Several SP adapters can be configured to pass security tokens or other user credentials from the PingFederate SP server to the target resource via HTTP query parameters, cookies, or POST transmittal. In all cases, these transport methods open the possibility that a third party (with specific knowledge of the IdP, the SP, or both; PingFederate endpoints; and PingFederate configuration) might be able to obtain and use valid security tokens to gain improper access to the target resource.
This potential security threat would involve using a well-formed SSO or SLO link to start an SSO or SLO request for a resource at the SP site. However, the target resource designated in the link would redirect to a malicious website in order to intercept the security token. This same threat also applies to self-service user account management endpoints when such requests include the TargetResource parameter.
To prevent such an attack, PingFederate provides a means of validating SSO, SLO, and self-service user account management transactions: the designated target resource is checked against a configurable list of expected URLs, and the request is only honored if the resource is on that list. At minimum, an expected resource requires a domain name (or an IP address) and the selection of one or more applicable request types.
The following default target URLs are always allowed:
- The default target URL for any IdP connections (see Configuring default target URLs)
- The default target URL for any adapter-to-adapter mappings (see Configuring a default target URL (optional))
- The SP default URL for successful SSO (see Configuring default URLs)
- The IdP default URL for successful SLO (see Configuring a default URL and error message)
They do not need to be entered into the list manually.
PingFederate is also capable of validating the error resource parameter in the same way. For more information about the InErrorResource parameter, see IdP endpoints, SP endpoints and System-services endpoints.
PingFederate enables both target resource validation and error resource validation by default in new installations.
For backward compatibility, PingFederate upgrade tools do not enable these options if they were not selected in the previous PingFederate installation. Although optional, it is strongly recommended to enable validation for both target and error resources and to enter all expected resources (including the HTTPS option) to prevent unauthorized access.
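The validation described above, as an added illustration that is not PingFederate's own code: a small allow-list checker for the TargetResource and InErrorResource parameters. The entry model (a host, the request types it applies to, whether it also covers the error resource, and a `require_https` flag as one reading of the "HTTPS option"), the request-type names, the "always allowed" default URLs being matched exactly, and the sample configuration are all assumptions made for this example; the point it demonstrates is that the check must be an exact host match on a parsed URL, not a substring or prefix match on the raw string.

```python
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlsplit
import ipaddress

# Request-type names are constructed for this example.
SSO, SLO, ACCOUNT_MGMT = "SSO", "SLO", "ACCOUNT_MANAGEMENT"
REQUEST_TYPES = frozenset({SSO, SLO, ACCOUNT_MGMT})


@dataclass(frozen=True)
class ExpectedResource:
    """One allow-list entry (hypothetical model): a domain name or IP literal,
    the request types it covers, whether it also validates InErrorResource,
    and whether only https:// is accepted for it."""
    host: str
    request_types: frozenset = REQUEST_TYPES
    for_error_resource: bool = True
    require_https: bool = True


def canonical_host(value: str) -> str:
    """Lower-case, strip a trailing dot, and normalise IP literals so that an
    IPv4-mapped IPv6 form such as [::ffff:a00:5] matches an entry for 10.0.0.5."""
    value = value.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(value)
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        return str(ip)
    except ValueError:
        return value  # a domain name, not an IP literal


def allowed_entry(url: str, request_type: str, expected: Iterable[ExpectedResource],
                  *, error_resource: bool = False) -> Optional[ExpectedResource]:
    """Return the allow-list entry that authorises `url`, or None if there is none."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return None  # relative URLs, javascript:, data: and the like are rejected
    netloc = parts.netloc
    # Refuse userinfo and backslashes outright: URL parsers and browsers disagree
    # on how to read them, so an allow-list should not try to interpret them.
    if "@" in netloc or "\\" in netloc or not parts.hostname:
        return None
    host = canonical_host(parts.hostname)  # port and brackets already stripped
    for entry in expected:
        if canonical_host(entry.host) != host:
            continue  # exact host match only; no suffix or subdomain matching
        if entry.require_https and parts.scheme != "https":
            continue
        if error_resource and not entry.for_error_resource:
            continue
        if not error_resource and request_type not in entry.request_types:
            continue
        return entry
    return None


def validate_request(request_type: str, target: str, in_error: Optional[str],
                     expected: Iterable[ExpectedResource],
                     default_target_urls: Iterable[str] = ()) -> tuple[bool, str]:
    """Validate TargetResource and, when present, InErrorResource for one request.
    Default target URLs are always allowed (assumed here to match exactly)."""
    if request_type not in REQUEST_TYPES:
        return False, "unknown request type"
    expected = list(expected)
    if target not in set(default_target_urls) and \
            allowed_entry(target, request_type, expected) is None:
        return False, "TargetResource is not an expected resource"
    if in_error is not None and \
            allowed_entry(in_error, request_type, expected, error_resource=True) is None:
        return False, "InErrorResource is not an expected resource"
    return True, "ok"


# Constructed sample configuration: one HTTPS-only portal for every request type,
# and one internal IP that is only valid as an SLO target and may use plain http.
SAMPLE_CONFIG = [
    ExpectedResource("portal.example.com"),
    ExpectedResource("10.0.0.5", request_types=frozenset({SLO}), require_https=False),
]

if __name__ == "__main__":
    for url in ("https://portal.example.com/app?x=1",
                "http://portal.example.com/app",
                "https://portal.example.com.evil.example/",
                "https://portal.example.com@evil.example/",
                "https://[::ffff:a00:5]/logout"):
        print(url, validate_request(SSO, url, None, SAMPLE_CONFIG))
```

The cases in the `__main__` block show the distinctions that matter: a look-alike domain that merely starts with the expected host, a URL whose userinfo part contains the expected host, and a plain-http variant of an HTTPS-only entry are all rejected, while the IPv4-mapped IPv6 form of a configured IP address is recognised as the same host.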