Managing authentication sessions stored in PingDirectory
When storing persistent authentication sessions on a PingDirectory server, you must also configure a cleanup plugin in PingDirectory to remove expired authentication sessions from your directory server.
Steps
- Disable the PingFederate cleanup task.
  For a clustered PingFederate environment, make these changes on the console node. None of the engine nodes require any changes.
  - Edit the <pf_install>/pingfederate/server/default/data/config-store/timer-intervals.xml file.
  - Update the StoredSessionCleanerInterval value to 0.
  - Save your changes.
  - Restart PingFederate.
- Sign on to the PingDirectory administrative console.
- Go to Configuration → Plugin Root.
- On the Plugin Root window, click New Plugin, and then select Purge Expired Data Plugin.
- Configure a new instance of the Purge Expired Data Plugin.
  See the following table for information about each required field.
  Field and description:
  - Name
    The name of this plugin instance.
  - Enabled
    The status of this plugin instance. Select the check box to enable this plugin instance; clear the check box to disable it. This check box is not selected by default.
  - Datetime Attribute
    The attribute whose value determines whether an authentication session has expired in the context of this plugin instance. Valid options are pf-authn-session-group-expiry-time and pf-authn-session-group-last-activity-time.
    - pf-authn-session-group-expiry-time: Set this value if this plugin instance should only remove persistent authentication sessions that have expired. The plugin instance compares the session's expiration timestamp with the current time. If the expiration timestamp is older than the current time by the amount of time specified in the Expiration Offset field, the session is subject to removal.
    - pf-authn-session-group-last-activity-time: Set this value if this plugin instance should remove persistent authentication sessions that have been left idle. The plugin instance compares the session's last activity timestamp with the current time. If the last activity timestamp is older than the current time by the amount of time specified in the Expiration Offset field, the session is subject to removal, even if the session has not yet reached its expiration timestamp. For example, if PingFederate should remove persistent authentication sessions whose last activity is more than three weeks ago, set the Datetime Attribute value to pf-authn-session-group-last-activity-time and the Expiration Offset value to 3 w.
  - Datetime Format
    The format of the attribute specified in the Datetime Attribute field. Select generalized-time from the list. The default selection is generalized-time.
  - Expiration Offset
    The offset relative to the current time. Enter an integer to indicate the time value, followed by its unit of measurement (for example, 3 w). This field has no default value.
  - Purge Behavior
    The method this plugin instance uses to remove expired data. Select subtree-delete-entries from the list so that the whole session subtree is removed. This field has no default selection.
  - Polling Interval
    How often this plugin instance runs. Enter an integer to indicate the time value, followed by its unit of measurement. This field has no default value.
  - Max Updates Per Second
    This setting smooths out the performance impact on the server by throttling the purging to the specified maximum number of updates per second. To avoid a large backlog, set this value comfortably above the average rate at which expired data is generated. When you select subtree-delete-entries from the Purge Behavior list, deletion of an entire subtree is counted as a single update for the purposes of throttling. This field has no default value.
- Click Save.
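The following is an added example and is not code from the PingFederate or PingDirectory documentation above. It covers both halves of the procedure: `disable_stored_session_cleaner()` sets StoredSessionCleanerInterval to 0 in timer-intervals.xml (step 1) and refuses to silently do nothing if the item is missing, and `purgeable_sessions()` reproduces the decision the Purge Expired Data Plugin makes from the Datetime Attribute and Expiration Offset fields, so you can check an offset against sample session entries before enabling the plugin. Assumptions, not taken from the page: the con:config/con:item layout of the constructed timer-intervals.xml sample, the s/m/h/d unit letters beyond the "3 w" shown above, the inclusive comparison at the exact boundary, and the constructed DNs and timestamps of the sample session entries.

```python
"""Added example (not PingFederate/PingDirectory code): the two parts of the procedure."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

CON_NS = "http://www.sourceid.org/2004/05/config"  # assumed config-store namespace

# Constructed sample of timer-intervals.xml; layout and values are assumptions.
SAMPLE_TIMER_INTERVALS = f"""<?xml version="1.0" encoding="UTF-8"?>
<con:config xmlns:con="{CON_NS}">
    <con:item name="StoredSessionCleanerInterval">900</con:item>
    <con:item name="OtherInterval">300</con:item>
</con:config>
"""


def _items(root):
    return root.iter(f"{{{CON_NS}}}item")


def read_interval(xml_text: str, name: str) -> str:
    """Return the text of the con:item with the given name, or raise if absent."""
    root = ET.fromstring(xml_text)
    for item in _items(root):
        if item.get("name") == name:
            return (item.text or "").strip()
    raise ValueError(f"{name} not found in timer-intervals.xml")


def disable_stored_session_cleaner(xml_text: str) -> str:
    """Return xml_text with StoredSessionCleanerInterval set to 0 (step 1).

    Raises ValueError when the item is absent, so a typo does not leave the
    PingFederate cleaner running alongside the PingDirectory plugin.
    """
    ET.register_namespace("con", CON_NS)
    root = ET.fromstring(xml_text)
    hits = [i for i in _items(root) if i.get("name") == "StoredSessionCleanerInterval"]
    if not hits:
        raise ValueError("StoredSessionCleanerInterval not found in timer-intervals.xml")
    for item in hits:
        item.text = "0"
    return ET.tostring(root, encoding="unicode")


# Offset units: "w" and minutes appear on the page; s/h/d are assumed.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def parse_offset(offset: str) -> timedelta:
    """Parse an Expiration Offset such as '3 w' or '30 m' (integer + unit)."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw])\s*", offset)
    if not m:
        raise ValueError(f"bad Expiration Offset: {offset!r}")
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDHHMMSSZ form of LDAP generalized time (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def purgeable_sessions(entries, datetime_attribute, expiration_offset, now):
    """Return the DNs the plugin would delete on a run at `now`.

    An entry is subject to removal when the chosen attribute's timestamp is
    older than `now` by at least the offset (inclusive boundary is assumed).
    """
    offset = parse_offset(expiration_offset)
    return [dn for dn, attrs in entries.items()
            if now - parse_generalized_time(attrs[datetime_attribute]) >= offset]


# Constructed session-group entries: attribute names as on the page, DNs invented.
NOW = datetime(2024, 6, 1, 0, 0, 0, tzinfo=timezone.utc)
SAMPLE_SESSIONS = {
    "cn=a1,ou=sessions,dc=example,dc=com": {
        "pf-authn-session-group-expiry-time": "20240531230000Z",         # expired 1 h ago
        "pf-authn-session-group-last-activity-time": "20240525000000Z",  # idle 7 d
    },
    "cn=b2,ou=sessions,dc=example,dc=com": {
        "pf-authn-session-group-expiry-time": "20240610000000Z",         # still valid
        "pf-authn-session-group-last-activity-time": "20240501000000Z",  # idle 31 d
    },
}

if __name__ == "__main__":
    fixed = disable_stored_session_cleaner(SAMPLE_TIMER_INTERVALS)
    print("StoredSessionCleanerInterval ->", read_interval(fixed, "StoredSessionCleanerInterval"))
    print("expiry-time, 0 m   :",
          purgeable_sessions(SAMPLE_SESSIONS, "pf-authn-session-group-expiry-time", "0 m", NOW))
    print("last-activity, 3 w :",
          purgeable_sessions(SAMPLE_SESSIONS, "pf-authn-session-group-last-activity-time", "3 w", NOW))
```

Running the two selections side by side shows the practical difference between the two Datetime Attribute choices: with pf-authn-session-group-expiry-time and an offset of 0 m only the expired session a1 is removed, while with pf-authn-session-group-last-activity-time and 3 w the still-valid but idle session b2 is removed and a1, idle for only a week, is kept.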