PingFederate Server

Configuring an Amazon DynamoDB for account-link storage

Set up an Amazon DynamoDB so that PingFederate can store account-link records in the DynamoDB NoSQL database.

Before you begin

Ensure that your PingFederate server is configured to access DynamoDB. For more information, see Configuring an AWS DynamoDB datastore.

About this task

PingFederate requires a specific table to store account-link records on your DynamoDB server. A table-setup script is provided for this purpose.

Steps

  1. To create the table in DynamoDB that will hold account-link records, run the commands in the <pf_install>/pingfederate/server/default/conf/account-linking/nosql-scripts/account-linking-dynamodb.txt file.

  2. Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file:

    1. Locate the service point for account-linking storage:

      # Service/adapter for storage of account linking
      # Supported classes:
      #     org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl
      #     org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl
      #     org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl
      account.linking.service=org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl
    2. Set the value of the account.linking.service attribute to org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl.

    3. Save the file.

      For a clustered PingFederate environment, you must edit the service-points.conf file on each node manually because cluster replication can’t replicate this change to other nodes.

  3. Optional: Edit the values in the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl.xml file.

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    
      <!-- Table names -->
      <c:item name="AccountLinkingTableName">PingFederateAccountLink</c:item>
    
      <!--
          The endpoint override is for testing with a local DynamoDB instance.
          Provide the local DynamoDB endpoint here. This configuration should not
          be set for production environment.
    
          Example configuration:
          <c:item name="EndpointOverride">http://localhost:8000</c:item>
      -->
      <c:item name="EndpointOverride"/>
    
      <!--
          Configure the amount of time(in milliseconds) to allow the client to
          complete the execution of an API call.
    
          Default configuration:
          <c:item name="ApiCallTimeout">10000</c:item>
      -->
      <c:item name="ApiCallTimeout">10000</c:item>
    
      <!--
          Configure the amount of time (in milliseconds) to wait for the http
          request to complete before giving up and timing out.
    
          Default configuration:
          <c:item name="ApiCallAttemptTimeout">1000</c:item>
      -->
      <c:item name="ApiCallAttemptTimeout">1000</c:item>
    
    </c:config>
  4. Start or restart the PingFederate service.

    For a clustered PingFederate environment, replicate this new configuration to the other engine nodes on System → Server → Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.
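Because the change is spread across two files (one of which must be edited by hand on every cluster node), it is easy to end up with a node whose service point was switched but whose config-store XML still carries the testing-only EndpointOverride, or vice versa. The following script is an added example, not part of PingFederate or its documentation: it parses a copy of both files and reports the inconsistencies that matter, using constructed sample contents and helper names of my own. It flags a populated EndpointOverride when checking for production (the comment in the XML says that value is only for a local DynamoDB), an ApiCallAttemptTimeout larger than ApiCallTimeout, and a service point that still names the JDBC implementation.

```python
"""Consistency check for the two PingFederate files edited in the steps above.

Added example, not PingFederate's own code. The file contents below are
constructed samples; the function names are assumptions of this example.
"""
import xml.etree.ElementTree as ET

CONFIG_NS = {"c": "http://www.sourceid.org/2004/05/config"}
DYNAMO_IMPL = "org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl"

# Constructed sample of service-points.conf after step 2 (comment lines kept).
SERVICE_POINTS_CONF = """\
# Service/adapter for storage of account linking
# account.linking.service=org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl
account.linking.service=org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl
"""

# Constructed sample of the config-store XML from step 3, with a mistake
# deliberately left in: the testing-only endpoint override is still populated.
ACCOUNT_LINKING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
  <c:item name="AccountLinkingTableName">PingFederateAccountLink</c:item>
  <c:item name="EndpointOverride">http://localhost:8000</c:item>
  <c:item name="ApiCallTimeout">10000</c:item>
  <c:item name="ApiCallAttemptTimeout">1000</c:item>
</c:config>
"""


def account_linking_service(conf_text):
    """Return the uncommented value of account.linking.service, or None if absent."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "account.linking.service":
            return value.strip()
    return None


def config_items(xml_text):
    """Map each <c:item name="..."> in the config-store XML to its text ('' when empty)."""
    root = ET.fromstring(xml_text)
    return {item.get("name"): (item.text or "").strip()
            for item in root.findall("c:item", CONFIG_NS)}


def check_account_link_config(conf_text, xml_text, production=True):
    """Return a list of findings; an empty list means the two files look consistent."""
    findings = []

    impl = account_linking_service(conf_text)
    if impl != DYNAMO_IMPL:
        findings.append(f"account.linking.service is {impl!r}, expected {DYNAMO_IMPL}")

    items = config_items(xml_text)
    if not items.get("AccountLinkingTableName"):
        findings.append("AccountLinkingTableName is empty")

    # The override redirects all account-link traffic to another endpoint and is
    # documented as a local-testing setting, so it must be blank in production.
    endpoint = items.get("EndpointOverride", "")
    if production and endpoint:
        findings.append(f"EndpointOverride is set to {endpoint!r}; it is for local testing only")

    try:
        call_timeout = int(items.get("ApiCallTimeout", ""))
        attempt_timeout = int(items.get("ApiCallAttemptTimeout", ""))
    except ValueError:
        findings.append("ApiCallTimeout and ApiCallAttemptTimeout must be integer milliseconds")
    else:
        if attempt_timeout > call_timeout:
            findings.append("ApiCallAttemptTimeout exceeds ApiCallTimeout; one HTTP attempt "
                            "could outlive the whole API call")
    return findings


if __name__ == "__main__":
    for finding in check_account_link_config(SERVICE_POINTS_CONF, ACCOUNT_LINKING_XML):
        print("FINDING:", finding)
```

Run it against the real files on each engine node (read them in place of the embedded samples) after step 3 and again after cluster replication; with the sample input it reports exactly one finding, the leftover EndpointOverride.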