The default administrative-console and runtime behavior of PingFederate is controlled in part by configuration properties set in the run.properties file. This file is located in the <pf_install>/pingfederate/bin directory.
The most common properties are documented in the following table. For the rest of the properties including various cookie-encoding options, refer to the file itself.
The clustering configuration options are also maintained in the run.properties file. For more information, see .
Property | Description |
---|---|
pf.admin.https.port | Defines the port on which the PingFederate administrative console runs.
The default value is 9999 . |
pf.console.bind.address | Defines the IP address over which the PingFederate administrative console communicates. Use for deployments where multiple network interfaces are installed on the machine running PingFederate. |
pf.console.title | Defines the browser window or tab title for the administrative console, used to make separate instances identifiable. |
pf.console.session.timeout | Defines the length of time in minutes until an inactive administrative
console times out. The minimum setting is 1 minute; maximum is 8 hours (480
minutes). Default is 30 minutes. |
pf.log.eventdetail | Enables or disables (the default) detailed event logging for actions performed by administrative-console users. |
pf.console.login.mode | Indicates whether more than one administrative user may access the
administrative console at one time. Supported values: Single | Multiple. The
default value is Multiple . |
pf.console.authentication | Indicates whether administrators log on to PingFederate using credentials managed internally by PingFederate or externally by other systems. |
pf.admin.api.authentication | Defines the authentication method of the PingFederate administrative API. |
ldap.properties.file | When LDAP administrative-console authentication is enabled, indicates the name of the file containing configuration properties. |
cert.properties.file | When certificate-based console authentication is enabled, indicates the name of the file containing configuration properties. |
radius.properties.file | When RADIUS-based console authentication is enabled, indicates the name of the file containing configuration properties. |
pf.http.port | Defines the port on which PingFederate listens for unencrypted HTTP
traffic at runtime. For security reasons, this port is turned off by
default. CAUTION:
This port should remain disabled in production if your deployment configuration directly exposes the PingFederate server to the Internet. |
pf.https.port | Defines the port on which PingFederate listens for encrypted HTTPS
(SSL/TLS) traffic. The default value is 9031 . |
pf.secondary.https.port | Defines a secondary HTTPS port that can be used for mutual SSL/TLS
(client X.509 certificate) authentication for both end users and protocol
requests (SAML, WS-Trust, and OAuth). Set its value to the desired inbound
listening TCP port. A value of -1 disables this feature.
Important:
If you are using client X.509 certificates for either WS-Trust STS
authentication or for SAML back-channel authentication, you must
use this port (or a similarly configured new listener) with
either the WantClientAuth or
NeedClientAuth parameter set to
For more information, see the note at the end of this table. |
pf.engine.bind.address | Defines the IP address over which the PingFederate server communicates with partner federation gateways. Use for deployments where multiple network interfaces are installed on the machine running PingFederate. |
pf.monitor.bind.address | Defines the IP address over which an SNMP agent and JMX communicate with PingFederate. Use for deployments where multiple network interfaces are installed on the machine running PingFederate. |
pf.engine.prefer_ipv4 | Defines the protocol to be used by PingFederate. True
(the default) enables use of IPv4 only. False enables use
of both IPv4 and IPv6. |
http.proxyHost and http.proxyPort | Specifies the hostname (or the IP address) and the port number of the forward proxy server that HTTP traffic originating from PingFederate must go through. |
https.proxyHost and https.proxyPort | Specifies the hostname (or the IP address) and the port number of the forward proxy server that HTTPS traffic originating from PingFederate must go through. |
http.nonProxyHosts | Specifies one or more destinations where PingFederate is not required to
proxy its HTTP and HTTPS traffic through the forward proxy server
configure by the http[s].proxyHost and
http[s].proxyPort properties. This property supports
multiple values separated by the pipe character (| ) and the
wildcard character (* ) for pattern matching; for example:
|
pf.runtime.context.path | Allows customization of the server path for PingFederate endpoints.
Note:
If this property is changed, the path must also be added to the base URL for your PingFederate environment. (Base URL is defined on the screen.)The pf.runtime.context.path property is also compatible with virtual host names. Unlike the base URL configuration, the virtual host names configuration does not require any context path. (Virtual host names are defined on the screen.) For example, suppose the base URL is
https://www.example.com:9031 and the virtual host names are
www.example.org and www.example.info. If you want to configure the
pf.runtime.context.path property value as
|
pf.log.dir | Network path to the output location of log files. The default
is: <pf_install>/pingfederate/log |
pf.hsm.mode | Enables or disables (the default) a FIPS-compliance Hardware Security Module (HSM). |
pf.hsm.hybrid | Enables or disables the HSM hybrid mode. Applicable only when the
pf.hsm.mode property is configured to use an
HSM. When set to The HSM hybrid mode allows an organization move the storage of keys and certificates from the local trust store to an HSM over time without deploying a new PingFederate installation and mirroring the setup. For more information, see Transitioning to an HSM. |
pf.provisioner.mode | Enables or disables (the default) outbound provisioning. Also used to enable provisioning failover. |
pf.heartbeat.system.monitoring | Enables or disables (the default) the heartbeat endpoint
(/pf/heartbeat.ping) to return detailed system
monitoring information through a customizable Velocity template file (see
Customizing the heartbeat message). When set to false, the /pf/heartbeat.ping endpoint returns OK. When set to true, the /pf/heartbeat.ping endpoint returns all available stats. |
org.apache.xml.security.ignoreLineBreaks | Determines whether PingFederate omits line breaks in XML digital
signatures. If omitted, this setting defaults to false . It
is recommended to set this property to true for improved
interoperability with Microsoft products. |
Additional configuration of the listener ports (including adding new listeners) is
available via the
<pf_install>/pingfederate/etc/jetty-runtime.xml
file. For example, options include the WantClientAuth and
NeedClientAuth flags, which indicate that a client
certificate is either requested or required, respectively, for mutual SSL/TLS. (For
the pre-configured SSL secondary port, the WantClientAuth
parameter is set to true
and the NeedClientAuth
parameter is set to false
by default.)
You must manually configure the runtime server-related properties on each engine node. The run.properties file is not copied from the console node to the engine nodes automatically; it is also not part of the Replicate Configuration process. PingFederate must be restarted if running.