PingFederate's proprietary IdP-discovery method makes use of an IdP persistent reference cookie (IPRC) to track the identity provider with whom a user last authenticated. There are three significant differences between standard IdP Discovery and the IPRC method:

  • Standard IdP Discovery may be used only with SAML 2.0; the IPRC may be used with any federation protocol.
  • The common domain cookie (CDC) may be configured as a temporary, session-based cookie; the IPRC always persists for a configurable period of time.
  • The CDC is set by the IdP and readable by both federation partners; the IPRC is set by the SP, using information in the SAML assertion, and cannot be accessed by the IdP.

Note that the deployed connection configuration between SP and IdP partners must include SP-initiated SSO.

  1. Edit the org.sourceid.websso.profiles.sp.IdpIdCookieSupport.xml file located in the <pf_install>/pingfederate/server/default/data/config-store directory.
  2. Set the value of EnableIdpIdCookie to true.
  3. Optional: Modify the remaining elements in the configuration, as described in the following table:
    Field Description
    IdpIdCookieName The name of the IPRC set by the SP installation (default: IdPId). Note that the cookie name cannot contain any of the following characters: &, >, <, comma, semicolon, space.
    IdpIdCookieLifeTimeInDays The lifetime for the cookie (default: 365 days, maximum: 24855 days). The browser will delete the cookie when the period is expired.
    ShowIdpSelectionList If set to true (the default), the SP displays a list of IdPs that can be used to initiate the SSO event if the cookie is not set. If set to false, the SP installation generates an error page.
  4. Start or restart PingFederate.

    Once an IPRC cookie is set, the only way to change the IdP to whom the SP will send Authentication Requests for the user is to do one of the following: wait for the cookie to expire, delete the cookie, or perform IdP-initiated SSO using the new IdP.