Ping Identity provides a comprehensive suite of enterprise Identity and Access Management (IAM) solutions, with PingFederate and PingAccess forming a powerful duo to secure access across complex digital environments. Their integrated approach orchestrates identity and access management, providing granular control and robust security.
Understanding PingAccess
PingAccess serves as a centralized access security solution equipped with a comprehensive policy engine. Its core functionality is to provide secure access to applications and APIs down to the URL level, ensuring that only authorized users can access the resources they need. PingAccess can be deployed in two primary models: routing access requests through a gateway to the target site or intercepting them at the target web application server via a PingAccess agent. For an introduction to how PingAccess works, refer to the Ping Identity documentation.
In either scenario, PingAccess evaluates the policies that apply to the access request for the target application and makes a policy-based decision to grant or deny access. These policies can be highly granular, combining attribute-based access control (ABAC), role-based access control (RBAC), authentication levels, IP addresses, web session attributes, and OAuth attributes and scopes. When access is granted, PingAccess can modify client requests and server responses to supply additional identity information required by the target application.
Integration with PingFederate and Token Mediation
PingAccess works in conjunction with PingFederate (or another token provider that supports the OAuth 2.0 and OpenID Connect (OIDC) protocols) to apply identity-based access management policies backed by a federated identity store. In a typical WAM (Web Access Management) session initiation flow, when a user requests access, PingAccess first checks for an existing PingAccess token. If none is present, it redirects the user to an OpenID Provider (OP) for authentication, provided an OAuth client is already configured in PingAccess. The OP authenticates the user, evaluates domain-level policies, and issues an OIDC ID token to PingAccess, which validates it, issues its own PingAccess token, and sends that token to the browser in a cookie during the redirect back to the originally requested resource. PingAccess continuously validates authentication tokens with PingFederate, so that if a user's context changes or a single logout occurs, all application sessions are terminated immediately. The capabilities of PingAccess are further detailed on the Ping Identity platform page.
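The session initiation flow above, as an added illustration rather than PingAccess's own code: it models the three decisions the gateway makes (valid PingAccess cookie, no session, OP callback) and the checks a relying party must pass before it trusts an ID token and mints its own session token. The issuer URL, client id, secrets and the `/authorize` path are constructed placeholders, and HS256 stands in for the OP's RS256 signing so the example runs on the standard library alone.

```python
import base64, hashlib, hmac, json

# Constructed demo values. A shared HS256 secret stands in for the OP's RS256 key (a real OP
# publishes public keys via JWKS); PA_SECRET is PingAccess's own key for the PingAccess token.
OP_ISSUER = "https://op.example.com"    # assumed OP issuer URL
PA_CLIENT_ID = "pingaccess-demo"        # assumed OAuth client id configured in PingAccess
OP_SECRET, PA_SECRET = b"constructed-op-secret", b"constructed-pa-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    # Mint a compact HS256 JWT (used here for both the OP's ID token and the PingAccess token).
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"
def verify_jwt(token: str, secret: bytes) -> dict:
    # Check the algorithm and HMAC signature, then return the claims (no claim checks yet).
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or a swapped algorithm
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))

def validate_id_token(token: str, expected_nonce: str, now: float) -> dict:
    """Claim checks a relying party must pass before trusting an OIDC ID token."""
    claims = verify_jwt(token, OP_SECRET)
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if claims.get("iss") != OP_ISSUER or PA_CLIENT_ID not in aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:  # binds the token to this login attempt
        raise ValueError("nonce mismatch")
    return claims

def handle_request(cookies: dict, now: float, id_token=None, nonce=None):
    """Valid PA cookie: allow. No session: redirect to the OP. OP callback: mint a PA token."""
    try:
        if "PA" in cookies and verify_jwt(cookies["PA"], PA_SECRET).get("exp", 0) > now:
            return ("allow", None)
    except ValueError:
        pass  # tampered or malformed PA cookie: treat as no session and re-authenticate
    if id_token is None:
        return ("redirect", f"{OP_ISSUER}/authorize?client_id={PA_CLIENT_ID}")  # placeholder path
    claims = validate_id_token(id_token, nonce, now)
    pa_token = sign_jwt({"sub": claims["sub"], "exp": now + 3600}, PA_SECRET)
    return ("set-cookie", pa_token)  # set as a browser cookie on the redirect back to the resource
```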
A powerful capability is Token Mediation, which allows a PingAccess gateway to use a PingFederate token generator to exchange a PingAccess token or an OAuth bearer token for a different security token required by a foreign authentication system. This process is transparent to both the user and the protected application, meaning the application handles the access request as if it came directly from the user. After mediation, PingAccess caches the token for continued use during the session, with configurable cache settings. This orchestration of identity and access is crucial for hybrid IT and multi-cloud environments, addressing the complexity of modern enterprise architectures where applications reside across various domains and use different authentication mechanisms.
Key Capabilities and Benefits of PingAccess
PingAccess offers several key capabilities and benefits:
- Centralized Management: Manages access policies for web applications, APIs, and single-page applications across any domain from a single console.
- Foundational API Security: Controls access and limits transactions based on authorization scopes.
- Migration from Legacy WAM Systems: Offers tools and expertise for coexistence or full migration without significant downtime.
- Regulatory Compliance: Enables auditing of all access correlated by identity and context.
- Flexible Deployment Options: Includes gateway and agent models, and cloud deployment options like PingOne Advanced Services and PingOne Cloud Software, integrating easily with existing applications without requiring code or architecture changes.
This demonstrates that robust IAM solutions are not just about new deployments but also about providing a secure and efficient pathway for organizations to transition from older, fragmented access management systems to modern, centralized ones.