Defining a datastore for persistent authentication sessions
When enabling PingFederate authentication sessions, you can select the persistent option so that PingFederate can leverage previous sessions as users request protected resources after restarting their browsers.
About this task
This optional persistent configuration requires external storage of session-state data, as opposed to in-memory alone. By default, PingFederate uses its internal HSQLDB database to maintain persistent authentications. You can configure PingFederate to maintain persistent authentication sessions externally on a database server or a PingDirectory server. Also, the PingFederate SDK lets you use custom solutions for persistent session storage.
Use the built-in HSQLDB only for trial or training environments. For testing and production environments, always use a secured external storage solution for proper functioning in a clustered environment. Testing involving HSQLDB is not a valid test. In both testing and production, it might cause various problems due to its limitations and HSQLDB involved cases are not supported by Ping Identity. |
Steps
-
Create the required data structure on the external storage medium.
-
Modify two PingFederate configuration XML files.
Related links
Configuring an external database for authentication sessions
Set up various tables so that PingFederate can store authentication sessions on corresponding database servers.
About this task
Specific tables are required in order for PingFederate to store authentication sessions on your database server. Table-setup scripts are provided for supported database servers.
Steps
-
Run the table-setup scripts, provided in the
<pf_install>/pingfederate/server/default/conf/authentication-session/sql-scripts
directory, for your database server. -
If you have not already done so, go to System → Data & Credential Stores. In the Data Stores window, create a Java Database Connection (JDBC) datastore for your database server.
-
Copy the system ID of the applicable JDBC datastore from the Data Stores window.
-
Edit the
org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl.xml
file, located in the<pf_install>/pingfederate/server/default/data/config-store
directory.For a clustered PingFederate environment, edit this file on the administrative console node first, and then replicate to other engine nodes using System → Server → Cluster Management as explained in later steps.
Replace the
<c:item name="PingFederateDSJNDIName"/>
element value with the system ID of your data store connection and save the file.Example:
For example, if the system ID is
JDBC-123456789ABCDEF123456789ABCDEF123456A0A6
, update theorg.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl.xml
file as follows.<?xml version="1.0" encoding="UTF-8"?> <c:config xmlns:c="http://www.sourceid.org/2004/05/config"> <c:item name="PingFederateDSJNDIName">JDBC-123456789ABCDEF123456789ABCDEF123456A0A6</c:item> </c:config>
-
Edit the
<pf_install>/pingfederate/server/default/conf/service-points.conf
file.For example, if the system ID is
SessionStorageManager
:-
Go to the
# Service for storing Authentication Sessions
section.# Service for storing Authentication Sessions. # Supported classes: # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl : Use this service-point for a Jdbc implementation. # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl : Use this service-point for an LDAP implementation. # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl : Use this service-point for a DynamoDB implementation. session.storage.manager=org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl
-
Change the value of the
session.storage.manager
service tocom.org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl
, the default value.In clustered PingFederate environments, you must manually edit the
service-points.conf
file on each node because cluster replication can’t replicate this change to other nodes.
-
-
Start or restart the PingFederate service.
For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System → Server → Cluster Management.
Start or restart the PingFederate service on each engine node to activate the change.
Result
PingFederate removes expired authentication sessions from the database once a day. To fine-tune the frequency and the number of expired authentication sessions to remove, see Managing authentication sessions stored in the database.
Related links
Configuring PingDirectory for authentication sessions
Use specific schema objects to enable PingFederate to store authentication sessions on your directory server. For PingDirectory, LDIF scripts are provided for this purpose.
Steps
-
Update the LDAP schema.
-
Sign on to the PingDirectory administrative console.
-
Go to LDAP Schema → Schema Utilities.
-
Click Import Schema Element.
-
Copy the schema changes from the
authentication-session-attributes-ldap-pingdirectory.ldif
file and paste them into the text area.The file is located in the
<pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts
directory.
Replace the placeholder values with relevant information from your directory server.
-
Click Import.
-
-
Create the following indexes.
