When an SP is configured to use account linking for an IdP connection, PingFederate uses an embedded HSQLDB database as the account-link repository. This default implementation does not require any changes to PingFederate to support account linking in a standalone environment. You can also configure PingFederate to store account links on a database server or a directory server. An external storage may also address performance or scalability requirements that exceed the HSQLDB database's capabilities. It can also address the scenario where you and your federation partner previously established a different system for creating and mapping opaque pseudonyms, and PingFederate needs access to the system.
For server clustering, an external grant storage is required because the internal HSQLDB database cannot be shared across other PingFederate engine nodes.
For production standalone deployments, consider maintaining account links securely on an external storage medium.
Changing the default storage involves two tasks.
- Create the required data structure on the external storage medium.
- Modify two PingFederate configuration XML files.