Integrating PingOne Authorize with Amazon Web Services

Ping Identity’s integration kit for Amazon Web Services (AWS) extends AWS’s authorization capabilities through an external policy evaluation service.

Integration with AWS allows centralized management of API access control and application protection in PingOne Authorize while delegating enforcement to AWS. Learn more about how this integration kit interacts with PingOne Authorize in How API Access Management works.

Install and configure the integration kit in AWS to enable management of access control rules in PingOne Authorize. The integration kit works with Amazon API Gateway or Amazon CloudFront.

To configure the integration kit, choose one of the following:

  • Configure the integration kit as a Lambda authorizer that works with Amazon API Gateway.

  • Configure the integration kit as a Lambda@Edge function that works with Amazon CloudFront.

    Version 1.4.0 of the integration kit supports integration with Amazon CloudFront.

Policy limitations

The integration kit supports all of the basic rules for controlling access to your protected API resources.

Although you can use the authentication policy and time since last authentication basic rules to control access to sensitive resources, AWS doesn’t return the full step-up challenge response. When these rules produce deny decisions, AWS returns only a simple deny response with an HTTP status code, without the challenge details.

The following limitations apply to using custom policies for API services and operations with this integration kit:

  • PingOne Authorize only evaluates policies that target the inbound request.

  • The built-in PingOne.API Access Management.HTTP.Request.Body attribute is not available for authorizing inbound requests.

  • When PingOne Authorize permits an inbound request, no request transformations are applied before AWS forwards the request to the backend API.

  • Headers set in policy aren’t included in the AWS response to the client.

  • In policies that use the auth-challenge statement, only the httpStatus payload property affects the response.

    When deploying the integration kit with Amazon API Gateway, setting this property to 401 results in an UNAUTHORIZED response that defaults to a 401 status code. Any other value results in an ACCESS_DENIED response that defaults to a 403 status code. To learn how to modify the default status code, refer to Gateway responses in the Amazon API Gateway documentation.

  • When deploying the integration kit with CloudFront, responses for deny decisions don’t include response bodies.
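The following Python is an added illustration, not the integration kit's own code, of how a Lambda authorizer could translate a PingOne Authorize decision into the Amazon API Gateway outcomes described above (401 from an auth-challenge statement becomes UNAUTHORIZED, every other deny becomes ACCESS_DENIED, and headers from the policy are dropped). The decision structure, field names and method ARN are constructed assumptions for this example, not PingOne Authorize's documented response format.

```python
# Constructed sample decisions; the field names are assumptions for this
# example, not PingOne Authorize's documented response format.
ARN = "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/GET/orders"
PERMIT = {"decision": "PERMIT", "statements": []}
STEP_UP_401 = {"decision": "DENY", "statements": [
    {"code": "auth-challenge",
     "payload": {"httpStatus": 401, "headers": {"WWW-Authenticate": "Bearer"}}}]}
CHALLENGE_403 = {"decision": "DENY", "statements": [
    {"code": "auth-challenge", "payload": {"httpStatus": 403}}]}
PLAIN_DENY = {"decision": "DENY", "statements": []}


def _policy(effect, method_arn):
    """IAM policy document in the shape an API Gateway Lambda authorizer returns."""
    return {"principalId": "pingone-authorize",
            "policyDocument": {"Version": "2012-10-17", "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect,
                 "Resource": method_arn}]}}


def map_decision(decision, method_arn):
    """Return (gateway response name, authorizer policy or None).

    Only httpStatus from an auth-challenge payload is consulted; payload headers
    are dropped, since headers set in policy never reach the client via AWS.
    """
    if decision.get("decision") == "PERMIT":
        return "ALLOW", _policy("Allow", method_arn)
    for stmt in decision.get("statements", []):
        if (stmt.get("code") == "auth-challenge"
                and stmt.get("payload", {}).get("httpStatus") == 401):
            return "UNAUTHORIZED", None      # gateway default status: 401
    # Any other deny, including other httpStatus values, becomes a Deny policy.
    return "ACCESS_DENIED", _policy("Deny", method_arn)   # default status: 403


def lambda_result(decision, method_arn):
    """What the authorizer hands back to API Gateway for one decision."""
    outcome, policy = map_decision(decision, method_arn)
    if outcome == "UNAUTHORIZED":
        # An authorizer error whose message is exactly "Unauthorized" makes
        # API Gateway emit its UNAUTHORIZED gateway response.
        raise Exception("Unauthorized")
    return policy
```

The default 401 and 403 status codes shown here are the ones API Gateway assigns to its UNAUTHORIZED and ACCESS_DENIED gateway responses unless you customise them as described in the Amazon API Gateway documentation.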