Attribute name Index type pf-authn-session-group-hashed-session-id
equality
pf-authn-session-group-user-ids
equality
pf-authn-session-group-expiry-time
ordering
pf-authn-session-group-last-activity-time
ordering
Create these indexes with PingDirectory’s
dsconfig
utility. Thedsconfig
utility is interactive. You can also provide inputs as command arguments. The following examples create the indexes.$ bin/dsconfig create-local-db-index \ --backend-name userRoot \ --index-name
pf-authn-session-group-hashed-session-id
\ --set index-type:equality$ bin/dsconfig create-local-db-index \ --backend-name userRoot \ --index-name
pf-authn-session-group-user-ids
\ --set index-type:equality$ bin/dsconfig create-local-db-index \ --backend-name userRoot \ --index-name
pf-authn-session-group-expiry-time
\ --set index-type:ordering$ bin/dsconfig create-local-db-index \ --backend-name userRoot \ --index-name
pf-authn-session-group-last-activity-time
\ --set index-type:orderingAfter adding the indexes, use the
rebuild-index
utility to build the indexes. The following example builds the required indexes.$ bin/rebuild-index \ --baseDN "dc=example,dc=com" \ --index pf-authn-session-group-hashed-session-id \ --index pf-authn-session-group-user-ids \ --index pf-authn-session-group-expiry-time \ --index pf-authn-session-group-last-activity-time
For more information, see Working with Indexes in the PingDirectory Administration Guide
.
-
If you have not already done so, create an LDAP data store for your directory server on System → Data & Credential Stores → Data Stores.
-
Copy the system ID of the applicable LDAP data store from the Data Stores window.
-
Edit the
/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl.xml
file.For a clustered PingFederate environment, edit this file on the administrative console node first, and then replicate to other engine nodes using System → Server → Cluster Management as explained in later steps.
-
Replace the
<c:item name="PingFederateDSJNDIName"/>
element value with the system ID of your data store connection.Example:
For example, if the system ID is
LDAP-123456789ABCDEF123456789ABCDEF123456A0AC
, update the configuration file as follows.+
... <!-- Data store id --> <c:item name="PingFederateDSJNDIName">LDAP-123456789ABCDEF123456789ABCDEF123456A0AC</c:item> ...
-
Enter a value for the
<c:item name="SearchBase"/>
element.This is the distinguished name (DN) that points to the client location. For more information, see the inline comment and the LDIF scripts in the
<pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts
directory. -
Update the attribute names only if you have changed attribute names in the LDIF scripts located in the
<pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts
directory. -
Save the file.
-
-
Edit the
<pf_install>/pingfederate/server/default/conf/service-points.conf
file.-
Go to the
# Service for storing Authentication Sessions
section.# Service for storing Authentication Sessions. # Supported classes: # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl : Use this service-point for a Jdbc implementation. # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl : Use this service-point for an LDAP implementation. # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl : Use this service-point for a DynamoDB implementation. session.storage.manager=org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl
-
Change the value of the
session.storage.manager
service toorg.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl
.
For a clustered PingFederate environment, you must edit the
service-points.conf
file on each node manually because cluster replication can’t replicate this change to other nodes. -
-
Start or restart the PingFederate service.
For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System → Server → Cluster Management.
Start or restart the PingFederate service on each engine node to activate the change.
When storing persistent authentication sessions on a PingDirectory server, you must also configure a cleanup plugin in PingDirectory to remove expired authentication sessions from your directory server. For more information, see Managing authentication sessions stored in PingDirectory.
Related links
Configuring an AWS DynamoDB for persistent authentication sessions
Set up an Amazon Web Services (AWS) DynamoDB so that PingFederate can store persistent authentication sessions in the DynamoDB NoSQL database.
Before you begin
Ensure that your server is configured to access DynamoDB.
About this task
PingFederate requires specific tables to store persistent authentication sessions on your DynamoDB server. Table-setup scripts are provided for this purpose.
PingFederate supports the use of global multi-region tables for DynamoDB. However, these tables are managed entirely by AWS. Learn more about configuring global tables in Amazon DynamoDB global tables in the AWS documentation. |
Steps
-
To create a table in DynamoDB to contain authentication sessions, run the commands in the
<pf_install>/pingfederate/server/default/conf/authentication-session/nosql-scripts/authentication-session-dynamodb.txt
file.This file contains basic commands to create the table, with sample values for read and write throughput, as well as the command to enable
ExpiryTime
as the Time-to-Live (TTL) attribute.-
Optional: To rename the table and index names, edit the
table-name
and\"IndexName\"
values in the table script in theauthentication-session-dynamodb.txt
file.
