PingOne Advanced Identity Cloud

Plan for security in Advanced Identity Cloud

When you set up your PingOne Advanced Identity Cloud tenant environments, you must ensure that they are configured with security in mind.

The following topics lay out a comprehensive list of actions to take to help you set up Advanced Identity Cloud as securely as possible. However, security is a very broad subject, and every Advanced Identity Cloud customer has different use cases; you are expected to do your own research to complement the information found in these topics.

You should also ensure any changes you make to security settings in Advanced Identity Cloud follow your own corporate security policies, especially in relation to password complexity and active features.

Network connections

HTTPS and HTTP

Always use HTTPS for connections into Advanced Identity Cloud.

Advanced Identity Cloud does not accept connections over HTTP. However, a client making API calls to Advanced Identity Cloud over HTTP instead of over HTTPS can still send unprotected credentials in an HTTP Authorization header, inadvertently exposing sensitive information. Even though Advanced Identity Cloud rejects the request, the credentials could be leaked to eavesdroppers.

Configure the cookie domain in your Advanced Identity Cloud tenant to ensure only users and entities from trusted domains can be authenticated.

By default, Advanced Identity Cloud sets the cookie domain based on the fully qualified hostname of a tenant, such as id.mycompany.co.uk. However, you may want to change the cookie domain to mycompany.co.uk so Advanced Identity Cloud can communicate with any subdomain.

CORS

Configure cross-origin resource sharing (CORS) to securely share browser resources across domains.

In Advanced Identity Cloud, you can configure CORS to allow browsers from trusted domains to access Advanced Identity Cloud protected resources. You can create as many individual CORS configurations as your applications need. The configurations combine to form the entire set of rules for resource sharing. The CORS service also collects the values of the JavaScript Origins property in each OAuth 2.0 client and adds them to the list of accepted origins.

CSRF attacks

Advanced Identity Cloud includes a filter to harden protection against cross-site request forgery (CSRF) attacks. The filter applies to all REST endpoints under /am/json/. It requires all requests other than GET, HEAD, or OPTIONS to include at least one of the following headers:

X-Requested-With

This header is often sent by Javascript frameworks, and the UI already sends it on all requests.

Accept-API-Version

This header specifies which version of the REST API to use. Use this header in your requests to ensure future changes to the API do not affect your clients.

Failure to include at least one of the headers causes the REST request to fail with a 403 Forbidden error.

Learn more about API versioning in REST API versions.

Identify originating client IP addresses

The X-Forwarded-For HTTP header identifies the originating IP address of a client; however, there are security and privacy concerns associated with its use. Learn more in the MDN Web Docs X-Forwarded-For.

Advanced Identity Cloud includes two alternative HTTP headers:

X-Real-IP

This header contains the IP address of the client making the request.

X-Trusted-Forwarded-For

This header contains three trusted X-Forwarded-For IP addresses as an array. The first IP address in the array is always the real client IP address. The remaining two values in the array are load balancer IP addresses.

Consider using one of these headers as a trusted replacement for the X-Forwarded-For header, especially when making decisions concerning access.

If the client is behind a reverse proxy, the trusted replacement headers contain the real IP address of the reverse proxy, not the client.

Request data size limits

To protect against requests that contain large amounts of data, Advanced Identity Cloud rejects the following:

  • Requests with a body size larger than 1 MiB (1,048,576 bytes).

  • Requests that contain JWTs that expand to a size larger than 32 KiB (32,768 bytes) when decrypted.

Protect applications

Ping Identity provides policy enforcement points (PEPs) to improve application security by enforcing Advanced Identity Cloud authentication and authorization decisions in your applications:

  • Use PingGateway to protect your applications without modifying them or the infrastructure where they run—whether on-premises, in a public cloud, or in a private cloud. PingGateway acts as a reverse proxy, intercepting client requests and server responses to enforce authentication and authorization.

  • Use Ping Identity web or Java policy agents to protect your applications when you have access to the infrastructure where they run. Policy agents natively plug into web or application servers and intercept inbound requests to enforce authentication and authorization. You can manage the policy agent configurations centrally from Advanced Identity Cloud.

Learn more in these guides:

Learn more about applications built using an SDK in Security guide for SDKs.

Sessions

Set expiry time for sessions and JWT tokens

To minimize the time an attacker has to attack an active session, set expiry times for Advanced Identity Cloud sessions and JWT tokens.

Ping Identity recommends setting an expiry time of 15 minutes. However, you should decide your expiry time according to the context of your deployment, balancing security and usability so that your end users can complete operations without their sessions frequently expiring. Learn more in the OWASP Session Management Cheat Sheet.

To update the expiry time for sessions and JWT tokens in Advanced Identity Cloud, learn more in Configure session termination settings.

Authentication session allowlisting

Enable authentication session allowlisting to protect authentication sessions from replay attacks, whereby a malicious user might try to rewind an authentication flow to a previous node.

Session invalidation after password reset

Advanced Identity Cloud has no automatic mechanism to delete existing user sessions when a user changes their password. To implement automatic invalidation of existing sessions on password reset, consider one of the following approaches:

  • Use the logoutByUser action, specifying the username in the request payload.

    This action can be used for server-side and client-side sessions and is described in Invalidate all sessions for a user.

