If you use PingDirectory, or another directory, to store OAuth persistent grants for PingFederate, the following attributes must be indexed to ensure that access grant queries perform efficiently.

Attribute name                        Index type
accessGrantGuid                       equality
accessGrantUniqueUserIdentifier       equality
accessGrantHashedRefreshTokenValue    equality
accessGrantClientId                   equality
accessGrantExpires                    ordering

Use PingDirectory's dsconfig utility to create these indexes. The dsconfig utility is interactive. You can also provide inputs as command arguments. The following examples create the required indexes:

$ bin/dsconfig create-local-db-index \
  --backend-name userRoot \
  --index-name accessGrantGuid \
  --set index-type:equality
$ bin/dsconfig create-local-db-index \
  --backend-name userRoot \
  --index-name accessGrantUniqueUserIdentifier \
  --set index-type:equality
$ bin/dsconfig create-local-db-index \
  --backend-name userRoot \
  --index-name accessGrantHashedRefreshTokenValue \
  --set index-type:equality
$ bin/dsconfig create-local-db-index \
  --backend-name userRoot \
  --index-name accessGrantClientId \
  --set index-type:equality
$ bin/dsconfig create-local-db-index \
  --backend-name userRoot \
  --index-name accessGrantExpires \
  --set index-type:ordering

After adding the indexes, run the rebuild-index utility to build them. The following example builds the required indexes:

$ bin/rebuild-index \
  --baseDN "dc=example,dc=com" \
  --index accessGrantGuid \
  --index accessGrantUniqueUserIdentifier \
  --index accessGrantHashedRefreshTokenValue \
  --index accessGrantClientId \
  --index accessGrantExpires
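
To confirm that the configuration ended up with every index from the table, the following added example (not from the PingDirectory documentation) reads index entries as LDIF and prints each required attribute and index type pair that is absent. It assumes the exported entries carry `ds-cfg-attribute` and `ds-cfg-index-type` values; the function names and the sample LDIF are constructed for illustration.

```shell
# Required attribute:index-type pairs, taken from the table on this page.
REQUIRED="accessGrantGuid:equality accessGrantUniqueUserIdentifier:equality \
accessGrantHashedRefreshTokenValue:equality accessGrantClientId:equality \
accessGrantExpires:ordering"

# Reads index entries as LDIF on stdin; prints each required pair not found.
# Assumption: entries carry ds-cfg-attribute and ds-cfg-index-type values.
missing_grant_indexes() {
  awk -v required="$REQUIRED" '
    function end_entry(   i) {           # record every type seen for this entry
      for (i = 1; i <= ntypes; i++) have[tolower(attr ":" types[i])] = 1
      attr = ""; ntypes = 0
    }
    { sub(/\r$/, "") }                   # tolerate CRLF exports
    /^[ \t]*$/ { end_entry(); next }     # a blank line ends an LDIF entry
    tolower($1) == "ds-cfg-attribute:"  { attr = $2 }
    tolower($1) == "ds-cfg-index-type:" { types[++ntypes] = $2 }
    END {
      end_entry()
      n = split(required, want, " ")
      for (i = 1; i <= n; i++)
        if (!(tolower(want[i]) in have)) print want[i]
    }'
}

# Constructed sample: accessGrantExpires was created as equality, not ordering.
sample_ldif() {
  cat <<'EOF'
dn: ds-cfg-attribute=accessGrantGuid,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config
ds-cfg-attribute: accessGrantGuid
ds-cfg-index-type: equality

dn: ds-cfg-attribute=accessGrantUniqueUserIdentifier,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config
ds-cfg-attribute: accessGrantUniqueUserIdentifier
ds-cfg-index-type: equality

dn: ds-cfg-attribute=accessGrantHashedRefreshTokenValue,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config
ds-cfg-attribute: accessGrantHashedRefreshTokenValue
ds-cfg-index-type: equality

dn: ds-cfg-attribute=accessGrantClientId,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config
ds-cfg-attribute: accessGrantClientId
ds-cfg-index-type: equality

dn: ds-cfg-attribute=accessGrantExpires,cn=Index,ds-cfg-backend-id=userRoot,cn=Backends,cn=config
ds-cfg-attribute: accessGrantExpires
ds-cfg-index-type: equality
EOF
}

sample_ldif | missing_grant_indexes
```

An empty result means every index in the table is present with the expected type.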

For more information, see Working with Indexes in the PingDirectory Administration Guide.

Furthermore, you may configure a PingDirectory plugin to handle the cleanup of expired persistent grants and the associated attributes. The plugin allows fine-grained control over various aspects of the cleanup task, which could smooth out the performance impact. For more information, see Managing expired persistent grants in PingDirectory.