Page created: 1 Nov 2021 | Page updated: 3 May 2022
To integrate PingAccess with PingIntelligence components, complete the following steps in PingAccess:
Note: We recommend that you increase the default heap size in PingAccess before deploying the PingIntelligence policy for PingAccess 6.x. For instructions on changing the default heap size, see Modifying the Java heap size. For more information, contact Ping Identity support.
Download the PingIntelligence policy from the Ping Identity download site and unzip it. The zip file contains three policy files based on the JDK version. Use the policy based on your deployment environment.
PingIntelligence.jar file into the
- Restart PingAccess.
Log in to PingAccess.
Note: To support failover, a secondary ASE is provisioned. Complete the following steps for both the Primary and Secondary ASEs.
Add the Primary ASE as a Third-Party Service:
- In the left pane, click Sites. Navigate to THIRD-PARTY SERVICES and click + Add Third-Party Service to add the Primary ASE.
- In the New Third-Party Service page, enter a name that identifies the Primary ASE in NAME and enter the endpoint used to reach the Primary ASE in TARGET.
  Note: Select options under SECURE to connect PingAccess to PingIntelligence ASE using HTTPS.
- Click Save.
- Repeat step 5 to add the Secondary ASE as a Third-Party Service. Enter the name and endpoint specific to the Secondary ASE.
Add the PingIntelligence sideband rule:
- In the left pane, click Rules. In the new Rule page, in the NAME field, enter the name of the rule for PingIntelligence.
- In the TYPE drop-down list, select PingIntelligence. This appears in the drop-down list after adding PingIntelligence.jar in PA_HOME in step 3.
- Select the ASE endpoint for the Primary ASE in the PINGINTELLIGENCE ASE ENDPOINT drop-down list.
- Select the ASE endpoint for the Secondary ASE in the PINGINTELLIGENCE ASE ENDPOINT-BACKUP drop-down list.
  Note: If the Secondary ASE is not installed, you can choose the Primary ASE endpoint in the PINGINTELLIGENCE ASE ENDPOINT-BACKUP drop-down list.
- In the PINGINTELLIGENCE ASE TOKEN field, enter the ASE sideband token that is generated for authentication between PingAccess and ASE.
- If an OAuth token comes as part of a query string, enter the name of the query string in the PINGINTELLIGENCE QS OAUTH field.
  Note: The PingIntelligence policy extracts the OAuth token from the query string configured in PINGINTELLIGENCE QS OAUTH. A new Authorization header, Authorization: Bearer <OAuth token>, is added to the metadata sent to ASE. If there is an existing Authorization header, the token is prepended so that the ABS AI engine can analyse it. If the query string has multiple query parameters with the same name, the first parameter is intercepted by the policy.
- Select ENABLE ASYNC MODE to choose asynchronous mode between PingAccess and ASE.
  Note: The PingIntelligence policy supports both synchronous and asynchronous modes of communication between PingAccess and ASE. By default, the communication mode is synchronous. When asynchronous mode is enabled, the PingAccess gateway does not wait for a response from ASE and sends the request to the backend server. In asynchronous mode, ASE performs attack detection without blocking attacks.
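The query-string token handling described in the PINGINTELLIGENCE QS OAUTH note above, modelled in Python as an added example (not Ping Identity's code). The function name, the header-list representation, exact matching of the parameter name, and the reading of "prepended" as "placed ahead of the existing Authorization header" are assumptions; the URL and header values are constructed.

```python
from urllib.parse import urlsplit, parse_qsl


def ase_metadata_headers(request_url, request_headers, qs_oauth_name):
    """Return the header list a sideband policy would report to ASE.

    request_headers -- list of (name, value) tuples in wire order
    qs_oauth_name   -- value configured in PINGINTELLIGENCE QS OAUTH ("" if unset)
    """
    headers = list(request_headers)          # never mutate the caller's list
    if not qs_oauth_name:
        return headers                       # feature not configured

    query = urlsplit(request_url).query
    # parse_qsl keeps duplicate parameters in order; per the note, the
    # first parameter with the configured name is the one that is used.
    token = next(
        (value for name, value in parse_qsl(query, keep_blank_values=True)
         if name == qs_oauth_name),          # assumption: exact-match name
        None,
    )
    if not token:
        return headers                       # parameter absent or empty

    bearer = ("Authorization", f"Bearer {token}")
    # Assumption: "prepended" means the new header goes ahead of any
    # Authorization header already present in the request.
    position = next(
        (i for i, (name, _) in enumerate(headers)
         if name.lower() == "authorization"),
        len(headers),
    )
    headers.insert(position, bearer)
    return headers


if __name__ == "__main__":
    # Constructed sample request: duplicate token parameter plus Basic auth.
    url = "https://api.example.com/orders?access_token=tokA&access_token=tokB&id=7"
    original = [("Host", "api.example.com"),
                ("Authorization", "Basic dXNlcjpwdw==")]
    for name, value in ase_metadata_headers(url, original, "access_token"):
        print(f"{name}: {value}")
```

Running the sample shows that only the first `access_token` value reaches the metadata, which is the value to compare against what the backend API itself reads when validating the rule configuration.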
Apply the rule by completing the following steps:
Note: You can also selectively apply the PingIntelligence sideband rule to individual Resources. To apply the sideband rule, click the RESOURCES tab and move the rule from AVAILABLE RULES onto the policy bar. For more information, see Applying rules to applications and resources.
- Edit the existing application.
- In the edit application page, click API Policy.
- Under Available Rules, click the sign for the PingIntelligence rule.
- After clicking on the sign, the PingIntelligence rule moves under the API APPLICATION POLICY as shown in the screen
- Click Save to save the rule.