PingFederate Server

Configuring directories for client storage

Specific schema objects are required in order for PingFederate to store OAuth client records on your directory server. LDIF scripts are provided for supported directory servers.

About this task

PingFederate does not migrate client records from one storage medium to another. You must recreate your clients after updating the client storage configuration. If you need only a few clients, you can recreate them using the administrative console.

If you need a large number of clients, use the administrative API to retrieve your client records before updating the client storage. Update the client storage configuration and recreate your clients using the administrative API based on the retrieved records. For more information, see PingFederate administrative API.

Steps

  1. Review the LDIF scripts for your directory server provided in the <pf_install>/pingfederate/server/default/conf/oauth-client-management/ldif-scripts directory.

  2. Replace placeholder values with relevant information from your directory server.

  3. Run the LDIF scripts to update your LDAP schema.

    For Active Directory, run the script to create the attributes, then run the script to create the object class.

    For PingDirectory, run the ldapmodify command. For example:

    ldapmodify --defaultAdd --filename "<path to ldif file>\oauth-client-management-pingdirectory.ldif" -h <hostname> -p <port> -D "<adminDN>" -w <adminPassword>

  4. If you have not already done so, create an LDAP datastore for your directory server on System → Data & Credential Stores → Data Stores.

  5. Copy the system ID of the applicable LDAP datastore from System → Data & Credential Stores → Data Stores.

  6. Edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.oauth20.domain.ClientManagerLdapImpl.xml file.

    For a clustered PingFederate environment, edit this file on the administrative console node first, and then replicate to other engine nodes using System → Server → Cluster Management as explained in later steps.

    1. Replace the <c:item name="PingFederateDSJNDIName"/> element value with the system ID of your datastore connection.

      Example:

      If the system ID is LDAP-123456789ABCDEF123456789ABCDEF123456A0AC, update the configuration file as follows.

      ...
      <!-- Data store id -->
      <c:item name="PingFederateDSJNDIName">LDAP-123456789ABCDEF123456789ABCDEF123456A0AC</c:item>
      ...
    2. Enter a value for the <c:item name="SearchBase"/> element.

      This is the distinguished name (DN) that points to the client location. For more information, see the inline comment and the LDIF scripts in the <pf_install>/pingfederate/server/default/conf/oauth-client-management/ldif-scripts directory.

    3. Update the attribute names only if you have changed attribute names in the LDIF scripts located in the <pf_install>/pingfederate/server/default/conf/oauth-client-management/ldif-scripts directory.

    4. Save the file.

  7. Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file.

    1. Go to the # Service for storing OAuth client configuration section.

      # Service for storing OAuth client configuration.
      # Supported classes are
      #   org.sourceid.oauth20.domain.ClientManagerXmlFileImpl  : Use this service-point for an XML implementation.
      #   org.sourceid.oauth20.domain.ClientManagerJdbcImpl     : Use this service-point for a Jdbc implementation.
      #   org.sourceid.oauth20.domain.ClientManagerLdapImpl     : Use this service-point for an LDAP implementation.
      #   org.sourceid.oauth20.domain.ClientManagerDynamoDBImpl : Use this service-point for a DynamoDB implementation
      #   org.sourceid.oauth20.domain.ClientManagerGenericImpl  : Use this service-point if you have specified a custom ClientStorageManager implementation above.
      client.manager=org.sourceid.oauth20.domain.ClientManagerXmlFileImpl
    2. Change the value of the client.manager service to org.sourceid.oauth20.domain.ClientManagerLdapImpl.

    For a clustered PingFederate environment, you must edit the service-points.conf file on each node manually because cluster replication can’t replicate this change to other nodes.

  8. Start or restart PingFederate.

    For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System → Server → Cluster Management.

    Start or restart the PingFederate service on each engine node to activate the change.

  9. In the directory, create indexes for the following OAuth client attributes. If you are using Active Directory, skip this step because the script for Active Directory creates these indexes. If you are using PingDirectory, see Indexing client attributes in PingDirectory for more information.

    Attribute name Index type

    pf-oauth-client-id

    equality

    pf-oauth-client-id

    ordering

    pf-oauth-client-id

    substring

    pf-oauth-client-name

    equality

    pf-oauth-client-name

    ordering

    pf-oauth-client-name

    substring

    pf-oauth-client-last-modified

    ordering