You can configure PingAccess for server-side session management using PingFederate through web session settings.
Web sessions define the policy for web application session creation, lifetime, timeouts, and their scope. You can configure multiple web sessions to scope the session to meet the needs of a target set of applications. This improves the security model of the session by preventing unrelated applications from impersonating the end user. Use the following tasks to configure secure web sessions for use with specific applications and to configure global web session settings.
Application-scoped web sessions
Several controls exist to scope the PingAccess (PA) token to an application:
- Audience Attribute: The audience attribute defines the application to which the token applies and is represented as a short, unique identifier. A request that carries a PA token whose audience differs from the audience configured in the web session associated with the target resource is rejected.
- Audience Suffix: The audience attribute is also used as a suffix of the cookie name to ensure uniqueness. For example, PA.businessAppAudience.
- Cookie Domain: The cookie domain can optionally be set to limit the hosts to which the browser sends the PingAccess token.
In addition to these controls, you can adjust parameters, such as session timeout, to match the policy requirements of each application.
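The following Python model, added here as an illustration and not PingAccess or PingFederate code, shows how the three controls above combine: the cookie name carries the audience suffix, a token is accepted only when its audience matches the web session configured for the target resource, and the cookie domain decides which hosts a browser presents the token to. The token format, the HMAC key, the host names, the audiences and the expiry values are all constructed for the example; the session timeout is modelled only as a token expiry claim.

```python
"""Model of audience-scoped web session tokens (illustration, not PingAccess code)."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

COOKIE_PREFIX = "PA"  # cookie name is PA.<audience>, as in PA.businessAppAudience


@dataclass(frozen=True)
class WebSession:
    """Per-application web session policy: audience, optional cookie domain, lifetime."""
    audience: str
    cookie_domain: Optional[str] = None  # None: cookie is host-only
    idle_timeout_s: int = 900

    @property
    def cookie_name(self) -> str:
        return f"{COOKIE_PREFIX}.{self.audience}"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, claims: dict) -> str:
    """Constructed token format: base64url(JSON claims).base64url(HMAC-SHA256)."""
    payload = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def verify_token(key: bytes, token: str) -> Optional[dict]:
    """Return the claims if the MAC verifies, otherwise None."""
    try:
        p, m = token.split(".")
        payload, mac = _unb64(p), _unb64(m)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def evaluate_request(session: WebSession, cookies: Dict[str, str], key: bytes, now: int) -> Tuple[bool, str]:
    """Policy check for a resource protected by `session`: cookie present, MAC valid, audience matches, not expired."""
    token = cookies.get(session.cookie_name)
    if token is None:
        return False, f"no {session.cookie_name} cookie"
    claims = verify_token(key, token)
    if claims is None:
        return False, "invalid signature"
    if claims.get("aud") != session.audience:
        # A token minted for another application is rejected even if it is valid there.
        return False, f"audience {claims.get('aud')!r} does not match {session.audience!r}"
    if now > int(claims.get("exp", 0)):
        return False, "token expired"
    return True, "ok"


@dataclass(frozen=True)
class Cookie:
    """A stored browser cookie: origin host plus optional Domain attribute."""
    name: str
    value: str
    origin: str
    domain: Optional[str] = None


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 domain-match: host equals domain or is a subdomain of it."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookies_sent_to(jar: List[Cookie], host: str) -> Dict[str, str]:
    """Which cookies a browser would present to `host`; shows the effect of the cookie domain setting."""
    sent: Dict[str, str] = {}
    for c in jar:
        if c.domain is None:
            if host.lower() == c.origin.lower():  # host-only cookie
                sent[c.name] = c.value
        elif domain_matches(host, c.domain):
            sent[c.name] = c.value
    return sent


if __name__ == "__main__":
    key = b"constructed-demo-key"
    business = WebSession("businessAppAudience", cookie_domain="example.com")
    hr = WebSession("hrAppAudience")  # host-only cookie
    tok = mint_token(key, {"aud": business.audience, "sub": "alice", "exp": 2000})
    print(evaluate_request(business, {business.cookie_name: tok}, key, now=1000))
    print(evaluate_request(hr, {hr.cookie_name: tok}, key, now=1000))  # audience mismatch
```

The `hr` case shows the scoping the page describes: even a valid business-application token presented under the HR cookie name is rejected, because its audience does not match the HR web session, so one application cannot reuse another application's session to act as the user.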
You must define corresponding OAuth clients in PingFederate for each web session. Redirect URL whitelists defined in PingFederate dictate from which servers and domains the session can originate. Controlling this within PingFederate enables flexibility of the attribute contract, and its fulfillment, for that particular application. This ensures that each application and its associated policies only deal with attributes related to it.