PingFederate Server

Configuring an Amazon Dynamo database for persistent grants

About this task

Maintain access grants in Amazon Web Services (AWS) native DynamoDB.

Global secondary indexes:

  • “AccessGrantsUniqueUserId-index” Hash: UniqueUserID

  • “AccessGrantsHashedRefreshToken-index” Hash: HashedRefreshToken

  • “AccessGrantsClientId-index”: Hash ClientID

  • “AccessGrantsLimitCheck-index” Hash: UniqueUserID, Range: ClientID

Steps

  1. To create a table in the DynamoDB to contain access grants, run the commands located in the access-grant-dynamodb.txt file in the server/default/conf/access-grant/nosql-scripts directory.

    This file contains the create table command, the key, global secondary indexes, and the attributes needed for the key and index, as well as the command to enable the TTL expires attribute.

  2. Edit the <pf_install>/pingfederate/server/default/conf/hivemodule.xml file:

    1. Add org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl to the available Access Grant managers in server/default/conf/hivemodule.xml.

    2. Locate the AccessGrantManager service point.

      <!-- Service for storage of access grants -->
      <service-point id="AccessGrantManager"
      interface="com.pingidentity.sdk.accessgrant.AccessGrantManager">
      <create-instance class="org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl"/>
      </service-point>
    3. Update the class attribute value to one of the following values.

      Directory server Class value

      AWS Dynamodb

      org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl

    4. Save the file.

      For a clustered PingFederate environment, you must edit the hivemodule.xml file on each node manually as cluster replication can’t replicate this change to other nodes.

  3. Edit the server/default/data/config-store/org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl.xml file.

    PingFederate Access Grants
    Access Grants Description

    AccessGrantsUniqueUserId-index

    The name of the user ID index.

    This is the default value.

    AccessGrantsHashedRefreshToken-index

    The name of the hashed refresh token index.

    This is the default value.

    AccessGrantsClientId-index

    The name of the client ID index.

    This is the default value.

    AccessGrantsLimitCheck-index

    The name of the limits check index.

    This is the default value.

    EndpointOverride

    An optional endpoint URL which should not be used in production but allows for testing with a local development DynamoDB instance.

    By default, this value is empty. To test DynamoDB running locally, specify EndpointOverride to point to a local endpoint. For example, <c:item name="EndpointOverride">http://localhost:8000</c:item>. For more information, see DynamoDB local usage notes in the AWS DynamoDB documentation.

  4. Export the AWS region.

    See the following for a sample command export AWS_REGION=us-east-2.

  5. Start or restart PingFederate.