
Integrating PingOne Authorize with Amazon API Gateway

Ping Identity’s integration kit for Amazon API Gateway extends Amazon Web Services' (AWS) authorization capabilities through an external policy evaluation service.

Integration with Amazon API Gateway allows centralized management of API access control and application protection in PingOne Authorize while delegating enforcement to Amazon API Gateway. Learn more about how this integration kit interacts with PingOne Authorize in How API Access Management works.

Install and configure the integration kit in AWS to enable management of access control rules in PingOne Authorize.

To configure the integration kit:

To troubleshoot the integration kit:

Policy limitations

The integration kit supports all of the basic rules for controlling access to your protected API resources.

Although you can use the authentication policy and time since last authentication basic rules to control access to sensitive resources, Amazon API Gateway does not return the full step-up challenge response to the client. When these rules produce a deny decision, Amazon API Gateway returns only its generic UNAUTHORIZED gateway response, which defaults to a 401 status code; the details of the challenge (for example, which authentication the client must complete) are not passed through, so a client cannot drive a step-up flow from that response alone.

The following limitations apply to using custom policies for API services and operations with this integration kit:

  • Because the Lambda authorizer only executes on inbound requests, PingOne Authorize only evaluates policies that target the inbound request. Policies that target the outbound response from the backend API are never evaluated.

  • Because the integration kit doesn’t expose the request body to PingOne Authorize, the built-in PingOne.API Access Management.HTTP.Request.Body attribute is not available for authorizing inbound requests. (A REQUEST-type Lambda authorizer receives the headers, query string, path and stage context of the call, but Amazon API Gateway does not include the request body in the authorizer event.)

  • When the integration kit permits an inbound request, no request transformations are applied before Amazon API Gateway forwards the request to the backend API. This means that statements such as set-headers, set-query, and set-attributes have no effect.

  • Headers set in policy aren’t included in Amazon API Gateway’s response to the API client.

    In policies that use the auth-challenge statement, only the httpStatus payload property affects the response. Setting this property to 401 results in an UNAUTHORIZED response that defaults to a 401 status code. Any other value results in an ACCESS_DENIED response that defaults to a 403 status code. To learn how to modify the default status code, refer to Gateway responses in the Amazon API Gateway documentation.
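The following Lambda authorizer is an added illustration of the limitations above; it is not Ping Identity's integration kit and does not call PingOne Authorize. It shows the shape of a REQUEST-type authorizer event (no body field), a stand-in policy decision point whose decision format (a `result` plus a list of `statements` carrying an `auth-challenge` payload) is a constructed simplification, and the mapping that produces the two gateway responses the page describes: raising an error whose message is exactly `Unauthorized` makes Amazon API Gateway send its UNAUTHORIZED response (401 by default), while returning a Deny policy produces ACCESS_DENIED (403 by default). Headers that a policy might set have nowhere to go, because the authorizer can only return an IAM policy document.

```python
"""Illustrative Lambda authorizer mapping a policy decision to API Gateway
outcomes. Hypothetical code; not Ping Identity's integration kit."""

# Constructed REQUEST-type Lambda authorizer event. The field names follow the
# AWS REQUEST authorizer input; the values are made up. There is no "body" key.
SAMPLE_EVENT = {
    "type": "REQUEST",
    "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/POST/payments",
    "headers": {"Authorization": "Bearer example-token", "X-Auth-Age-Seconds": "60"},
    "queryStringParameters": {"amount": "10"},
    "requestContext": {"httpMethod": "POST", "path": "/prod/payments"},
}


def request_attributes(event):
    """Collect what an authorizer can forward to a decision point.

    The body is never present in the authorizer event, so any rule that
    needs Request.Body cannot be evaluated at this hook.
    """
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    return {
        "method": event["requestContext"]["httpMethod"],
        "path": event["requestContext"]["path"],
        "headers": headers,
        "query": event.get("queryStringParameters") or {},
        "body": event.get("body"),  # always None for a REQUEST authorizer
    }


def evaluate_policy(attrs):
    """Stand-in for the call to the policy decision point (constructed rules).

    - no bearer token            -> auth-challenge with httpStatus 401
    - last authentication > 300s -> auth-challenge with httpStatus 401 (step-up)
    - /admin paths               -> plain deny
    - anything else              -> permit
    """
    auth = attrs["headers"].get("authorization", "")
    age = int(attrs["headers"].get("x-auth-age-seconds", "0"))
    challenge = {"type": "auth-challenge", "payload": {"httpStatus": 401}}
    if not auth.startswith("Bearer ") or age > 300:
        return {"result": "DENY", "statements": [challenge]}
    if "/admin" in attrs["path"]:
        return {"result": "DENY", "statements": []}
    return {"result": "PERMIT", "statements": []}


def iam_policy(effect, method_arn, principal="api-client"):
    """Build the only thing an authorizer can return: an execute-api policy."""
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect, "Resource": method_arn}],
        },
    }


def map_decision(decision, method_arn):
    """Return (gateway_response_type, default_status, lambda_return_value).

    set-headers / set-query statements in a PERMIT are ignored here: the
    authorizer cannot rewrite the request that API Gateway forwards.
    """
    if decision["result"] == "PERMIT":
        return ("ALLOW", None, iam_policy("Allow", method_arn))
    for stmt in decision.get("statements", []):
        if stmt.get("type") == "auth-challenge":
            if stmt.get("payload", {}).get("httpStatus") == 401:
                return ("UNAUTHORIZED", 401, None)
            break  # any other httpStatus degrades to ACCESS_DENIED
    return ("ACCESS_DENIED", 403, iam_policy("Deny", method_arn))


def lambda_handler(event, context=None):
    decision = evaluate_policy(request_attributes(event))
    kind, _, value = map_decision(decision, event["methodArn"])
    if kind == "UNAUTHORIZED":
        # The literal message "Unauthorized" is what API Gateway keys on to
        # emit its UNAUTHORIZED gateway response (401 unless customised).
        raise Exception("Unauthorized")
    return value  # Allow policy, or Deny policy -> ACCESS_DENIED (403 default)
```

To change the 401 or 403 the client sees, customise the UNAUTHORIZED and ACCESS_DENIED gateway responses in Amazon API Gateway rather than the authorizer, since the authorizer has no way to set a status code or response headers directly.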