Back-Channel Session Revocation Service
PingFederate uses the Back-Channel Session Revocation Service to give OAuth clients the ability to add sessions to the revocation list and to query the revocation status of a session.
When PingFederate is in clustered mode, the service proxy uses a group remote procedure call (RPC)-based implementation. When a session is added to the revocation list, the processing node always propagates it to all engine nodes in the cluster. You can choose whether queries are answered from the local node's list alone or only after collecting revocation status from the other engine nodes.
Processing queries locally gives faster response times for engine nodes in well-connected networks. Requiring data from the other engine nodes adds a layer of protection against inconsistencies among the engine nodes' revocation lists caused by network outages: a node that was unreachable when a revocation was propagated would otherwise report the session as still valid.
You can configure the RPC timeout and other settings in the <pf_install>/pingfederate/server/default/conf/cluster-session-revocation.conf file.
The service proxy uses the class org.sourceid.saml20.service.impl.grouprpc.SessionRevocationServiceGroupRpcImpl.
FIFO memory management scheme
To ensure the revocation list does not result in excessive memory usage, the Back-Channel Session Revocation Service employs a First-In, First-Out (FIFO) algorithm to purge old data. When the maximum size is reached, the oldest entries are automatically removed.
The maximum number of sessions is configurable by the SessionRevocationServiceMapImpl.max.revoked.sris setting in the <pf_install>/pingfederate/server/default/conf/size-limits.conf file. The default value is 50000.
The FIFO memory manager operates in addition to the Session Revocation Lifetime setting, which is globally configured in the Authentication > Sessions menu. Because the two limits are independent, an entry can be purged by the FIFO cap before its lifetime has elapsed; if the maximum size is set too low for the rate of revocations, a session revoked earlier is no longer reported as revoked once it has been pushed out of the list.
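The following Python model is an added illustration, not PingFederate's own code, of the two behaviours described above: the FIFO cap and the Session Revocation Lifetime acting independently on one node's list, and a cluster in which a node that was unreachable during propagation answers a local query differently from a cluster-wide query. The class and function names (RevocationList, Cluster, FakeClock, demo), the injectable clock, and the 3600-second lifetime default are the example's own assumptions; only the 50000 default comes from the page.

```python
import time
from collections import OrderedDict


class RevocationList:
    """Model of one engine node's revocation list (hypothetical; not
    PingFederate's SessionRevocationServiceMapImpl). Entries are kept in
    insertion order so the oldest is purged FIFO when max_entries is
    exceeded; each entry also expires after lifetime_seconds (the Session
    Revocation Lifetime). The clock is injectable so time can be advanced."""

    def __init__(self, max_entries=50000, lifetime_seconds=3600, clock=time.monotonic):
        self.max_entries = max_entries          # page default: 50000
        self.lifetime_seconds = lifetime_seconds  # 3600 is an assumed default
        self.clock = clock
        self._entries = OrderedDict()  # session id -> time of revocation

    def revoke(self, session_id):
        if session_id in self._entries:
            return  # already listed; keep its original FIFO position
        self._entries[session_id] = self.clock()
        while len(self._entries) > self.max_entries:
            self._entries.popitem(last=False)  # FIFO: drop the oldest entry

    def is_revoked(self, session_id):
        revoked_at = self._entries.get(session_id)
        if revoked_at is None:
            return False
        if self.clock() - revoked_at >= self.lifetime_seconds:
            del self._entries[session_id]  # lifetime elapsed; entry is stale
            return False
        return True

    def __len__(self):
        return len(self._entries)


class Cluster:
    """Engine nodes whose processing node propagates every revocation to all
    reachable nodes (assumed model of the group-RPC behaviour)."""

    def __init__(self, node_count, **list_kwargs):
        self.nodes = [RevocationList(**list_kwargs) for _ in range(node_count)]
        self.unreachable = set()  # indices of nodes currently cut off by an outage

    def _reachable_from(self, origin):
        return [n for i, n in enumerate(self.nodes) if i == origin or i not in self.unreachable]

    def revoke(self, origin, session_id):
        # Nodes unreachable during the outage miss the update and fall out of sync.
        for node in self._reachable_from(origin):
            node.revoke(session_id)

    def query(self, origin, session_id, local_only):
        if local_only:
            return self.nodes[origin].is_revoked(session_id)
        # Cluster-wide query: revoked if any reachable node lists the session.
        return any(n.is_revoked(session_id) for n in self._reachable_from(origin))


class FakeClock:
    """Manually advanced clock for the demo (constructed for this example)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Run three scenarios and return their outcomes as a dict of booleans."""
    clock = FakeClock()
    results = {}

    # 1. FIFO cap: with max_entries=3, the fourth revocation purges "s1", so
    #    "s1" is accepted again even though its lifetime has not elapsed.
    small = RevocationList(max_entries=3, lifetime_seconds=3600, clock=clock)
    for sid in ("s1", "s2", "s3", "s4"):
        small.revoke(sid)
    results["fifo_purged_s1"] = not small.is_revoked("s1")
    results["fifo_kept_s4"] = small.is_revoked("s4")

    # 2. Lifetime: an entry stops being reported once its lifetime has passed.
    lifetime = RevocationList(max_entries=3, lifetime_seconds=60, clock=clock)
    lifetime.revoke("t1")
    revoked_early = lifetime.is_revoked("t1")
    clock.now += 61
    results["lifetime_expired"] = revoked_early and not lifetime.is_revoked("t1")

    # 3. Cluster: node 2 is unreachable while node 0 revokes "c1", then reconnects.
    #    A local query on node 2 misses the revocation; a cluster-wide query catches it.
    cluster = Cluster(3, max_entries=3, lifetime_seconds=3600, clock=clock)
    cluster.unreachable.add(2)
    cluster.revoke(0, "c1")
    cluster.unreachable.clear()
    results["local_query_on_stale_node"] = cluster.query(2, "c1", local_only=True)
    results["cluster_query_on_stale_node"] = cluster.query(2, "c1", local_only=False)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Scenario 1 is the sizing caveat: a cap that is small relative to the revocation rate silently re-admits sessions that were revoked only moments ago, so max.revoked.sris should be sized from the expected number of revocations within one Session Revocation Lifetime, not from memory alone. Scenario 3 is the trade-off between local and cluster-wide queries: the cluster-wide path costs an RPC round trip but is the only one that survives a node having missed a propagation.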