PingAccess

Configuring web session management settings

Configure web session management settings in PingAccess.

Steps

  1. Click Access, then go to Web Sessions > Web Session Management.

  2. In the Web Session Management section, select Key Roll Enabled to enable key rolling using the interval specified below.

  3. Enter the Key Roll Interval, in hours, to specify how often you want to roll the keys (the default is 24 hours).

    Key rollover updates keys at regular intervals to ensure the security of signed and encrypted PingAccess tokens.

  4. In the Issuer field, enter the published, unique identifier to be used with the web session (the default is PingAccess).

    Example:

    Set the issuer to a value that more closely represents your company. PingAccess inserts this value as the iss claim within the PingAccess token

  5. Select the Signing Algorithm used to protect the integrity of the PingAccess token (the default is ECDSA using P-256 Curve).

    PingAccess uses the algorithm when creating signed PingAccess tokens and when verifying signed tokens in a request from a user’s browser. The algorithm is also used for signing tokens in token mediation use cases when PingAccess tokens are encrypted

  6. Select the Encryption Algorithm used to encrypt and protect the integrity of the PingAccess Token (the default is AES 128 with CBC and HMAC SHA 256).

    PingAccess uses the algorithm when creating encrypted PingAccess tokens and when verifying them from a user’s browser.

    Higher encryption levels are available if the administrative console supports it. To enable higher encryption levels, update the administrative console Java Runtime Environment (JRE) to support unlimited strength security policy.

    In a clustered environment, add the security policy changes to the engines as well as the administrative console for the cluster.

  7. Enter the browser Cookie Name that contains the PingAccess token (the default is PA).

  8. In the Session State Cookie Name field, enter a name for the browser cookie to contain session state attributes.

  9. In the Update Token Window (s) field, enter the number of seconds before the idle timeout is updated in the PingAccess token.

    When this time window expires, PingAccess will reissue a new PingAccess cookie.

  10. In the Nonce Cookie Time to Live (m) field, enter the number of minutes for which the nonce cookie is valid.

    The default value is 5. PingAccess deletes cookies that are older than this threshold.

  11. In the Nonce SameSite Cookie list, select a level of restriction for when cookies can be sent in a cross-site request:

    Choose from:

    • Lax: The cookie should be sent on initial navigation to a site. It can be sent in same-site requests but not cross-site requests.

    • Strict: The cookie can’t be sent in top-level cross-site requests.

      The SameSite=Strict attribute provides greater protection against cross-site request forgery (CSRF), but cannot fully prevent it. Use the SameSite=Strict attribute as part of a more comprehensive CSRF protection strategy. Learn more in https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis-14#section-8.8.

    • None: The cookie can be used across different sites without restriction.

      To prevent browser compatibility issues, if PingAccess detects that the user’s browser matches any of the values set in the pa.websession.cookie.sameSiteExcludedUserAgentPatterns property in the run.properties file, PingAccess doesn’t add the SameSite=None attribute to cookies.

    • Disabled: PingAccess doesn’t set the SameSite attribute. The browser determines how to handle the cookie.

      A browser issue can prevent sign on if the SameSite Cookie attribute is set. Learn more in the PingAccess 7.0 SameSite cookie upgrade issue release note entry.

    • Legacy (default): Maintain the same behavior as in PingAccess 8.1 and earlier:

      • PingAccess sets the nonce cookie without a SameSite setting if either:

        • The web session is set to the Disabled SameSite setting.

        • The user-agent matches one of the pa.websession.cookie.sameSiteExcludedUserAgentPatterns.

      • PingAccess sets the nonce cookie to SameSite=None if:

        • The web session is set to any SameSite setting other than Disabled and does not match one of the pa.websession.cookie.sameSiteExcludedUserAgentPatterns.

  12. Click Save.