PingFederate OAuth Token Enforcement Policy
The PingFederate OAuth Token Enforcement policy connects to a PingFederate authorization server and enforces access according to its configuration. Anypoint platform supports the Ping Federate identity provider (IdP) configured for SAML 2.0-compliant identity management.
Consider doing the optional configuration tasks before using the PingFederate OAuth Token Enforcement policy:
This policy is available only if the following prerequisites are met:
Your Anypoint Platform organization is setup as a federated organization, using PingFederate.
Your user is the Anypoint Platform organization administrator, or has permissions to create or manage APIs.
If the OAuth token is not valid, PingFederate returns a
403 FORBIDDEN error.
This diagram shows how the PingFederate OAuth Token Enforcement policy works with an existing PingFederate authorization server to protect access to an API.
First, the client application gets requests the token directly from PingFederate before making an API call. The client application makes this request by authenticating with user credentials.
PingFederate supplies the client application with a valid token.
Next, the client application sends the valid token in the API call.
Mule, governed by the PingFederate OAuth Token Enforcement policy, checks that the token in the header or query parameter is valid and matches the correct scopes.
The policy invokes your organization’s PingFederate authorization server to validate the token and check scopes.
Finally, the API receives the call from the client application.
You enable or disable the proxy network connection between the API and PingFederate by setting the
anypoint.platform.ping_federate_enable_proxy_setting parameter. This parameter is located in the following wrapper configuration file, depending on the Mule Runtime or API Gateway Runtime version:
Mule Runtime 3.8.x with unified API Gateway:
API Gateway Runtime 2.1.x and 2.2.x:
/conf/wrapper.conffile from the API Gateway software distribution
Set the parameter to true or false. For example:
By default, the ping_federate_enable_proxy_settings parameter is false, so the proxy connection between the API and PingFederate is disabled because the following proxy settings are ignored:
When you apply the PingFederate OAuth Token Enforcement Policy, you can configure
scopes that the PingFederate server grants to applications that access your APIs under this policy. You need obtain the names of the scopes as defined in PingFederate. Scope names are case-sensitive.
Assuming you have deployed the API, to configure
In API Manager, navigate to the API version details pagepage of your API.
In the Configure PingFederate OAuth Token Enforcement Policy dialog, enter a space-separated list of strings that indicate the scope of application access to your API. This access needs to correspond to credentials defined for applications in PingFederate.
Incorporate authorization to protect an API using the PingFederate OAuth Token Enforcement policy as previously described.