Identity Gateway 2023.11

Access

The following sections describe how to prevent unwanted access to your deployment, and reduce the amount of non-essential information that it provides.

Use an IG service account

Install and run IG from a dedicated service account. This is optional when evaluating IG, but essential in production installations. For more information, refer to Create an IG service account.

Remove non-essential access

Make sure only authorized people can access your servers and applications through the appropriate network, using the appropriate ports, and by presenting strong-enough credentials.

Apply the principle of least privilege to IG logs and configuration directories. For more information, refer to Configuration location.

Make sure that users connect to systems through the latest versions of TLS, and audit system access periodically.

Restrict access to your monitoring data by protecting the Prometheus Scrape Endpoint and Common REST Monitoring Endpoint. For information, refer to Protecting the monitoring endpoints.

Prevent IG from scanning for changes to routes. For information, see scanInterval in Router.

Disable administration endpoints and Studio by setting the IG run mode to production. For information, refer to Operating modes.

Remove non-essential features

The more features you have turned on, the greater the attack surface. If something isn’t used, uninstall it, disable it, or protect access to it.

Update patches

Prevent the exploitation of security vulnerabilities by using up-to-date versions of IG and third-party software.

Review and follow the Ping Identity security advisories.

Follow similar lists from all of your vendors.

Manage sessions

Expire Identity Cloud and AM sessions

To minimize the time an attacker can attack an active session, set expiration timeouts for every Identity Cloud and AM session. Set timeouts according to context of the deployment, balancing security and usability so that the user can complete operations without the session frequently expiring.

For more information, refer to OWASP’s Session Management Cheat Sheet.

Set a maximum session lifetime and idle time in Identity Cloud:
  • In the Identity Cloud admin UI, select open_in_new Native Consoles > Access Management.

  • In the AM admin UI, select Services > Add a Service and add a Session service.

  • Specify the following properties in minutes:

    • Maximum Session Time

    • Maximum Idle Time

Set a maximum session lifetime and idle time in Access Management:
  • In the AM admin UI, select Services > Add a Service and add a Session service.

  • Specify the following properties in minutes:

    • Maximum Session Time

    • Maximum Idle Time

Validate the signature of Identity Cloud and AM session cookies

Always configure verificationSecretId in the CrossDomainSingleSignOnFilter.

When verificationSecretId is not configured, IG does not verify the signature of AM session tokens, increasing the risk of CDSSO token tampering.

Manage cookies

Increase the security of cookies genrated by IG or the protected application in the following ways:

  • Change the default name of cookies to prevent them from being easily associated with an application.

  • Create cookies with the secure flag to ensure that browsers cannot transmit the cookie over non-SSL.

    When cookies have the secure flag, the first hop of the connection between the user agent and protected application must be secure (over HTTPs); subsequent hops do not have to be secure. In this example, the first hop from the user agent to NGINX is secure, the subsequent hop to IG is not secure:

    User agent -> NGINX (https://acme.com) -> IG (http://gateway:8080)-> protected application (https://internal.app:8081)
  • Create cookies with the httpOnly flag, to ensure that the cookie cannot be accessed through client-side scripts, and to mitigate any cross-site scripting attacks.

    Cookies are httpOnly by default in admin.json, JwtSession, CrossDomainSingleSignOnFilter, and FragmentFilter.

  • Set the samesite attribute of cookies to STRICT or LAX. For more information, refer to SameSite cookies.

  • Set a timeout for cookies, to strike a good compromise between security and usability.

Harden an IG configuration by configuring the following objects:

  • For stateful sessions, configure the session.cookie property in admin.json.

  • For stateless sessions, configure the cookie property of JwtSession.

  • For authentication results, configure the authCookie property of CrossDomainSingleSignOnFilter.

  • For the fragment part of a URI when a request triggers a login redirect, configure the cookie property of FragmentFilter.

Copyright © 2010-2024 ForgeRock, all rights reserved.