Access tokens that use the reference token data model provide a reference to some set of attributes. The resource server (RS) must de-reference the access tokens for the corresponding identity and security information at the OAuth authorization server (AS) that issued them. (PingFederate is the AS.)

The reference token data model supports both adaptive clustering and directed clustering. For adaptive clustering, PingFederate shares token information across a replica set. If region identifiers are defined, PingFederate shares token information across replica sets in multiple regions. You can optionally override this default behavior in the configuration file for adaptive clustering. For directed clustering, PingFederate shares token information among all engine nodes, regardless of any state-server or subcluster setup.

  1. Modify the default values as needed.

    Refer to the following table for detailed information about each field.

    Field: Token Length (Required)

    The number of characters that PingFederate uses to define the token reference. Increasing the length enhances token security.

    The default value is 28. The minimum and maximum values are 22 and 256, respectively.

    Field: Token Lifetime (Required)

    The amount of time in minutes that an access token is considered valid.

    The default value is 120 (minutes).

    Field: Lifetime Extension Policy

    Indicates whether PingFederate should reset the lifetime of an access token each time the token is validated, subject to the values defined in the Maximum Token Lifetime and Lifetime Extension Threshold Percentage fields.

    The options are:

    • No Extension
    • Tokens Not Backed by Persistent Access Grants (Transient Grants)
    • All Tokens

    The default selection is No Extension.

    Field: Maximum Token Lifetime

    Defines an absolute maximum token lifetime in minutes for use with the Lifetime Extension Policy setting. When configured, the lifetime of access tokens can be extended but not beyond the configured value. Any value, if specified, must be greater than or equal to the value specified in the Token Lifetime field.

    This optional field has no default value.

    Field: Lifetime Extension Threshold Percentage (Required)

    When PingFederate is deployed in a cluster and token-lifetime extension is enabled, there must be a cluster-group remote procedure call (RPC) to extend the life of a token.

    This setting limits RPC overhead by suspending the calls until the set threshold is crossed. For example, if the token lifetime is 60 minutes and the threshold is 30%, the lifetime will not be extended until the remaining time is less than 18 minutes. This option can reduce RPC traffic between nodes by orders of magnitude while still supporting a lifetime extension policy.

    The default value is 30 (percent).

    Advanced Fields

    Field: Mode for Synchronous RPC

    Synchronous RPC calls occur when a node receives a verification request for a token it does not recognize, and on token issuance.

    When Majority of Nodes is selected, the server waits for the majority of recipients to respond. This mode also eliminates the need for a complete state synchronization at startup.

    When All Nodes is selected, the server waits for all recipients to respond.

    The default selection is Majority of Nodes.

    Field: RPC Timeout (Required)

    The timeout value (in milliseconds) for synchronous communication between cluster nodes. The recommended range is 100 to 1000 milliseconds (1 second).

    The default value is 500 (milliseconds).

    Field: Expand Scope Groups

    Determines whether to expand scope groups into their corresponding scopes in the access token contents and introspection response.

    This check box is not selected by default.
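To make the interaction of the four lifetime fields above concrete, here is an added Python model (not PingFederate code) of the decision made on each token validation: the Lifetime Extension Policy and the grant type decide eligibility, the Threshold Percentage decides whether a cluster RPC is worth sending, and Maximum Token Lifetime caps the result. The field names, defaults and the 60-minute/30% figures come from the table; the dataclass, enum and function names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class ExtensionPolicy(Enum):
    NO_EXTENSION = "No Extension"
    TRANSIENT_GRANTS = "Tokens Not Backed by Persistent Access Grants"
    ALL_TOKENS = "All Tokens"


@dataclass
class ReferenceTokenSettings:
    """The lifetime-related fields from the table, with the page's defaults
    (names are assumptions; values are the documented ones)."""
    token_lifetime_min: int = 120
    extension_policy: ExtensionPolicy = ExtensionPolicy.NO_EXTENSION
    max_token_lifetime_min: Optional[int] = None   # optional, no default
    threshold_percent: int = 30

    def __post_init__(self) -> None:
        # Maximum Token Lifetime, if set, must be >= Token Lifetime.
        if (self.max_token_lifetime_min is not None
                and self.max_token_lifetime_min < self.token_lifetime_min):
            raise ValueError("Maximum Token Lifetime must be >= Token Lifetime")


def validate(settings: ReferenceTokenSettings, issued_at: int, expires_at: int,
             now: int, persistent_grant: bool) -> Tuple[bool, int, bool]:
    """Model one validation of a reference token (all times in minutes).

    Returns (is_valid, new_expires_at, rpc_sent). rpc_sent is True only when
    the lifetime was actually extended, i.e. when a cluster RPC is needed.
    """
    if now >= expires_at:
        return False, expires_at, False          # expired: nothing to extend
    policy = settings.extension_policy
    if policy is ExtensionPolicy.NO_EXTENSION:
        return True, expires_at, False
    if policy is ExtensionPolicy.TRANSIENT_GRANTS and persistent_grant:
        return True, expires_at, False           # persistent grants excluded
    # Threshold check: extend only once the remaining time drops below
    # threshold% of the configured lifetime (60 min at 30% -> below 18 min).
    threshold = settings.token_lifetime_min * settings.threshold_percent / 100
    if expires_at - now >= threshold:
        return True, expires_at, False           # above threshold: no RPC
    new_expiry = now + settings.token_lifetime_min
    if settings.max_token_lifetime_min is not None:
        new_expiry = min(new_expiry, issued_at + settings.max_token_lifetime_min)
    if new_expiry <= expires_at:
        return True, expires_at, False           # already at the absolute cap
    return True, new_expiry, True
```

Run the same token through successive validations to see the RPCs stop once the absolute cap is reached, and compare with the default settings, where No Extension means no RPC regardless of the threshold.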