With dynamic authorization, policies must be able to retrieve attributes frequently from policy information providers (PIPs) at runtime.
The services and datastores from which additional policy information is retrieved range from development and testing environments to preproduction and production environments.
For example, you might use a Trust Framework service to retrieve a user's consent from the PingDirectory Consent API. This service depends on the URL of the Consent API, the username and password that are used for authentication, and other items that vary between development, preproduction, and production environments.
About policy configuration keys
To avoid hard-coding values such as URLs, usernames, or passwords, Trust Framework attributes can refer to policy configuration keys, which are key/value pairs defined outside of the Trust Framework and provided to the policy engine at runtime.
To define a Trust Framework attribute that uses a policy configuration key, configure the attribute with a Configuration Key resolver and the name of the policy configuration key.
For example, in the following image, an attribute called
ConsentServiceBaseUri
is configured to use a policy configuration
key called ConsentBaseUri
.
The means by which policy configuration keys are provided to the policy engine differ based on whether the PingAuthorize Server is configured to use external PDP mode or embedded PDP mode, as shown in the following table.
Mode | Where to define policy configuration keys |
---|---|
External PDP mode |
An options file and run the Policy Editor’s setup tool. See Define policy configuration keys in a development environment. |
Embedded PDP mode |
The PingAuthorize Server configuration. See Define policy configuration keys in a preproduction environment. |