Web sessions define the policy for web application session creation, lifetime, timeouts, and scope.
You can configure any number of web sessions to scope the session to meet the needs of a target set of applications. This improves the security model of the session by preventing unrelated applications from impersonating the end user. Use the tasks within this section to configure secure web sessions for use with specific applications and to configure global web session settings.
Application-scoped web sessions
PingAccess tokens can be configured to have their web sessions scoped to a specific application. This improves the security model of the session by preventing unrelated applications from impersonating the end user.
Several controls exist to scope the PingAccess token to an application:
- Audience Attribute: The audience attribute defines who the token is applicable to and is represented as a short, unique identifier. Requests that carry a PingAccess token whose audience differs from the audience configured in the web session associated with the target resource are rejected.
- Audience Suffix: The audience attribute is also used as a suffix of the cookie name to ensure uniqueness, for example PA.businessAppAudience.
- Cookie Domain: The cookie domain can optionally be set to limit where the browser sends the PingAccess token.
In addition to these controls, parameters such as session timeout can be adjusted to match the policy requirements of each application.
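The following is an added illustration of how the three scoping controls above fit together, written for this page and not taken from PingAccess itself. It models two hypothetical web sessions (businessApp and hrApp), derives the cookie name from the audience suffix, sets the cookie domain when the session cookie is issued, and rejects a token presented to an application whose configured audience does not match. The token encoding (base64url of a small JSON object) and all configuration values are constructed for the example; a real PingAccess token is signed and encrypted, so only the shape of the checks carries over.

```python
import base64
import json

# Constructed configuration for two hypothetical web sessions (not real PingAccess config).
WEB_SESSIONS = {
    "businessApp": {
        "audience": "businessAppAudience",
        "cookie_domain": "business.example.com",
        "idle_timeout_s": 900,
    },
    "hrApp": {
        "audience": "hrAppAudience",
        "cookie_domain": "hr.example.com",
        "idle_timeout_s": 600,
    },
}

COOKIE_PREFIX = "PA."


def cookie_name(audience):
    """Cookie name is the fixed prefix plus the audience suffix, e.g. PA.businessAppAudience."""
    return COOKIE_PREFIX + audience


def encode_token(audience, subject, last_active):
    """Constructed stand-in for a PingAccess token: base64url of a JSON object.
    Real tokens are signed/encrypted; this only gives the checks below something to parse."""
    payload = json.dumps({"aud": audience, "sub": subject, "last_active": last_active})
    return base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")


def decode_token(value):
    """Reverse of encode_token; raises ValueError on bad base64 or bad JSON."""
    padding = "=" * (-len(value) % 4)
    return json.loads(base64.urlsafe_b64decode(value + padding))


def set_cookie_header(app, subject, now):
    """Build the Set-Cookie header that scopes the session cookie to the application's domain.
    The Domain attribute is what limits where the browser will send the token."""
    cfg = WEB_SESSIONS[app]
    token = encode_token(cfg["audience"], subject, now)
    return (
        f"{cookie_name(cfg['audience'])}={token}; "
        f"Domain={cfg['cookie_domain']}; Path=/; Secure; HttpOnly; SameSite=Lax"
    )


def parse_cookie_header(header):
    """Split a request Cookie header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def validate_session(app, cookie_header, now):
    """Accept a request for `app` only if the browser sent a token scoped to that application.
    Returns (accepted, subject_or_reason)."""
    cfg = WEB_SESSIONS[app]
    cookies = parse_cookie_header(cookie_header)
    # Only the cookie named for this web session's audience is considered.
    raw = cookies.get(cookie_name(cfg["audience"]))
    if raw is None:
        return False, "no session cookie for this web session"
    try:
        token = decode_token(raw)
    except ValueError:
        return False, "malformed token"
    # A token minted for another application carries a different audience and is rejected,
    # even if it was relabelled with this web session's cookie name.
    if token.get("aud") != cfg["audience"]:
        return False, "audience mismatch"
    # Per-web-session timeout policy.
    if now - token.get("last_active", 0) > cfg["idle_timeout_s"]:
        return False, "idle timeout exceeded"
    return True, token["sub"]


if __name__ == "__main__":
    issued = set_cookie_header("businessApp", "alice", 1000)
    print(issued)
    cookie = issued.split(";")[0]
    print(validate_session("businessApp", cookie, 1500))
    print(validate_session("hrApp", cookie, 1500))
```

The two print lines at the bottom show the intended outcome: the businessApp cookie is accepted by businessApp and ignored by hrApp because hrApp looks only for its own PA.hrAppAudience cookie. The `audience mismatch` branch covers the case where a cookie value is presented under the wrong name, so the audience claim inside the token, not just the cookie name, is what binds it to an application.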
Corresponding OAuth clients must be defined in PingFederate for each web session. Redirect URL whitelists defined in PingFederate dictate from which servers and domains the session can originate. Controlling this within PingFederate allows the attribute contract, and its fulfillment, to be tailored to that particular application, so that each application and its associated policies only deal with attributes related to it.