Define a managed API service to represent your API so that PingOne Authorize can help your API gateway enforce access control.
A managed API service enables PingOne Authorize to recognize requests for your API and instructs the API gateway to allow access from authorized clients only and block access from unauthorized clients.
An API service definition includes a pointer to the API and to the specific parts of the API that you want to protect. The definition includes an option to enable custom access control policies for complex authorization scenarios. The definition also specifies whether directory services and access token validation are managed by PingOne or managed externally.
You must deploy the API service after you make configuration changes, such as updating a setting or adding an operation.
1. Go to .
2. Click the + icon next to API Services to add an API service.
3. For the Name, enter a name that identifies the API.
   The name must be unique across all API services and resources.
4. Enter one or more Base URLs for the API represented by the API service.
   You can enter multiple URLs to support aliases for the same service, such as a vanity URL in addition to the domain URL. To add another URL, click + Add Base URL. URLs must be valid.
5. To enable custom policies for the API service and its operations, select the Enable Custom Policies check box.
   This generates a policy tree for the API service, enabling you to add your own custom authorization policies for the APIs managed by this API service.
   Note: After you save the API service, you can't change this setting. This setting is not available if you select External Services in the next step. Custom policies are enabled by default for external token service providers.
6. Select a user directory and token source:
   - PingOne SSO: PingOne manages user directory services and access token validation for the API service. This is the default option.
   - External Services: The API gateway manages access token validation services through external providers, such as PingFederate. This requires you to configure your API gateway to pass validated token claims to PingOne in decision requests.
   After you save the API service, you can't change whether the directory and token source are managed by PingOne or by external providers.
7. A corresponding resource is created that establishes a relationship between the API service and PingOne in order to define the audience for the API service's access token.
8. If you selected External Services in step 6, PingOne Authorize is now configured to recognize the API.
   If you selected PingOne SSO in step 6, complete steps 9 - 12.
9. On the Advanced tab, click the Pencil icon to add a scope.
10. In the Name field, enter a name for the scope.
    The scope defines which resources an API client can access. An application requests a scope for the resource associated with an API service in order to set the audience for the access token. For consistency, you might use a lowercase version of the API service name and replace spaces with hyphens.
11. Optional: Enter a description for the scope.
12. Click Save, and then click
PingOne Authorize is now configured to recognize the API.
- If PingOne is managing user directory and access token validation services for the protected API service, add a PingOne application that is allowed to access the protected API service. To allow access, grant the application the same scope that you configured for the API service. For more information, see Editing scopes for an application.
- Define operations for protected API actions.
- Add custom policies for the API service.
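The relationship between the API service, its resource (the token audience) and its scope, as described in the scope step and in the note about granting the application the same scope, can be modelled as a small gateway-side check. The example below is added here and is not PingOne's code or API: it assumes, for illustration only, that the API service's resource name appears in the token's `aud` claim and that granted scopes arrive as a space-separated `scope` claim; the sample claims are constructed.

```python
# Added example, not PingOne's code or API: models the audience and scope
# relationship between an API service, its resource and an application.
# Assumptions (illustrative, not confirmed by the page): the resource created
# for the API service shows up as its name in the token's "aud" claim, and
# granted scopes arrive as a space-separated "scope" claim.
import re


def scope_name_from_service(service_name: str) -> str:
    """Scope name following the page's naming suggestion: lowercase the API
    service name and replace runs of whitespace with hyphens."""
    return re.sub(r"\s+", "-", service_name.strip().lower())


def is_authorized(claims: dict, api_service_name: str) -> bool:
    """Allow only when the token is meant for this API service (its audience
    names the service's resource) and the client holds the service's scope.
    Anything else is blocked, matching the allow/block behaviour the page
    describes for authorized and unauthorized clients."""
    aud = claims.get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]
    if api_service_name not in audiences:
        return False  # token issued for a different resource
    granted = set(str(claims.get("scope", "")).split())
    return scope_name_from_service(api_service_name) in granted


# Constructed sample claims (not real tokens) for the "Orders API" service.
AUTHORIZED_CLAIMS = {"sub": "app-1", "aud": ["Orders API"], "scope": "orders-api openid"}
WRONG_AUDIENCE_CLAIMS = {"sub": "app-2", "aud": "Other API", "scope": "orders-api"}
MISSING_SCOPE_CLAIMS = {"sub": "app-3", "aud": ["Orders API"], "scope": "openid"}

if __name__ == "__main__":
    samples = [
        ("authorized app", AUTHORIZED_CLAIMS),
        ("wrong audience", WRONG_AUDIENCE_CLAIMS),
        ("scope not granted", MISSING_SCOPE_CLAIMS),
    ]
    for label, claims in samples:
        verdict = "allow" if is_authorized(claims, "Orders API") else "block"
        print(f"{label}: {verdict}")
```

The second and third samples show the two ways an application ends up blocked: its token was issued for another resource, or it was never granted the scope configured for this API service.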