PingFederate Bridge enables you to validate a parameter for single logout (SLO) in order to prevent unauthorized access.
Some of the parameters used to perform redirection represent locations at a partner site (for example, the wreply parameter in WS-Federation). To protect against session token hijacking through open redirections, PingFederate Bridge provides an option to validate wreply for single logout (SLO). Once enabled, the parameter value is managed within the connection on a per-partner basis. PingFederate Bridge amalgamates the entries from all active WS-Federation connections and validates wreply against the consolidated list.
PingFederate Bridge enables wreply validation for SLO by default in new installations.
For backward compatibility, PingFederate Bridge upgrade tools do not enable this option if it was not selected in the previous PingFederate Bridge installation. Although optional, enabling wreply validation for SLO and specifying the allowed domains and paths for each WS-Federation connection can prevent unauthorized access.
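The consolidated-list check described above can be sketched as follows. This is an added example, not PingFederate Bridge code: the connection records, the function names and the matching rules (same scheme, exact host, path prefix on a segment boundary) are assumptions made for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample data: hypothetical WS-Federation connections, each with
# its own allowed (scheme, host, path) entries for wreply.
CONNECTIONS = [
    {"id": "partner-a", "active": True,
     "allowed": [("https", "app.partner-a.example", "/signout")]},
    {"id": "partner-b", "active": True,
     "allowed": [("https", "portal.partner-b.example", "/")]},
    {"id": "partner-c", "active": False,
     "allowed": [("https", "old.partner-c.example", "/")]},
]

def consolidated_allow_list(connections):
    """Merge the entries of every active connection into one set."""
    return {entry for c in connections if c["active"] for entry in c["allowed"]}

def is_wreply_allowed(wreply, allow_list):
    """Return True only if wreply matches a consolidated entry (assumed rules)."""
    # Backslashes and control characters are parsed differently by browsers
    # and URL libraries, so refuse them before parsing.
    if any(ch in wreply for ch in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(wreply)
    except ValueError:
        return False
    # Comparing the whole netloc rejects userinfo ("allowed@other-host"),
    # unexpected ports and look-alike suffixes in a single step.
    netloc = parts.netloc.lower()
    # Collapse "." and ".." segments so "/signout/../x" cannot pass as "/signout".
    path = posixpath.normpath(parts.path or "/")
    for scheme, host, allowed_path in allow_list:
        if parts.scheme != scheme or netloc != host:
            continue
        prefix = allowed_path.rstrip("/")
        # Match the exact path or a sub-path on a "/" boundary only.
        if prefix == "" or path == prefix or path.startswith(prefix + "/"):
            return True
    return False

if __name__ == "__main__":
    allow = consolidated_allow_list(CONNECTIONS)
    print(is_wreply_allowed("https://app.partner-a.example/signout/done", allow))
```

An entry that belongs only to an inactive connection never reaches the consolidated set, so a wreply pointing at it is rejected along with any other unlisted value.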