  1. Update the LDAP schema.
    1. Sign on to the PingDirectory administrative console.
    2. Go to LDAP Schema > Schema Utilities.
    3. Click Import Schema Element.
    4. Copy the schema changes from the authentication-session-attributes-ldap-pingdirectory.ldif file and paste them into the text area.
      The file is located in the <pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts directory.

      Replace the placeholder values with relevant information from your directory server.

    5. Click Import.
  2. Create the following indexes.
    Attribute name                                  Index type
    ----------------------------------------------  ----------
    pf-authn-session-group-hashed-session-id        equality
    pf-authn-session-group-user-ids                 equality
    pf-authn-session-group-expiry-time              ordering
    pf-authn-session-group-last-activity-time       ordering

    Create these indexes with PingDirectory's dsconfig utility. The dsconfig utility is interactive by default, but you can also provide the inputs as command arguments, as the following examples do.

    $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name pf-authn-session-group-hashed-session-id \
      --set index-type:equality
    $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name pf-authn-session-group-user-ids \
      --set index-type:equality
    $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name pf-authn-session-group-expiry-time \
      --set index-type:ordering
    $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name pf-authn-session-group-last-activity-time \
      --set index-type:ordering

    After adding the indexes, use the rebuild-index utility to build the indexes. The following example builds the required indexes.

    $ bin/rebuild-index \
      --baseDN "dc=example,dc=com" \
      --index pf-authn-session-group-hashed-session-id \
      --index pf-authn-session-group-user-ids \
      --index pf-authn-session-group-expiry-time \
      --index pf-authn-session-group-last-activity-time

    For more information, see Working with Indexes in the PingDirectory Administration Guide.

  3. If you have not already done so, create an LDAP data store for your directory server on System > Data & Credential Stores > Data Stores.
  4. Copy the system ID of the applicable LDAP data store from the Data Stores window.
  5. Edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl.xml file.

    For a clustered PingFederate environment, edit this file on the administrative console node first, and then replicate to other engine nodes using System > Server > Cluster Management as explained in later steps.

    1. Replace the <c:item name="PingFederateDSJNDIName"/> element value with the system ID of your data store connection.

      For example, if the system ID is LDAP-123456789ABCDEF123456789ABCDEF123456A0AC, update the configuration file as follows.

      <!-- Data store id -->
      <c:item name="PingFederateDSJNDIName">LDAP-123456789ABCDEF123456789ABCDEF123456A0AC</c:item>
    2. Enter a value for the <c:item name="SearchBase"/> element.

      This is the distinguished name (DN) that points to the client location. For more information, see the inline comment and the LDIF scripts in the <pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts directory.

    3. Update the attribute names only if you have changed attribute names in the LDIF scripts located in the <pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts directory.
    4. Save the file.
  6. Edit the <pf_install>/pingfederate/server/default/conf/META-INF/hivemodule.xml file.
    1. Locate the SessionStorageManager service point.
      <!-- Service for storing Authentication Sessions. -->
      <service-point id="SessionStorageManager" interface="org.sourceid.saml20.service.session.data.SessionStorageManager">
              <!--
              Supported classes are
              org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl : Use this service-point for a Jdbc implementation.
              org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl : Use this service-point for an LDAP implementation.
              -->
              <construct class="org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl"/>
    2. Set the value of the class attribute to org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl.
    3. Save the file.

    For a clustered environment, you must edit the hivemodule.xml file on each node manually as cluster replication can't replicate this change to other nodes.

  7. Start or restart the PingFederate service.

    For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System > Server > Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.


    When storing persistent authentication sessions on a PingDirectory server, you must also configure a cleanup plugin in PingDirectory to remove expired authentication sessions from your directory server. For more information, see Managing authentication sessions stored in PingDirectory.
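
Because hivemodule.xml has to be edited by hand on every node (step 6), a per-node check before the restart catches a node whose session store still points at the JDBC implementation or whose data store ID or search base (step 5) was left empty. The script below is an added example, not Ping Identity code; the function names and the sample file contents are constructed for illustration, and it assumes each `<construct>` and `<c:item>` element sits on a single line.

```shell
#!/bin/sh
# Added example (not Ping Identity code): per-node check of the files edited in steps 5 and 6.
LDAP_IMPL='org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl'

# Print the class of the active <construct> in the SessionStorageManager
# service point, skipping class names that appear only inside XML comments.
session_store_class() {  # $1 = hivemodule.xml
    awk '
        /<service-point[^>]*id="SessionStorageManager"/ { in_sp = 1 }
        in_sp && /<!--/ { in_c = 1 }
        in_sp && !in_c && /<construct[ \t]/ {
            sub(/.*class="/, ""); sub(/".*/, ""); print; exit
        }
        in_sp && /-->/ { in_c = 0 }
        in_sp && /<\/service-point>/ { exit }
    ' "$1"
}

# Print the text of <c:item name="NAME">...</c:item>; empty if unset or self-closed.
config_item() {  # $1 = config-store XML file, $2 = item name
    sed -n "s|.*<c:item name=\"$2\">\([^<]*\)</c:item>.*|\1|p" "$1" | head -n 1
}

check_node() {  # $1 = hivemodule.xml, $2 = SessionStorageManagerLdapImpl.xml
    rc=0
    cls=$(session_store_class "$1")
    [ "$cls" = "$LDAP_IMPL" ] || { echo "FAIL: active class is '${cls:-none}'"; rc=1; }
    for item in PingFederateDSJNDIName SearchBase; do
        [ -n "$(config_item "$2" "$item")" ] || { echo "FAIL: $item is empty"; rc=1; }
    done
    return "$rc"
}

# Constructed sample files (not copied from a real installation).
demo=$(mktemp -d)
cat > "$demo/hivemodule.xml" <<'EOF'
<service-point id="SessionStorageManager" interface="org.sourceid.saml20.service.session.data.SessionStorageManager">
  <!-- Supported classes are
       org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl
       org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl -->
  <construct class="org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl"/>
</service-point>
EOF
cat > "$demo/store.xml" <<'EOF'
<c:item name="PingFederateDSJNDIName">LDAP-123456789ABCDEF123456789ABCDEF123456A0AC</c:item>
<c:item name="SearchBase"/>
EOF
check_node "$demo/hivemodule.xml" "$demo/store.xml" || echo "node needs attention"
```

On a real node, call check_node with the two file paths from steps 5 and 6 instead of the sample files; a non-zero return means the node is not ready to be restarted.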