
mod_pf and integration with PF SP

February 11, 2016

mod_pf setup is straightforward: install the module .so and the mod_pf conf file along with agent_config (these two config files are taken from the SP).

However, a few issues came up.

1. There is a token renew timeout (5 minutes by default), and the token is re-created based on the active session. For XHR calls, the redirection at this timeout was not followed, because XHR calls do not follow it unless the response header from the server says Access-Control-Allow-Origin: * or lists the domain the XHR originated from.

To resolve this the PF SP should update the file


Set the Access-Control-Allow-Origin header value to include your domain.

Similarly, X-Frame-Options can be set to sameorigin.

Without these headers, the XHR request will not be followed.

2. Session timeout: renew-until is the maximum time for which a session can be active, not the maximum inactive time. Note the difference: if you set renew-until to 2 hours, then after 2 hours the user will be pushed out even if he is active 🙂. To rephrase, PF does not have a way to track the inactive session period. The concept of SLO does exist in PF; however, it was not enabled for our environment, so we had to rely on app session timeout variance.

3. Logout: the URL needs to have a POST action that pushes to the Apache-level logout, which pushes to the PF logout page, where all cookies are cleared and each sub-app's logout URL is called individually.

4. Since it's header-based auth, for security reasons no app should be accessible directly without the proxy.
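
Point 4 can also be enforced inside each application, as a second layer behind network-level restrictions. The WSGI middleware below is an added example, not code from this setup or from PingFederate; the proxy address, the `X-Remote-User` and `X-Proxy-Secret` header names and the shared secret are assumptions.

```python
import hmac
from wsgiref.util import setup_testing_defaults

# Assumptions (not from the original post): the proxy address, the shared
# secret header and the identity header name are all hypothetical.
TRUSTED_PROXIES = {"10.0.0.5"}              # Apache host running mod_pf
PROXY_SECRET = "replace-with-random-value"  # injected by the proxy only
IDENTITY_HEADER = "HTTP_X_REMOTE_USER"      # header carrying the user id
SECRET_HEADER = "HTTP_X_PROXY_SECRET"


def require_proxy(app):
    """Reject any request that did not arrive through the auth proxy."""
    def guarded(environ, start_response):
        peer = environ.get("REMOTE_ADDR", "")
        secret = environ.get(SECRET_HEADER, "")
        from_proxy = peer in TRUSTED_PROXIES and hmac.compare_digest(
            secret.encode(), PROXY_SECRET.encode())
        if not from_proxy or not environ.get(IDENTITY_HEADER):
            # Direct hit: the identity header cannot be trusted, so the
            # request is refused before the application reads it.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct access is not allowed\n"]
        # Never forward the shared secret into application code or logs.
        environ.pop(SECRET_HEADER, None)
        return app(environ, start_response)
    return guarded


def hello(environ, start_response):
    user = environ[IDENTITY_HEADER]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello %s\n" % user).encode()]


def simulate(remote_addr, headers):
    """Run one constructed request through the guard; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REMOTE_ADDR"] = remote_addr
    environ.update(headers)
    seen = {}
    def start_response(status, response_headers):
        seen["status"] = status
    body = b"".join(require_proxy(hello)(environ, start_response))
    return seen["status"], body
```

The proxy must also strip any client-supplied copies of both headers before setting its own, otherwise the check only moves the trust problem one hop upstream.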

