CrossDomainSingleSignOnFilter

When PingGateway and AM are running in the same domain, the SingleSignOnFilter can be used for SSO. When PingGateway and AM are running in different domains, AM cookies aren’t visible to PingGateway because of the same-origin policy. The CrossDomainSingleSignOnFilter provides a mechanism to push tokens issued by AM to PingGateway running in a different domain.

When this filter processes a request, it injects the CDSSO token, the session user ID, and the full claims set into the CdSsoContext. If an error occurs during authentication, information is captured in the CdSsoFailureContext.

You can find an example of how to configure CDSSO and information about the CDSSO data flow in Cross-domain single sign-on (CDSSO).

WebSocket notifications for sessions

When WebSocket notifications are set up for sessions, PingGateway receives a notification from AM when a user logs out of AM, or when the AM session is modified, closed, or times out. PingGateway then evicts entries that are related to the event from the sessionCache.

For information about setting up WebSocket notifications, using them to clear the session cache, and including them in the server logs, refer to WebSocket notifications.

Usage

{
  "name": string,
  "type": "CrossDomainSingleSignOnFilter",
  "config": {
    "amService": AmService reference,
    "redirectEndpoint": configuration expression<url>,
    "authenticationService": configuration expression<string>,
    "authCookie": {
      "name": configuration expression<string>,
      "domain": configuration expression<string>,
      "httpOnly": configuration expression<boolean>,
      "path": configuration expression<string>,
      "sameSite": configuration expression<enumeration>,
      "secure": configuration expression<boolean>
    },
    "redirectionMarker": {
      "enabled": configuration expression<boolean>,
      "name": configuration expression<string>
    },
    "defaultLogoutLandingPage": configuration expression<url>,
    "logoutExpression": runtime expression<boolean>,
    "failureHandler": Handler reference,
    "verificationSecretId": configuration expression<secret-id>,
    "secretsProvider": SecretsProvider reference,
    "lifetime": configuration expression<duration>
  }
}

Properties

amService

"amService": AmService reference, required

The AmService to use.

redirectEndpoint

"redirectEndpoint": configuration expression<url>, required

The URI to which AM redirects the browser with the authentication token or an authentication error. The filter checks that the authentication was initiated by PingGateway.

Configure this URI to be the same as that in AM.

To make sure the redirect is routed back to the CrossDomainSingleSignOnFilter, include the endpoint in the route condition in one of the following ways:

As a sub-path of the condition path.

For example, use the following route condition with the following endpoint:
```
"condition": "${find(request.uri.path, '^/home/cdsso')}"
```
```
"redirectEndpoint": "/home/cdsso/callback"
```
To match the route condition.

For example, use the following route condition with the following endpoint:
```
"condition": "${find(request.uri.path, '^/home/cdsso')}"
```
```
"redirectEndpoint": "/home/cdsso"
```

With this route condition, all POST requests on the condition path are treated as AM CDSSO callbacks. Any POST requests that aren’t the result of an AM CDSSO callback fail.

As a specific path that isn’t related to the condition path.

To make sure the redirect is routed back to this filter, include the redirect endpoint as a path in the filter condition.

For example, use the following route condition with the following endpoint:
```
"condition": "${find(request.uri.path, '^/home/cdsso/redirect') || find(request.uri.path, '^/ig/cdssoRedirectUri')}"
```
```
"redirectEndpoint": "/ig/cdssoRedirectUri"
```

authenticationService

"authenticationService": configuration expression<string>,optional

The name of an AM authentication tree/journey to use for authentication. Learn more about trees in the AM documentation on authentication nodes and trees.

Default: AM’s default authentication tree.

authCookie

"authCookie": object, optional

The configuration of the cookie used to store the authentication.

"name": configuration expression<string>, optional: Name of the cookie containing the authentication token from AM.

For security, change the default name of cookies.

Default: ig-token-cookie

"domain": configuration expression<string>, optional: Domain to which the cookie applies.

Set a domain only if the user agent is able to reemit cookies on that domain on its next hop. For example, to reemit a cookie on the domain example.com, the user agent must be able to access that domain on its next hop.

Default: The fully qualified hostname of the user agent’s next hop.

"httpOnly": configuration expression<boolean>, optional: Flag to mitigate the risk of client-side scripts accessing protected cookies.

Default: true

"path": configuration expression<string>, optional: Path protected by this authentication.

Set a path only if the user agent is able to reemit cookies on the path. For example, to reemit a cookie on the path /home/cdsso, the user agent must be able to access that path on its next hop.

Default: The path of the request that got the Set-Cookie in its response.

"sameSite": configuration expression<enumeration>, optional

Options to manage the circumstances in which a cookie is sent to the server. Use one of the following values to reduce the risk of CSRF attacks:

STRICT: Send the cookie only if the request was initiated from the cookie domain. Not case-sensitive.

Use this value to reduce the risk of cross-site request forgery (CSRF) attacks.
LAX: Send the cookie only with GET requests in a first-party context, where the URL in the address bar matches the cookie domain. Not case-sensitive.

Use this value to reduce the risk of cross-site request forgery (CSRF) attacks.
NONE: Send the cookie whenever a request is made to the cookie domain. Not case-sensitive.

With this setting, set "secure": true to prevent browsers from rejecting the cookie. Learn more in SameSite cookies.

For CDSSO, set "sameSite": "none" and "secure": "true".

For security reasons, many browsers require a secure browser connection (HTTPS) for "sameSite":"none". If the connection used by the browser isn’t secure (HTTP), the browser won’t supply cookies with "sameSite": "none".

