PingOne SSO for SaaS Apps security best practices
Keep your applications and customer connections secure with the following tips and tools.
SAML applications
Configure the single logout (SLO) endpoints for your SAML-enabled applications so that user sessions can be closed and cleaned up in a timely manner. If your application doesn’t support SLO, PingOne SSO for SaaS Apps won’t notify the application when a user session ends.
For instructions on configuring SLO endpoints, see PingOne for Enterprise and SLO.
Non-SAML applications
- appurl parameter
-
Disable the appurl parameter or tighten its validation. The purpose of the appurl parameter is to provide a way to override the default application URL.
If your application has only one entry point, leave the Hostname or Domain field empty, which will disable the appurl parameter.
If you must use appurl, a hostname such as app.example.com can provide stricter validation than example.com.
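The following is an added illustration, not PingOne's code, of why a full hostname is a stricter appurl rule than a bare domain: it parses an override URL and applies an exact-hostname rule and a domain rule side by side. The function names and sample URLs are constructed for the example; the hostname and domain values mirror the ones used above.

```python
# Added example (not PingOne's code): exact-hostname validation versus
# domain validation of an override URL, as described for the appurl parameter.
# Function names and sample URLs are constructed for illustration.
from typing import Optional
from urllib.parse import urlsplit


def host_of(url: str) -> Optional[str]:
    """Return the lower-cased hostname of an https URL, or None if unusable.

    urlsplit().hostname already strips any userinfo and port, so comparisons
    below are made on the bare host only.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower()


def allowed_by_hostname(url: str, hostname: str) -> bool:
    """Strict rule: only the one configured host is accepted."""
    return host_of(url) == hostname.lower()


def allowed_by_domain(url: str, domain: str) -> bool:
    """Looser rule: the configured domain and every subdomain of it are accepted.

    The suffix check is done on a label boundary ("." + domain) so that an
    unrelated name that merely ends in the same characters does not pass.
    """
    host = host_of(url)
    if host is None:
        return False
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    # Constructed sample override URLs.
    for url in ("https://app.example.com/login",
                "https://other.example.com/login",
                "https://notexample.com/login",
                "http://app.example.com/login"):
        print(url,
              "hostname-rule:", allowed_by_hostname(url, "app.example.com"),
              "domain-rule:", allowed_by_domain(url, "example.com"))
```

With the hostname rule only app.example.com passes; with the domain rule any host under example.com passes, which is the extra surface the page is warning about. Both rules refuse plain http, matching the HTTPS advice below.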
- Binding type
-
When you create a new application, you must choose between Post or Redirect bindings for sending tokens to the application. Post is the default and more secure option because it doesn’t expose the token as a query parameter in the URL.
- HTTPS
-
Use HTTPS for the Default Application URL and Error URL. Although HTTP is permitted, HTTPS improves data security in transit.
For more information about configuring non-SAML applications, see Add or update other applications.
Application integration
Processing the PingOne token exchange is the key step in integrating your application with PingOne SSO for SaaS Apps. Based on the user attributes returned from the token exchange, applications need to perform two important validations before accepting a token:
-
Does the pingone.saas.id value match the application’s SaaS ID value?
Matching the pingone.saas.id to the application’s SaaS ID value prevents attackers from using tokens issued for other applications to access your application.
-
Is the pingone.idp.id value used to qualify the pingone.subject parameter?
Identifying a user with a combination of the pingone.idp.id and pingone.subject parameters prevents other identity providers (IdPs) from using identifiers that resemble credentials from your intended IdP.
For more information, see Process the PingOne SSO for SaaS Apps token exchange.
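As an added example (not PingOne's code), the two validations above applied to the attributes returned by a token exchange. It assumes the exchange result is already available as a dict keyed by the attribute names listed on this page (pingone.saas.id, pingone.idp.id, pingone.subject); the SaaS ID values, IdP IDs and the user store are constructed placeholders.

```python
# Added example (not PingOne's code): validate token-exchange attributes before
# accepting a login. Assumes the exchange result is a dict keyed by the attribute
# names the page lists; all ID values below are constructed placeholders.
from dataclasses import dataclass
from typing import Optional


class TokenRejected(Exception):
    """Raised when a token must not be accepted by this application."""


@dataclass(frozen=True)
class UserKey:
    """A user is identified by the (IdP, subject) pair, never by subject alone."""
    idp_id: str
    subject: str


def validate_token_attributes(attrs: dict, expected_saas_id: str) -> UserKey:
    """Apply both checks and return the IdP-qualified user key."""
    # Check 1: the token was issued for this application, not another SaaS app.
    if attrs.get("pingone.saas.id") != expected_saas_id:
        raise TokenRejected("pingone.saas.id does not match this application's SaaS ID")

    # Check 2: the subject is only meaningful together with the issuing IdP.
    idp_id = attrs.get("pingone.idp.id")
    subject = attrs.get("pingone.subject")
    if not idp_id or not subject:
        raise TokenRejected("pingone.idp.id and pingone.subject are both required")
    return UserKey(idp_id=idp_id, subject=subject)


# Constructed sample user store, keyed by (IdP, subject).
USER_STORE = {
    UserKey("idp-acme", "alice"): "alice@acme.example",
}


def resolve_account(attrs: dict, expected_saas_id: str) -> Optional[str]:
    """Return the local account for a valid token, or None for an unknown user.

    A None result means 'no account', not 'create or link one by subject':
    a subject string seen from a different IdP is a different user.
    """
    return USER_STORE.get(validate_token_attributes(attrs, expected_saas_id))


# Constructed sample token-exchange results (placeholder IDs, not real PingOne values).
THIS_APP = "saas-this-app"
GOOD_TOKEN = {"pingone.saas.id": THIS_APP, "pingone.idp.id": "idp-acme",
              "pingone.subject": "alice"}
OTHER_APP_TOKEN = {"pingone.saas.id": "saas-other-app", "pingone.idp.id": "idp-acme",
                   "pingone.subject": "alice"}
# Same subject string "alice", but issued by a different IdP.
OTHER_IDP_TOKEN = {"pingone.saas.id": THIS_APP, "pingone.idp.id": "idp-other",
                   "pingone.subject": "alice"}

if __name__ == "__main__":
    print("good token ->", resolve_account(GOOD_TOKEN, THIS_APP))
    print("other IdP, same subject ->", resolve_account(OTHER_IDP_TOKEN, THIS_APP))
    try:
        resolve_account(OTHER_APP_TOKEN, THIS_APP)
    except TokenRejected as exc:
        print("other app token ->", exc)
```

The first check fails closed with an exception because a token for another application should never reach account lookup. The second is enforced by the shape of the lookup key: because accounts are stored under (IdP, subject), a matching subject from a different IdP simply resolves to no account.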