PingFederate Server

Configuring an external database for authentication sessions

Set up various tables so that PingFederate can store authentication sessions on corresponding database servers.

About this task

Specific tables are required in order for PingFederate to store authentication sessions on your database server. Table-setup scripts are provided for supported database servers.

Steps

  1. Run the table-setup scripts, provided in the <pf_install>/pingfederate/server/default/conf/authentication-session/sql-scripts directory, for your database server.

  2. If you have not already done so, go to System → Data & Credential Stores. In the Data Stores window, create a Java Database Connection (JDBC) datastore for your database server.

  3. Copy the system ID of the applicable JDBC datastore from the Data Stores window.

  4. Edit the org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.

    For a clustered PingFederate environment, edit this file on the administrative console node first, and then replicate to other engine nodes using System > Server > Cluster Management as explained in later steps.

    Replace the <c:item name="PingFederateDSJNDIName"/> element value with the system ID of your data store connection and save the file.

    Example:

    For example, if the system ID is JDBC-123456789ABCDEF123456789ABCDEF123456A0A6, update the org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl.xml file as follows.

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:item name="PingFederateDSJNDIName">JDBC-123456789ABCDEF123456789ABCDEF123456A0A6</c:item>
    </c:config>

  5. Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file.

    For example, if the system ID is SessionStorageManager:

    1. Go to the # Service for storing Authentication Sessions section.

      # Service for storing Authentication Sessions.
      # Supported classes:
      #    org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl : Use this service-point for a Jdbc implementation.
      #    org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl : Use this service-point for an LDAP implementation.
      #    org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl : Use this service-point for a DynamoDB implementation.
      session.storage.manager=org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl

    2. Change the value of the session.storage.manager service to org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl, the default value.

      In clustered PingFederate environments, you must manually edit the service-points.conf file on each node because cluster replication can’t replicate this change to other nodes.

  6. Start or restart the PingFederate service.

    In a clustered PingFederate environment, replicate the configuration to the engine nodes using System > Server > Cluster Management, then start or restart the PingFederate service on each engine node to activate the change.
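
Because service-points.conf is edited by hand on every node, a per-node consistency check of steps 4 and 5 catches a mistyped class name or an empty data store ID before the restart. The following is an added example, not Ping Identity code: the function names are hypothetical, the sample values (including JDBC-EXAMPLE) are constructed, and it assumes you pass in the contents of the two files edited above.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://www.sourceid.org/2004/05/config"}
PREFIX = "org.sourceid.saml20.service.session.data.impl.SessionStorageManager"
JDBC_IMPL = PREFIX + "JdbcImpl"
SUPPORTED = {PREFIX + s for s in ("JdbcImpl", "LdapImpl", "DynamoDBImpl")}

def read_service_point(conf_text, key="session.storage.manager"):
    """Return the last uncommented value of key in service-points.conf text."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == key:
            value = v.strip()
    return value

def read_datastore_id(xml_text):
    """Return the PingFederateDSJNDIName value from the config-store XML."""
    root = ET.fromstring(xml_text)
    for item in root.findall("c:item", NS):
        if item.get("name") == "PingFederateDSJNDIName":
            return (item.text or "").strip()
    return None

def check_node(xml_text, conf_text):
    """Return a list of problems; an empty list means steps 4 and 5 are consistent."""
    problems = []
    if not read_datastore_id(xml_text):
        problems.append("PingFederateDSJNDIName is missing or empty")
    manager = read_service_point(conf_text)
    if manager is None:
        problems.append("session.storage.manager is not set")
    elif manager not in SUPPORTED:
        problems.append("unsupported session.storage.manager class: " + manager)
    elif manager != JDBC_IMPL:
        problems.append("session.storage.manager is not the JDBC implementation")
    return problems

# Constructed sample input: valid XML, but a mistyped class name in the conf file.
SAMPLE_XML = ('<c:config xmlns:c="http://www.sourceid.org/2004/05/config">'
              '<c:item name="PingFederateDSJNDIName">JDBC-EXAMPLE</c:item></c:config>')
SAMPLE_CONF = "# comment\nsession.storage.manager=com." + JDBC_IMPL

if __name__ == "__main__":
    print(check_node(SAMPLE_XML, SAMPLE_CONF))
```

Run it on the administrative console node and on every engine node; any non-empty result means that node will not use the JDBC session store as configured.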

Result

PingFederate removes expired authentication sessions from the database once a day. To fine-tune the frequency and the number of expired authentication sessions to remove, see Managing authentication sessions stored in the database.