Ensure that a designated target exists by validating single sign-on (SSO), single logout (SLO) and self-service user account management transactions.
You can configure several service provider (SP) adapters to pass security tokens or other user credentials from the PingFederate Bridge SP server to the target resource via HTTP query parameters, cookies, or POST transmittal. In all cases, these transport methods carry the risk that a third party with specific knowledge of the identity provider (IdP), the SP, or both, and of PingFederate Bridge endpoints and configuration, could obtain and use valid security tokens to gain improper access to the target resource.
This potential security threat involves using a well-formed SSO or SLO link to start an SSO or SLO request for a resource at the SP site. However, the target resource designated in the link redirects to a malicious website, which intercepts the security token. This same threat also applies to self-service user account management endpoints when such requests include the TargetResource parameter.
To prevent such an attack, PingFederate Bridge provides a means of validating SSO, SLO, and self-service user account management transactions against a configurable list of URLs, ensuring that the designated target resource is one that is expected to exist. At minimum, an expected resource requires a domain name (or an IP address) and the selection of one or more applicable request types.
PingFederate Bridge enables both target resource validation and error resource validation by default in new installations.
For backward compatibility, PingFederate Bridge upgrade tools do not enable these options if they aren't selected in the previous PingFederate Bridge installation. Although optional, we strongly recommend enabling validation for both target and error resources and entering all expected resources (including the HTTPS option) to prevent unauthorized access.
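As an added illustration of the target resource check described above (example code written for this page, not PingFederate Bridge's own implementation), the following validator accepts a target URL only when its host matches an expected resource entry that is enabled for the given request type, with an optional HTTPS requirement per entry. The request-type names, the `ExpectedResource` structure, and the sample allowlist are assumptions, and the sample URLs are constructed.

```python
"""Constructed example: allowlist validation of a TargetResource value.

Models the check the page describes (expected resources defined by a domain
name or IP address plus applicable request types, with an optional HTTPS
requirement). It is not PingFederate Bridge's own implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Hypothetical request-type names (assumption, not product identifiers).
SSO, SLO, ACCOUNT_MGMT = "SSO", "SLO", "ACCOUNT_MGMT"


@dataclass(frozen=True)
class ExpectedResource:
    host: str                  # domain name or IP address literal
    request_types: frozenset   # request types allowed to use this resource
    require_https: bool = False


def _normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot, and canonicalize IP literals."""
    host = host.strip().lower().rstrip(".")
    try:
        return str(ip_address(host.strip("[]")))
    except ValueError:
        return host


def validate_target(url: str, request_type: str, allowlist) -> bool:
    """Return True only if url's host is an expected resource for request_type."""
    # Browsers treat a backslash as a path separator but urlsplit does not,
    # so a backslash in the URL could make the host check look at the wrong
    # name. Reject such values outright rather than trying to interpret them.
    if "\\" in url:
        return False
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False           # javascript:, data:, etc. are never valid targets
    host = parts.hostname      # strips userinfo and port, lowercases
    if not host:
        return False           # relative or schemeless targets are not accepted
    host = _normalize_host(host)
    for entry in allowlist:
        if _normalize_host(entry.host) != host:
            continue           # exact host match only; no suffix matching
        if request_type not in entry.request_types:
            continue           # host is known, but not for this request type
        if entry.require_https and parts.scheme != "https":
            continue           # HTTPS option selected for this entry
        return True
    return False


# Sample allowlist (constructed): one HTTPS-only web host and one IP address
# that may only be used as an SSO target.
ALLOWLIST = (
    ExpectedResource("app.example.com", frozenset({SSO, SLO, ACCOUNT_MGMT}), True),
    ExpectedResource("10.0.0.5", frozenset({SSO})),
)
```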