Learn more in Cross-domain single sign-on (CDSSO).

Default: LAX

"secure": configuration expression<boolean>, optional: Flag to limit the scope of the cookie to secure channels.

Set this flag only if the user agent is able to reemit cookies over HTTPS on its next hop. For example, to reemit a cookie with the secure flag, the user agent must be connected to its next hop by HTTPS.

Default: false

redirectionMarker

"redirectionMarker": configuration expression<object>, optional

A redirect marker for the CDSSO flow. If the marker is present in the CDSSO flow, the request isn’t redirected for authentication.

This feature is on by default to prevent redirect loops when the session cookie isn’t present in the CDSSO flow. The cookie can be absent from the flow if it doesn’t include PingGateway’s domain.

"enabled": configuration expression<boolean>, optional

true: When the session is empty or invalid, PingGateway checks the request goto query parameter for the presence of the redirection marker:
- If the redirection marker is present, PingGateway fails the request.
- If the redirection marker isn’t present, PingGateway redirects the user-agent for login.
false: PingGateway never checks the request goto query parameter for the presence of a redirection marker.

Default: true

"name": configuration expression<string>, optional: The name of the redirection marker query parameter to use when enabled is true.

Default: _ig

defaultLogoutLandingPage

"defaultLogoutLandingPage": configuration expression<url>, optional

The URL to which a request is redirected if logoutExpression is evaluated as true.

If this property isn’t an absolute URL, the request is redirected to the PingGateway domain name.

This parameter is effective only when logoutExpression is specified.

Default: None, processing continues.

logoutExpression

A flag to indicate whether a request initiates logout processing before reaching the protected application.

false: The request doesn’t initiate logout processing:
- If a valid AM session is found, the request is forwarded to the protected application.
- If a valid AM session isn’t found, the request triggers login.
true: The request initiates logout processing:
- If a valid AM session is found, the session is revoked, and the request is forwarded as follows:
  - If defaultLogoutLandingPage is defined, the request is forwarded to the specified logout page.
  - If defaultLogoutLandingPage isn’t defined, the request is forwarded to the protected application without any other validation.
- If a valid session isn’t found, the request is forwarded to the protected application without any other validation.

To prevent unwanted access to the protected application, use logoutExpression with extreme caution as follows:

Define a defaultLogoutLandingPage.
If you don’t define a defaultLogoutLandingPage, specify logoutExpression to resolve to true only for requests that target dedicated logout pages of the protected application.

Consider the following examples when a defaultLogoutLandingPage isn’t configured:

This expression resolves to true only for requests with /app/logout in their path:
```
"logoutExpression": ${startsWith(request.uri.rawPath, '/app/logout')}
```
When a request matches the expression, the AM session is revoked, and the request is forwarded to the /app/logout page.
This expression resolves to true for all requests that contain logOff=true in their query parameters:
```
"logoutExpression": ${find(request.uri.query, 'logOff=true')}
```
When a request matches the expression, the AM session is revoked, and the request is forwarded to the protected application without any other validation. In this example, an attacker can bypass PingGateway’s security mechanisms by adding ?logOff=true to a request.

Default: ${false}

failureHandler

"failureHandler": Handler reference, optional

Handler to treat the request if an error occurs during authentication.

If an error occurs during authentication, PingGateway populates a CdSsoFailureContext with details of the error and any associated Throwable. This is available to the failure handler so it can respond appropriately.

Be aware the failure handler doesn’t play a direct role in user authentication. It is only invoked if there is a problem that prevents user authentication from taking place.

A number of circumstances may cause the failure handler to be invoked, including:

The redirect endpoint is invalid.
The redirect endpoint is invoked without a valid CDSSO token.
The redirect endpoint is invoked inappropriately.
An error was reported by AM during authentication.

If no failure handler is configured, the default failure handler is used.

Default: HTTP 200 OK. The response entity contains details of the error.

verificationSecretId

"verificationSecretId": configuration expression<secret-id>, required if PingGateway can’t discover and use a JWK set specified by `amservice`

The secret ID for the secret to verify the signature of AM session tokens. This secret ID must point to a CryptoKey.

PingGateway verifies the token as follows:

If verificationSecretId is NOT set, PingGateway validates the JWT against the JWKs provided by the AM service. There is no fallback.
If verificationSecretId is set with a secretsProvider, PingGateway validates the JWT signature with a named or valid secrets strategy:
- First, PingGateway uses a secret obtained with the secret ID:
  - For JWK sets, the secret ID should map to a kid of one of the JWKs.
  - For keystores, the secret ID should map to an alias of one of the keys associated with the secret ID.
- If PingGateway finds no named secrets, it tries with all valid secrets mapped to the secret ID.

Learn more in Validate the signature of signed tokens and Secrets.

secretsProvider

"secretsProvider": SecretsProvider reference, required when verificationSecretId is set

The SecretsProvider to query for passwords and cryptographic keys.

lifetime

"lifetime": configuration expression<duration>, optional

When more than one authentication happens during the lifetime of the session, this sets the duration after which PingGateway removes the initial CDSSO authentication session state.

Default: 5 minutes

Example

You can find an example that uses the CrossDomainSingleSignOnFilter in Cross-domain single sign-on (CDSSO).

More information

org.forgerock.openig.openam.CrossDomainSingleSignOnFilter

CdSsoContext

CdSsoFailureContext

SsoTokenContext

PingGateway 2024.11