Configuring reference token management - PingFederate

Configuring reference token management - PingFederate - 10.2

PingFederate Server

bundle

pingfederate-102

ft:publication_title

PingFederate Server

Product_Version_ce

PingFederate 10.2

category

Product

pf-102

pingfederate

ContentType_ce

Page created: 15 Jul 2020 |

Page updated: 28 Mar 2023

| 3 min read

Product PingFederate 10.2 Configuration User task OAuth Standards, specifications, and protocols Software Deployment Method Product documentation Content Type Administrator Audience

Access tokens that use the reference token data model provide a reference to a set of attributes. The resource server must de-reference the access tokens for the corresponding identity and security information at the OAuth authorization server that issued them. PingFederate is the authorization server.

The reference token data model supports both adaptive clustering and directed clustering. For adaptive clustering, PingFederate shares token information across a replica set. If region identifiers are defined, PingFederate shares token information across replica sets in multiple regions. You can optionally override this default behavior in the configuration file for adaptive clustering. For directed clustering, PingFederate shares token information among all engine nodes, despite any state server or subcluster setup.

Go to Applications > OAuth > Access Token Management and click Create New Instance.

On the Instance Configuration window, modify the default values as needed.

The following table describes each field.

Field	Description
Token Length (Required)	The number of characters that PingFederate uses to define the token reference. Increasing the length enhances token security. The default value is `28` characters. The minimum and maximum values are 22 and 256, respectively.
Token Lifetime (Required)	The amount of time in minutes that an access token is considered valid. The default value is `120` minutes.
Lifetime Extension Policy	Indicates whether PingFederate should reset the lifetime of an access token each time the token is validated, subject to the values defined in the Maximum Token Lifetime and Lifetime Extension Threshold Percentage fields. The options are: No Extension Tokens Not Backed by Persistent Access Grants (Transient Grants) All Tokens The default selection is No Extension.
Maximum Token Lifetime	Defines an absolute maximum token lifetime for use with the Lifetime Extension Policy setting, in minutes. When configured, the lifetime of access tokens can be extended but not beyond the configured value. Any value, if specified, must be greater than or equal to the value specified in the Token Lifetime field. This optional field has no default value.
Lifetime Extension Threshold Percentage (Required)	When PingFederate is deployed in a cluster and token-lifetime extension is enabled, there must be a cluster-group remote procedure call (RPC) to extend the life of a token. To limit RPC overhead, this setting suspends the calls until the remaining time is less than the chosen value, as a percentage of token lifetime. For example, if the token lifetime is 60 minutes and the Lifetime Extension Threshold Percentage value is `30` percent, the lifetime will not be extended until the remaining time is less than 18 minutes. This option can drastically reduce RPC traffic between nodes, while still supporting a lifetime extension policy. The default value is `30` percent.
Advanced Fields
Mode for Synchronous RPC	Synchronous RPC calls occur when a node receives a verification request for a token it does not recognize, and for token issuance. When Majority of Nodes is selected, the server waits for the majority of recipients to respond. It also eliminates the need for a complete state synchronization at startup. When All Nodes is selected, the server waits for all recipients to respond. The default selection is Majority of Nodes.
RPC Timeout (Required)	The timeout value between cluster nodes during synchronous communication, in milliseconds. The recommended value ranges from 100 milliseconds to 1000, or 1 second. The default value is `500` milliseconds.
Expand Scope Groups	Determines whether to expand scope groups into their corresponding scopes in the access token contents and introspection response. This check box is not selected by default.