Configuring IdP discovery using a persistent cookie
PingFederate’s proprietary identity provider (IdP)-discovery method makes use of an IdP persistent reference cookie (IPRC) to track the identity provider with whom a user last authenticated.
About this task
There are three significant differences between standard IdP discovery and the IPRC method:
-
Standard IdP discovery can be used only with SAML 2.0, but the IPRC can be used with any federation protocol.
-
The common domain cookie (CDC) can be configured as a temporary, session-based cookie. The IPRC always persists for a configurable period of time.
-
The CDC is set by the IdP and is readable by both federation partners. The IPRC is set by the service provider (SP), using information in the SAML assertion, and cannot be accessed by the IdP.
The deployed connection configuration between SP and IdP partners must include SP-initiated single sign-on (SSO).
Steps
-
Edit the
org.sourceid.websso.profiles.sp.IdpIdCookieSupport.xml
file located in the<pf_install>/pingfederate/server/default/data/config-store
directory. -
Set the value of
EnableIdpIdCookie
totrue
. -
Optional: Modify the remaining elements in the configuration, as described in the following table.
Field Description IdpIdCookieName
The name of the IPRC set by the SP installation. The default is
IdPId
. The cookie name cannot contain any of the following characters:&
,>
,<
,;
, a comma, or a space.IdpIdCookieLifeTimeInDays
The lifetime for the cookie. The default is
365
days and a maximum of24855
days. The browser will delete the cookie when the period is expired.ShowIdpSelectionList
If set to
true
, the default, the SP displays a list of IdPs that can be used to initiate the SSO event if the cookie is not set. If set tofalse
, the SP installation generates an error page. -
Start or restart PingFederate.
After an IPRC cookie is set, the only way to change the IdP to whom the SP will send Authentication Requests for the user is to do one of the following: wait for the cookie to expire, delete the cookie, or perform IdP-initiated SSO using the new IdP.