--- title: Manage externally stored authentication sessions description: Authentication sessions control when previously authenticated users are redirected back to the authentication sources on subsequent requests for browser-based single sign-on (SSO) and PingFederate user-facing applications. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_managing_externally_stored_authentication_sessions canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_managing_externally_stored_authentication_sessions.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: January 6, 2026 section_ids: related-links: Related links managing_authentication_sessions_stored_in_database: Managing authentication sessions stored in the database about-this-task: About this task steps: Steps related-links-2: Related links managing_authentication_sessions_stored_in_pd: Managing authentication sessions stored in PingDirectory configuring-the-clean-up-expired-pingfederate-persistent-sessions-plugin: Configuring the Clean Up Expired PingFederate Persistent Sessions Plugin steps-2: Steps configuring-the-clean-up-inactive-pingfederate-persistent-sessions-plugin: Configuring the Clean Up Inactive PingFederate Persistent Sessions Plugin steps-3: Steps related-links-3: Related links managing_authentication_sessions_stored_in_ds: Managing authentication sessions stored in PingDS steps-4: Steps example: Example: example-2: Example: related-links-4: Related links --- # Manage externally stored authentication sessions Authentication sessions control when previously authenticated users are redirected back to the authentication sources on subsequent requests for browser-based single sign-on (SSO) and PingFederate user-facing applications. When you enable authentication sessions, PingFederate maintains session data in memory. PingFederate also supports maintaining session data both in memory and on an external storage. This optional capability allows your organization to support use cases where a longer session duration or a greater resilience against restarts of PingFederate and browsers is desired. PingFederate supports storing persistent authentication sessions on a database server or a PingDirectory server. When stored on a database server, the default cleanup task removes expired authentication sessions once a day. If stored on a PingDirectory server, configure a cleanup plugin in PingDirectory to suit the needs of your organization. ## Related links * [Sessions](pf_sessions.html) * [Defining a datastore for persistent authentication sessions](pf_defining_datastore_persis_auth_sess.html) ## Managing authentication sessions stored in the database PingFederate uses a cleanup task to remove expired authentication sessions from the configured database once a day. The cleanup task determines whether a session can be removed by looking at the session's expiration timestamp and the current time. ## About this task Any session that has an expiration timestamp older than the current time by a configurable offset is subject to removal. As needed, the cleanup task can look at the session's last activity timestamp instead. The cleanup task removes 500 expired sessions at a time until all expired sessions are removed. If expired sessions are growing rapidly, you can optionally increase the frequency of the cleanup task. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | Increasing the frequency of the cleanup task or the number of expired sessions to be removed per batch (or both) adds more workload to your storage server. Make changes gradually to observe the impact. | | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | In a clustered PingFederate environment, the cleanup task runs only on the console node. If adjustments are required, make them on the console node. No changes are required on any of the engine nodes. | ## Steps 1. (Optional) Adjust the frequency of the cleanup task. 1. Edit the `/pingfederate/server/default/data/config-store/timer-intervals.xml` file. 2. Update the `StoredSessionCleanerInterval` value, in milliseconds. The default value is `86400000`, which is 24 hours. 3. Save your changes. 2. (Optional) Configure other cleanup options. 1. Edit the `/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl.xml` file. See the following table for more information about each field. | Field | Description | | ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `ExpiredSessionGroupBatchSize` | The number of expired authentication sessions to be removed per batch.The default value is `500`. | | `ExpirationTimeColumnName` | The column of which its value determines whether an authentication session has expired in the context of the cleanup task. Valid options are `expiry_time` and `last_activity_time`.