PingFederate removes expired persistent grants once a day. The cleanup task removes 500 expired grants at a time until all expired grants are removed. If expired grants are growing rapidly, you can optionally increase the frequency of the cleanup task.


Increasing the frequency of the cleanup task or the number of expired sessions to be removed per batch (or both) adds more workload to your storage server. We recommend making changes gradually to observe the impact, if any.


In a clustered PingFederate environment, the cleanup task runs only on the console node. If adjustments are required, make them on the console node. No changes are required on any of the engine nodes.

When storing persistent grants on a PingDirectory server (version 7.0 or a more recent version), you have the option to use the PingFederate cleanup task or configure a cleanup plugin in PingDirectory instead. The plugin allows fine-grained control over various aspects of the cleanup task, which could smooth out the performance impact. For more information and configuration steps, see Managing expired persistent grants in PingDirectory.

  1. Optional: Adjust the frequency of the cleanup task.
    1. Edit the timer-intervals.xml<pf_install>/pingfederate/server/default/data/config-store directory.
    2. Update the AccessGrantCleanerInterval value (in milliseconds).

      The default value is 86400000, which is 24 hours.

    3. Save your change.
  2. Optional: Adjust the number of expired grants to be removed per batch.
    1. Edit the configuration file relevant to your storage platform.
      This configuration file is located in the file, located in the <pf_install>/pingfederate/server/default/data/config-store directory, as described in the following table.
      Storage platform Configuration file
      Database server org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl.xml
      PingDirectory org.sourceid.oauth20.token.AccessGrantManagerLDAPPingDirectoryImpl.xml
      Microsoft Active Directory org.sourceid.oauth20.token.AccessGrantManagerLDAPADImpl.xml
      Oracle Directory Server Enterprise Edition or Oracle Unified Directory org.sourceid.oauth20.token.AccessGrantManagerLDAPOracleImpl.xml
    2. Update the ExpiredGrantBatchSize value.

      The following example shows an updated value of 400.

       file, located in the<?xml version="1.0" encoding="UTF-8"?>
      <c:config xmlns:c="">
          <c:item name="ExpiredGrantBatchSize">400</c:item>

      The default value is 500.

    3. Save your change.
  3. If you have made any changes, restart PingFederate.
    In a clustered PingFederate environment, no changes or restart of PingFederate is required on any of the engine nodes.