Validate single sign-on (SSO), single logout (SLO) and self-service user account management transactions to ensure that the designated target resource is one you have configured as expected.
You can configure several service provider (SP) adapters to pass security tokens or other user credentials from the PingFederate SP server to the target resource via HTTP query parameters, cookies, or POST transmittal. In all cases, these transport methods carry the risk that a third party (with specific knowledge of the identity provider (IdP), the SP, or both, PingFederate endpoints, and PingFederate configuration) could obtain and use valid security tokens to gain improper access to the target resource.
The threat works like this: an attacker crafts a well-formed SSO or SLO link that starts an SSO or SLO request for a resource at the SP site, but sets the target-resource parameter in that link to a URL the attacker controls. If the SP server hands the security token to whatever target the link designates, the token is redirected to the malicious website and the attacker can use it to gain access. The same threat applies to self-service user account management endpoints when such requests include the TargetResource parameter.
To prevent such an attack, PingFederate can validate SSO, SLO, and self-service user account management transactions against a configurable list of expected resources, and reject any request whose designated target resource is not on it. At minimum, an expected resource requires a domain name (or an IP address) and the selection of one or more applicable request types.
The following default target URLs are always allowed, and you don't need to enter them into the list manually:
- The default target URL for any IdP connections (see Configuring default target URLs)
- The default target URL for any adapter-to-adapter mappings (see Configuring a default target URL (optional))
- The SP default URL for successful SSO (see Configuring default URLs)
- The IdP default URL for successful SLO (see Configuring a default URL and error message)
PingFederate can also validate the error resource parameter. For more information about the InErrorResource parameter, see IdP endpoints, SP endpoints and System-services endpoints.
PingFederate enables both target resource validation and error resource validation by default in new installations.
For backward compatibility, PingFederate upgrade tools do not enable these options if they aren't selected in the previous PingFederate installation. Although optional, we strongly recommend enabling validation for both target and error resources and entering all expected resources (including the HTTPS option) to prevent unauthorized access.
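The following Python is an added example, not PingFederate's own code. It models the allowlist check this page describes: the TargetResource or InErrorResource value of a request must match a configured expected resource (a domain name or IP address plus the request types it applies to) or one of the always-allowed default URLs, otherwise the request is rejected and no token is sent anywhere. The request-type names, the per-entry `require_https` and `allow_subdomains` switches, and the sample hosts are this example's own assumptions. It also shows the URL tricks (userinfo before an `@`, scheme-relative `//host`, backslashes, look-alike subdomains) that a naive substring comparison against the expected host would let through.

```python
"""Allowlist validation for SSO/SLO target and error resources.

Added example modelled on the behaviour described in the PingFederate docs;
it is not PingFederate's implementation. Request-type names and the per-entry
switches below are assumptions made for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Request types the page mentions (names are this example's own).
SSO, SLO, ACCOUNT_MGMT, ERROR = "SSO", "SLO", "ACCOUNT_MGMT", "ERROR"


@dataclass(frozen=True)
class ExpectedResource:
    host: str                       # domain name or IP address (required)
    request_types: frozenset        # one or more applicable request types
    require_https: bool = True      # assumption: per-entry HTTPS switch
    allow_subdomains: bool = False  # assumption: whether *.host also matches


def _host_matches(rule_host: str, actual_host: str, allow_subdomains: bool) -> bool:
    rule_host = rule_host.lower().rstrip(".")
    actual_host = actual_host.lower().rstrip(".")
    if rule_host == actual_host:
        return True
    try:
        ip_address(actual_host)
        return False  # an IP literal is never a "subdomain" of anything
    except ValueError:
        pass
    # endswith("." + rule) rejects look-alikes such as app.example.com.evil.example
    return allow_subdomains and actual_host.endswith("." + rule_host)


def validate_resource(url: str, request_type: str, expected, default_urls=()) -> bool:
    """Return True only if `url` may receive a token or redirect for `request_type`."""
    # The configured default URLs are always allowed, exactly as configured.
    if url in default_urls:
        return True
    # Only plain absolute http(s) URLs are considered; this example's policy.
    # Backslashes are rejected outright: browsers treat "\" as "/" in some
    # positions, which lets "https://app.example.com\\@evil" change meaning.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # also rejects scheme-relative "//evil.example/"
    # For "https://app.example.com@evil.example/", urlsplit() treats the part
    # before "@" as userinfo and .hostname is the real host (evil.example).
    # Compare the real host and refuse any URL that carries userinfo at all.
    if parts.username is not None or parts.password is not None or not parts.hostname:
        return False
    for rule in expected:
        if request_type not in rule.request_types:
            continue
        if rule.require_https and parts.scheme != "https":
            continue
        if _host_matches(rule.host, parts.hostname, rule.allow_subdomains):
            return True
    return False


# Constructed sample configuration for this example.
EXPECTED = (
    ExpectedResource("app.example.com", frozenset({SSO, SLO})),
    ExpectedResource("203.0.113.10", frozenset({ACCOUNT_MGMT}), require_https=False),
    ExpectedResource("errors.example.com", frozenset({ERROR})),
)
DEFAULTS = ("https://sp.example.com/sso/done", "https://idp.example.com/slo/done")


def check(url: str, request_type: str) -> bool:
    """Convenience wrapper over the sample configuration above."""
    return validate_resource(url, request_type, EXPECTED, DEFAULTS)


if __name__ == "__main__":
    for candidate in (
        "https://app.example.com/home?x=1",
        "https://app.example.com@evil.example/",
        "//evil.example/",
        "https://app.example.com.evil.example/",
    ):
        print(f"{candidate!s:45} SSO -> {'allow' if check(candidate, SSO) else 'reject'}")
```

The same function is called for the InErrorResource parameter with the `ERROR` request type, so both the target and the error resource go through one allowlist and the same parsing rules.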