PingFederate Server

Specifying a service URL (WS-Federation)

The service endpoint URL is where PingFederate sends request for security token (RST) and single log-out (SLO) messages.

About this task

To protect against session token hijacking, PingFederate provides an option to validate wreply for SLO. When this option is enabled, you can specify additional allowed domains and paths on this tab. PingFederate validates the locations against a consolidated list of allowed domains and paths from all active WS-Federation connections before redirecting the end users to their destinations.

The settings to enter additional allowed domains and paths appear only if the option to validate wreply for SLO is enabled. For more information, see Managing partner redirect validation.

Steps

  1. Enter the WS-Federation protocol endpoint at the identity provider (IdP) site in the Endpoint URL field.

    You can enter a relative path, starting with a forward slash, if you have provided a base URL on the General Info tab.

  2. Optional: Specify additional allowed domains and paths.

    1. Indicate whether to mandate secure connections when this resource is requested under Require HTTPS.

      This selection is recommended to ensure that the validation will always prevent message interception for this type of potential attack, under all conceivable permutations.

      This check box is selected by default.

    2. Enter the expected domain name or IP address of this resource under Valid Domain Name.

      Enter a value without the protocol, such as example.com or 10.10.10.10.

      Prefix a domain name with a wildcard followed by a period to include subdomains using one entry. For instance, *.example.com covers hr.example.com or email.example.com but not example.com, the parent domain.

      While using an initial wildcard provides the convenience of allowing multiple subdomains using one entry, consider adding individual subdomains to limit the redirection to a list of known hosts.

    3. Optional: Enter the exact path of this resource under Valid Path.

      Start with a forward slash, without any wildcard characters in the path. If left blank, any path under the specified domain or IP address is allowed. This value is case-sensitive. For instance, /inbound/Consumer.jsp allows /inbound/Consumer.jsp but rejects /inbound/consumer.jsp.

      You can allow specific query parameters with or without a fragment by appending them to the path. For instance, /inbound/Consumer.jsp?area=West&team=IT#ref1001 matches /inbound/Consumer.jsp?area=West&team=IT#ref1001 but not /inbound/Consumer.jsp?area=East&team=IT#ref1001.

    4. Optional: Select the check box under Allow Any Query/Fragment to allow any query parameters or fragment for this resource.

      Selecting this check box also means that no query parameter and fragment are allowed in the path defined under Valid Path.

      This check box is not selected by default.