PingFederate needs specific tables on your database server to store grants and their associated attributes and values (if any). Table-setup scripts are provided for supported database servers.

  1. Run the table-setup scripts for your database server provided in the <pf_install>/pingfederate/server/default/conf/access-grant/sql-scripts directory.
  2. If you have not already done so, create a JDBC datastore for your database server on the System > Data Stores screen.
  3. Copy the system ID of the applicable JDBC datastore from the System > Data Stores screen.
  4. Edit the org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.
    Note: For a clustered environment, edit this file on the administrative console node first, and then replicate it to other engine nodes using System > Server > Cluster Management as explained in later steps.

    Replace the <c:item name="PingFederateDSJNDIName"/> element value with the system ID of your datastore connection and save the file.

    For example, if the system ID is JDBC-123456789ABCDEF123456789ABCDEF123456A0A6, update the org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl.xml file as follows:

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:item name="PingFederateDSJNDIName">JDBC-123456789ABCDEF123456789ABCDEF123456A0A6</c:item>
    </c:config>
  5. Edit the <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml file.
    1. Locate the AccessGrantManager service point:
      <!-- Service for storage of access grants -->
      <service-point id="AccessGrantManager" interface="com.pingidentity.sdk.accessgrant.AccessGrantManager">
          ...
          <create-instance class="org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl"/>
      </service-point>
    2. Set the value of the class attribute to org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl (the default value).
    3. Save the file.
    Note: For a clustered environment, you must edit the hivemodule.xml file on each node manually, because cluster replication cannot replicate this change to other nodes.

  6. Start or restart the PingFederate service.
    Note: For a clustered PingFederate environment, replicate this new configuration to other engine nodes on the System > Cluster Management screen; then start or restart the PingFederate service on each engine node to activate the change.
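
Because hivemodule.xml is edited by hand on every node, it is worth confirming that each node ended up with the settings from steps 4 and 5. The following is an added example, not part of the PingFederate documentation or product: it parses both files and reports mismatches. The sample XML, the module id, and the class name example.HypotheticalOtherImpl are constructed for illustration, and the hivemodule.xml root is assumed to be an un-namespaced <module> element.

```python
import xml.etree.ElementTree as ET

NS = {"c": "http://www.sourceid.org/2004/05/config"}
JDBC_IMPL = "org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl"

def datastore_id(config_xml):
    """Value of the PingFederateDSJNDIName item in the config-store file, or None."""
    for item in ET.fromstring(config_xml).findall("c:item", NS):
        if item.get("name") == "PingFederateDSJNDIName":
            return (item.text or "").strip() or None
    return None

def grant_manager_class(hivemodule_xml):
    """Class wired to the AccessGrantManager service point in hivemodule.xml, or None."""
    for sp in ET.fromstring(hivemodule_xml).iter("service-point"):
        if sp.get("id") == "AccessGrantManager":
            inst = sp.find(".//create-instance")
            return inst.get("class") if inst is not None else None
    return None

def check_node(config_xml, hivemodule_xml, expected_id):
    """Return a list of problems for one node; an empty list means the node matches."""
    problems = []
    found_id = datastore_id(config_xml)
    if found_id != expected_id:
        problems.append(f"PingFederateDSJNDIName is {found_id!r}, expected {expected_id!r}")
    found_cls = grant_manager_class(hivemodule_xml)
    if found_cls != JDBC_IMPL:
        problems.append(f"AccessGrantManager class is {found_cls!r}, expected {JDBC_IMPL!r}")
    return problems

# Constructed sample input (not taken from a real deployment).
EXPECTED_ID = "JDBC-123456789ABCDEF123456789ABCDEF123456A0A6"  # the page's example ID
CONFIG_OK = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<c:config xmlns:c="http://www.sourceid.org/2004/05/config">'
             f'<c:item name="PingFederateDSJNDIName">{EXPECTED_ID}</c:item></c:config>')
CONFIG_EMPTY = CONFIG_OK.replace(f">{EXPECTED_ID}</c:item>", "/>")  # value never filled in
HIVE_TEMPLATE = ('<module id="constructed.sample" version="1.0.0">'
                 '<service-point id="AccessGrantManager" '
                 'interface="com.pingidentity.sdk.accessgrant.AccessGrantManager">'
                 '<create-instance class="{cls}"/></service-point></module>')
HIVE_OK = HIVE_TEMPLATE.format(cls=JDBC_IMPL)
HIVE_STALE = HIVE_TEMPLATE.format(cls="example.HypotheticalOtherImpl")  # made-up class

if __name__ == "__main__":
    for name, cfg, hive in [("node-ok", CONFIG_OK, HIVE_OK),
                            ("node-stale", CONFIG_EMPTY, HIVE_STALE)]:
        print(name, check_node(cfg, hive, EXPECTED_ID) or "OK")
```

On a real node, read the two files as bytes from the paths given in steps 4 and 5 and pass the system ID copied in step 3 as `expected_id`.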

PingFederate provides two cleanup tasks for persistent grants. One task manages expired grants, while another task caps the number of grants based on a combination of user, client, grant type, and authentication context. For more information, see OAuth persistent grants cleanup.