PingFederate requires specific schema objects in order to store grants, the associated attributes, and their values (if any) on your directory server. LDIF scripts are provided for supported directory servers.
- Review the LDIF scripts for your directory server provided in the <pf_install>/pingfederate/server/default/conf/access-grant/ldif-scripts directory.
- Replace placeholder values with relevant information from your directory server.
-
Run the LDIF scripts to update your LDAP schema.
Note:
For Active Directory, run the script to create the attributes, then run the script to create the object class.
- If you have not already done so, create an LDAP datastore for your directory server on System > Data & Credential Stores > Data Stores.
- Copy the system ID of the applicable LDAP datastore from System > Data & Credential Stores > Data Stores.
-
Edit the configuration file relevant to your directory server.
Note: This configuration file is located in the <pf_install>/pingfederate/server/default/data/config-store directory, as described in the following table.
Directory server Configuration file PingDirectory org.sourceid.oauth20.token.AccessGrantManagerLDAPPingDirectoryImpl.xml Microsoft Active Directory org.sourceid.oauth20.token.AccessGrantManagerLDAPADImpl.xml Oracle Directory Server Enterprise Edition or Oracle Unified Directory org.sourceid.oauth20.token.AccessGrantManagerLDAPOracleImpl.xml -
Replace the
<c:item name="PingFederateDSJNDIName"/>
element value with the system ID of your datastore connection.If the system ID is
LDAP-123456789ABCDEF123456789ABCDEF123456A0A6
, update the configuration file as follows.... <!-- Data store id --> <c:item name="PingFederateDSJNDIName">LDAP-123456789ABCDEF123456789ABCDEF123456A0A6</c:item> ...
-
Enter a value for the
<c:item name="SearchBase"/>
element.Tip:This is the distinguished name (DN) that points to the access grants location. For more information, see the inline comment and the LDIF scripts in the <pf_install>/pingfederate/server/default/conf/access-grant/ldif-scripts directory.
- Update the attribute names only if you have changed attribute names in the LDIF scripts located in the <pf_install>/pingfederate/server/default/conf/access-grant/ldif-scripts directory.
- Save the file.
-
Replace the
-
Edit the
<pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml
file.
-
Locate the
AccessGrantManager
service point.<!-- Service for storage of access grants --> <service-point id="AccessGrantManager" interface="com.pingidentity.sdk.accessgrant.AccessGrantManager"> <create-instance class="org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl"/> </service-point>
-
Update the
class
attribute value to one of the following values.Directory server Class value PingDirectory org.sourceid.oauth20.token.AccessGrantManagerLDAPPingDirectoryImpl
Microsoft Active Directory org.sourceid.oauth20.token.AccessGrantManagerLDAPADImpl
Oracle Directory Server Enterprise Edition or Oracle Unified Directory org.sourceid.oauth20.token.AccessGrantManagerLDAPOracleImpl
- Save the file.
Note:For a clustered PingFederate environment, you must edit the hivemodule.xml file on each node manually as cluster replication cannot replicate this change to other nodes.
-
Locate the
-
Start or restart PingFederate.
Note:
For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System > Server > Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.
-
In the directory, create indexes for the following OAuth grant attributes. If you
are using PingDirectory, see Indexing grant attributes in PingDirectory for more
information.
Attribute name Index type accessGrantGuid
equality accessGrantUniqueUserIdentifier
equality accessGrantHashedRefreshTokenValue
equality accessGrantClientId
equality accessGrantExpires
ordering
PingFederate provides two cleanup tasks for persistent grants. One task manages expired grants, while another task caps the number of grants based on a combination of user, client, grant type, and authentication context. For more information, see OAuth persistent grants cleanup.