PingFederate 8 and the JCE

TL;DR It's a good idea to install the JCE Unlimited Strength Jurisdiction Policy Files.

Installing the Java Cryptography Extension (JCE) Unlimited Strength policy files is highly recommended, provided your country's laws permit their import and use, for two reasons: adherence to standards and interoperability. There's some pretty cool stuff being developed by people who don't care too much about interoperability, but for those of us in the Enterprise Identity Management space it's essential: a partner who encrypts SAML assertions with AES-256, or a client that negotiates an AES_256 TLS cipher suite, simply fails against a JVM still running the limited policy.

Java 8 ships with the JCE framework, but its default "limited" jurisdiction policy caps the maximum key size per algorithm (AES at 128 bits, for example). The following table provides a quick summary. Note that Java 8u151 and later select the policy with the crypto.policy property in java.security ("limited" or "unlimited"), and from 8u161 the default is unlimited, so on those builds check the property rather than replacing policy JARs.
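To see which policy a given JVM is actually running under, here is an added check (it is not from the original post and not a Ping Identity tool) built on the standard Cipher.getMaxAllowedKeyLength API; it also attempts a real AES-256 cipher initialisation, because that is the call that fails with "Illegal key size" under the limited policy. Run it with the same java binary PingFederate is started with, otherwise you are testing a different policy.

```java
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Probes the JCE jurisdiction policy of the running JVM, i.e. the JVM that
 * PingFederate would be started with. Added example, not PingFederate code.
 */
public class JcePolicyCheck {

    /** Algorithms whose key-size caps matter for SAML/WS-Fed/TLS interoperability. */
    static final String[] ALGORITHMS = {"AES", "DESede", "Blowfish", "RSA"};

    /** Largest key size the policy permits; Integer.MAX_VALUE means unlimited. */
    static int maxKeyLength(String algorithm) throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength(algorithm);
    }

    /** The practical unlimited-strength test: are 256-bit AES keys allowed? */
    static boolean unlimitedStrength() throws NoSuchAlgorithmException {
        return maxKeyLength("AES") >= 256;
    }

    /**
     * Goes one step further and initialises a real AES-256 cipher. Under the limited
     * policy this fails with InvalidKeyException ("Illegal key size"), the same
     * exception that surfaces in server logs when a partner sends AES-256-encrypted
     * assertions or a client negotiates an AES_256 TLS cipher suite.
     */
    static boolean canInitAes256() {
        byte[] probeKey = new byte[32]; // 256-bit all-zero key; a policy probe only, never a real key
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(probeKey, "AES"));
            return true;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // 8u151 and later select the policy through this java.security property
        // ("limited" or "unlimited"); on earlier Java 8 builds it is null and only
        // the policy JARs in jre/lib/security decide.
        System.out.println("java.version  = " + System.getProperty("java.version"));
        System.out.println("crypto.policy = " + Security.getProperty("crypto.policy"));
        for (String alg : ALGORITHMS) {
            int max = maxKeyLength(alg);
            System.out.printf("%-8s max key length: %s%n", alg,
                    max == Integer.MAX_VALUE ? "unlimited" : Integer.toString(max));
        }
        System.out.println("unlimited strength (AES >= 256): " + unlimitedStrength());
        System.out.println("AES-256 cipher initialises:      " + canInitAes256());
    }
}
```

If canInitAes256() reports false after you believe you have installed the policy files, the usual cause is that they were copied into a different JRE than the one PingFederate's run script resolves, so compare the java.version line against the JVM PingFederate logs at startup.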

PingFederate and Active Directory Kerberos Tokens

An old AD issue that pops up from time to time is Kerberos token bloat. In a nutshell, the more AD groups you're a member of, the bigger your Kerberos token, because every group SID is carried in the ticket's PAC. Eventually your token gets too big and stuff breaks.

In the most common use case, when you access a website using Integrated Windows Authentication, the browser (Internet Explorer, typically) Base64-encodes the Kerberos (SPNEGO) token and sends it in the HTTP request's Authorization: Negotiate header.

Servers receiving the HTTP request have a MaxTokenSize configured. Historically the Windows default was 12,000 bytes. Windows Server 2012 (and Windows 8) raised the default to 48,000 bytes, which is the practical maximum over HTTP. The registry value can be set as high as 65,535 bytes, and some older documentation recommends that, but that advice didn't take into account that the Kerberos token is Base64-encoded, which inflates it by a third: 48,000 raw bytes become 64,000 encoded bytes, about the most that fits in a single 64 KB HTTP header field, whereas a 65,535-byte token would encode to roughly 87 KB.

PingFederate's embedded Jetty is configured with an 8 KB request header limit out of the box. When integrating with an Active Directory forest for Kerberos authentication, we typically raise this (the requestHeaderSize setting in jetty-runtime.xml) to 48 KB, in line with the Windows 2012+ MaxTokenSize. Bear in mind that the limit has to hold the Base64-encoded form, so 48 KB of header accommodates a raw token of roughly 36,000 bytes; a token at the full 48,000-byte MaxTokenSize needs a limit of about 64 KB.
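As an added example, not from the original post and not Ping Identity code, the arithmetic behind these numbers in one place, together with a helper that measures a captured Negotiate header so you can see how close real users are to the limit. The "Authorization: Negotiate " prefix and the CRLF are counted as on-the-wire overhead; the 8 KB Jetty default and the 12,000/48,000-byte MaxTokenSize defaults come from the text above; the sample token is constructed and stands in for a real SPNEGO blob.

```java
import java.util.Base64;

/**
 * Sizing helper for the Authorization: Negotiate header that carries a Kerberos
 * (SPNEGO) token, to match a server's request header limit to AD's MaxTokenSize.
 * Added example; not part of PingFederate.
 */
public class NegotiateHeaderSizing {

    /** Active Directory MaxTokenSize defaults, in raw (un-encoded) bytes. */
    static final int MAX_TOKEN_SIZE_PRE_2012 = 12_000;
    static final int MAX_TOKEN_SIZE_2012 = 48_000;

    /** Jetty's default maximum request header size, which PingFederate ships with. */
    static final int PF_DEFAULT_REQUEST_HEADER_SIZE = 8 * 1024;

    /** Header name, scheme and the trailing CRLF all count against the header limit. */
    private static final String HEADER_NAME_AND_SCHEME = "Authorization: Negotiate ";
    private static final int CRLF = 2;

    /** Bytes produced by padded Base64 for rawBytes of input: 4 output bytes per 3 input. */
    static int base64Length(int rawBytes) {
        return ((rawBytes + 2) / 3) * 4;
    }

    /** Largest raw token whose Base64 form still fits in encodedBudget bytes. */
    static int maxRawTokenForEncodedBudget(int encodedBudget) {
        return (encodedBudget / 4) * 3;
    }

    /** Wire size of the complete header line for a token of the given raw size. */
    static int headerLineLength(int rawTokenBytes) {
        return HEADER_NAME_AND_SCHEME.length() + base64Length(rawTokenBytes) + CRLF;
    }

    /** Whether a token of this raw size fits within a server's request header limit. */
    static boolean fits(int rawTokenBytes, int requestHeaderSize) {
        return headerLineLength(rawTokenBytes) <= requestHeaderSize;
    }

    /** Decodes a captured Authorization header value and returns the raw token size in bytes. */
    static int rawTokenSize(String authorizationValue) {
        String value = authorizationValue.trim();
        String scheme = "Negotiate ";
        if (!value.regionMatches(true, 0, scheme, 0, scheme.length())) {
            throw new IllegalArgumentException("Not a Negotiate (SPNEGO) Authorization header");
        }
        return Base64.getDecoder().decode(value.substring(scheme.length()).trim()).length;
    }

    public static void main(String[] args) {
        System.out.printf("Base64 of %,d raw bytes = %,d bytes (fits a 64 KB header field)%n",
                MAX_TOKEN_SIZE_2012, base64Length(MAX_TOKEN_SIZE_2012));
        System.out.printf("Base64 of 65,535 raw bytes = %,d bytes (does not)%n", base64Length(65_535));
        System.out.printf("Largest raw token for a 48 KB header limit: %,d bytes%n",
                maxRawTokenForEncodedBudget(48 * 1024 - HEADER_NAME_AND_SCHEME.length() - CRLF));

        int[] limits = {PF_DEFAULT_REQUEST_HEADER_SIZE, 48 * 1024, 64 * 1024};
        for (int limit : limits) {
            System.out.printf("requestHeaderSize %,6d: 12,000-byte token fits=%-5b 48,000-byte token fits=%-5b%n",
                    limit, fits(MAX_TOKEN_SIZE_PRE_2012, limit), fits(MAX_TOKEN_SIZE_2012, limit));
        }

        // Constructed sample: 30,000 opaque bytes standing in for a real SPNEGO blob.
        String captured = "Negotiate " + Base64.getEncoder().encodeToString(new byte[30_000]);
        System.out.printf("captured header carries %,d raw token bytes%n", rawTokenSize(captured));
    }
}
```

Running it shows that the 8 KB default rejects even a 12,000-byte token, that 48 KB admits the pre-2012 default but not a 48,000-byte token, and that 64 KB admits both. Jetty's requestHeaderSize bounds the whole request header block, not just this one line, so leave headroom for cookies and the other headers the browser sends.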