Configuring IdP discovery using a persistent cookie - PingFederate - 11.1

PingFederate Server

PingFederate Server
PingFederate 11.1

PingFederate's proprietary identity provider (IdP)-discovery method makes use of an IdP persistent reference cookie (IPRC) to track the identity provider with whom a user last authenticated.

There are three significant differences between standard IdP discovery and the IPRC method:

  • Standard IdP discovery can be used only with SAML 2.0, but the IPRC can be used with any federation protocol.
  • The common domain cookie (CDC) can be configured as a temporary, session-based cookie. The IPRC always persists for a configurable period of time.
  • The CDC is set by the IdP and is readable by both federation partners. The IPRC is set by the service provider (SP), using information in the SAML assertion, and cannot be accessed by the IdP.

The deployed connection configuration between SP and IdP partners must include SP-initiated single sign-on (SSO).

  1. Edit the org.sourceid.websso.profiles.sp.IdpIdCookieSupport.xml file located in the <pf_install>/pingfederate/server/default/data/config-store directory.
  2. Set the value of EnableIdpIdCookie to true.
  3. Optional: Modify the remaining elements in the configuration, as described in the following table.
    Field Description
    IdpIdCookieName The name of the IPRC set by the SP installation. The default is IdPId. The cookie name cannot contain any of the following characters: &, >, <, ; , a comma, or a space.
    IdpIdCookieLifeTimeInDays The lifetime for the cookie. The default is 365 days and a maximum of 24855 days. The browser will delete the cookie when the period is expired.
    ShowIdpSelectionList If set to true, the default, the SP displays a list of IdPs that can be used to initiate the SSO event if the cookie is not set. If set to false, the SP installation generates an error page.
  4. Start or restart PingFederate.

    After an IPRC cookie is set, the only way to change the IdP to whom the SP will send Authentication Requests for the user is to do one of the following: wait for the cookie to expire, delete the cookie, or perform IdP-initiated SSO using the new IdP.