PingFederate Server

Configuring an Amazon Dynamo database for persistent grants

About this task

Maintain access grants in Amazon Web Services (AWS) native DynamoDB.

Global secondary indexes:

  • “AccessGrantsUniqueUserId-index” Hash: UniqueUserID

  • “AccessGrantsHashedRefreshToken-index” Hash: HashedRefreshToken

  • “AccessGrantsClientId-index”: Hash ClientID

  • “AccessGrantsLimitCheck-index” Hash: UniqueUserID, Range: ClientID

Steps

  1. To create a table in the DynamoDB to contain access grants, run the commands located in the access-grant-dynamodb.txt file in the server/default/conf/access-grant/nosql-scripts directory.

    This file contains the create table command, the key, global secondary indexes, and the attributes needed for the key and index, as well as the command to enable the TTL expires attribute.

  2. Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file.

    1. Go to the # Service for storage of access grants section.

    2. Change the access.grant.manager service endpoint to the following:

      ...
access.grant.manager=org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl
...

      In clustered PingFederate environments, you must manually edit the service-points.conf file on each node because cluster replication can’t replicate this change to other nodes.

  3. Edit the server/default/data/config-store/org.sourceid.oauth20.token.AccessGrantManagerDynamoDBImpl.xml file.

    PingFederate Access Grants
    Access Grants Description

    AccessGrantsUniqueUserId-index

    The name of the user ID index.

    This is the default value.

    AccessGrantsHashedRefreshToken-index

    The name of the hashed refresh token index.

    This is the default value.

    AccessGrantsClientId-index

    The name of the client ID index.

    This is the default value.

    AccessGrantsLimitCheck-index

    The name of the limits check index.

    This is the default value.

    EndpointOverride

    An optional endpoint URL which should not be used in production but allows for testing with a local development DynamoDB instance.

    By default, this value is empty. To test DynamoDB running locally, specify EndpointOverride to point to a local endpoint. For example, <c:item name="EndpointOverride">http://localhost:8000</c:item>;. For more information, see DynamoDB local usage notes in the AWS DynamoDB documentation.

  4. Export the AWS region.

    See the following for a sample command export AWS_REGION=us-east-2.

  5. Start or restart PingFederate.