SAML applications

Configure the single logout (SLO) endpoints for your SAML-enabled applications so that user sessions can be closed and cleaned up in a timely manner. If your application doesn't support SLO, PingOne SSO for SaaS Apps won't notify the application when a user session ends.

For instructions on configuring SLO endpoints, see PingOne for Enterprise and SLO.

Non-SAML applications

appurl parameter

Disable the appurl parameter or tighten its validation. The purpose of the appurl parameter is to provide a way to override the default application URL.

If your application has only one entry point, leave the Hostname or Domain field empty, which disables the appurl parameter.

If you must use appurl, specifying a hostname such as app.example.com can provide stricter validation than specifying a domain such as example.com.

Binding type

When you create a new application, you must choose between Post or Redirect bindings for sending tokens to the application. Post is the default and more secure option because it doesn't expose the token as a query parameter in the URL.

HTTPS

Use HTTPS for the Default Application URL and Error URL. Although HTTP is permitted, HTTPS improves data security in transit.

For more information about configuring non-SAML applications, see Add or update other applications.

Application integration

Processing the PingOne token exchange is the key step in integrating your application with PingOne SSO for SaaS Apps. Based on the user attributes returned from the token exchange, applications need to perform two important validations before accepting a token:

  1. Does the pingone.saas.id value match the application's SaaS ID value?

    Matching the pingone.saas.id to the application's SaaS ID value prevents attackers from using tokens issued for other applications to access your application.

  2. Is the pingone.idp.id value used to qualify the pingone.subject parameter?

    Identifying a user with a combination of the pingone.idp.id and pingone.subject parameters prevents other identity providers (IdPs) from using identifiers that resemble credentials from your intended IdP.
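The two validations above, as an added example that is not PingOne's own code. It assumes the token exchange response has already been parsed into a flat dict keyed by the attribute names on this page; the function names, SaaS ID, IdP IDs and account table are constructed for illustration.

```python
# Assumption: attrs is the parsed token exchange response, a flat dict keyed
# by the attribute names this page uses. All values below are constructed.
EXPECTED_SAAS_ID = "11111111-2222-3333-4444-555555555555"  # placeholder SaaS ID

# Local accounts are keyed by (IdP ID, subject), never by subject alone.
ACCOUNTS = {("idp-acme", "alice@example.com"): "acct-1001"}


class TokenRejected(Exception):
    """The returned attributes failed one of the two validations."""


def _required(attrs, name):
    value = attrs.get(name)
    if not isinstance(value, str) or not value:
        raise TokenRejected(f"missing or empty attribute: {name}")
    return value


def validate_exchange(attrs, expected_saas_id=EXPECTED_SAAS_ID):
    """Return the (idp_id, subject) key to use for the account lookup."""
    # Validation 1: the token must have been issued for this application.
    if _required(attrs, "pingone.saas.id") != expected_saas_id:
        raise TokenRejected("pingone.saas.id does not match this application")
    # Validation 2: qualify pingone.subject with the IdP that asserted it.
    return (_required(attrs, "pingone.idp.id"),
            _required(attrs, "pingone.subject"))


def lookup_account(attrs):
    """Map validated attributes to a local account ID, or None if unknown."""
    return ACCOUNTS.get(validate_exchange(attrs))


def is_rejected(attrs):
    try:
        validate_exchange(attrs)
    except TokenRejected:
        return True
    return False


# Constructed sample responses.
SAMPLE_OK = {"pingone.saas.id": EXPECTED_SAAS_ID,
             "pingone.idp.id": "idp-acme",
             "pingone.subject": "alice@example.com"}
SAMPLE_OTHER_APP = dict(SAMPLE_OK, **{"pingone.saas.id": "99999999-0000-0000-0000-000000000000"})
SAMPLE_OTHER_IDP = dict(SAMPLE_OK, **{"pingone.idp.id": "idp-other"})
```

A token issued for another application is rejected outright, and the same subject asserted by a different IdP resolves to no account rather than to the existing user's account.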

For more information, see Process the PingOne SSO for SaaS Apps token exchange.