The OpenToken (OTK) is used within a PingFederate environment to carry data securely from an Identity Provider (IdP) application to PingFederate or from PingFederate to a Service Provider (SP) application.
It is basically a string of characters that has been URL encoded (also referred to as "percent encoding"). But how do you move that string of characters from the originator to the receiver? There are three options, each with its own strengths and weaknesses, and its own use cases.
The simplest is the query string. The originator puts the OTK into the query string of a URL that takes the browser to the OTK recipient.
It is clean and straightforward, but it exposes the OTK in the address bar of the browser. It is also limited in length by the browser's maximum URL length; for Internet Explorer (IE) this can be fewer than 2000 characters.
The OTK will be sent only once, and it is the responsibility of the first page the browser hits either to save or to use the OTK. An HTTP 302 redirect can preserve the query string data, but this must be done deliberately.
The final option is the cookie. By setting a cookie (usually a session cookie) in the browser, the sender can keep the OTK available on successive browser requests, and the length is almost unlimited -- most modern browsers support cookies up to 4K in size, more than ample for the OTK cookie. However, some proxies and other intermediary devices may have issues when the total header size, of which all cookies are a part, exceeds 5K, so be aware of that.
But the sender and the receiver must share a common DNS domain. The sender might be federation.foo.com and the recipient app.foo.com. As long as the cookie is set with the ".foo.com" domain, the browser will present it. Note: Some browsers may also apply cross-site restrictions to cookies, depending on their security settings.
If the two domains are federation.foo.com and application.foo-services.com, cookie transport will not work.
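The constraints above (IE's URL length limit, the per-cookie and total-header sizes, and the shared-domain rule) can be turned into a small pre-flight check. This is an added example, not PingFederate or Integration Kit code; the hostnames, the limit values and the `opentoken` parameter and cookie names are assumptions, and `otk` is taken to be the raw token string before percent encoding.

```python
from urllib.parse import quote, urlencode

# Thresholds taken from the article; treat them as conservative assumptions.
MAX_IE_URL_LEN = 2000      # IE may reject URLs longer than this
MAX_COOKIE_BYTES = 4096    # common per-cookie limit in modern browsers
MAX_HEADER_BYTES = 5120    # some proxies misbehave above this total header size


def shared_cookie_domain(sender_host: str, recipient_host: str):
    """Return the Domain attribute (e.g. '.foo.com') the sender must set so the
    browser presents the cookie to the recipient, or None if the hosts share no
    usable parent domain. Assumes a single-label public suffix (com, net, ...);
    a production check would consult the Public Suffix List instead."""
    sender = sender_host.lower().split(".")
    recipient = recipient_host.lower().split(".")
    common = []
    for a, b in zip(reversed(sender), reversed(recipient)):
        if a != b:
            break
        common.append(a)
    # Require at least two labels so a cookie is never scoped to a bare TLD.
    if len(common) < 2:
        return None
    return "." + ".".join(reversed(common))


def query_string_url(base_url: str, otk: str) -> str:
    """Query-string transport: percent-encode the token into the recipient URL."""
    return base_url + "?" + urlencode({"opentoken": otk})


def cookie_header(otk: str, domain: str) -> str:
    """Cookie transport: a session cookie scoped to the shared parent domain."""
    return f"opentoken={quote(otk, safe='')}; Domain={domain}; Path=/; Secure; HttpOnly"


def choose_transport(sender_host, recipient_host, base_url, otk, existing_header_bytes=0):
    """Report which transports satisfy the article's constraints for this token."""
    report = {}
    report["query_string"] = len(query_string_url(base_url, otk)) <= MAX_IE_URL_LEN
    domain = shared_cookie_domain(sender_host, recipient_host)
    report["cookie_domain"] = domain
    if domain is None:
        report["cookie"] = False
    else:
        hdr = cookie_header(otk, domain)
        report["cookie"] = (len(hdr) <= MAX_COOKIE_BYTES
                            and existing_header_bytes + len(hdr) <= MAX_HEADER_BYTES)
    return report
```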
In more complex cases, such as our Internet Information Services (IIS) or Apache Integration Kits, there may be a combination of transport methods with intermediate server pages, but each hop must follow the restrictions described above.
Dave Uggla is a Product Support Engineer at Ping Identity.