- `expiry_time` Set to `expiry_time` if the cleanup task should only remove persistent authentication sessions that have expired.The cleanup task determines if a session can be removed by looking at the session's expiration timestamp and the current time. If the expiration timestamp is older than the current time by the number of minutes specified by the `ExpirationTimeOffsetMins` field, the session is subject to removal. - `last_activity_time` Set to `last_activity_time` if the clean task should remove persistent authentication sessions that have been left idle.The cleanup task determines if a session can be removed by looking at the session's last activity timestamp and the current time. If the last activity timestamp is older than the current time by the number of minutes specified by the `ExpirationTimeOffsetMins` field, the session is subject to removal.For example, if PingFederate should remove persistent authentication sessions for which the last activity time is more than three weeks ago, set the `ExpirationTimeColumnName` value to `last_activity_time` and the `ExpirationTimeOffsetMins` value to `30240`.The default value is `expiry_time`. | | `ExpirationTimeOffsetMins` | The offset, in minutes, relative to the current time.The default value is `10`. | 2. Save your changes. 3. If you have made any changes, restart PingFederate. In a clustered PingFederate environment, you don't have to change or restart PingFederate on any of the engine nodes. ## Related links * [Sessions](pf_sessions.html) * [Defining a datastore for persistent authentication sessions](pf_defining_datastore_persis_auth_sess.html) ## Managing authentication sessions stored in PingDirectory When storing persistent authentication sessions on a PingDirectory server, you must also configure cleanup plugins in PingDirectory to remove unwanted authentication sessions from your directory server. PingDirectory has separate plugins to clean up [expired sessions](https://developer.pingidentity.com/reference/pingdirectory/10.3.0.0/config-guide/clean-up-expired-pingfederate-persistent-sessions-plugin.html) and [inactive sessions](https://developer.pingidentity.com/reference/pingdirectory/10.3.0.0/config-guide/clean-up-inactive-pingfederate-persistent-sessions-plugin.html). You should configure both. ### Configuring the Clean Up Expired PingFederate Persistent Sessions Plugin ## Steps 1. Disable the PingFederate cleanup task. | | | | - | ------------------------------------------------------------------------------------------------------------------------------- | | | For a clustered PingFederate environment, make these changes on the console node. None of the engine nodes require any changes. | 1. Edit the `/pingfederate/server/default/data/config-store/timer-intervals.xml` file. 2. Update the `StoredSessionCleanerInterval` value to `0`. 3. Save your changes. 4. Restart PingFederate. 2. Sign on to the PingDirectory administrative console. 3. Go to **Configuration > Plugin Root**. 4. On the **Plugin Root** window, click **New Plugin**, and then select **Clean Up Expired PingFederate Persistent Sessions Plugin**. 5. Configure a new instance of the **Clean Up Expired PingFederate Persistent Sessions Plugin**. The following table contains information about each required field: | Field | Description | | ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Name** | The name of this plugin instance. | | **Enabled** | Select the checkbox to enable this plugin instance. Clear the checkbox to disable this plugin instance.This checkbox is cleared by default. | | **Polling Interval** | The frequency with which to run this plugin.Enter an integer to indicate the time value, followed by its unit of measurement.This field has no default value. | | **Max Updates Per Second** | This setting smooths out the performance impact on the server by throttling the purging to the specified maximum number of updates per second. To avoid a large backlog, set this value well above the average rate at which expired data is generated.This field has no default value. | | (Optional) **Peer Server Priority Index** | In a replicated PingDirectory environment, this parameter determines the order in which peer PingDirectory servers will attempt to purge data. In replicated environments, this plugin should be configured on multiple servers to provide a highly-available configuration.Valid values are integers. Lowest numbers are prioritized. If left blank, server priority is determined automatically. | | **Num Delete Threads** | The number of threads dedicated to deleting stored sessions. The default value is `1`. | You can find more detailed description of these values in the [Clean Up Expired PingFederate Persistent Sessions Plugin](https://developer.pingidentity.com/reference/pingdirectory/10.3.0.0/config-guide/clean-up-expired-pingfederate-persistent-sessions-plugin.html) configuration reference guide. 6. Click **Save**. ### Configuring the Clean Up Inactive PingFederate Persistent Sessions Plugin ## Steps 1. Disable the PingFederate cleanup task. | | | | - | ------------------------------------------------------------------------------------------------------------------------------- | | | For a clustered PingFederate environment, make these changes on the console node. None of the engine nodes require any changes. | 1. Edit the `/pingfederate/server/default/data/config-store/timer-intervals.xml` file. 2. Update the `StoredSessionCleanerInterval` value to `0`. 3. Save your changes. 4. Restart PingFederate. 2. Sign on to the PingDirectory administrative console. 