The default administrative console and runtime behavior of PingFederate is controlled in part by configuration properties set in the run.properties file, located in the <pf_install>/pingfederate/bin directory.
The most common properties are documented in the following table. For the rest of the properties, including various cookie-encoding options, see the run.properties file.
The clustering configuration options are also maintained in the run.properties file. For more information, see Deploying cluster servers.
Property | Description |
---|---|
pf.admin.https.port |
Defines the port on which the PingFederate administrative console runs. The default value is
|
pf.admin.baseurl |
Defines the URL that PingFederate's administrative node uses to populate resource references in Administrative API responses. The administrative node also uses it for the redirect URL it sends to an OpenID Provider (OP) for administrator OpenID Connect (OIDC) (for example, https://pingfederate-admin.example.com or, if the load balancer uses a custom port, https://pingfederate-admin.example.com:8443). The default value is blank. Use pf.admin.baseurl instead of pf.admin.hostname, which has been deprecated. If run.properties defines both, PingFederate ignores pf.admin.hostname. But if run.properties defines only pf.admin.hostname, PingFederate constructs the URL the same way it does in versions of PingFederate before 10.3. |
pf.console.bind.address |
Defines the IP address over which the PingFederate administrative console communicates. Use for deployments where multiple network interfaces are installed on the machine running PingFederate. |
pf.console.title |
Defines the browser window or tab title for the administrative console. It makes separate instances easily identifiable. |
pf.console.environment |
Defines the name of the PingFederate environment that will be displayed in the administrative console. It makes separate environments easily identifiable. |
pf.console.show.background.images |
Enables or disables the background images on the dashboard of the administrative console. The images are enabled by default. |
pf.console.session.timeout |
Defines the length of time in minutes until an inactive administrative
console times out. The minimum setting is 1 minute, and maximum is 8
hours (480 minutes). Default is |
pf.log.eventdetail |
Enables or disables (the default) detailed event logging for actions performed by administrative console users. |
pf.console.login.mode |
Indicates whether more than one administrative user may access the
administrative console at one time. Supported values: Single | Multiple.
The default value is |
pf.console.authentication |
Indicates whether administrators sign on to PingFederate using credentials managed internally by PingFederate or externally by other systems. |
pf.admin.api.authentication |
Defines the authentication method of the PingFederate administrative API. Valid values are:
The default value is You can also configure PingFederate to
support both Note:
When configuring support for two authentication methods, consider the following:
CAUTION:
You should only allow multiple authentication sources while migrating
from one source to another because using multiple authentication
sources simultaneously increases security risks. For administrative
API authentication, after migration, you should use
|
pf.pingone.admin.url.region |
These properties set the URL of the PingOne unified admin icon in the PingFederate administrative console. This property should be set based on the region of your PingOne organization. Choose one of the following region-specific values for your environment.
|
pf.pingone.admin.url.environment.id |
Defines the ID of your PingOne organization's environment. |
ldap.properties.file |
When LDAP administrative console authentication is enabled, indicates the name of the file containing configuration properties. |
cert.properties.file |
When certificate-based console authentication is enabled, indicates the name of the file containing configuration properties. |
radius.properties.file |
When RADIUS-based console authentication is enabled, indicates the name of the file containing configuration properties. |
oidc.properties.file |
When OIDC administrative-console authentication is enabled, indicates the name of the file containing configuration properties. |
pf.http.port |
Defines the port on which PingFederate listens for unencrypted HTTP traffic at runtime. For security reasons, this port is turned off by default. CAUTION:
This port should remain disabled in production if your deployment configuration directly exposes the PingFederate server to the Internet. |
pf.https.port |
Defines the port on which PingFederate
listens for encrypted HTTPS (SSL/TLS) traffic. The default value is
|
pf.secondary.https.port |
Defines a secondary HTTPS port that can be used for mutual SSL/TLS
(client X.509 certificate) authentication for both end users and protocol
requests (SAML, WS-Trust, and OAuth).