  • Use a query to locate all sessions for a user, then use the logoutByHandle action to invalidate those sessions.

    This action can be used for server-side sessions only and is described in Invalidate specific sessions.

Access

Remove non-essential access

Make sure only authorized people can access Advanced Identity Cloud, and audit system access periodically.

Deactivate non-essential features

The more features you have turned on, the greater the attack surface. If something is not being used, switch it off, or remove its configuration to deactivate it. These are some features to consider turning off:

Harden password policy

Ensure you harden your password policy for each realm. These are some common ways to harden a password policy:

  • Require a minimum of 12 characters

  • Prevent the use of repetitive characters

  • Prevent the use of commonly used passwords

  • Prevent reuse of the last three passwords

Learn more in Password policy.

Account lockout

Account lockout is a security mechanism that locks a user account after repeated failed login attempts. You can use it to supplement your password policy to slow down brute-force attacks.

Ping Identity recommends using a persistent lockout. If that’s not compatible with your company’s preferences, Ping Identity recommends using a duration lockout of at least 15 minutes.

Learn how to configure account lockout and implement account lockout in your journeys in Account lockout.

Use service accounts to generate access tokens

Ensure any automated scripts do not rely on a tenant administrator account to generate an access token. Instead, use a service account. Additionally, restrict the scopes that a service account can grant only to those needed by the automated script.

Learn more in Service accounts.

Enforce 2-step verification for tenant administrators

Make sure 2-step verification is mandatory for tenant administrators.

Keys, secrets, and encryption

Update cryptography

Different algorithms and methods are discovered and tested over time, and communities of experts decide which are the most secure for different uses. Use up-to-date cryptographic methods and algorithms to generate keys.

Small keys are easily compromised. Use at least the recommended key size.

Store sensitive data in secrets

Ensure sensitive data such as passwords and encryption keys are stored in ESV secrets, and never embedded directly in configuration or scripts.

Learn more in the Secrets section of ESVs.

Rotate keys

These are some reasons to rotate keys regularly:

  • To limit the amount of data protected by a single key.

  • To reduce dependence on specific keys, making it easier to migrate to stronger algorithms.

  • To prepare for when a key becomes compromised. The first time you try key rotation, it shouldn’t be during a real-time recovery.

  • To conform to internal business compliance requirements.

Encrypt sensitive data

Advanced Identity Cloud supports encryption of data stored in the repository. Data can be encrypted using reversible encryption or one-way encryption.

Ping Identity recommends you encrypt all sensitive data. These are examples of sensitive data:

  • Passwords

  • Authentication questions

  • Credit card numbers

  • Government benefit ID numbers

Learn more in Secure identity data.

Encrypt OIDC ID tokens

OpenID Connect 1.0 (OIDC) ID tokens can contain sensitive data and personally identifiable information (PII). Ping Identity recommends you encrypt all ID tokens.

Journeys

Add account lockout to login journeys

Login journeys are vulnerable to brute force attacks. You can mitigate this risk by adding account lockout to your login journeys.

Add email confirmation to registration journeys

Registration journeys are vulnerable to denial-of-service attacks, where attackers try to create extremely high numbers of new users with the intention of exhausting system resources and creating an outage. You can mitigate this risk by using the Email Suspend node in your registration journeys to prevent new users from being created until an email address is verified.

Learn more in Email Suspend node.

Deactivate unused or insecure journeys

Advanced Identity Cloud is preconfigured with default journeys to get you started. However, Ping Identity recommends you harden these default journeys or implement your own journeys using security best practices; for example, by adding MFA to a login journey to confirm user identity using a device.

Once you have built your journeys, ensure you deactivate any unused journeys, particularly insecure login journeys that only require a username and password.

Learn more in the Deactivate a journey section of Journeys.

Deactivate hosted pages

If you have developed your own end-user journey and account experience using ForgeRock SDKs or APIs, Ping Identity recommends that you deactivate the hosted journey pages and/or the hosted account pages to ensure there is no risk of unauthorized access by a malicious user.

Threats

Misconfiguration

Misconfiguration can arise from bad or mistaken configuration decisions and poor change management. Depending on the configuration error, features can stop working in obvious or subtle ways and potentially introduce security vulnerabilities.

To guard against bad configuration decisions, implement good change management:

  • For all enabled features, document why they are enabled and what your configuration choices mean. This implies a review of configuration settings, including default settings that you accept.

  • Validate configuration decisions with thorough testing.

  • Maintain a record of your configurations and the changes applied.

  • Use version control software for any configuration scripts and to record changes to configuration files.

Compromised passwords

Despite efforts to improve how people manage passwords, users have more passwords than ever before, and many use weak passwords. You are strongly encouraged to use a password manager to generate secure passwords.

Audit logging and monitoring

Advanced Identity Cloud provides an audit logging service that captures key auditing events critical for system security, troubleshooting, and regulatory compliance.

Audit logs gather operational information about events that occur within an Advanced Identity Cloud tenant. They track processes and security data, such as authentication mechanisms, system access, user and administrator activity, error messages, and configuration changes.

You are strongly encouraged to set up systems to monitor your audit logs and alert you to unusual patterns of behavior.

Learn more in Monitor your tenant.