---
title: PingOne SSO for SaaS Apps security best practices
description: Keep your applications and customer connections secure with the following tips and tools.
component: pingoneforenterprise
page_id: pingoneforenterprise:pingone_sso_for_saas_apps:p14saas_security_best_practices
canonical_url: https://docs.pingidentity.com/pingoneforenterprise/pingone_sso_for_saas_apps/p14saas_security_best_practices.html
revdate: December 28, 2021
section_ids:
  saml-applications: SAML applications
  non-saml-applications: Non-SAML applications
  application-integration: Application integration
---

# PingOne SSO for SaaS Apps security best practices

Keep your applications and customer connections secure with the following tips and tools.

## SAML applications

Configure the single logout (SLO) endpoints for your SAML-enabled applications so that user sessions can be closed and cleaned up in a timely manner. If your application doesn't support SLO, PingOne SSO for SaaS Apps won't notify the application when a user session ends.

For instructions on configuring SLO endpoints, see [PingOne for Enterprise and SLO](../pingone_for_enterprise/p14e_slo.html).

## Non-SAML applications

* `appurl` parameter

  Disable the `appurl` parameter or tighten its validation. The purpose of the `appurl` parameter is to provide a way to override the default application URL.

  If your application has only one entry point, leave the **Hostname or Domain** field empty, which will disable the `appurl` parameter.

  If you must use `appurl`, a hostname such as `app.example.com` can provide stricter validation than `example.com`.

* Binding type

  When you create a new application, you must choose between **Post** and **Redirect** bindings for sending tokens to the application. Post is the default and the more secure option, because a POST binding carries the token in the request body instead of exposing it as a query parameter in the URL.

* HTTPS

  Use HTTPS for the **Default Application URL** and **Error URL**. Although HTTP is permitted, HTTPS improves data security in transit.

For more information about configuring non-SAML applications, see [Add or update other applications](p14saas_add_update_other_app.html).

## Application integration

Processing the PingOne token exchange is the key step in integrating your application with PingOne SSO for SaaS Apps. Based on the user attributes returned from the token exchange, applications need to perform two important validations before accepting a token:

1. Does the `pingone.saas.id` value match the application's SaaS ID value?

   Matching the `pingone.saas.id` to the application's SaaS ID value prevents attackers from using tokens issued for other applications to access your application.

2. Is the `pingone.idp.id` value used to qualify the `pingone.subject` parameter?

   Identifying a user with a combination of the `pingone.idp.id` and `pingone.subject` parameters prevents other identity providers (IdPs) from using identifiers that resemble credentials from your intended IdP.
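The two checks above, written out as an added example that is not part of this page or of the PingOne SDKs. It assumes the attributes returned from the token exchange have already been parsed into a flat dictionary; the attribute names `pingone.saas.id`, `pingone.idp.id` and `pingone.subject` are the ones the page names, while the SaaS ID, IdP IDs and subject values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed: the SaaS ID that PingOne assigned to *this* application.
MY_SAAS_ID = "saas-example-0001"


class TokenValidationError(Exception):
    """Raised when a token must not be accepted."""


@dataclass(frozen=True)
class QualifiedUser:
    idp_id: str
    subject: str

    @property
    def key(self) -> str:
        # Lookup/provisioning key: the subject alone is not unique across IdPs,
        # so it is always qualified with the IdP that asserted it (check 2).
        return f"{self.idp_id}|{self.subject}"


def validate_token_attributes(attrs: dict, expected_saas_id: str = MY_SAAS_ID) -> QualifiedUser:
    """Apply both validations before the token is trusted (assumed helper)."""
    # Check 1: the token must have been issued for this application, so a token
    # obtained for another SaaS application cannot be replayed here.
    saas_id = attrs.get("pingone.saas.id")
    if saas_id is None:
        raise TokenValidationError("pingone.saas.id missing from token attributes")
    if saas_id != expected_saas_id:
        raise TokenValidationError(f"token issued for SaaS ID {saas_id!r}, not this application")
    # Check 2: identify the user by (pingone.idp.id, pingone.subject), never by subject alone.
    idp_id = attrs.get("pingone.idp.id")
    subject = attrs.get("pingone.subject")
    if not idp_id or not subject:
        raise TokenValidationError("pingone.idp.id and pingone.subject are both required")
    return QualifiedUser(idp_id=idp_id, subject=subject)


def accept(attrs: dict) -> Optional[str]:
    """Return the qualified user key for an acceptable token, or None to reject it."""
    try:
        return validate_token_attributes(attrs).key
    except TokenValidationError:
        return None


# Constructed sample attribute sets as an application might receive them after the exchange.
GOOD_TOKEN = {"pingone.saas.id": MY_SAAS_ID, "pingone.idp.id": "idp-acme", "pingone.subject": "jdoe"}
OTHER_APP_TOKEN = {"pingone.saas.id": "saas-other-9999", "pingone.idp.id": "idp-acme", "pingone.subject": "jdoe"}
OTHER_IDP_TOKEN = {"pingone.saas.id": MY_SAAS_ID, "pingone.idp.id": "idp-rival", "pingone.subject": "jdoe"}
```

Running `accept` over the three samples shows the intended outcomes: the good token yields `idp-acme|jdoe`, the token issued for another application is rejected, and a token from a different IdP with the same subject maps to a distinct user rather than to your IdP's `jdoe`.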

For more information, see [Process the PingOne SSO for SaaS Apps token exchange](p14saas_process_p1_token_exchange.html).
