Authorize gateways
Authorize gateways combine the advantages of centralized policy administration with the benefits of on-premise decision evaluation and enforcement.
An Authorize gateway acts as a bridge between policy management components in PingOne and runtime gateway instances in your organization’s infrastructure or cloud data center. Gateway instances have a small footprint and are easy to deploy across your staging pipelines.
Authorize gateways provide the following benefits:
- Cloud administration of policies
  Use the latest features of the admin console for policy authoring and management in one place, without having to manage a policy administration point in your infrastructure.
- Reduced latency
  Minimize latency by deploying multiple gateway instances alongside the resources you are protecting.
  Authorize gateways excel in high-volume, low-latency scenarios, such as high-throughput transactions or API traffic. You can deploy policy-enforcing applications and decision evaluation gateway instances in close proximity, eliminating the need for traffic to flow through the PingOne platform.
- Data residency
  If compliance and security considerations make on-premise deployment a requirement for your application, gateway instances enable access to your on-premise datastores without exposing sensitive data outside of your organization’s infrastructure.
- Privacy for internal services
  Decision evaluations use data stored in information points (HTTP services) that aren’t exposed to the public internet.
How Authorize gateways work
Authorize gateways process authorization decisions within the boundaries of your network and under your control, while policy management and deployment services run in the cloud-based PingOne platform.
The following components are involved:

Component | Description |
---|---|
Policy administration point | PingOne Authorize serves as the centralized policy administration point where you configure and manage authorization policies and the attributes and services that provide context in authorization decisions. Learn more about PingOne Authorize in Introduction to Authorization. |
Authorize gateway | The Authorize gateway communicates between PingOne and gateway instances in your organization’s infrastructure. Use Authorize gateways to publish authorization policy versions to gateway instances and keep them up-to-date. |
Gateway instances | Authorize gateway instances evaluate authorization policy versions published from PingOne in order to make authorization decisions. Gateway instances are distributed as containerized images, and they maintain a WebSocket Secure connection with the PingOne platform. |
Information points | Information points are HTTP services that provide context for authorization decisions. Information points can be publicly available services or services maintained in your infrastructure. |
Policy enforcement points | Enforcement points are applications that consume authorization decisions. They’re maintained by your organization in your infrastructure. |
A WebSocket Secure connection maintains two-way communication between Authorize gateways in PingOne and gateway instances in your infrastructure as follows:
- PingOne sends gateway configuration changes to gateway instances.
- Gateway instances send errors and alerts, error logs, health state, and metrics to PingOne.
Error logs and metrics are collected for monitoring purposes only. This information isn’t exposed in the PingOne admin console, except for CPU % busy and Transaction time.
Gateway instances initiate the WebSocket connection, so you don’t have to open your network’s firewalls to inbound traffic for this connection.
Authorize gateways use publicly authenticated HTTPS APIs in PingOne for the following:
- Token exchange to get an access token for PingOne APIs
- Downloading authorization policy version deployments
- PingOne service calls to get user details, group memberships, and risk information
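The connection model above can be checked against network flow records for a gateway instance host. The following is an added example, not Ping Identity code: it flags inbound connections from outside your infrastructure and external egress on ports other than 443. The record format, address ranges, and ports are assumptions, as is the premise that any public information points are reached over HTTPS.

```python
import ipaddress

# Assumption: your infrastructure's address ranges (placeholder value).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: the WebSocket Secure connection and HTTPS APIs use TCP 443.
ALLOWED_EXTERNAL_PORTS = {443}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit_flow(flow, gateway_ip):
    """Return None if the flow fits the documented model, else a finding."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if dst == gateway_ip and not is_internal(src):
        # Only enforcement points in your infrastructure should connect inbound.
        return f"inbound connection from external host {src}"
    if src == gateway_ip and not is_internal(dst):
        # External egress should be instance-initiated WSS or HTTPS only.
        if dport not in ALLOWED_EXTERNAL_PORTS:
            return f"outbound connection to {dst} on unexpected port {dport}"
    return None


def audit(flows, gateway_ip):
    results = (audit_flow(f, gateway_ip) for f in flows)
    return [r for r in results if r is not None]


# Constructed sample records; addresses and ports are illustrative only.
SAMPLE_FLOWS = [
    {"src": "10.1.2.10", "dst": "203.0.113.20", "dport": 443},   # WSS/HTTPS out
    {"src": "10.1.5.7", "dst": "10.1.2.10", "dport": 8080},      # enforcement point
    {"src": "10.1.2.10", "dst": "10.1.9.4", "dport": 8443},      # internal information point
    {"src": "198.51.100.9", "dst": "10.1.2.10", "dport": 8080},  # external inbound
    {"src": "10.1.2.10", "dst": "203.0.113.50", "dport": 22},    # unexpected egress
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS, "10.1.2.10"):
        print(finding)
```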