Managing authentication sessions stored in PingDirectory - PingFederate - 11.0


When storing persistent authentication sessions on a PingDirectory server, you must also configure a cleanup plugin in PingDirectory to remove expired authentication sessions from your directory server.

  1. Disable the PingFederate cleanup task.
    Important: For a clustered PingFederate environment, make these changes on the console node. None of the engine nodes require any changes.

    1. Edit the <pf_install>/pingfederate/server/default/data/config-store/timer-intervals.xml file.
    2. Update the StoredSessionCleanerInterval value to 0.
    3. Save your changes.
    4. Restart PingFederate.
  2. Sign on to the PingDirectory administrative console.
  3. Go to Configuration > Plugin Root.
  4. On the Plugin Root window, click New Plugin, and then select Purge Expired Data Plugin.
  5. Configure a new instance of the Purge Expired Data Plugin.

    See the following table for information about each required field.

    Field
        Description

    Name
        The name of this plugin instance.

    Enabled
        The status of this plugin instance.

        Select the check box to enable this plugin instance. Clear the check box to disable this plugin instance.

        This check box is not selected by default.

    Datetime Attribute
        The attribute whose value determines whether an authentication session has expired in the context of this plugin instance. Valid options are pf-authn-session-group-expiry-time and pf-authn-session-group-last-activity-time.

        pf-authn-session-group-expiry-time
            Set to pf-authn-session-group-expiry-time if this plugin instance should only remove persistent authentication sessions that have expired.

            This plugin instance determines if a session can be removed by looking at the session's expiration timestamp and the current time. If the expiration timestamp is older than the current time by the number of minutes specified by the Expiration Offset field, the session is subject to removal.

        pf-authn-session-group-last-activity-time
            Set to pf-authn-session-group-last-activity-time if this plugin instance should remove persistent authentication sessions that have been left idle.

            This plugin instance determines if a session can be removed by looking at the session's last activity timestamp and the current time. If the last activity timestamp is older than the current time by the number of minutes specified by the Expiration Offset field, the session is subject to removal.

            For example, to remove persistent authentication sessions for which the last activity time is more than three weeks ago, set the Datetime Attribute value to pf-authn-session-group-last-activity-time and the Expiration Offset value to 3 w.

    Datetime Format
        The format of the attribute specified in the Datetime Attribute field.

        Select generalized-time from the list.

        The default selection is generalized-time.

    Expiration Offset
        The offset relative to the current time.

        Enter an integer to indicate the time value, followed by its unit of measurement.

        This field has no default value.

    Purge Behavior
        The method this plugin instance uses to remove expired data.

        Select subtree-delete-entries from the list.

        This field has no default selection.

    Polling Interval
        How often this plugin instance runs.

        Enter an integer to indicate the time value, followed by its unit of measurement.

        This field has no default value.

    Max Updates Per Second
        This setting smooths out the performance impact on the server by throttling the purging to the specified maximum number of updates per second. To avoid a large backlog, set this value comfortably above the average rate at which expired data is generated.

        When you select subtree-delete-entries from the Purge Behavior list, deletion of the entire subtree is considered a single update for the purposes of throttling.

        This field has no default value.

  6. Click Save.
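
The following added example (not part of the PingFederate or PingDirectory documentation, and not the plugin's own code) models the removal rule described for the Datetime Attribute and Expiration Offset fields, so you can check which sessions a given pair of settings would select before enabling the plugin. The entry names, timestamps, and the set of accepted unit letters are assumptions made for this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

# Unit letters are an assumption for this sketch; the page itself only shows "3 w".
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
EXPIRY = "pf-authn-session-group-expiry-time"
IDLE = "pf-authn-session-group-last-activity-time"

def parse_offset(text):
    """Turn an Expiration Offset such as '3 w' into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw])\s*", text)
    if not m:
        raise ValueError(f"unsupported offset: {text!r}")
    return timedelta(**{UNITS[m.group(2)]: int(m.group(1))})

def parse_generalized_time(value):
    """Parse a UTC generalized-time value, e.g. '20240301120000.000Z'."""
    m = re.fullmatch(r"(\d{14})(?:[.,](\d+))?Z", value)
    if not m:
        raise ValueError(f"not a UTC generalized-time value: {value!r}")
    stamp = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return stamp + timedelta(seconds=float("0." + (m.group(2) or "0")))

def purgeable(entries, datetime_attribute, offset, now):
    """Return the entries whose timestamp is older than `now` by more than `offset`."""
    cutoff = now - parse_offset(offset)
    stale = []
    for name, attrs in entries:
        raw = attrs.get(datetime_attribute)
        # An entry without the chosen attribute has nothing to compare, so skip it.
        if raw is not None and parse_generalized_time(raw) < cutoff:
            stale.append(name)
    return stale

# Constructed sample data: hypothetical entry names stand in for session DNs.
NOW = datetime(2024, 3, 29, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    # Expired 25 hours ago, last used 26 hours ago.
    ("session-a", {EXPIRY: "20240328110000.000Z", IDLE: "20240328100000.000Z"}),
    # Not yet expired, but idle for four weeks.
    ("session-b", {EXPIRY: "20240601000000.000Z", IDLE: "20240301120000.000Z"}),
    # Expired 30 minutes ago, last used two hours ago.
    ("session-c", {EXPIRY: "20240329113000Z", IDLE: "20240329100000Z"}),
]

if __name__ == "__main__":
    print("expiry-time, 1 h:", purgeable(SAMPLE, EXPIRY, "1 h", NOW))
    print("last-activity-time, 3 w:", purgeable(SAMPLE, IDLE, "3 w", NOW))
```

With pf-authn-session-group-expiry-time, the idle but unexpired session-b stays in the directory; only the last-activity setting selects it.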