This guide describes the deployment of PingIntelligence for APIs in a sideband configuration with PingAccess. A PingIntelligence policy is installed in PingAccess and passes API metadata to PingIntelligence for detailed API activity reporting and attack detection with optional client blocking.

The PingIntelligence sideband policy supports interception of OAuth Tokens that come as part of a query string. It also supports optional enablement of Asynchronous mode to API Security Enforcer (ASE).

The following diagram depicts the architecture of PingIntelligence for APIs components along with PingAccess and PingFederate.

Here is the traffic flow through the PingAccess and PingIntelligence for APIs components.

  1. Client requests and receives an access token from PingFederate.
  2. Client sends a request with the access token received from PingFederate.
  3. PingAccess verifies the authenticity of the access token with PingFederate.
  4. If the token is invalid, PingAccess returns a 401-unauthorized message to the client.
  5. If the token is valid, the PingIntelligence policy running in PingAccess collects API metadata and token attributes.
  6. PingAccess makes an API call to send the request information to ASE. ASE checks the request against a registered set of APIs and checks the client identifiers such as IP addresses, cookies against the AI generated Blacklist. If all checks pass, ASE returns a 200-OK response to the PingAccess. If not, a 403- forbidden response code is sent to PingAccess. The request information is also logged by ASE and sent to the API Behavioral Security (ABS) AI Engine for processing.
  7. If PingAccess receives a 200-OK response from ASE, it forwards the request to the backend server. Otherwise, the gateway optionally blocks the client. In synchronous mode, the gateway waits for a response from ASE before forwarding the request to backend server. However, if asynchronous mode is enabled, the gateway forwards the request to the backend server without waiting for the response from ASE. The ASE passively logs the request and forwards it to ABS for attack analysis. It performs attack detection without blocking of attacks.
  8. The response from the backend server is received by PingAccess. PingAccess sends the response received from the backend server to the client.
  9. PingAccess makes a second API call to pass the response information to ASE which sends the information to the ABS AI engine for processing. ASE receives the response information and sends a 200-OK to PingAccess.
  10. PingAccess sends the response to the client.