PingFederate Server

Storing PingFederate data with Redis

You can store short-lived PingFederate data in an external Redis cache. This offers fast, constant access to operating data, improving PingFederate resiliency and scalability. External caching also eases upgrading in a clustered environment.

Depending on your configuration, you lose some data such as long-lived tokens and transaction records when you restart a PingFederate cluster. Storing this data in Redis allows you to retain it even in the case of a full cluster reset. Retaining this data also improves scalability by eliminating the need for memory rebalancing after a node startup or shutdown.

Storing data on Redis makes upgrades easier by allowing newer and older versions of PingFederate to run together on a cluster briefly. This allows you to stagger your upgrades and reduce downtime.

PingFederate currently supports storing data from the following services on Redis:

  • Account locking data

  • Authorization artifacts

  • Inter-Request State-Management (IRSM) data

Configuring your Redis connection

  1. Open the <pingfed_install>/pingfederate/server/default/conf/redis-connection.conf file in a text editor.

  2. Configure the parameters for your Redis deployment. Refer to the following table for parameter information.

  3. Save and close the file.

You can also enable the redis-connection.conf settings using environment variables.

Next steps

After configuring your Redis connection, you can configure PingFederate services to store data in your Redis cache. The following sections in this topic have instructions for configuring each Redis-compatible PingFederate service.

Redis connection configurations

The redis-connection.conf file contains the following parameters to allow you to configure your Redis connection:

Parameter Description

redis.mode

The mode of your Redis deployment.

The default off mode indicates no Redis connection.

PingFederate supports the following deployment modes:

  • standalone

  • sentinel

  • cluster

redis.pool.minIdle

The minimum number of idle connections in the pool. The default value is 0.

redis.pool.maxIdle

The maximum number of idle connections in the pool. The default value is 8.

redis.pool.maxTotal

The total number of connections in the pool. The default value is 8.

redis.pool.testonBorrow

Whether to test connections when borrowing from the pool. The default value is true.

redis.pool.testOnReturn

Whether to test connections when they return to the pool. The default value is false.

redis.pool.testWhileIdle

Whether to test idle connections. The default value is true.

redis.credential.mode

Whether to use credentials to authenticate into Redis.

A value of off requires no authentication. A value of static authenticates with a username and password.

redis.credential.static.username, redis.credential.static.password

If the redis.credential.mode value is static, you must set the username, the password, or both.

The password can be in plain text, obfuscated, or stored in an external key store such as CyberArk.

You can obfuscate your password using the obfuscate utility in <pingfed_install>/pingfederate/bin.

redis.standalone.host

The Redis host name when redis.mode is set to standalone.

redis.standalone.port

The Redis port number when redis.mode is set to standalone.

redis.standalone.database

The Redis database ID. The default value is 0.

redis.sentinel.nodes

A comma-separated list of Redis host/port pairs when redis.mode is sentinel. The default port value is 26379. Example value: redis1:26379, redis2:26379.

redis.sentinel.master.id

The ID of the master node when redis.mode is sentinel.

redis.sentinel.database

The Redis database ID. The default value is 0.

Redis resource allocation

You can configure settings such as session duration and the maximum number of attributes for Redis-capable PingFederate services in the <pingfed_install>/pingfederate/server/default/conf/redis-size-limits.conf file.

Parameter Description

Inter Request State Management settings

InterReqStateMgmt.expiry.mins.state.map

The expiry period in minutes for user sessions in the state map stored in Redis. Sessions that are inactive beyond this time are removed. Default value is 30.

InterReqStateMgmt.expiry.mins.attr.map

The expiry period in minutes for user sessions in the attribute map stored in Redis. Sessions that are inactive beyond this period are removed. Default value is 1440. This parameter should be set higher than InterReqStateMgmt.expiry.mins.state.map.

InterReqStateMgmt.max.session.attrs

The maximum number of attributes stored in the attribute map for a user session. Default value is 500.
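
The following pre-restart check is an added example, not part of the PingFederate distribution. It audits the two files against the rules in the tables above, assuming both files hold key=value lines with # comments and that an unset redis.credential.mode behaves like off; the function names and sample values are constructed for illustration.

```python
# Added example: audits PingFederate Redis settings against the rules in the tables above.
# Assumptions: both files hold "key=value" lines with "#" comments, and an unset
# redis.credential.mode behaves like "off".
MODES = ("off", "standalone", "sentinel", "cluster")
REQUIRED = {  # parameters the table associates with each mode; flagging them when unset is this example's choice
    "standalone": ["redis.standalone.host", "redis.standalone.port"],
    "sentinel": ["redis.sentinel.nodes", "redis.sentinel.master.id"],
}
STATE_KEY = "InterReqStateMgmt.expiry.mins.state.map"
ATTR_KEY = "InterReqStateMgmt.expiry.mins.attr.map"

def parse_conf(text):
    """Return a dict of key=value pairs, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_connection(conf):
    """Check redis-connection.conf settings; return a list of findings."""
    mode = conf.get("redis.mode", "off")
    if mode not in MODES:
        return [f"unsupported redis.mode: {mode}"]
    if mode == "off":
        return []  # no Redis connection, so nothing else applies
    findings = [f"{key} is not set for redis.mode={mode}"
                for key in REQUIRED.get(mode, []) if not conf.get(key)]
    cred = conf.get("redis.credential.mode", "off")
    if cred == "off":
        findings.append("redis.credential.mode=off: PingFederate connects without authenticating")
    elif cred == "static" and not (conf.get("redis.credential.static.username")
                                   or conf.get("redis.credential.static.password")):
        findings.append("static credential mode needs a username or a password")
    return findings

def audit_size_limits(conf):
    """Check that the attribute map outlives the state map (defaults 1440 and 30)."""
    state, attr = int(conf.get(STATE_KEY, 30)), int(conf.get(ATTR_KEY, 1440))
    return [f"{ATTR_KEY}={attr} should be higher than {STATE_KEY}={state}"] if attr <= state else []

# Constructed sample input, not a shipped default.
SAMPLE_CONNECTION = "redis.mode=sentinel\nredis.sentinel.nodes=redis1:26379, redis2:26379\nredis.credential.mode=off\n"
SAMPLE_LIMITS = f"# constructed\n{STATE_KEY}=60\n{ATTR_KEY}=30\n"

if __name__ == "__main__":
    for finding in audit_connection(parse_conf(SAMPLE_CONNECTION)) + audit_size_limits(parse_conf(SAMPLE_LIMITS)):
        print("FINDING:", finding)
```

In a clustered environment, run the check against each node's copy of the files, because the configuration steps are repeated per node.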

Enabling all Redis services

You can enable all Redis-capable PingFederate services with a global setting in the run.properties file. You can’t enable or disable individual services while this setting is enabled.

Steps

  1. Open the <pingfed_install>/pingfederate/bin/run.properties file in a text editor.

  2. Set the pf.redis.mode parameter to ON.

  3. Save and close the file.

  4. (Optional) Configure Redis resource allocation in the <pingfed_install>/pingfederate/server/default/conf/redis-size-limits.conf file.

  5. If you’re running PingFederate in a clustered environment, repeat these steps for each node in the cluster.

  6. Restart PingFederate.

Configuring account locking with Redis

You can configure PingFederate to store Account Locking Service data in a Redis cache.

  1. Open the <pingfed_install>/pingfederate/server/default/conf/service-points.conf file in a text editor.

  2. Set the account.locking.service parameter to com.pingidentity.integrations.redis.lockingservice.AccountLockingServiceRedisImpl.

  3. Save and close the file.

  4. If you’re running PingFederate in a clustered environment, repeat these steps for each node in the cluster.

  5. Restart PingFederate.

Configuring artifact storage with Redis

You can configure PingFederate to store authorization artifacts in a Redis cache. Supported artifacts are:

Steps

  1. Open the <pf_install>/pingfederate/server/default/conf/service-points.conf file in a text editor.

  2. Set the artifact.store parameter to com.pingidentity.integrations.redis.artifactpersistenceservice.ArtifactPersistenceServiceRedisImpl.

  3. Save and close the file.

  4. If you’re running PingFederate in a clustered environment, repeat these steps for each node in the cluster.

  5. Restart PingFederate.

Configuring IRSM data storage with Redis

You can configure PingFederate to store Inter-Request State-Management (IRSM) Service data in a Redis cache.

Steps

  1. Open the <pf_install>/pingfederate/server/default/conf/service-points.conf file in a text editor.

  2. Set the inter.request.state.mgmt parameter to com.pingidentity.integrations.redis.irsm.InterRequestStateMgmtRedisImpl.

  3. Save and close the file.

  4. If you’re running PingFederate in a clustered environment, repeat these steps for each node in the cluster.

  5. Restart PingFederate.