PingFederate OAuth Token Enforcement Policy

The PingFederate OAuth Token Enforcement policy connects to a PingFederate authorization server and enforces access according to its configuration. Anypoint platform supports the Ping Federate identity provider (IdP) configured for SAML 2.0-compliant identity management.

Consider doing the optional configuration tasks before using the PingFederate OAuth Token Enforcement policy:


This policy is available only if the following prerequisites are met:

  • Your Anypoint Platform organization is setup as a federated organization, using PingFederate.

  • Your user is the Anypoint Platform organization administrator, or has permissions to create or manage APIs.

If the OAuth token is not valid, PingFederate returns a 403 FORBIDDEN error.

Policy Implementation

This diagram shows how the PingFederate OAuth Token Enforcement policy works with an existing PingFederate authorization server to protect access to an API.

  • First, the client application gets requests the token directly from PingFederate before making an API call. The client application makes this request by authenticating with user credentials.

  • PingFederate supplies the client application with a valid token.

  • Next, the client application sends the valid token in the API call.

  • Mule, governed by the PingFederate OAuth Token Enforcement policy, checks that the token in the header or query parameter is valid and matches the correct scopes.

  • The policy invokes your organization’s PingFederate authorization server to validate the token and check scopes.

  • Finally, the API receives the call from the client application.

Configuring the Proxy Connection to PingFederate

You enable or disable the proxy network connection between the API and PingFederate by setting the anypoint.platform.ping_federate_enable_proxy_setting parameter. This parameter is located in the following wrapper configuration file, depending on the Mule Runtime or API Gateway Runtime version:

  • Mule Runtime 3.8.x with unified API Gateway: $MULE_HOME/conf/wrapper.conf

  • API Gateway Runtime 2.1.x and 2.2.x: /conf/wrapper.conf file from the API Gateway software distribution

Set the parameter to true or false. For example:<n>=-Danypoint.platform.ping_federate_enable_proxy_settings=true

By default, the ping_federate_enable_proxy_settings parameter is false, so the proxy connection between the API and PingFederate is disabled because the following proxy settings are ignored:<n>=-Danypoint.platform.proxy_host=localhost<n>=-Danypoint.platform.proxy_port=8080

Configuring Scope of Access

When you apply the PingFederate OAuth Token Enforcement Policy, you can configure scopes that the PingFederate server grants to applications that access your APIs under this policy. You need obtain the names of the scopes as defined in PingFederate. Scope names are case-sensitive.

Assuming you have deployed the API, to configure scopes:

  1. In API Manager, navigate to the API version details pagepage of your API.

  2. Click Apply.

  3. In the Configure PingFederate OAuth Token Enforcement Policy dialog, enter a space-separated list of strings that indicate the scope of application access to your API. This access needs to correspond to credentials defined for applications in PingFederate.

Incorporating Authorization into an API

Incorporate authorization to protect an API using the PingFederate OAuth Token Enforcement policy as previously described.