PingAccess

Configuring PingAccess applications for Azure

Configure PingAccess applications so they are accessible to users through the Microsoft Azure MyApps portal.

Before you begin

About this task

For each application that you want to configure:

Steps

  1. Create a virtual host.

    You can find more information on creating a virtual host in Creating new virtual hosts.

    In a typical configuration for this solution, you will create a virtual host for every application.

    1. Click Applications and then go to Applications > Virtual Hosts.

    2. Click Add Virtual Host.

    3. In the Host field, enter the FQDN portion of the Azure AD External URL.

      Example:

      External URLs of https://app-tenant.msappproxy.net/ and https://app-tenant.msappproxy.net/AppName both have a Host entry of app-tenant.msappproxy.net.

    4. In the Port field, enter 443.

    5. Click Save.

  2. Create a web session.

    You can find more information on creating a web session in Creating web sessions.

    1. Click Access and then go to Web Sessions > Web Sessions.

    2. Click Add Web Session.

    3. In the Name field, enter a name for the web session.

    4. In the Cookie Type list, select your cookie type, either Signed JWT or Encrypted JWT.

    5. In the Audience field, enter a unique value.

    6. In the Client ID field, enter the Azure AD application ID.

    7. In the Client Credentials Type list, select Secret.

    8. In the Client Secret field, enter the client secret you generated for the application in Azure AD.

    9. (Optional) To create and use custom claims with the Azure AD GraphAPI, click Advanced and clear the Request Profile and Refresh User Attributes checkboxes.

      You can find more information on using custom claims in Optional - Use a custom claim in the Microsoft documentation.

    10. Click Save.

  3. Create an identity mapping.

    You can find more information on creating an identity mapping in Creating header identity mappings.

    An identity mapping can be used with more than one application if more than one application is expecting the same data in the header.

    1. Click Access and then go to Identity Mappings > Identity Mappings.

    2. Click Add Identity Mapping.

    3. In the Name field, enter a name.

    4. In the Type list, select Header Identity Mapping.

    5. In the Attribute to Header Mapping table, specify the required mappings.

      Example:

      Attribute Name    Header Name
      upn               x-userprinciplename
      email             x-email
      oid               x-oid
      scp               x-scope
      amr               x-amr

    6. Click Save.

  4. Create a site.

    You can find more information on creating a site in Adding sites.

    In some configurations, a site contains more than one application, so you can use the same site with more than one application where appropriate.

    1. Click Applications and then go to Sites > Sites.

    2. Click Add Site.

    3. In the Name field, enter a name for the site.

    4. In the Target field, specify the target.

      The target is the hostname:port pair for the server hosting the application. Do not enter the path for the application in this field. For example, an application at https://mysite:9999/AppName will have a target value of mysite:9999.

    5. In the Secure list, select whether the target is expecting secure connections.

    6. Click Save.

  5. Create an application in PingAccess for each application in Azure that you want to protect.

    You can find more information on creating an application in Adding an application.

    1. Click Applications and then go to Applications > Applications.

    2. Click Add Application.

    3. In the Name field, enter a name for the application.

    4. In the Description field, enter a description for the application.

    5. In the Context Root field, specify the context root for the application.

      For example, an application at https://mysite:9999/AppName will have a context root of /AppName. If the application is on the root of the server, you can set the context root as /. The context root must begin with a slash (/), must not end with a slash (/), and can be more than one layer deep, for example, /Apps/MyApp.

    6. In the Virtual Host list, select the virtual host you created.

      The combination of virtual host and context root must be unique in PingAccess.

    7. In the Application Type list, select Web.

    8. In the Web Session list, select the web session you created.

    9. In the Site list, select the site you created that contains the application.

    10. In the Web Identity Mapping list, select the mapping you created.

    11. Select the Enabled checkbox to enable the site when you save.

    12. Click Save.
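
The field values in steps 1, 4, and 5 can be derived from each application's Azure AD External URL and its backend URL before you enter them. The following Python sketch is an added example, not part of the PingAccess documentation or product. The function names and dictionary keys are hypothetical, and it assumes that the context root is the path of the backend URL and that a backend URL without a port uses the default port for its scheme.

```python
from urllib.parse import urlsplit


def validate_context_root(root):
    """Context root rules from step 5: leading slash, no trailing slash (bare / allowed)."""
    if not root.startswith("/"):
        raise ValueError(f"context root must begin with '/': {root!r}")
    if root != "/" and root.endswith("/"):
        raise ValueError(f"context root must not end with '/': {root!r}")
    return root


def derive_fields(external_url, backend_url):
    """Map one application's two URLs to the field values entered in the steps above."""
    ext, app = urlsplit(external_url), urlsplit(backend_url)
    if ext.scheme != "https" or not ext.hostname:
        raise ValueError(f"external URL must be an https URL: {external_url!r}")
    if not app.hostname:
        raise ValueError(f"backend URL has no host: {backend_url!r}")
    secure = app.scheme == "https"
    port = app.port or (443 if secure else 80)  # assumption: scheme default if omitted
    return {
        "virtual_host": ext.hostname,             # Host field: FQDN only, no path
        "virtual_host_port": 443,                 # Port field
        "site_target": f"{app.hostname}:{port}",  # Target field: host:port, no path
        "site_secure": secure,                    # Secure list
        "context_root": validate_context_root(app.path.rstrip("/") or "/"),
    }


def plan(apps):
    """Derive fields per application; reject duplicate virtual host + context root pairs."""
    seen, result = {}, {}
    for name, (external_url, backend_url) in apps.items():
        fields = derive_fields(external_url, backend_url)
        key = (fields["virtual_host"], fields["context_root"])
        if key in seen:
            raise ValueError(f"{name} and {seen[key]} share {key}")
        seen[key], result[name] = name, fields
    return result


# Constructed sample input, reusing the example URLs from the steps above.
SAMPLE_APPS = {
    "AppName": ("https://app-tenant.msappproxy.net/AppName", "https://mysite:9999/AppName"),
}

if __name__ == "__main__":
    print(plan(SAMPLE_APPS))
```

Use validate_context_root on its own to check a context root that you typed by hand rather than derived from a URL.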