PingAuthorize

Configuring external PDP mode

You can use the administrative console or dsconfig to configure external PDP mode. To prepare the Policy Editor for making authorization decisions, you must create a Policy External Server to represent the Policy Editor, assign the Policy External Server to the Policy Decision Service, and set the PDP mode to external.

To send a request in external PDP mode, the major versions of the PingAuthorize Server and the Policy Editor must match, and the Policy Editor’s minor version must be greater than or equal to that of the PingAuthorize Server. For example:

  • If the PingAuthorize Server version is 10.1 and the Policy Editor version is 10.2, the request succeeds.

  • If the PingAuthorize Server version is 10.2 and the Policy Editor version is 10.1, the request fails.

Before you begin

You need the following values to configure the PingAuthorize Server to use external PDP mode:

  • The shared secret, which is specified or generated automatically when you install the Policy Editor.

    To obtain the shared secret after installation, copy the core.Authentication.SharedSecret value from the PingAuthorize-PAP/config/configuration.yml file.

  • The branch name, which corresponds to the policy branch you want to evaluate requests against in the Policy Editor.

  • The decision node, which is the ID of the policy tree node that’s evaluated first during policy processing. To get the decision node ID:

    1. In the Policy Editor, go to Policies.

    2. In the policy tree, select the node that you want to use as the root node.

      This is typically the top-level node of your policy tree.

    3. Click the hamburger menu and select Copy ID to clipboard.

      Screen capture of the Policies tab showing the Copy ID to clipboard option

  • Admin console

  • dsconfig

Configuring external PDP mode using the administrative console

Steps

  1. In the PingAuthorize administrative console, go to Configuration > Data Sources > External Servers.

  2. Click New External Server and, in the list, select Policy External Server.

  3. In the New Policy External Server window, specify the following information:

    • Name

    • Base URL

    • Shared Secret

    • Decision Node

    • Branch

    Screen capture of the New Policy External Server window with the Name, Base URL, Shared Secret, Decision Node, and Branch fields highlighted. The Save button is in the upper right of the screen.

  4. Click Save.

  5. Go to Authorization and Policies > Policy Decision Service.

  6. In the PDP Mode list, select external.

  7. In the Policy Server list, select the name you gave to the policy external server in step 3.

    Screen capture of the Edit Policy Decision Service window with the PDP Mode and Policy Server lists configured as specified

  8. Click Save To PingAuthorize Server Cluster.

Configuring external PDP mode using dsconfig

Steps

  • Use the dsconfig commands in the following code block to configure external PDP mode:

    dsconfig create-external-server \
  --server-name "{PAP_Name}" \
  --type policy \
  --set "base-url:https://<pap-hostname>:<pap-port>" \
  --set "shared-secret:pingauthorize" \
  --set "branch:Default Policies" \
  --set "decision-node:<your decision node ID value>"

dsconfig set-policy-decision-service-prop \
  --set pdp-mode:external \
  --set "policy-server:{PAP_Name}"