PingFederate needs specific schema objects on your directory server in order to store grants, together with the attributes (and their values, if any) associated with each grant. LDIF scripts that add these objects are provided for each supported directory server.

  1. Review the LDIF scripts for your directory server provided in the <pf_install>/pingfederate/server/default/conf/access-grant/ldif-scripts directory.
  2. Replace placeholder values with relevant information from your directory server.
  3. Run the LDIF scripts to update your LDAP schema.

    For Active Directory, run the script that creates the attributes first and then the script that creates the object class; the object class references those attributes, so they must exist before it is defined.

  4. If you have not already done so, create an LDAP datastore for your directory server on the System > Data Stores screen.
  5. Copy the system ID of the applicable LDAP datastore from the System > Data Stores screen.
  6. Edit the configuration file relevant to your directory server.

    This configuration file is located in the <pf_install>/pingfederate/server/default/data/config-store directory, as listed in the following table.

    Directory server                 Configuration file
    PingDirectory                    org.sourceid.oauth20.token.AccessGrantManagerLDAPPingDirectoryImpl.xml
    Microsoft Active Directory       org.sourceid.oauth20.token.AccessGrantManagerLDAPADImpl.xml
    Oracle Directory Server Enterprise Edition or Oracle Unified Directory
                                     org.sourceid.oauth20.token.AccessGrantManagerLDAPOracleImpl.xml

    For a clustered environment, edit this file on the administrative console node first, and then replicate to other engine nodes using System > Server > Cluster Management as explained in later steps.

    1. Replace the <c:item name="PingFederateDSJNDIName"/> element value with the system ID of your datastore connection.

      For example, if the system ID is LDAP-123456789ABCDEF123456789ABCDEF123456A0A6, update the configuration file as follows:

      <!-- Data store id -->
      <c:item name="PingFederateDSJNDIName">LDAP-123456789ABCDEF123456789ABCDEF123456A0A6</c:item>
    2. Enter a value for the <c:item name="SearchBase"/> element.

      This is the distinguished name (DN) of the container under which PingFederate creates the grant entries. The account used by the LDAP datastore connection must be able to add, modify and delete entries under this DN, or grant storage will fail at runtime. For more information, see the inline comment and the LDIF scripts in the <pf_install>/pingfederate/server/default/conf/access-grant/ldif-scripts directory.

    3. Update the attribute names only if you have changed attribute names in the LDIF scripts located in the <pf_install>/pingfederate/server/default/conf/access-grant/ldif-scripts directory.
    4. Save the file.
  7. Edit the <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml file.
    1. Locate the AccessGrantManager service point:
      <!-- Service for storage of access grants -->
      <service-point id="AccessGrantManager" interface="com.pingidentity.sdk.accessgrant.AccessGrantManager">
           <create-instance class="org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl"/>
      </service-point>
    2. Update the class attribute value to one of the following values:
      Directory server                 Class value
      PingDirectory                    org.sourceid.oauth20.token.AccessGrantManagerLDAPPingDirectoryImpl
      Microsoft Active Directory       org.sourceid.oauth20.token.AccessGrantManagerLDAPADImpl
      Oracle Directory Server Enterprise Edition or Oracle Unified Directory
                                       org.sourceid.oauth20.token.AccessGrantManagerLDAPOracleImpl
    3. Save the file.

    For a clustered environment, you must edit the hivemodule.xml file on each node manually: it is not part of the replicated configuration, so cluster replication cannot push this change to other nodes.

  8. Start or restart the PingFederate service.

    For a clustered PingFederate environment, replicate this new configuration to other engine nodes on the System > Cluster Management screen; then start or restart the PingFederate service on each engine node to activate the change.

  9. In the directory, create indexes for the following OAuth grant attributes. If you are using PingDirectory, see Granting storage performance considerations for more information.
    Attribute name                        Index type
    accessGrantGuid                       equality
    accessGrantUniqueUserIdentifier       equality
    accessGrantHashedRefreshTokenValue    equality
    accessGrantClientId                   equality
    accessGrantExpires                    ordering
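The following script is an added example, not PingFederate's own tooling, and shows steps 6 and 7 of the procedure applied to in-memory copies of the two files so the result can be inspected before anything is written to disk. It edits only the two <c:item> values and the one class attribute, leaves comments and surrounding lines intact, refuses to proceed if the expected element is missing or appears more than once, and pairs the implementation class with the config-store file name so that the wrong impl file is not edited by mistake. The sample file contents, the c: namespace URI, the module id and the third item name are constructed placeholders; the "LDAP-" plus hex format of the datastore system ID is an assumption taken from the page's example.

```python
import re

# Implementation classes from the tables above. The matching config-store
# file is the class name plus ".xml".
LDAP_IMPLS = {
    "pingdirectory": "org.sourceid.oauth20.token.AccessGrantManagerLDAPPingDirectoryImpl",
    "activedirectory": "org.sourceid.oauth20.token.AccessGrantManagerLDAPADImpl",
    "oracle": "org.sourceid.oauth20.token.AccessGrantManagerLDAPOracleImpl",
}
JDBC_IMPL = "org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl"  # shipped default

# Assumption: datastore system IDs follow the page's example, "LDAP-" plus hex digits.
DATASTORE_ID_RE = re.compile(r"^LDAP-[0-9A-Fa-f]+$")

# Constructed stand-in for a shipped config-store file (not the real file).
# The c: namespace URI and the third item name are placeholders.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <!-- Data store id -->
    <c:item name="PingFederateDSJNDIName"/>
    <!-- DN under which grant entries are stored -->
    <c:item name="SearchBase"/>
    <c:item name="PlaceholderAttributeName">accessGrantGuid</c:item>
</c:config>
"""

# Constructed fragment of hivemodule.xml around the service point quoted in step 7.
SAMPLE_HIVEMODULE = """<module id="placeholder.module" version="1.0.0">
    <!-- Service for storage of access grants -->
    <service-point id="AccessGrantManager" interface="com.pingidentity.sdk.accessgrant.AccessGrantManager">
         <create-instance class="org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl"/>
    </service-point>
</module>
"""


def config_file_for(impl_class: str) -> str:
    """Name of the config-store file that pairs with an LDAP implementation class."""
    if impl_class not in LDAP_IMPLS.values():
        raise ValueError(f"not an LDAP AccessGrantManager implementation: {impl_class}")
    return impl_class + ".xml"


def _set_item(xml_text: str, name: str, value: str) -> str:
    """Set the text of exactly one <c:item name=...> (self-closing or not), keeping comments."""
    pattern = re.compile(rf'(<c:item name="{re.escape(name)}")(\s*/>|>.*?</c:item>)', re.DOTALL)
    found = len(pattern.findall(xml_text))
    if found != 1:
        raise ValueError(f'expected one <c:item name="{name}">, found {found}')
    escaped = value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return pattern.sub(lambda m: m.group(1) + ">" + escaped + "</c:item>", xml_text, count=1)


def set_datastore_id(xml_text: str, datastore_id: str) -> str:
    if not DATASTORE_ID_RE.match(datastore_id):
        raise ValueError(f"unexpected datastore system ID: {datastore_id}")
    return _set_item(xml_text, "PingFederateDSJNDIName", datastore_id)


def set_search_base(xml_text: str, search_base_dn: str) -> str:
    # Cheap DN sanity check: every RDN must be attribute=value.
    if not all("=" in rdn for rdn in search_base_dn.split(",")):
        raise ValueError(f"not a DN: {search_base_dn}")
    return _set_item(xml_text, "SearchBase", search_base_dn)


SERVICE_POINT_RE = re.compile(
    r'(<service-point id="AccessGrantManager"[^>]*>\s*<create-instance class=")([^"]*)(")'
)


def current_grant_manager_class(hivemodule_text: str) -> str:
    m = SERVICE_POINT_RE.search(hivemodule_text)
    if m is None:
        raise ValueError("AccessGrantManager service point not found")
    return m.group(2)


def set_grant_manager_class(hivemodule_text: str, impl_class: str) -> str:
    """Rewrite only the class attribute of the AccessGrantManager service point."""
    if impl_class not in LDAP_IMPLS.values() and impl_class != JDBC_IMPL:
        raise ValueError(f"unknown AccessGrantManager implementation: {impl_class}")
    new_text, n = SERVICE_POINT_RE.subn(lambda m: m.group(1) + impl_class + m.group(3), hivemodule_text)
    if n != 1:
        raise ValueError(f"expected one AccessGrantManager service point, found {n}")
    return new_text


def apply_ldap_grant_storage(directory, config_text, hivemodule_text, datastore_id, search_base_dn):
    """Steps 6 and 7 of the procedure, applied to in-memory copies of the two files."""
    impl = LDAP_IMPLS[directory]
    return {
        "config_file": config_file_for(impl),
        "config": set_search_base(set_datastore_id(config_text, datastore_id), search_base_dn),
        "hivemodule": set_grant_manager_class(hivemodule_text, impl),
    }


if __name__ == "__main__":
    result = apply_ldap_grant_storage(
        "activedirectory", SAMPLE_CONFIG, SAMPLE_HIVEMODULE,
        "LDAP-123456789ABCDEF123456789ABCDEF123456A0A6", "ou=Grants,dc=example,dc=com",
    )
    print("edit", result["config_file"])
    print(result["config"])
    print(result["hivemodule"])
```

To use it against a real installation, read the config-store file named by config_file_for() and hivemodule.xml from the paths in steps 6 and 7, pass their contents in, and write the returned strings back only after reviewing the diff; in a cluster, the config-store change is then replicated from the console node while hivemodule.xml still has to be edited on every node.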

PingFederate provides two cleanup tasks for persistent grants. One task manages expired grants, while another task caps the number of grants based on a combination of user, client, grant type, and authentication context. For more information, see OAuth persistent grants cleanup.