When a cluster spans multiple regions, administrators may specify region identifiers for different groups of nodes. When regions are defined, PingFederate adjusts its algorithm such that any node that receives a request and must store session-state information can do so by sending the information to replica sets in both the local region and the remote regions. For requests that require read-only access to session-state information, the operations are performed locally for optimal performance. Furthermore, as individual nodes in different regions join and leave the cluster, adaptive clustering redistributes session-state information within the region where changes in the cluster membership occur. This approach strikes a balance between minimizing the volume of session-state network traffic and improving the accuracy of session-state information across regions.

Cross-region support is enabled automatically when region identifiers are configured (and adaptive clustering is enabled). Specifically, PingFederate provides cross-region support in the following areas:

  • User session-state information maintained by the Inter-Request State-Management Service, the IdP Session Registry Service, and the SP Session Registry Service.
    Note: Per-SSO transaction states are not replicated cross-region. If, within the same SSO transaction, the user navigates or is redirected to different nodes in different regions or cluster node groups, the SSO transaction fails with the error "Unable to resume processing because saved state was not found for key".

    For PingFederate adaptive clustering to work properly, the user's browser is expected to return to the same region or cluster node group throughout the processing of an authentication policy. This is most commonly achieved with a global load balancer that uses DNS to provide an IP address appropriate to the user's geographic location. Network-level stickiness is not required within a given region or node group and is normally not recommended, because it can interfere with correct load balancing of application servers interacting with PingFederate.

  • Assertion Replay Prevention Service.
  • Account Locking Service.
  • Replication, validation, and revocation of access tokens using the reference-token data model.

As needed, you can disable cross-region support in individual areas, in which case an engine node only pushes and pulls session-state information to and from the local replica set. To improve the accuracy of session-state information, you may deploy a network traffic management solution to persist, or stick, user sessions so that each subsequent request from the same user is directed to the same set of nodes.

OAuth access token management

When adaptive clustering is enabled, PingFederate shares reference token information with a replica set. If region identifiers are defined, PingFederate shares reference token information among multiple replica sets across regions. As with other services, you can optionally override this default behavior in the configuration file for adaptive clustering.

When you disable cross-region support for access tokens using the reference-token data model, PingFederate does not share reference token information across regions. As a result, PingFederate will not be able to de-reference, validate, or revoke reference-style access tokens that were issued outside of its region. For this reason, we recommend switching to the self-contained token data model prior to disabling cross-region support for the reference-token data model.
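
The following added example is a simplified model of the replication rules described on this page (writes go to local and remote replica sets, reads are local, per-SSO transaction state stays in its region). It is not PingFederate code; the class, region names, and keys are hypothetical. It shows the consequence of disabling cross-region support for reference tokens: a revocation request that reaches another region fails, and the token remains valid where it was issued.

```python
# Simplified model of the behaviour described above; not PingFederate code.
# Region names ("us", "eu") and keys are constructed for illustration.

class Cluster:
    def __init__(self, regions, cross_region=True):
        # One dict per region stands in for that region's replica set.
        self.stores = {r: {} for r in regions}
        self.cross_region = cross_region

    def _targets(self, region, replicated):
        # Replicated state goes to every region only if cross-region is on.
        if replicated and self.cross_region:
            return list(self.stores)
        return [region]

    def write(self, region, key, value, replicated=True):
        for r in self._targets(region, replicated):
            self.stores[r][key] = value

    def read(self, region, key):
        # Read-only operations are always served from the local region.
        return self.stores[region].get(key)

    def revoke(self, region, key):
        # A node can only revoke a token it can de-reference locally.
        if key not in self.stores[region]:
            return False
        for r in self._targets(region, True):
            self.stores[r].pop(key, None)
        return True


def scenario(cross_region):
    c = Cluster(["us", "eu"], cross_region)
    c.write("us", "token:abc", {"sub": "alice"})               # reference token
    c.write("us", "sso-txn:1", {"step": 2}, replicated=False)  # per-SSO state
    return {
        "token_valid_in_eu": c.read("eu", "token:abc") is not None,
        "txn_resumable_in_eu": c.read("eu", "sso-txn:1") is not None,
        "revoked_from_eu": c.revoke("eu", "token:abc"),
        "token_still_valid_in_us": c.read("us", "token:abc") is not None,
    }


if __name__ == "__main__":
    for enabled in (True, False):
        print("cross-region enabled:", enabled, scenario(enabled))
```

In both runs the SSO transaction cannot be resumed in the other region, which is why region affinity at the global load balancer is needed regardless of the cross-region setting.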