Set its value to the desired inbound listening TCP port. A value of
Important:
If you are using client X.509 certificates for either WS-Trust
Security Token Service (STS) authentication or for SAML
back-channel authentication, you must use this port, or a similarly
configured new listener, with either the
WantClientAuth or
NeedClientAuth parameter set to
For more information, see the note at the end of this table. |
pf.engine.bind.address |
Defines the IP address over which the PingFederate server communicates with partner federation gateways. Use for deployments where multiple network interfaces are installed on the machine running PingFederate. |
pf.monitor.bind.address |
Defines the IP address over which Java Management Extensions (JMX) communicate with PingFederate. Use for deployments where multiple network interfaces are installed on the machine running PingFederate. |
pf.engine.prefer_ipv4 |
Defines the protocol to be used by PingFederate. |
http.proxyHost and
http.proxyPort |
Specifies the hostname, or the IP address, and the port number of the forward proxy server that HTTP traffic originating from PingFederate must go through. |
https.proxyHost and
https.proxyPort |
Specifies the hostname, or the IP address, and the port number of the forward proxy server that HTTPS traffic originating from PingFederate must go through. |
http.nonProxyHosts |
Specifies one or more destinations where PingFederate is not required to proxy its HTTP
and HTTPS traffic through the forward proxy server configured by the
http[s].proxyHost and
http[s].proxyPort properties. This property
supports multiple values separated by the pipe character
(
|
pf.runtime.context.path |
Allows customization of the server path for PingFederate endpoints. Note:
If this property is changed, the path must also be added to the base URL for your PingFederate environment. Base URL is defined on . The pf.runtime.context.path property is also compatible with virtual host names. Unlike the base URL configuration, the virtual host names configuration does not require any context path. Virtual host names are defined on . For example, suppose the base URL is https://www.example.com:9031 and the
virtual host names are www.example.org and www.example.info. To configure
the pf.runtime.context.path property value as
|
pf.runtime.http.maxRequestSize |
Sets the maximum request size in bytes for inbound runtime requests. The
default value is |
pf.log.dir |
Network path to the output location of log files. The default is <pf_install>>/pingfederate/log |
pf.hsm.mode |
Enables or disables (the default) a FIPS-compliance Hardware Security Module (HSM). |
pf.hsm.hybrid |
Enables or disables the HSM hybrid mode. Applicable only when the pf.hsm.mode property is configured to use an HSM. When set to The HSM hybrid mode allows an organization to move the storage of keys and certificates from the local trust store to an HSM over time without deploying a new PingFederate installation and mirroring the setup. For more information, see Transitioning to an HSM. |
org.bouncycastle.fips.approved_only |
When the pf.hsm.hybrid property is set to
If pf.hsm.hybrid is set to In FIPS-approved mode only, the module will provide approved algorithms only. For more information, see https://www.bouncycastle.org/fips-java/. The default setting is |
pf.provisioner.mode |
Enables or disables (the default) outbound provisioning. Also used to enable provisioning failover. |
pf.heartbeat.system.monitoring |
Enables or disables (the default) the heartbeat endpoint, /pf/heartbeat.ping, to return detailed system monitoring information through a customizable Velocity template file . For more information, see Customizing the heartbeat message. When set to false, the /pf/heartbeat.ping endpoint returns OK. When set to true, the /pf/heartbeat.ping endpoint returns all available stats. |
org.apache.xml.security.ignoreLineBreaks |
Determines whether PingFederate omits
line breaks in XML digital signatures. If omitted, this setting defaults
to |
sun.net.client.defaultConnectTimeout |
Determines the default connect timeout for outbound java.net.URL connections in milliseconds. The default setting is 10000. |
sun.net.client.defaultReadTimeout |
Determines the default read timeout for outbound java.net.URL connections in milliseconds. The default setting is 10000. |
pf.admin.threads.min |
The minimum number of threads in HTTP server thread pools for the
administrative console. The default value is |
pf.admin.threads.max |
The maximum number of threads in HTTP server thread pools for the
administrative console. The default value is |
pf.runtime.threads.min |
The minimum number of threads in HTTP server thread pools for the runtime
engine nodes. The default value is |
pf.runtime.threads.max |
The maximum number of threads in HTTP server thread pools for the runtime
engine nodes. The default value is |
pf.admin.acceptQueueSize |
The queue size of the HTTP connector for the administrative console. The
default value is |
pf.runtime.acceptQueueSize |
The queue size of the HTTP connector for the runtime engine nodes. The
default value is |
Additional configuration of the listener ports, including adding new listeners, is
available through the
<pf_install>/pingfederate/etc/jetty-runtime.xml
file. For example, options include the WantClientAuth and
NeedClientAuth flags, which indicate that a client
certificate is either requested or required, respectively, for mutual SSL/TLS. For
the pre-configured SSL secondary port, the WantClientAuth
parameter is set to true
and the NeedClientAuth
parameter is set to false
by default.
You must manually configure the runtime server-related properties on each engine node. The run.properties file is not copied from the console node to the engine nodes automatically. Also, it is not part of the Replicate Configuration process. If running, restart PingFederate.