How to Enforce HSTS for websites protected by PingFederate

This post goes over enforcing HSTS for websites and how to do with PingFederate. 
PingFederate is a Federation server from PingIdentity tools that provides authentication and federation services. Typically PingFederate server is configured to host or provide Single Sign on for web applications where authentication is done by PingFederate. During the authentication process, the protected website redirects the web request to the PingFederate hosted URL where user request is validated by the Federation server (PingFederate in this case). However always ensure that this redirected URL hosted at PingFederate or the Federation server is https (for example https://sso.yourdomain.com) is enabled and not the plain http for obvious reason that the http traffic data is fully visible on the network. Hence always ensure that this URL/site be always https enforced so that the site traffic data is protected by encryption. This can be enforced by making sure that the PingFederate config file "response-header-admin-config.xml" is set to enforce HSTS. More about HSTS here. (HSTS stands for HTTP Strict Transport Security)

Out of the box, you may need to edit the PingFederate config file to enforce HSTS. The config file is response-header-admin-config.xml.

The line below needs to be uncommented to allow HSTS in the both response-header-admin-config.xml file and  the response-header-runtime-config.xml file.


Save your changes and restart PingFederate.

For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on the System → Cluster Management screen.
Above steps will ensure that the PingFederate URL is HSTS enforced.


See note from PingFederate about enforcing HSTS and here is PingFederate version 10 link
Add custom HTTP response headers
The PingFederate administrative console and runtime server are capable of returning custom HTTP response headers, such as HTTP Strict-Transport-Security (HSTS) to enforce HTTPS based access and P3P for Microsoft Internet Explorer interoperability.

  1. Edit the response-header-admin-config.xml file or the response-header-runtime-config.xml file (or both) in the /pingfederate/server/default/data/config-store directory.
  2. Save the changes.
  3. Restart PingFederate.

Comments

  1. Thank you for this information, Looking forward to reading more stuff like this. Skill center is an online learning platform offering many IT courses that will help students level up their IT skills and land their dream jobs.Skill Centre offers a comprehensive PingFederate course that covers the basics of configuring and deploying PingFederate. Enroll to this incredible PingFederate course by the skill centre.Also check Ping identity Course in India

    ReplyDelete

Post a Comment

Popular posts from this blog

VMware fix for Invalid manifest and ova file import failed errors

SOAPUI - import certificate

Session Timeout in Oracle Access Manager