If you use PingDirectory , or another directory, to store OAuth persistent grants for PingFederate, the following attributes must be indexed to ensure that access grant queries perform efficiently.
Attribute name | Index type |
---|---|
accessGrantGuid | equality |
accessGrantUniqueUserIdentifier | equality |
accessGrantHashedRefreshTokenValue | equality |
accessGrantClientId | equality |
accessGrantExpires | ordering |
Use PingDirectory's dsconfig utility to create these indexes. The dsconfig utility is interactive. You can also provide inputs as command arguments. The following examples create the required indexes:
$ bin/dsconfig create-local-db-index \
--backend-name userRoot \
--index-name accessGrantGuid \
--set index-type:equality
$ bin/dsconfig create-local-db-index \
--backend-name userRoot \
--index-name accessGrantUniqueUserIdentifier \
--set index-type:equality
$ bin/dsconfig create-local-db-index \
--backend-name userRoot \
--index-name accessGrantHashedRefreshTokenValue \
--set index-type:equality
$ bin/dsconfig create-local-db-index \
--backend-name userRoot \
--index-name accessGrantClientId \
--set index-type:equality
$ bin/dsconfig create-local-db-index \
--backend-name userRoot \
--index-name accessGrantExpires \
--set index-type:ordering
After adding the indexes, use the rebuild-index utility to build the indexes. For instance, the following example builds the required indexes.
$ bin/rebuild-index \
--baseDN "dc=example,dc=com" \
--index accessGrantGuid \
--index accessGrantUniqueUserIdentifier \
--index accessGrantHashedRefreshTokenValue \
--index accessGrantClientId \
--index accessGrantExpires
For more information, see Working with Indexes in the PingDirectory Administration Guide .
Furthermore, you may configure a PingDirectory plugin to handle the cleanup of expired persistent grants and the associated attributes. The plugin allows fine-grained control over various aspects of the cleanup task, which could smooth out the performance impact. For more information, see Managing expired persistent grants in PingDirectory.