1. Click Access and then go to Web Sessions > Web Session Management.
  2. In the Web Session Management section, select Key Roll Enabled to enable key rolling using the interval specified below.
  3. Enter the Key Roll Interval, in hours, to specify how often you want to roll the keys (the default is 24 hours).

    Key rollover updates keys at regular intervals to ensure the security of signed and encrypted PingAccess tokens.

  4. In the Issuer field, enter the published, unique identifier to be used with the web session (the default is PingAccess).
    Set the issuer to a value that more closely represents your company. PingAccess inserts this value as the iss claim within the PingAccess token.
  5. Select the Signing Algorithm used to protect the integrity of the PingAccess token (the default is ECDSA using P-256 Curve).

    PingAccess uses the algorithm when creating signed PingAccess tokens and when verifying signed tokens in a request from a user’s browser. The algorithm is also used for signing tokens in token mediation use cases when PingAccess tokens are encrypted.

  6. Select the Encryption Algorithm used to encrypt and protect the integrity of the PingAccess token (the default is AES 128 with CBC and HMAC SHA 256).

    PingAccess uses the algorithm when creating encrypted PingAccess tokens and when verifying them from a user’s browser.

    Higher encryption levels are available if the administrative console supports them. To enable higher encryption levels, update the administrative console Java Runtime Environment (JRE) to support unlimited strength security policy.

    In a clustered environment, add the security policy changes to the engines as well as the administrative console for the cluster.

  7. Enter the browser Cookie Name that contains the PingAccess token (the default is PA).
  8. In the Session State Cookie Name field, enter a name for the browser cookie to contain session state attributes.
  9. In the Update Token Window (s) field, enter the number of seconds before the idle timeout is updated in the PingAccess token.

    When this time window expires, PingAccess will reissue a new PingAccess cookie.

  10. In the Nonce Cookie Time to Live (m) field, enter the number of minutes for which the nonce cookie is valid.

    The default value is 5. PingAccess deletes cookies that are older than this threshold.

  11. Click Save.
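
After saving, the Issuer, Signing Algorithm and Encryption Algorithm from steps 4 to 6 can be compared with a token the deployment actually issues. The following is an added example, not Ping Identity code: it assumes the cookie value is a compact JWT and that the default algorithms appear under the JOSE names ES256 and A128CBC-HS256; the function names and sample tokens are constructed.

```python
import base64
import json

# Assumed JOSE names (RFC 7518) for the page's defaults in steps 4, 5 and 6.
EXPECTED = {"iss": "PingAccess", "alg": "ES256", "enc": "A128CBC-HS256"}

def b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment (for building samples)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def decode_segment(segment):
    """Decode one base64url segment into a dict; raises ValueError if malformed."""
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    obj = json.loads(raw)
    if not isinstance(obj, dict):
        raise ValueError("segment is not a JSON object")
    return obj

def audit_token(cookie_value, expected=EXPECTED):
    """Compare one cookie value with the configured settings; [] means no mismatch.
    Signatures are not verified: this is a configuration check, not validation."""
    parts = cookie_value.split(".")
    if len(parts) not in (3, 5):
        return ["not a compact JWS (3 parts) or JWE (5 parts)"]
    try:
        header = decode_segment(parts[0])
        # Claims are readable only in a signed (3-part) token.
        claims = decode_segment(parts[1]) if len(parts) == 3 else None
    except ValueError:
        return ["header or claims are not base64url-encoded JSON"]
    findings = []
    if claims is None:
        if header.get("enc") != expected["enc"]:
            findings.append(f"enc={header.get('enc')!r}, expected {expected['enc']!r}")
        return findings
    if header.get("alg") != expected["alg"]:
        findings.append(f"alg={header.get('alg')!r}, expected {expected['alg']!r}")
    if claims.get("iss") != expected["iss"]:
        findings.append(f"iss={claims.get('iss')!r}, expected {expected['iss']!r}")
    return findings

# Constructed sample values; the signature and ciphertext segments are dummies.
SIGNED_OK = ".".join([b64url({"alg": "ES256"}), b64url({"iss": "PingAccess"}), "c2ln"])
SIGNED_BAD = ".".join([b64url({"alg": "HS256"}), b64url({"iss": "Example"}), "c2ln"])
ENCRYPTED_OK = ".".join([b64url({"alg": "dir", "enc": "A128CBC-HS256"}), "", "aXY", "Y3Q", "dGFn"])

if __name__ == "__main__":
    for name, tok in [("signed_ok", SIGNED_OK), ("signed_bad", SIGNED_BAD), ("encrypted_ok", ENCRYPTED_OK)]:
        print(name, audit_token(tok) or "matches configuration")
```

If the issuer or algorithms were changed from the defaults, pass the configured values as the `expected` argument.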