
Configure session management


This document provides information regarding session management using PingAccess. Use this document to learn about the concepts involved and to configure PingAccess for server-side session management using PingFederate.

Web Sessions

Web Sessions define the policy for Web application session creation, lifetime, timeouts, and their scope. Multiple Web Sessions may be configured to scope the session to meet the needs of a target set of applications. This improves the security model of the session by preventing unrelated applications from impersonating the end user. Use the following tasks to configure secure Web Sessions for use with specific applications and to configure global Web Session settings.

Application scoped Web Sessions

PingAccess Tokens can be configured to have their Web Sessions scoped to a specific application. This improves the security model of the session by preventing unrelated applications from impersonating the end user.

Several controls exist to scope the PA Token to an application:

Audience Attribute
The audience attribute defines who the token is applicable to and is represented as a short, unique identifier. A request is rejected if it contains a PA Token whose audience differs from the audience configured in the Web Session associated with the target Resource.

Audience Suffix
The audience attribute is also used as a suffix of the cookie name to ensure uniqueness. For example, PA.businessAppAudience.

Cookie Domain
The cookie domain can also optionally be set to limit where the PA Token is sent.

Info: In addition to these controls, parameters such as session timeout can be adjusted to match the policy requirements of each application.
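
The following added example (not PingAccess code and not part of the original document) models how the audience attribute, the audience-suffixed cookie name, and a per-application timeout together keep a token issued for one application from being accepted by another. The HMAC-signed JSON token format, the claim names, the key, and the names WebSession, issue, and validate are assumptions made for illustration; the page does not describe the real PA Token format.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass

KEY = b"constructed-demo-key"  # constructed sample value, not a real secret

@dataclass(frozen=True)
class WebSession:              # hypothetical model of one Web Session policy
    audience: str              # short, unique identifier for the application
    timeout_s: int = 3600      # session timeout, adjustable per application

    @property
    def cookie_name(self) -> str:
        return f"PA.{self.audience}"   # audience doubles as cookie-name suffix

def _sign(body: bytes) -> str:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()

def issue(ws: WebSession, subject: str, now: float) -> str:
    """Create a token bound to the Web Session's audience (assumed format)."""
    claims = {"sub": subject, "aud": ws.audience, "exp": now + ws.timeout_s}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return f"{body.decode()}.{_sign(body)}"

def validate(ws: WebSession, cookies: dict, now: float) -> str:
    """Return the subject, or raise PermissionError naming the rejection."""
    token = cookies.get(ws.cookie_name)   # only this session's cookie is read
    if token is None:
        raise PermissionError("no cookie for this Web Session")
    body, _, sig = token.rpartition(".")
    if not hmac.compare_digest(sig.encode(), _sign(body.encode()).encode()):
        raise PermissionError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["aud"] != ws.audience:      # token was issued for another app
        raise PermissionError("audience mismatch")
    if now >= claims["exp"]:
        raise PermissionError("session expired")
    return claims["sub"]
```

The audience check still matters when the cookie name already differs: a validly signed token copied into another application's cookie passes the signature check and is stopped only by the audience comparison.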

Corresponding OAuth clients must be defined in PingFederate for each Web Session. Redirect URL whitelists defined in PingFederate dictate from which servers and domains the session can originate. Controlling this within PingFederate enables flexibility of the attribute contract (and its fulfillment) for that particular application. This ensures that each application and its associated policies only deal with attributes related to it.

Tags Product > PingAccess > PingAccess 5.2; Product > PingAccess