The SSO product PingFederate produces a "Page Expired" when it cannot find the request in its table of recent requests. They state, in a manner reminiscent of "640K ought to be enough for anybody", that:
"This is unlikely since PingFederate's state table handles up to 10000 requests by default."
Well, guess what, this PingFederate server is kind of busy (producing 10MB of logs per minute), so if the user should wait for, say, an hour, 10K requests have been produced and that state table no longer contains the lookup key (of cookie+nonce).
So, apart from trying to keep the user from staying on the logon screen, is there a way I can instruct PF to "redirect user back to logon screen in case of Page Expired"?
Logout requests have exactly this feature, through the InErrorResource parameter, so the opposite seems likely to exist.
PingFederate does support an InErrorResource parameter for both the IdP-init SSO and SP-init SSO endpoints. This being said, I doubt that the InErrorResource value will be kept when the state is dropped; PingFederate might end up with no knowledge of the user and request, resulting in the same error.
If the environment is busy, as you stated, it would make more sense to adjust the size limits to avoid the state being lost. The documentation explains here how these can be configured, and what each limit controls. It's worth noting that increasing these limits will have an impact on memory usage; handle with care.