Indexing grant attributes in PingDirectory - PingFederate - 11.0


If you use PingDirectory, or another directory, to store OAuth persistent grants for PingFederate, you must index the grant attributes.

Index these OAuth grant attributes using the procedure below.

Attribute name                        Index type
accessGrantGuid                       equality
accessGrantUniqueUserIdentifier       equality
accessGrantHashedRefreshTokenValue    equality
accessGrantClientId                   equality
accessGrantExpires                    ordering
  1. Create the indexes using the PingDirectory dsconfig utility.
    The dsconfig utility is interactive, letting you enter command arguments. The following examples create the required indexes.
    $ bin/dsconfig create-local-db-index \
                      --backend-name userRoot \
                      --index-name accessGrantGuid \
                      --set index-type:equality
    $ bin/dsconfig create-local-db-index \
                      --backend-name userRoot \
                      --index-name accessGrantUniqueUserIdentifier \
                      --set index-type:equality
    $ bin/dsconfig create-local-db-index \
                      --backend-name userRoot \
                      --index-name accessGrantHashedRefreshTokenValue \
                      --set index-type:equality
    $ bin/dsconfig create-local-db-index \
                      --backend-name userRoot \
                      --index-name accessGrantClientId \
                      --set index-type:equality
    $ bin/dsconfig create-local-db-index \
                      --backend-name userRoot \
                      --index-name accessGrantExpires \
                      --set index-type:ordering
  2. After adding the indexes, build the indexes using the rebuild-index utility.
    The following example builds the required indexes.
    $ bin/rebuild-index \
                      --baseDN "dc=example,dc=com" \
                      --index accessGrantGuid \
                      --index accessGrantUniqueUserIdentifier \
                      --index accessGrantHashedRefreshTokenValue \
                      --index accessGrantClientId \
                      --index accessGrantExpires
    Note: You can configure a PingDirectory plugin to handle the cleanup of expired persistent grants and the associated attributes. The plugin allows fine-grained control over various aspects of the cleanup task, which can smooth out the performance impact. For more information, see Managing expired persistent grants in PingDirectory.