private keys, and certificate signing requests
  • Certificate trust
  • Keystores and truststores
  • Transport Layer Security (TLS)
  • TLS handshakes
  • Key agreement
  • LDAP StartTLS extended operation
  • About the manage-certificates tool
  • Available manage-certificates subcommands
  • Using manage-certificates as a simple certification authority
  • Common manage-certificates arguments
  • Listing the certificates in a keystore
  • Generating self-signed certificates
  • Generating certificate signing requests
  • Importing signed and trusted certificates
  • Exporting certificates
  • Enabling TLS support during server setup
  • Enabling TLS support after setup
  • Configuring key and trust manager providers
  • Configuring TLS connection handlers
  • Updating the topology registry
  • Troubleshooting TLS-related issues
  • Log messages
  • About manage-certificates check-certificate-usability
  • ldapsearch for TLS-related arguments
  • Using low-level TLS debugging
  • Configure the Policy Decision Service
  • User store configuration
  • Configure access token validation
  • Configure PingOne to use SSO for the administrative console
  • Configure traffic through a load balancer
  • PingAuthorize Server configuration with dsconfig
  • Configuring the PingAuthorize user store
  • Configuring the PingAuthorize OAuth subject search
  • Configuring PingAuthorize logging
  • Deployment automation and server profiles
  • Variable substitution using manage-profile
  • Layout of a server profile
  • setup-arguments.txt
  • dsconfig/
  • server-root/
  • server-sdk-extensions/
  • variables-ignore.txt
  • server-root/permissions.properties
  • misc-files/
  • About the manage-profile tool
  • manage-profile generate-profile
  • manage-profile setup
  • manage-profile replace-profile
  • Common manage-profile workflows
  • Creating a server profile
  • Installing a new environment
  • Scaling up your environment
  • Rolling out an update
  • Server profiles in a pets service model
  • Server status
  • Server availability
  • User Store Availability gauge
  • Endpoint Average Response Time (Milliseconds) gauge
  • HTTP Processing (Percent) gauge
  • Policy Decision Service Availability gauge
  • Auto-healing for unavailable servers
  • Available gauges
  • Common server alarms
  • Managing monitoring
  • Profiling server performance using the Stats Logger
  • Enabling the Stats Logger
  • Configuring multiple Periodic Stats Loggers
  • Logging HTTP performance statistics using the Periodic Stats Logger
  • StatsD monitoring endpoint
  • Sending StatsD metrics to Splunk
  • Managing HTTP correlation IDs
  • About HTTP correlation IDs
  • Server SDK support
  • Enabling or disabling correlation ID support
  • Configuring the correlation ID response header
  • How the server manages correlation IDs
  • Example: HTTP correlation ID
  • Command-line tools
  • Saving command options in a file
  • Creating a tools properties file
  • Evaluation priority of command-line options
  • Sample dsconfig batch files
  • Running task-based tools
  • Diagnostic and decision data
  • Exporting policy data
  • Enable detailed logging
  • Policy Decision Logger
  • Debug Trace logger
  • Debug logger
  • About the Decision Response View
  • Visualizing a policy decision response
  • Capture debugging data with the collect-support-data tool
  • About the layout of the PingAuthorize Server folders
  • About the layout of the PingAuthorize Policy Editor folders
  • PingAuthorize Policy Administration Guide
  • Getting started
  • Version control (Branch Manager)
  • Creating a new top-level branch
  • Creating a subbranch from a commit
  • Importing a branch
  • Deleting a branch
  • Merging branches
  • Reverting branch changes
  • Committing changes
  • Generating snapshots
  • Partial snapshot export and merging
  • Creating a partial snapshot export
  • Merging a partial snapshot
  • Creating a deployment package
  • Deleting a deployment package
  • Trust Framework
  • Domains (Authorization Policy Decision APIs only)
  • Services
  • Resources
  • Policy information providers
  • Common settings
  • HTTP services
  • LDAP services
  • Camel services
  • Attributes
  • Creating an attribute
  • Attribute name, description, and location
  • Resolvers
  • Resolver types
  • Conditional resolvers
  • Value processing for a resolver
  • Attribute caching
  • Value settings
  • Attribute interpolation
  • Actions
  • Identity classifications and IdP support
  • Named conditions
  • Value processing
  • Chained value processors
  • Trust Framework testing
  • Viewing Trust Framework entity dependencies
  • Policy management
  • Policy sets, policies, and rules
  • Policies and policy sets
  • Creating policies and policy sets
  • Adding targets to a policy
  • Conditional targets (Applies to)
  • Advice
  • Provided advice
  • Custom advice
  • Rules and combining algorithms
  • Rule structure
  • Policy testing
  • Repeating policies and attributes
  • Policy solutions
  • Use case: Using consent to determine access to a resource
  • Getting a path component from the request URL
  • Getting the requestor identifier from the access token
  • Searching for consent by resource owner to requestor
  • Getting consent status from the consent record
  • Creating a policy to check consent and then permit or deny access
  • Use case: Using consent to change a response
  • Creating a policy to check consent and then change the server response
  • Use case: Using a SCIM resource type or a policy request action to control behavior
  • Getting the SCIM resource type and the action being executed
  • Creating a policy to permit or deny the creation of resources
  • Creating a policy to control the set of actions for a specific resource
  • Creating a policy to restrict the ability to delete based on resource type
  • Creating a policy to dynamically modify a resource based on the SCIM resource type
  • Restricting the modification of attributes
  • Allowing attributes to be modified by administrators
  • Adding attributes to an allow list
  • Test Suite
  • Advice types
  • Add Filter
  • Combine SCIM Search Authorizations
  • Denied Reason
  • Exclude Attributes
  • Filter Response
  • Include Attributes
  • Modify Attributes
  • Modify Headers
  • Modify query
  • Modify SCIM Patch
  • Regex Replace Attributes
  • Management REST API documentation

When you configure PingAuthorize Server for the APIapplication programming interface (API) A specification of interactions available for building software to access an application or service. gateway pattern, the server and gateway provide dynamic authorization management between a client and a REST API.

See the following topics for specific details about the functionality of the API security gateway.

  • API gateway request and response flow
  • Gateway configuration basics
  • API security gateway authentication
  • API security gateway policy requests
  • API security gateway HTTP 1.1 support
  • Gateway error templates
Back to home page