Configuring PingDirectory for authentication sessions
Use specific schema objects to enable PingFederate to store authentication sessions on your directory server. For PingDirectory, LDIF scripts are provided for this purpose.
Steps
-
Update the LDAP schema.
-
Sign on to the PingDirectory administrative console.
-
Go to LDAP Schema → Schema Utilities.
-
Click Import Schema Element.
-
Copy the schema changes from the
authentication-session-attributes-ldap-pingdirectory.ldif
file and paste them into the text area.The file is located in the
<pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts
directory.Replace the placeholder values with relevant information from your directory server.
-
Click Import.
-
-
Create the following indexes.
Attribute name Index type pf-authn-session-group-hashed-session-id
equality
pf-authn-session-group-user-ids
equality
pf-authn-session-group-expiry-time
ordering
pf-authn-session-group-last-activity-time
ordering
Create these indexes with PingDirectory’s
dsconfig
utility. Thedsconfig
utility is interactive. You can also provide inputs as command arguments. The following examples create the indexes.$ bin/dsconfig create-local-db-index \ --backend-name userRoot \ --index-name
pf-authn-session-group-hashed-session-id
\ --set index-type:equality$ bin/dsconfig create-local-db-index \ --backend-name userRoot \ --index-name
pf-authn-session-group-user-ids
\ --set index-type:equality$ bin/dsconfig create-local-db-index \ --backend-name userRoot \ --index-name
pf-authn-session-group-expiry-time
\ --set index-type:ordering$ bin/dsconfig create-local-db-index \ --backend-name userRoot \ --index-name
pf-authn-session-group-last-activity-time
\ --set index-type:orderingAfter adding the indexes, use the
rebuild-index
utility to build the indexes. The following example builds the required indexes.$ bin/rebuild-index \ --baseDN "dc=example,dc=com" \ --index pf-authn-session-group-hashed-session-id \ --index pf-authn-session-group-user-ids \ --index pf-authn-session-group-expiry-time \ --index pf-authn-session-group-last-activity-time
For more information see Working with indexes in the PingDirectory Administration Guide.
-
If you have not already done so, create an LDAP data store for your directory server on System → Data & Credential Stores → Data Stores.
-
Copy the system ID of the applicable LDAP data store from the Data Stores window.
-
Edit the
/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl.xml
file.For a clustered PingFederate environment, edit this file on the administrative console node first, and then replicate to other engine nodes using System → Server → Cluster Management as explained in later steps.
-
Replace the
<c:item name="PingFederateDSJNDIName"/>
element value with the system ID of your data store connection.Example:
For example, if the system ID is
LDAP-123456789ABCDEF123456789ABCDEF123456A0AC
, update the configuration file as follows.... <!-- Data store id --> <c:item name="PingFederateDSJNDIName">LDAP-123456789ABCDEF123456789ABCDEF123456A0AC</c:item> ...
-
Enter a value for the
<c:item name="SearchBase"/>
element.This is the distinguished name (DN) that points to the client location. For more information, see the inline comment and the LDIF scripts in the
<pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts
directory. -
Update the attribute names only if you have changed attribute names in the LDIF scripts located in the
<pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts
directory. -
Save the file.
-
-
Edit the
<pf_install>/pingfederate/server/default/conf/hivemodule.xml
file.-
Locate the
SessionStorageManager
service point.<!-- Service for storing Authentication Sessions. --> <service-point id="SessionStorageManager" interface="org.sourceid.saml20.service.session.data.SessionStorageManager"> <invoke-factory> <!-- Supported classes are org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl : Use this service-point for a Jdbc implementation. org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl : Use this service-point for an LDAP implementation. --> <construct class="org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl"/> </invoke-factory> </service-point>
-
Set the value of the
class
attribute toorg.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl
. -
Save the file.
For a clustered PingFederate environment, you must edit the
hivemodule.xml
file on each node manually as cluster replication can’t replicate this change to other nodes.
-
-
Start or restart the PingFederate service.
For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System > Server > Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.
When storing persistent authentication sessions on a PingDirectory server, you must also configure a cleanup plugin in PingDirectory to remove expired authentication sessions from your directory server. For more information, see Managing authentication sessions stored in PingDirectory.