This feature provides flexibility in how you protect your web applications. For example, it allows you to define how users authenticate or even what attributes should be provided in the web session for the application.
Say you have two applications protected by PingAccess and you want to have the applications authenticate using the same adapter such as the HTML form adapter. Each application requires a different set of attributes. Instead of creating one web session with all attributes required by all applications, you can define two Web Sessions that use different OpenID Connect clients linked to different OpenID Connect policies in PingFederate.
Each policy defines a different attribute contract. You still have single sign-on because the adapter would maintain a session for the user.
Another requirement that often comes up is the need to have different session timeouts for different applications. Say you have an application that provides sensitive information. You might want to require a shorter session time that forces users to authenticate more often for one app, or require certain user attributes to be updated more often. You can do that with application scoped Web Sessions.
PingAccess 2.1 also supports encryption or signing of the Web Session cookie that contains the identity token. You can provide an encrypted session token for those applications that require sensitive user identity attributes.
The application scoped Web Session features are all about having the flexibility to meet the needs of the various applications you support.
Another example of where you could use this feature: You have two applications but for one application you want to use a second authentication factor and different attribute contracts. You could combine this feature with the another new feature in version 2.1, authentication rules, to support a multi-factor authentication.
Take a look at PingAccess 2.1 and try out the PingAccess QuickStart application to quickly get a test environment up in running. You have to see it in action!
Hope you found this article helpful, if you have ideas for future topics or any questions please post them in the comments. Follow me on Twitter.
John DaSilva develops solutions and training for Ping Identity.