Configuring the behavior of searching multiple datastores with one mapping - PingFederate - 11.2


If a datastore uses results from previous queries as input, and if the previous queries return no result, PingFederate records a warning message in the server log and continues with the request by querying the next datastore in the attribute source setup.

This default behavior applies to all lookup configurations using multiple datastores in one mapping. For more information, see Attribute mapping with multiple data sources.

If you prefer PingFederate to abort the request immediately, which is the default behavior of many earlier versions of PingFederate, you can override the behavior by modifying a configuration file. Like the default behavior, this override also applies to all lookup configurations using multiple datastores in one mapping.

  1. Edit the org.sourceid.saml20.domain.AttributeMapping.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.

    Note: If this file does not exist, you must create it.

  2. To override the default behavior, change the value of the AbortOnAttrLookupFailure element from false, the default value, to true.

    The following is an example of a modified org.sourceid.saml20.domain.AttributeMapping.xml file.

    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
        <c:item name="AbortOnAttrLookupFailure">true</c:item>
    </c:config>

    Note: Removing the org.sourceid.saml20.domain.AttributeMapping.xml file from the <pf_install>/pingfederate/server/default/data/config-store directory also has the same effect as setting the value of the AbortOnAttrLookupFailure element to true.

    For a clustered PingFederate environment, perform these steps on the console node, and then click Replicate Configuration on System > Server > Cluster Management.

Expected result when this override is set

If a datastore uses results from previous queries as input, and if the previous queries return no result, PingFederate records an error message in the server log, aborts the request immediately, and returns an error message to the user, the application, or the partner.
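
Steps 1 and 2 above can be scripted so the override is applied the same way on every console node and can be checked afterwards. The following is an added example, not part of the PingFederate documentation or product; the function names `read_setting` and `set_setting` and the demo path are assumptions, while the namespace, element name, and file name come from the sample file shown in step 2.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

NS = "http://www.sourceid.org/2004/05/config"   # namespace from the page's sample file
ITEM = "AbortOnAttrLookupFailure"                # element name from the page
ET.register_namespace("c", NS)                   # keep the c: prefix when writing


def read_setting(path):
    """Return the configured value as text, or None if the file or item is absent."""
    if not os.path.exists(path):
        return None
    root = ET.parse(path).getroot()
    for item in root.findall(f"{{{NS}}}item"):
        if item.get("name") == ITEM:
            return (item.text or "").strip()
    return None


def set_setting(path, abort=True):
    """Set the item to 'true' or 'false', creating the file if it does not exist.

    Other c:item entries already in the file are preserved. Returns the old value.
    """
    old = read_setting(path)
    if os.path.exists(path):
        tree = ET.parse(path)
        root = tree.getroot()
    else:
        root = ET.Element(f"{{{NS}}}config")
        tree = ET.ElementTree(root)
    item = next((i for i in root.findall(f"{{{NS}}}item") if i.get("name") == ITEM), None)
    if item is None:
        item = ET.SubElement(root, f"{{{NS}}}item", {"name": ITEM})
    item.text = "true" if abort else "false"
    # Write to a temp file in the same directory, then rename, so an
    # interrupted run never leaves a half-written file in config-store.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "wb") as fh:
        tree.write(fh, encoding="UTF-8", xml_declaration=True)
    os.replace(tmp, path)
    return old


if __name__ == "__main__":
    # Constructed demo path; on a real server this is the file named in step 1.
    demo = os.path.join(tempfile.mkdtemp(), "org.sourceid.saml20.domain.AttributeMapping.xml")
    print("before:", set_setting(demo, abort=True), "after:", read_setting(demo))
```

The rewritten file is created with the permissions of a new temporary file, so confirm its ownership and mode match the other files in config-store before restarting or replicating the configuration.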