Ensure that your server is configured to access DynamoDB.

PingFederate requires specific DynamoDB tables to store persistent authentication sessions. Table-setup scripts are provided for this purpose.

  1. To create a table in DynamoDB to contain authentication sessions, run the commands in the <pf_install>/pingfederate/server/default/conf/authentication-session/nosql-scripts/authentication-session-dynamodb.txt file.

    This file contains basic commands to create the table, with sample values for read and write throughput, as well as the command to enable ExpiryTime as the Time-to-Live (TTL) attribute.

    1. Optional: To rename the table and index names, edit the table-name and "IndexName" values in the table script in the authentication-session-dynamodb.txt file.
  2. Optional: If authentication sessions are not already enabled in PingFederate, go to Authentication > Policies > Sessions to configure them. For more information, see Configuring authentication sessions.
  3. Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file:
    1. Add org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl to the available Session Storage managers.
    2. Locate the SessionStorageManager service point:
       <!-- Service for storing Authentication Sessions. -->
       <service-point id="SessionStorageManager" interface="org.sourceid.saml20.service.session.data.SessionStorageManager">
         <invoke-factory>
           ...
           <construct class="org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl"/>
         </invoke-factory>
       </service-point>
    3. Update the value of the class attribute of the construct element to org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl.
    4. Save the file.
    Note:

    For a clustered PingFederate environment, you must make this edit on each node manually, because cluster replication can't replicate this change to other nodes.

  4. Optional: If you modified the default table and index names in the authentication-session-dynamodb.txt file in step 1, edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl.xml file to match your customized configuration.
    Note:

    If you ran the script commands from the authentication-session-dynamodb.txt as is and did not change the default names in the commands, you do not need to edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl.xml file.

    1. Replace the <c:item name="SessionGroupTableName"/>, <c:item name="UserIdTableName"/>, <c:item name="HashedSessionIdIndexName"/>, <c:item name="SessionUserIdGroupIdIndexName"/> element values with the customized names created during your initial DynamoDB setup.
    2. Save the file.
    The following table describes the preconfigured PingFederate variables in the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl.xml file.

    DynamoDB Session Storage Manager Variables

    Variable: HashedSessionIdIndexName
    Description: The name of the hashed session ID index. The default value is PingFederateAuthenticationSessionHashedSessionId-index.

    Variable: SessionUserIdGroupIdIndexName
    Description: The name of the user ID and group ID index. The default value is PingFederateAuthenticationSessionUserIdGroupId-index.

    Variable: EndpointOverride
    Description: An optional endpoint URL that allows testing against a local development DynamoDB instance. It should not be used in production. By default, this value is empty. To test DynamoDB running locally, set EndpointOverride to the local endpoint, for example <c:item name="EndpointOverride">http://localhost:8000</c:item>. For more information, see DynamoDB local usage notes in the Amazon DynamoDB documentation.

    Variable: dynamoDbBatchSize
    Description: The number of records to request when performing batch operations against DynamoDB. The minimum allowed value is 1, the maximum allowed value is 100, and the default value is 50.

    Variable: ApiCallTimeout
    Description: The amount of time, in milliseconds, allowed for the client to complete the execution of the whole API call, including any retries. The default value is 10000.

    Variable: ApiCallAttemptTimeout
    Description: The amount of time, in milliseconds, to wait for a single HTTP request to complete before giving up and timing out. The default value is 1000.

  5. Start or restart the PingFederate service.
    Note:

    For a clustered PingFederate environment, replicate this new configuration to the other engine nodes on System > Server > Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.

PingFederate relies on the DynamoDB TTL attribute to remove expired authentication sessions from the database. For more information on TTL, see Expiring items by using DynamoDB Time to Live (TTL) in the Amazon DynamoDB documentation.
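As an added example (not part of the PingFederate documentation or product), the following Python script parses the SessionStorageManagerDynamoDBImpl.xml config-store file, applies the constraints this page documents (required table and index names, EndpointOverride empty in production, dynamoDbBatchSize in 1..100, positive timeouts), and, when boto3 and AWS credentials are available, compares the result against the live tables: index names present and TTL enabled on ExpiryTime. The <c:config> root element and its namespace, the two table-name values in the sample, the assumption that ExpiryTime is the TTL attribute of the session-group table, and the recommendation that ApiCallAttemptTimeout stay below ApiCallTimeout are this example's own assumptions, not taken from the page.

```python
"""Sanity-check a PingFederate DynamoDB session-storage configuration.

Added example for this page, not PingFederate's own code. Offline checks need
only the standard library; the live check imports boto3 on demand.
"""
import sys
import xml.etree.ElementTree as ET

# Defaults stated on the page for the numeric settings.
DEFAULTS = {"dynamoDbBatchSize": 50, "ApiCallTimeout": 10000, "ApiCallAttemptTimeout": 1000}
REQUIRED_NAMES = ("SessionGroupTableName", "UserIdTableName",
                  "HashedSessionIdIndexName", "SessionUserIdGroupIdIndexName")

# Constructed sample of the config-store file. The <c:item name="..."> elements
# are the ones the page names; the <c:config> root element, its namespace and
# the two table-name values are assumptions made for this example. The sample
# deliberately carries three misconfigurations so the checks have something to find.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
  <c:item name="SessionGroupTableName">PfAuthSessionGroup</c:item>
  <c:item name="UserIdTableName">PfAuthSessionUserId</c:item>
  <c:item name="HashedSessionIdIndexName">PingFederateAuthenticationSessionHashedSessionId-index</c:item>
  <c:item name="SessionUserIdGroupIdIndexName">PingFederateAuthenticationSessionUserIdGroupId-index</c:item>
  <c:item name="EndpointOverride">http://localhost:8000</c:item>
  <c:item name="dynamoDbBatchSize">250</c:item>
  <c:item name="ApiCallTimeout">10000</c:item>
  <c:item name="ApiCallAttemptTimeout">20000</c:item>
</c:config>
"""


def load_items(xml_text):
    """Return {item name: value} for every <c:item>, whatever namespace prefix is used."""
    items = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == "item" and "name" in el.attrib:
            items[el.attrib["name"]] = (el.text or "").strip()
    return items


def validate(items, production=True):
    """Return a list of findings; an empty list means the file passed every check."""
    findings = []
    for name in REQUIRED_NAMES:
        if not items.get(name):
            findings.append(f"{name} is missing or empty")
    endpoint = items.get("EndpointOverride", "")
    if endpoint and production:
        # The page: EndpointOverride is for a local DynamoDB only, never production.
        findings.append(f"EndpointOverride is set ({endpoint}); it must be empty in production")
    nums = {}
    for name, default in DEFAULTS.items():
        raw = items.get(name, "")
        try:
            nums[name] = int(raw) if raw else default
        except ValueError:
            findings.append(f"{name} is not an integer: {raw!r}")
            nums[name] = default
    if not 1 <= nums["dynamoDbBatchSize"] <= 100:
        findings.append(f"dynamoDbBatchSize {nums['dynamoDbBatchSize']} is outside the allowed range 1..100")
    for name in ("ApiCallTimeout", "ApiCallAttemptTimeout"):
        if nums[name] <= 0:
            findings.append(f"{name} must be positive, got {nums[name]}")
    # Recommendation of this example, not a rule stated on the page: a per-attempt
    # timeout longer than the whole-call timeout can never fire first, so a hung
    # HTTP request is never abandoned early enough for a retry to happen.
    if nums["ApiCallAttemptTimeout"] > nums["ApiCallTimeout"]:
        findings.append("ApiCallAttemptTimeout exceeds ApiCallTimeout; the per-attempt timeout will never trigger")
    return findings


def check_live_tables(items, **boto_kwargs):
    """Compare the deployed tables with the file. Needs boto3 and AWS credentials;
    extra keyword arguments (for example region_name) are passed to boto3.client."""
    import boto3  # imported here so the offline checks above need no AWS SDK
    ddb = boto3.client("dynamodb", endpoint_url=items.get("EndpointOverride") or None, **boto_kwargs)
    findings, seen_indexes = [], set()
    for key in ("SessionGroupTableName", "UserIdTableName"):
        desc = ddb.describe_table(TableName=items[key])["Table"]
        for idx_kind in ("GlobalSecondaryIndexes", "LocalSecondaryIndexes"):
            seen_indexes.update(g["IndexName"] for g in desc.get(idx_kind, []))
    for key in ("HashedSessionIdIndexName", "SessionUserIdGroupIdIndexName"):
        if items[key] not in seen_indexes:
            findings.append(f"index {items[key]} ({key}) not found on either table")
    # The page: expired sessions are removed only through TTL on ExpiryTime. This
    # example assumes the session-group table is the one carrying that attribute.
    ttl = ddb.describe_time_to_live(TableName=items["SessionGroupTableName"])["TimeToLiveDescription"]
    if ttl.get("TimeToLiveStatus") != "ENABLED" or ttl.get("AttributeName") != "ExpiryTime":
        findings.append(f"{items['SessionGroupTableName']}: TTL on ExpiryTime is not ENABLED ({ttl})")
    return findings


if __name__ == "__main__":
    # Usage: python check_pf_dynamodb.py [path/to/SessionStorageManagerDynamoDBImpl.xml] [--dev] [--live]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 and not sys.argv[1].startswith("--") else SAMPLE_CONFIG
    cfg = load_items(text)
    results = validate(cfg, production="--dev" not in sys.argv)
    if "--live" in sys.argv:
        results += check_live_tables(cfg)
    for finding in results:
        print("FINDING:", finding)
```

Run it without arguments to see the three findings the constructed sample is built to trigger; point it at the real config-store file with --live to have the index names and the ExpiryTime TTL status read back from DynamoDB rather than trusted from the file. A non-empty EndpointOverride in a production file is reported even when the URL looks local, because PingFederate will send every session read and write to that endpoint instead of the AWS service.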