PingAuthorize

Testing policies

Test PingAuthorize policies end to end with visualization tools that show the complete decision flow.

Steps

  1. Go to Policies.

  2. Select the policy you want to test and then click the Test tab.

  3. Define the test scenario:

    1. In the Domain list, select any domains you want to include as request parameters.

    2. In the Service list, select any services you want to include as request parameters.

    3. In the Identity Provider list, select any identity providers you want to include as request parameters.

    4. In the Action list, select any actions you want to include as request parameters.

    5. In the Attributes list, select any attributes you want to include as request parameters and provide sample values.

    6. In the Overrides section, configure attribute and service values to override the default behavior of those elements.

      For example, if an attribute is defined with a request parameter resolver and no value is specified in the test request, the decision service resolves that attribute from the Overrides configuration.

      You can override any attribute’s value, regardless of its resolution or processing details.

    Example:

    Using the Users starting a new game policy from the tutorials as an example, the following testing scenario uses the HttpRequest.AccessToken attribute in a request to test whether the policy returns a deny decision when the token’s subject claim ends with @example.com.

    Screen capture of the Testing Scenario tab showing a request with the Meme Game - Games service, the inbound-POST action, and the HttpRequest.AccessToken attribute set to a value of {"active": true, "sub": "user.99@example.com"}

  4. Click Execute.

    Result:

    The Visualization tab shows test results. As expected, the request is denied.

    Screen capture of the Test Results Visualization Tab showing a deny result

  5. Examine the decision flow to make sure decisions are evaluated according to your expectations.

    You can click any box in the flow to show more details.

  6. Click the other tabs for additional details:

    • Request tab: Shows the JSON request sent to the decision engine, allowing you to confirm that the expected information was sent.

    • Response tab: Shows the complete, high-verbosity response for the decision.

      If the same comparison condition is attached to more than one rule in the policy subtree, the decision response only includes the evaluation of the first occurrence of this condition. Although the condition is only included once in the response, the decision engine evaluates this condition wherever it’s needed to make a decision.

      If the parent policy of the first instance of this condition isn’t applicable to the request, the decision response doesn’t include evaluation of any rule containing this condition. This behavior is the same regardless of the rule’s outcome (Permit, Deny, Not Applicable).

    • Output tab: Shows details about the decision, including the time it took to evaluate policies and rules.

    • Attributes tab: Shows details about the attributes used in the decision.

    • Services tab: Shows details about the services used in the decision.

  7. To repeat the test using a different scenario, on the Testing Scenario tab, change the parameters and then click Execute.
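
The procedure above exercises one matching value. As an added example (not part of the PingAuthorize documentation or product), the following script builds boundary-case values for the HttpRequest.AccessToken attribute to paste into the Attributes list, one scenario per run. The expected column comes from a local reference model that assumes a case-sensitive suffix match on the sub claim; that model and every sample token except the page's own are constructed for illustration.

```python
import json

SUFFIX = "@example.com"  # suffix named in the page's example


def deny_condition_matches(token: dict) -> bool:
    """Local reference model (an assumption, not PingAuthorize code):
    case-sensitive suffix match on a string 'sub' claim."""
    sub = token.get("sub")
    return isinstance(sub, str) and sub.endswith(SUFFIX)


# Constructed sample tokens: the page's value plus boundary cases around it.
CASES = [
    ("page example", {"active": True, "sub": "user.99@example.com"}),
    ("other domain", {"active": True, "sub": "user.99@example.org"}),
    ("suffix in the middle", {"active": True, "sub": "user.99@example.com.test"}),
    ("subdomain", {"active": True, "sub": "user.99@mail.example.com"}),
    ("upper-case domain", {"active": True, "sub": "user.99@EXAMPLE.COM"}),
    ("trailing space", {"active": True, "sub": "user.99@example.com "}),
    ("missing sub", {"active": True}),
    ("non-string sub", {"active": True, "sub": 99}),
]


def build_scenarios():
    """Return one row per case: the JSON to paste as the attribute value and
    whether the deny condition should match under the reference model."""
    rows = []
    for name, token in CASES:
        rows.append({
            "case": name,
            "attribute": "HttpRequest.AccessToken",
            "value": json.dumps(token),
            "expect_condition_match": deny_condition_matches(token),
        })
    return rows


if __name__ == "__main__":
    for row in build_scenarios():
        match = str(row["expect_condition_match"])
        print(f'{row["case"]:<22} match={match:<5} {row["value"]}')
```

Where the Visualization tab disagrees with the expected column, the policy's comparison differs from the reference model (for example, in case handling), and that difference should be a deliberate choice rather than a surprise.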