PingFederate Server

Configuring external databases for grant storage

Specific tables are required in order for PingFederate to store grants, the associated attributes, and their values (if any), on your database server. Table-setup scripts are provided for supported database servers.

About this task

Edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl.xml file and the <pf_install>/pingfederate/server/default/conf/service-points.conf file.

Steps

  1. Run the table-setup scripts for your database server provided in the <pf_install>/pingfederate/server/default/conf/access-grant/sql-scripts directory.

  2. If you have not already done so, create a JDBC data store for your database server on System → Data & Credential Stores → Data Stores.

  3. Copy the System ID of the applicable Java Database Connection (JDBC) data store from the Data Stores window.

  4. Edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl.xml file.

    For a clustered PingFederate environment, edit this file on the administrative console node first, and then replicate to other engine nodes using System > Server > Cluster Management as explained in later steps.

    1. Replace the <c:item name="PingFederateDSJNDIName"/> element value with the system ID of your data store connection and save the file.

      Example:

      If the system ID is JDBC-123456789ABCDEF123456789ABCDEF123456A0A6, update the org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl.xml file as follows.

      <?xml version="1.0" encoding="UTF-8"?>
      <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
          <c:item name="PingFederateDSJNDIName">JDBC-123456789ABCDEF123456789ABCDEF123456A0A6</c:item>
      </c:config>
  5. Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file.

    1. Go to the # Service for storage of access grants section.

    2. Change the access.grant.manager service endpoint to the following:

      ...
      access.grant.manager=org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl
      ...

      In clustered PingFederate environments, you must manually edit the service-points.conf file on each node because cluster replication can’t replicate this change to other nodes.

  6. Start or restart PingFederate.

    For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System → Server → Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.

Result

PingFederate provides two cleanup tasks for persistent grants. One task manages expired grants, while another task caps the number of grants based on a combination of user, client, grant type, and authentication context.For more information, see OAuth persistent grants cleanup.