Configuring an Amazon DynamoDB for client storage
Set up an Amazon DynamoDB so that PingFederate can store OAuth client records in the DynamoDB NoSQL database.
Before you begin
Ensure that your server is configured to access DynamoDB.
About this task
PingFederate requires specific tables to store OAuth client records on your DynamoDB server. Table-setup scripts are provided for this purpose.
Steps
- To create a table in DynamoDB to contain OAuth clients, run the commands in the <pf_install>/pingfederate/server/default/conf/oauth-client-management/nosql-scripts/oauth-client-management-dynamodb.txt file.
  - Optional: To rename the table and index names, edit the table-name and "IndexName" values in the table script in the oauth-client-management-dynamodb.txt file.
- Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file:
  - Locate the ClientManager service point:

        # Service for storing OAuth client configuration.
        # Supported classes are
        # org.sourceid.oauth20.domain.ClientManagerXmlFileImpl : Use this service-point for an XML implementation.
        # org.sourceid.oauth20.domain.ClientManagerJdbcImpl : Use this service-point for a Jdbc implementation.
        # org.sourceid.oauth20.domain.ClientManagerLdapImpl : Use this service-point for an LDAP implementation.
        # org.sourceid.oauth20.domain.ClientManagerDynamoDBImpl : Use this service-point for a DynamoDB implementation
        # org.sourceid.oauth20.domain.ClientManagerGenericImpl : Use this service-point if you have specified a custom ClientStorageManager implementation above.
        client.manager=org.sourceid.oauth20.domain.ClientManagerXmlFileImpl

  - Update the value of the class attribute to org.sourceid.oauth20.domain.ClientManagerDynamoDBImpl.
  - Save the file.
  For a clustered PingFederate environment, you must edit the service-points.conf file on each node manually because cluster replication can't replicate this change to other nodes.
- Optional: If you modified the default table and index names in the oauth-client-management-dynamodb.txt file in step 1, edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.oauth20.domain.ClientManagerDynamoDBImpl.xml file to match your customized configuration. If you ran the script commands from the oauth-client-management-dynamodb.txt file as is and did not change the default names in the commands, you do not need to edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.oauth20.domain.ClientManagerDynamoDBImpl.xml file.
  - Replace the <c:item name="ClientsTableName"/>, <c:item name="ClientIdIndex"/>, <c:item name="ClientNameIndex"/>, <c:item name="LastModifiedIndex"/>, and <c:item name="CreationTimeIndex"/> element values with the customized names created during your initial DynamoDB setup.
  - Save the file.
  The following table describes the preconfigured PingFederate variables in the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.oauth20.domain.ClientManagerDynamoDBImpl.xml file.

  DynamoDB Client Manager Variables

  | Variable | Description |
  | --- | --- |
  | PingFederateSortedOAuthClientId-index | The name of the OAuth client ID index. This index is used to support sorting by Client ID on the Client Management Admin UI page. This is the default value. |
  | PingFederateSortedOAuthClientName-index | The name of the OAuth client name index. This index is used to support sorting by Client Name on the Client Management Admin UI page. This is the default value. |
  | PingFederateSortedOAuthClientLastModified-index | The name of the OAuth client last modified index. This index is used to support sorting by Last Modified Time on the Client Management Admin UI page. This is the default value. |
  | PingFederateSortedOAuthCreationTime-index | The name of the OAuth client creation time index. This index is used to support sorting by Creation Time on the Client Management Admin UI page. This is the default value. |
  | EndpointOverride | An optional endpoint URL which should not be used in production but allows for testing with a local development DynamoDB instance. By default, this value is empty. To test DynamoDB running locally, specify EndpointOverride to point to a local endpoint. For example, <c:item name="EndpointOverride">http://localhost:8000</c:item>. For more information, see DynamoDB local usage notes in the Amazon DynamoDB documentation. |
  | dynamoDbBatchSize | Number of records to request when performing batch operations against DynamoDB. The minimum allowed value is one, the maximum allowed value is 100, and the default value is 50. |
  | ApiCallTimeout | The amount of time in milliseconds to allow the client to complete the execution of the API call. The default value is 10000. |
  | ApiCallAttemptTimeout | The amount of time in milliseconds to wait for the HTTP request to complete before giving up and timing out. The default value is 1000. |
  | query-client-count | The number of OAuth clients returned on search operations for 'Check Usage' pop-ups of resources referenced by clients. Negative values signify the retrieval of all clients. The default value is 2000. |
- Start or restart the PingFederate service.
  For a clustered PingFederate environment, replicate this new configuration to the other engine nodes on System → Server → Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.

Frequent use of certain Admin UI operations, such as searching the OAuth Client list or detecting usage on various pages (Access Token Management, OpenID Connect Policy Management, Token Exchange Processor Policies, CIBA Request Policies, and Trusted CAs), may result in full table scans. This can impact the table's required Read Capacity.
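The following script is an added example, not part of the PingFederate documentation or product: it reads the two files the steps above edit and flags the settings an administrator most often gets wrong before restarting (client.manager not switched to the DynamoDB implementation, an index name left empty, EndpointOverride still pointing at a local test instance in production, dynamoDbBatchSize outside 1..100). The config-store namespace URI, the ClientsTableName value and both sample file contents are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
# Added example, not PingFederate code; the namespace URI and ClientsTableName value are assumptions.
DYNAMO_IMPL = "org.sourceid.oauth20.domain.ClientManagerDynamoDBImpl"
REQUIRED_ITEMS = ("ClientsTableName", "ClientIdIndex", "ClientNameIndex",
                  "LastModifiedIndex", "CreationTimeIndex")

SAMPLE_SERVICE_POINTS = """\
# Service for storing OAuth client configuration.
# client.manager=org.sourceid.oauth20.domain.ClientManagerXmlFileImpl
client.manager=org.sourceid.oauth20.domain.ClientManagerDynamoDBImpl
"""

SAMPLE_CONFIG_XML = """\
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
  <c:item name="ClientsTableName">PingFederateOAuthClients</c:item>
  <c:item name="ClientIdIndex">PingFederateSortedOAuthClientId-index</c:item>
  <c:item name="ClientNameIndex">PingFederateSortedOAuthClientName-index</c:item>
  <c:item name="LastModifiedIndex">PingFederateSortedOAuthClientLastModified-index</c:item>
  <c:item name="CreationTimeIndex">PingFederateSortedOAuthCreationTime-index</c:item>
  <c:item name="EndpointOverride">http://localhost:8000</c:item>
  <c:item name="dynamoDbBatchSize">250</c:item>
</c:config>
"""

def check_config(service_points, config_xml, production=True):
    """Return a list of findings; an empty list means the two files look consistent."""
    findings = []
    # Comment lines start with '#', so they never match; the last live setting wins.
    managers = re.findall(r"^\s*client\.manager\s*=\s*(\S+)", service_points, re.M)
    current = managers[-1] if managers else "unset"
    if current != DYNAMO_IMPL:
        findings.append(f"client.manager is {current}, expected {DYNAMO_IMPL}")
    # Collect every <c:item name="...">value</c:item> regardless of namespace prefix.
    items = {el.get("name"): (el.text or "").strip()
             for el in ET.fromstring(config_xml).iter() if el.tag.split("}")[-1] == "item"}
    for name in REQUIRED_ITEMS:  # table and all four sort indexes must be named
        if not items.get(name):
            findings.append(f"{name} is missing or empty")
    if production and items.get("EndpointOverride"):
        findings.append("EndpointOverride is set; it is meant for a local test instance only")
    batch = items.get("dynamoDbBatchSize", "50")  # default is 50 when absent
    if not batch.isdigit() or not 1 <= int(batch) <= 100:
        findings.append(f"dynamoDbBatchSize {batch} outside 1..100")
    return findings

if __name__ == "__main__":
    for finding in check_config(SAMPLE_SERVICE_POINTS, SAMPLE_CONFIG_XML):
        print(finding)
```

Run it against the real <pf_install> files on each node before the restart in the last step; on a cluster the service-points.conf check matters on every node, since that file is not replicated.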