Configuring an Amazon DynamoDB for account-link storage
Set up an Amazon DynamoDB so that PingFederate can store account-link records in the DynamoDB NoSQL database.
Before you begin
Ensure that your PingFederate server is configured to access DynamoDB. For more information, see Configuring an AWS DynamoDB datastore.
About this task
PingFederate requires a specific table to store account-link records on your DynamoDB server. A table-setup script is provided for this purpose.
Steps
1. To create a table in DynamoDB to contain OAuth clients, run the commands in the <pf_install>/pingfederate/server/default/conf/account-linking/nosql-scripts/account-linking-dynamodb.txt file.

2. Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file:

   a. Locate the service point for account-linking storage:

      # Service/adapter for storage of account linking
      # Supported classes:
      # org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl
      # org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl
      # org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl
      account.linking.service=org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl

   b. Set the value of the account.linking.service attribute to org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl.

   c. Save the file.

   For a clustered PingFederate environment, you must edit the service-points.conf file on each node manually because cluster replication can't replicate this change to other nodes.

3. Optional: Edit the values in the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl.xml file.

      <?xml version="1.0" encoding="UTF-8"?>
      <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
          <!-- Table names -->
          <c:item name="AccountLinkingTableName">PingFederateAccountLink</c:item>

          <!-- The endpoint override is for testing with a local DynamoDB instance.
               Provide the local DynamoDB endpoint here.
               This configuration should not be set for production environment.
               Example configuration:
               <c:item name="EndpointOverride">http://localhost:8000</c:item> -->
          <c:item name="EndpointOverride"/>

          <!-- Configure the amount of time (in milliseconds) to allow the client to
               complete the execution of an API call.
               Default configuration:
               <c:item name="ApiCallTimeout">10000</c:item> -->
          <c:item name="ApiCallTimeout">10000</c:item>

          <!-- Configure the amount of time (in milliseconds) to wait for the http
               request to complete before giving up and timing out.
               Default configuration:
               <c:item name="ApiCallAttemptTimeout">1000</c:item> -->
          <c:item name="ApiCallAttemptTimeout">1000</c:item>
      </c:config>

4. Start or restart the PingFederate service.

   For a clustered PingFederate, replicate this new configuration to other engine nodes on System → Server → Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.
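Because service-points.conf is not replicated by the cluster, and because an EndpointOverride left over from local testing would silently send account-link records to the wrong endpoint, it is worth checking each node before restarting it. The following is an added example, not part of PingFederate or its documentation: it parses the two files the procedure above edits and reports any inconsistency. The file contents embedded below are constructed samples of a correctly configured node and of a node that was missed during the rollout; the function names (parse_service_points, parse_config_store, check_node) are this example's own.

```python
"""Pre-flight check for a PingFederate node's DynamoDB account-linking setup.

Added example (not PingFederate's code). It reads service-points.conf and the
AccountLinkingServiceDynamoDBImpl.xml config-store file and returns findings.
"""
import xml.etree.ElementTree as ET

DYNAMO_IMPL = "org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl"
CONFIG_NS = {"c": "http://www.sourceid.org/2004/05/config"}


def parse_service_points(text):
    """Parse key=value lines of service-points.conf, skipping blanks and '#' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_config_store(xml_text):
    """Return {item name: text} for every <c:item> in the config-store XML."""
    root = ET.fromstring(xml_text)
    return {item.get("name"): (item.text or "").strip()
            for item in root.findall("c:item", CONFIG_NS)}


def check_node(service_points_text, config_xml_text, production=True):
    """Return a list of findings; an empty list means the node is consistent."""
    findings = []
    impl = parse_service_points(service_points_text).get("account.linking.service")
    if impl != DYNAMO_IMPL:
        findings.append(f"account.linking.service is {impl!r}, expected {DYNAMO_IMPL}")

    items = parse_config_store(config_xml_text)
    if not items.get("AccountLinkingTableName"):
        findings.append("AccountLinkingTableName is empty")
    # The comment in the shipped file says the override is for local testing only.
    if production and items.get("EndpointOverride"):
        findings.append(f"EndpointOverride is set to {items['EndpointOverride']!r}; "
                        "must be empty in production")
    try:
        call_ms = int(items.get("ApiCallTimeout", "0"))
        attempt_ms = int(items.get("ApiCallAttemptTimeout", "0"))
    except ValueError:
        findings.append("ApiCallTimeout/ApiCallAttemptTimeout must be integer milliseconds")
    else:
        if call_ms <= 0 or attempt_ms <= 0:
            findings.append("timeouts must be positive")
        elif attempt_ms > call_ms:
            # A per-attempt budget larger than the whole call budget leaves no room to retry.
            findings.append("ApiCallAttemptTimeout exceeds ApiCallTimeout")
    return findings


# Constructed samples (not real files): one node done correctly, one missed.
GOOD_SERVICE_POINTS = """# Service/adapter for storage of account linking
account.linking.service=org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl
"""
MISSED_SERVICE_POINTS = """# Service/adapter for storage of account linking
account.linking.service=org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl
"""
GOOD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
  <c:item name="AccountLinkingTableName">PingFederateAccountLink</c:item>
  <c:item name="EndpointOverride"/>
  <c:item name="ApiCallTimeout">10000</c:item>
  <c:item name="ApiCallAttemptTimeout">1000</c:item>
</c:config>
"""
# Same file with a local-test override left in place.
LEFTOVER_XML = GOOD_XML.replace('<c:item name="EndpointOverride"/>',
                                '<c:item name="EndpointOverride">http://localhost:8000</c:item>')

if __name__ == "__main__":
    for label, sp, xml in (("node-1", GOOD_SERVICE_POINTS, GOOD_XML),
                           ("node-2", MISSED_SERVICE_POINTS, LEFTOVER_XML)):
        result = check_node(sp, xml)
        print(label, "OK" if not result else result)
```

Run it on every engine node (pointing it at the real paths under <pf_install>) before the restart in step 4; a node that still reports the DBImpl class is one where the manual service-points.conf edit was skipped.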