This guide describes the deployment of PingIntelligence for APIs in a sideband configuration with MuleSoft API Gateway. A PingIntelligence policy is installed in the MuleSoft API Gateway and it passes API metadata to PingIntelligence for detailed API activity reporting and attack detection with optional client blocking.
The PingIntelligence policy works with APIs that are configured with a basic endpoint and with APIs that are configured with a proxy endpoint. The policy is simpler to deploy on APIs configured with the endpoint with proxy option, because more of the API metadata the policy needs is already available to it.
Traffic flow for MuleSoft integration without user information
Here is the traffic flow through the MuleSoft and PingIntelligence for APIs components.
- Client sends an incoming request to MuleSoft.
- The PingIntelligence policy running in MuleSoft collects API metadata and token attributes.
- MuleSoft makes an API call to send the request information to ASE. ASE checks the request against its registered set of APIs and checks the origin IP, cookie, or OAuth2 token against the AI-generated blacklist. If all checks pass, ASE returns a 200 OK response to MuleSoft; otherwise it returns a different response code. ASE also logs the request information and sends it to the AI Engine for processing.
- If MuleSoft receives a 200 OK response from ASE, it forwards the request to the backend server. Otherwise, the gateway optionally blocks the client.
- The response from the backend server is received by MuleSoft.
- MuleSoft makes a second API call to pass the response information to ASE, which sends it to the AI Engine for processing. ASE acknowledges the response information with a 200 OK to MuleSoft.
- MuleSoft sends the backend response to the client.
Traffic flow for MuleSoft integration with user information
Here is the traffic flow through the MuleSoft and PingIntelligence for APIs components. PingFederate is used as the OAuth server to gather the user information.
- Client requests and receives an access token from PingFederate.
- Client sends a request with the access token received from PingFederate.
- MuleSoft verifies the access token with PingFederate.
- If the token is invalid, MuleSoft returns a 401 Unauthorized response to the client.
- If the token is valid, the PingIntelligence policy running in MuleSoft collects API metadata and token attributes.
- MuleSoft makes an API call to send the request information to ASE. ASE checks the request against its registered set of APIs and checks the origin IP, cookie, or OAuth2 token against the AI-generated blacklist. If all checks pass, ASE returns a 200 OK response to MuleSoft; otherwise it returns a different response code. ASE also logs the request information and sends it to the AI Engine for processing.
- If MuleSoft receives a 200 OK response from ASE, it forwards the request to the backend server. Otherwise, the gateway optionally blocks the client.
- The response from the backend server is received by MuleSoft.
- MuleSoft makes a second API call to pass the response information to ASE, which sends it to the AI Engine for processing. ASE acknowledges the response information with a 200 OK to MuleSoft.
- MuleSoft sends the backend response to the client.
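The two flows above differ only in whether the token is verified with PingFederate before the sideband calls are made. The following Python model, added here as an illustration and not code from the PingIntelligence or MuleSoft documentation, walks through both flows end to end: an in-memory stand-in for ASE applies the registered-API and blacklist checks, and a gateway-side policy function makes the request call, conditionally forwards to the backend, and then makes the response call. The metadata field names, the status codes ASE returns when a check fails, the sample API name, IPs, and tokens are all assumptions chosen for the example, not the product's wire format.

```python
# Added example: model of the PingIntelligence sideband exchange.
# The in-memory ASE, its non-200 codes, and the metadata field names are
# assumptions for illustration, not the product's actual protocol.
import uuid
from dataclasses import dataclass, field


@dataclass
class ASE:
    """Stand-in for the API Security Enforcer sideband endpoints."""
    registered_apis: set
    blacklist_ips: set = field(default_factory=set)
    blacklist_cookies: set = field(default_factory=set)
    blacklist_tokens: set = field(default_factory=set)
    # Everything appended here is what ASE would forward to the AI Engine.
    log: list = field(default_factory=list)

    def request_call(self, meta):
        """First sideband call. 200 means forward; the other codes are
        assumed values (404 unregistered API, 403 blacklisted identity)."""
        self.log.append(("request", meta))
        if meta["api"] not in self.registered_apis:
            return 404
        if (meta.get("client_ip") in self.blacklist_ips
                or meta.get("cookie") in self.blacklist_cookies
                or meta.get("token") in self.blacklist_tokens):
            return 403
        return 200

    def response_call(self, meta):
        """Second sideband call: response metadata is only logged."""
        self.log.append(("response", meta))
        return 200


def policy(request, ase, backend, block_on_deny=True, token_validator=None):
    """Gateway-side policy. request is a dict, backend is a callable returning
    (status, body). token_validator models the PingFederate check of the
    'with user information' flow; None selects the first flow."""
    token = request.get("token")
    # Second flow only: reject an invalid token before ASE sees the request.
    if token_validator is not None and not token_validator(token):
        return 401, "Unauthorized"

    correlation_id = str(uuid.uuid4())
    request_meta = {
        "correlation_id": correlation_id,
        "api": request["api"],
        "method": request["method"],
        "path": request["path"],
        "client_ip": request["client_ip"],
        "cookie": request.get("cookie"),
        "token": token,
    }
    # First sideband call: ASE checks API registration and the blacklist.
    verdict = ase.request_call(request_meta)
    if verdict != 200 and block_on_deny:
        return 403, "Blocked by PingIntelligence"

    # Forward to the backend (blocking is optional, so a non-200 verdict
    # still forwards when block_on_deny is False).
    status, body = backend(request)

    # Second sideband call carries response metadata for AI processing; its
    # return code does not change what the client receives.
    ase.response_call({
        "correlation_id": correlation_id,
        "api": request["api"],
        "status": status,
        "body_size": len(body),
    })
    return status, body


# Constructed sample data so the module runs offline.
def sample_ase():
    return ASE(registered_apis={"orders-api"},
               blacklist_ips={"203.0.113.9"},
               blacklist_tokens={"tok-revoked"})


def sample_backend(request):
    return 200, '{"orders": []}'


def sample_request(**overrides):
    req = {"api": "orders-api", "method": "GET", "path": "/orders",
           "client_ip": "198.51.100.7", "token": "tok-good"}
    req.update(overrides)
    return req


def valid_token(token):
    """Stand-in for PingFederate token validation (assumed token values)."""
    return token in {"tok-good", "tok-revoked"}


if __name__ == "__main__":
    ase = sample_ase()
    print(policy(sample_request(), ase, sample_backend))
    print(policy(sample_request(client_ip="203.0.113.9"), ase, sample_backend))
    print(policy(sample_request(token="bogus"), ase, sample_backend,
                 token_validator=valid_token))
```

Two points the model makes visible: a token that PingFederate accepts can still be rejected by ASE if it is on the AI-generated blacklist, because the two checks are independent, and a request that fails the ASE check is still logged for the AI Engine even when the gateway is configured not to block. The page does not say how the policy behaves when ASE is unreachable, so the model does not either; that fail-open or fail-closed choice is one a deployment has to make deliberately.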