-
-
Optional: If authentication sessions are not already enabled in PingFederate, go to Authentication → Policies → Sessions to configure them. For more information, see Configuring authentication sessions.
-
Edit the
<pf_install>/pingfederate/server/default/conf/service-points.conf
file:-
Locate the
SessionStorageManager
service point:# Service for storing Authentication Sessions. # Supported classes: # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl : Use this service-point for a Jdbc implementation. # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl : Use this service-point for an LDAP implementation. # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl : Use this service-point for a DynamoDB implementation. session.storage.manager=org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl
-
Update the value of the service point to
org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl
. -
Save the file.
For a clustered PingFederate environment, you must edit the
service-points.conf
file on each node manually because cluster replication can’t replicate this change to other nodes.
-
-
Optional: If you modified the default table and index names in the
authentication-session-dynamodb.txt
file in step 1, edit the<pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl.xml
file to match your customized configuration.If you ran the script commands from the
authentication-session-dynamodb.txt
as is and did not change the default names in the commands, you do not need to edit the<pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl.xml
file.-
Replace the
<c:item name="SessionGroupTableName"/>
,<c:item name="UserIdTableName"/>
,<c:item name="HashedSessionIdIndexName"/>
,<c:item name="SessionUserIdGroupIdIndexName"/>
element values with the customized names created during your initial DynamoDB setup. -
Save the file.
The following table describes the preconfigured PingFederate variables in the
<pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl.xml
file.
DynamoDB Session Storage Manager Variables Variable Description PingFederateAuthenticationSessionHashedSessionId-index
The name of the hashed session ID index.
This is the default value.
PingFederateAuthenticationSessionUserIdGroupId-index
The name of the user ID and group ID index.
This is the default value.
EndpointOverride
An optional endpoint URL which should not be used in production but allows for testing with a local development DynamoDB instance.
By default, this value is empty. To test DynamoDB running locally, specify
EndpointOverride
to point to a local endpoint. For example,<c:item name="EndpointOverride">http://localhost:8000</c:item>
. For more information, see DynamoDB local usage notes in the AWS DynamoDB documentation.dynamoDbBatchSize
Number of records to request when performing batch operations against DynamoDB. The minimum allowed value is one, the maximum allowed value is 100, and the default value is 50.
ApiCallTimeout
The amount of time in milliseconds to allow the client to complete the execution of the API call. The default value is 10000.
ApiCallAttemptTimeout
The amount of time in milliseconds to wait for the HTTP request to complete before giving up and timing out. The default value is 1000.
-
-
Start or restart the PingFederate service.
For a clustered PingFederate, replicate this new configuration to other engine nodes on System → Server → Cluster Management. Start or restart the PingFederate service on each engine node to active the change.
Result
PingFederate relies on the DynamoDB TTL attribute to remove expired authentication sessions from the database. For more information on TTL, see Expiring items by using DynamoDB Time to Live (TTL) in the AWS DynamoDB documentation.
Using custom solutions for persistent session storage
The PingFederate SDK supports custom storage for persistent authentication sessions.
Steps
-
Implement the
SessionStorageManager
interface.For more information, see the Javadoc for the
SessionStorageManager
interface. The Javadocs for PingFederate are in the<pf_install>/pingfederate/sdk
directory. -
Edit the
<pf_install>/pingfederate/server/default/conf/service-points.conf
file:-
Go to the
# Service for storing Authentication Sessions
section.# Service for storing Authentication Sessions. # Supported classes: # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl : Use this service-point for a Jdbc implementation. # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl : Use this service-point for an LDAP implementation. # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl : Use this service-point for a DynamoDB implementation. session.storage.manager=org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl
-
Change the value of the
session.storage.manager
service to the name of your class.
For a clustered PingFederate environment, you must edit the
service-points.conf
file on each node manually because cluster replication can’t replicate this change to other nodes. -
-
Deploy the required program files of your custom implementation to all PingFederate servers.
-
Start or restart PingFederate.
For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System → Server → Cluster Management.
Start or restart the PingFederate service on each engine node to activate the change.