3. Go to **Configuration > Plugin Root**. 4. On the **Plugin Root** window, click **New Plugin**, and then select **Clean Up Inactive PingFederate Persistent Sessions Plugin**. 5. Configure a new instance of the **Clean Up Inactive PingFederate Persistent Sessions Plugin**. The following table contains information about each required field: | Field | Description | | ----------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | **Name** | The name of this plugin instance. | | **Enabled** | Select the checkbox to enable this plugin instance. Clear the checkbox to disable this plugin instance.This checkbox is cleared by default. | | **Expiration Offset** | The offset relative to the current time.Enter an integer to indicate the time value, followed by its unit of measurement.This field has no default value. | | **Polling Interval** | The frequency with which to run this plugin.Enter an integer to indicate the time value, followed by its unit of measurement.This field has no default value. | | **Max Updates Per Second** | This setting smooths out the performance impact on the server by throttling the purging to the specified maximum number of updates per second. To avoid a large backlog, set this value well above the average rate at which expired data is generated.This field has no default value. | | (Optional) **Peer Server Priority Index** | In a replicated PingDirectory environment, this parameter determines the order in which peer PingDirectory servers will attempt to purge data. In replicated environments, this plugin should be configured on multiple servers to provide a highly-available configuration.Valid values are integers. Lowest numbers are prioritized. If left blank, server priority is determined automatically. | | **Num Delete Threads** | The number of threads dedicated to deleting stored sessions. The default value is `1`. | You can find more detailed description of these values in the [Clean Up Expired PingFederate Persistent Sessions Plugin](https://developer.pingidentity.com/reference/pingdirectory/10.3.0.0/config-guide/clean-up-inactive-pingfederate-persistent-sessions-plugin.html) configuration reference guide. ## Related links * [Sessions](pf_sessions.html) * [Defining a datastore for persistent authentication sessions](pf_defining_datastore_persis_auth_sess.html) ## Managing authentication sessions stored in PingDS When storing persistent authentication sessions on a PingDS server, you must also configure TTL settings in PingDS to remove expired authentication sessions from your server. ## Steps 1. Disable the PingFederate cleanup task. | | | | - | ------------------------------------------------------------------------------------------------------------------------------- | | | For a clustered PingFederate environment, make these changes on the console node. None of the engine nodes require any changes. | 1. Edit the `/pingfederate/server/default/data/config-store/timer-intervals.xml` file. 2. Update the `StoredSessionCleanerInterval` value to `0`. 3. Save your changes. 4. Restart PingFederate. 2. Connect to the PingDS server. 3. Update the indexes using PingDS's dsconfig utility. The dsconfig utility is interactive. You can also provide inputs as command arguments. The following examples create the indexes. 1. To remove persistent authentication sessions that have expired, update the `pf-authn-session-group-expiry-time` index. PingDS determines whether a session can be removed by comparing the session's timestamp to the current time. If the expiration timestamp by `ttl-age`, the session is subject to removal. ### Example: For example, if you want PingDS to remove persistent authentication sessions for which the expiration timestamp is more than ten seconds ago, set the `ttl-age` value to `10\ s\`. ``` $ dsconfig set-backend-index-prop \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --backend-name dsEvaluation \ --index-name pf-authn-session-group-expiry-time \ --set ttl-enabled:true \ --set ttl-age:10\ s \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt ``` 2. To remove persistent authentication sessions that are idle, update the `pf-auth-session-group-last-activity-time` index. PingDS determines whether a session is idle by comparing the session's last activity timestamp to the current time. If the last activity timestamp is older than the current time by `ttl-age`, the session is subject to removal. ### Example: For example, if you want PingDS to remove persistent authentication sessions that have been idle for more than three weeks, set the `ttl-age` value to `3\ w\`. ``` $ dsconfig set-backend-index-prop \ --hostname localhost \ --port 4444 \ --bindDN uid=admin \ --bindPassword password \ --backend-name dsEvaluation \ --index-name pf-authn-session-group-last-activity-time \ --set ttl-enabled:true \ --set ttl-age:3\ w \ --usePkcs12TrustStore /path/to/opendj/config/keystore \ --trustStorePassword:file /path/to/opendj/config/keystore.pin \ --no-prompt ``` Learn more in [Backend index](https://docs.pingidentity.com/pingds/latest/configref/objects-backend-index.html) in the PingDS documentation. ## Related links * [Sessions](pf_sessions.html)