PingOne

Authorize gateways

Authorize gateways combine the advantages of centralized policy administration with the benefits of on-premise decision evaluation and enforcement.

An Authorize gateway acts as a bridge between policy management components in PingOne and runtime gateway instances in your organization’s infrastructure or cloud data center. Gateway instances have a small footprint and are easy to deploy across your staging pipelines.

Authorize gateways provide the following benefits:

Cloud administration of policies

Use the latest features of our admin console for policy authoring and management in one place, without the need to manage a policy administration point in your infrastructure.

Reduced latency

Minimize latency by deploying multiple gateway instances alongside the resources you are protecting.

Authorize gateways are ideal for high-volume, low-latency workloads, such as high-throughput transactions or API traffic. You can deploy policy-enforcing applications and decision-evaluating gateway instances close together, so decision traffic stays inside your network and never needs to flow through the PingOne platform.

Data residency

If compliance and security considerations make on-premise deployment a requirement for your application, gateway instances can evaluate decisions against your on-premise datastores without that data leaving your organization’s infrastructure.

Privacy for internal services

Because evaluation runs inside your network rather than in PingOne, decision evaluations can use data from information points (HTTP and LDAP services) that aren’t exposed to the public internet.

How Authorize gateways work

With Authorize gateways, authorization decisions are processed within the boundaries of your network and under your control, while policy management and deployment services run in the PingOne cloud.

The following components are involved:

[Figure: flow diagram showing the components involved in an Authorize gateway flow.]
Management in PingOne

  Policy administration point
    PingOne Authorize serves as the centralized policy administration point where you configure and manage authorization policies, together with the attributes and services that provide context for authorization decisions.

  Authorize gateway
    The Authorize gateway is the PingOne-side component that communicates with gateway instances in your organization’s infrastructure. Use Authorize gateways to publish policy versions to gateway instances and keep them up to date.

Decision evaluations on-premise

  Gateway instances
    Authorize gateway instances evaluate the policy versions published from PingOne to make authorization decisions locally.

    Gateway instances are distributed as containerized images, and each instance maintains a WebSocket Secure (WSS) connection with the PingOne platform.

  Information points
    Information points are HTTP or LDAP services that provide context for authorization decisions.

    Information points can be publicly available services or services maintained in your infrastructure.

  Policy enforcement points
    Enforcement points are applications that consume authorization decisions. They’re maintained by your organization in your infrastructure.

A WebSocket Secure connection maintains two-way communication between Authorize gateways in PingOne and gateway instances in your infrastructure as follows:

  • PingOne sends gateway configuration changes to gateway instances.

  • Gateway instances send errors and alerts, error logs, health state, and metrics to PingOne.

    Error logs and metrics are collected for monitoring purposes only. This information isn’t exposed in the PingOne admin console, except for CPU % busy and Transaction time.

    Gateway instances initiate the WebSocket connection, so you don’t need to open inbound firewall rules in your network for this traffic; an instance only needs outbound access to PingOne.

Gateway instances also call authenticated, publicly reachable HTTPS APIs in PingOne (again as outbound connections) for the following:

  • Token exchange to obtain an access token for PingOne APIs

  • Downloading policy version deployment packages
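The traffic flows above amount to a small allowlist: an instance needs outbound TCP/443 to PingOne for the WSS channel and the HTTPS APIs, reachability to your internal information points, and inbound connections only from your enforcement points. The following Kubernetes NetworkPolicy is an added example written for this page, not configuration shipped with PingOne or the gateway image. It assumes a hypothetical layout: instance pods labelled app=authorize-gateway in a namespace named authz, enforcement points labelled role=pep and information points labelled role=pip in the same namespace, and a placeholder CIDR standing in for the PingOne addresses of your region.

```yaml
# Added example (hypothetical labels and addresses, not PingOne's own configuration).
# Confines a gateway instance pod to the flows described on this page:
#   inbound  - only from enforcement points (PEPs)
#   outbound - DNS, PingOne over TCP/443, internal information points (PIPs)
# Listing both policyTypes makes everything not matched below denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: authorize-gateway-instance
  namespace: authz            # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: authorize-gateway  # assumed label on the instance pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only enforcement points may query the instance for decisions.
    # No rule admits PingOne: the instance opens the WSS control channel
    # outbound itself, so nothing from the cloud needs to reach the pod.
    - from:
        - podSelector:
            matchLabels:
              role: pep       # assumed label on PEP pods
  egress:
    # DNS so the instance can resolve PingOne hostnames.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Outbound WSS control channel plus the authenticated HTTPS APIs
    # (token exchange, deployment package download). 203.0.113.0/24 is
    # documentation address space: replace it with the PingOne addresses
    # for your region.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 443
    # Internal HTTP/LDAP information points, reachable from the instance only.
    - to:
        - podSelector:
            matchLabels:
              role: pip       # assumed label on PIP pods
```

The check worth making after applying a policy like this is that the instance still connects and receives a published policy version, which confirms the outbound path is sufficient, and that a pod outside the role=pep selector cannot reach the instance, which confirms no inbound exposure was left open. If your information points are LDAP rather than HTTP, add explicit port entries to the last egress rule rather than leaving all ports open.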