PingFederate Server

Managing expired persistent grants

PingFederate removes expired persistent grants once a day. The cleanup task removes 500 expired grants at a time until all expired grants are removed.

About this task

If expired grants are growing rapidly, you can optionally increase the frequency of the cleanup task.

Increasing the frequency of the cleanup task or the number of expired sessions to be removed per batch adds more workload to your storage server. Make gradual changes, if any, to observe the impact.

In a clustered PingFederate environment, the cleanup task runs only on the console node. If adjustments are required, make them on the console node. No changes are required on any of the engine nodes.

When storing persistent grants on a PingDirectory server that is version 7.0 or later, you can use the PingFederate cleanup task or configure a cleanup plugin in PingDirectory instead. The plugin allows fine-grained control over various aspects of the cleanup task, which might reduce the performance impact. For more information and configuration steps, see Managing expired persistent grants in PingDirectory.

Steps

  1. Optional: Adjust the frequency of the cleanup task.

    1. Edit the timer-intervals.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.

    2. Update the AccessGrantCleanerInterval value, in milliseconds.

    The default value is 86400000, which is 24 hours.

    3. Save your changes.

  2. Optional: Adjust the number of expired grants to be removed per batch.

    1. Edit the configuration file relevant to your storage platform.

      This configuration file is located in the <pf_install>/pingfederate/server/default/data/config-store directory, as described in the following table.

      | Storage platform | Configuration file |
      | --- | --- |
      | Database server | org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl.xml |
      | PingDirectory | org.sourceid.oauth20.token.AccessGrantManagerLDAPPingDirectoryImpl.xml |
      | Microsoft Active Directory | org.sourceid.oauth20.token.AccessGrantManagerLDAPADImpl.xml |
      | Oracle Unified Directory | org.sourceid.oauth20.token.AccessGrantManagerLDAPOracleImpl.xml |

    2. Update the ExpiredGrantBatchSize value.

      The following example shows an updated value of 400. (The default value is 500.)

      <?xml version="1.0" encoding="UTF-8"?>
      <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
          ...
          <c:item name="ExpiredGrantBatchSize">400</c:item>
          ...
      </c:config>

    3. Save your changes.

  3. After you have made changes, restart PingFederate.

    In a clustered PingFederate environment, you do not have to change or restart PingFederate on any of the engine nodes.
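
The following Python helper is an added example, not part of the PingFederate product or its documentation. It applies step 2 to a file in the c:config / c:item layout shown above: it validates the new value, backs up the file, and rewrites it with the c: prefix and comments preserved. The function name, the max_step_ratio guard (one way to enforce "make gradual changes"), and the sample file are assumptions made for illustration.

```python
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

CONFIG_NS = "http://www.sourceid.org/2004/05/config"  # namespace shown on this page
ET.register_namespace("c", CONFIG_NS)  # keep the c: prefix when the file is rewritten

# Constructed sample for the demo and tests, not a real PingFederate file.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <!-- constructed sample -->
    <c:item name="ExpiredGrantBatchSize">500</c:item>
</c:config>
"""


def set_config_item(path, name, new_value, max_step_ratio=2.0):
    """Set <c:item name=NAME> to new_value and return (old, new).

    max_step_ratio is a hypothetical guard for "make gradual changes":
    a change by more than this factor in either direction is refused.
    """
    if isinstance(new_value, bool) or not isinstance(new_value, int) or new_value <= 0:
        raise ValueError(f"{name} must be a positive integer")
    # insert_comments=True keeps XML comments through the rewrite (Python 3.8+).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    tree = ET.parse(path, parser)
    items = [el for el in tree.getroot().iter(f"{{{CONFIG_NS}}}item")
             if el.get("name") == name]
    if len(items) != 1:
        raise LookupError(f"expected exactly one {name} item, found {len(items)}")
    old_value = int((items[0].text or "").strip())  # ValueError if not a number
    if old_value <= 0 or max(old_value, new_value) / min(old_value, new_value) > max_step_ratio:
        raise ValueError(f"{old_value} -> {new_value} exceeds the step limit")
    if new_value != old_value:
        shutil.copy2(path, f"{path}.bak")  # keep the previous file for rollback
        items[0].text = str(new_value)
        tree.write(path, encoding="UTF-8", xml_declaration=True)
    return old_value, new_value


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "sample-config.xml"
        cfg.write_text(SAMPLE_CONFIG, encoding="utf-8")
        print(set_config_item(cfg, "ExpiredGrantBatchSize", 400))
        print(cfg.read_text(encoding="utf-8"))
```

Run it against a copy of the configuration file first and compare the result with the original before replacing the file on the console node.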