Managing partner redirect validation - PingFederate - 11.3

PingFederate Server


PingFederate can validate the wreply redirect parameter used in WS-Federation single logout (SLO) to protect against open redirection and prevent unauthorized access.

Some of the parameters used to perform redirection represent locations at a partner site—for example, the wreply parameter in WS-Federation. To protect against session token hijacking through open redirections, PingFederate provides an option to validate wreply for single logout (SLO). Once enabled, the parameter value is managed within the connection on a per-partner basis. PingFederate amalgamates the entries from all active WS-Federation connections and validates wreply against the consolidated list.

Important:

PingFederate enables wreply validation for SLO by default in new installations.

For backward compatibility, PingFederate upgrade tools do not enable this option if it was not selected in the previous PingFederate installation. Although optional, enabling wreply validation for SLO and specifying the allowed domains and paths for each WS-Federation connection can prevent unauthorized access.

  1. Go to Security > Redirect Validation > Partner Redirect Validation.
  2. Select the Enable wreply Validation For SLO check box to enable this feature.
    Note: This check box is selected by default in new installations. Clear the check box to disable the feature.

  3. Click Save.
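
The consolidated-list check described above, sketched as an added example; it is not PingFederate's code and does not document its actual matching rules. The connection names, hosts and paths are constructed, and the exact-host match, path-prefix match, HTTPS-only rule and default-port rule are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data; connection names, hosts and paths are hypothetical.
CONNECTIONS = [
    {"name": "partner-a", "active": True,
     "allowed": [("app.partner-a.example", "/signout")]},
    {"name": "partner-b", "active": True,
     "allowed": [("sso.partner-b.example", "/")]},
    {"name": "partner-c", "active": False,  # inactive, so its entry must not count
     "allowed": [("old.partner-c.example", "/")]},
]

def consolidated_allow_list(connections):
    """Merge (host, path) entries from active connections only."""
    return {(host.lower(), path)
            for conn in connections if conn["active"]
            for host, path in conn["allowed"]}

def is_allowed_wreply(wreply, allow_list):
    """Return True only if wreply is an https URL on an allowed host and path."""
    # Reject empty values, backslashes, spaces and control characters up front.
    if not wreply or "\\" in wreply or any(ord(ch) < 0x21 for ch in wreply):
        return False
    try:
        url = urlsplit(wreply)
        host, port = url.hostname, url.port
    except ValueError:  # malformed netloc or port
        return False
    if url.scheme != "https" or not host or "@" in url.netloc:
        return False
    if port not in (None, 443):  # assumption: default HTTPS port only
        return False
    path = url.path or "/"
    # Refuse dot segments and encoded dots or slashes instead of normalizing them.
    lowered = path.lower()
    if any(seg in (".", "..") for seg in path.split("/")) or \
            any(enc in lowered for enc in ("%2e", "%2f", "%5c")):
        return False
    for allowed_host, allowed_path in allow_list:
        if host != allowed_host:
            continue  # exact host match: no suffix or substring matching
        prefix = allowed_path.rstrip("/")
        if path == allowed_path or path.startswith(prefix + "/"):
            return True
    return False

ALLOW_LIST = consolidated_allow_list(CONNECTIONS)
```

Matching on a segment boundary keeps an entry for /signout from also admitting /signoutother, and comparing the parsed hostname rather than the raw string keeps userinfo and look-alike suffix hosts out of the match.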