Configuring PingFederate properties - PingFederate - 11.3

PingFederate Server

bundle
pingfederate-113
ft:publication_title
PingFederate Server
Product_Version_ce
PingFederate 11.3 (Latest)
category
Administrator
Administratorguide
Audience
Capability
ContentType
DeploymentMethod
Guide
Product
Productdocumentation
SingleSignonSSO
Software
SystemAdministrator
pf-113
pingfederate
ContentType_ce
Guide > Administrator Guide
Product documentation
Guide

The default administrative console and runtime behavior of PingFederate is controlled in part by configuration properties set in the run.properties file, located in the <pf_install>/pingfederate/bin directory.

The most common properties are documented in the following table. For the rest of the properties, including various cookie-encoding options, see the run.properties file.

Tip:

The clustering configuration options are also maintained in the run.properties file. For more information, see Deploying cluster servers.

Property Description
pf.admin.https.port

Defines the port on which the PingFederate administrative console runs. The default value is 9999.

pf.admin.baseurl

Defines the URL that PingFederate's administrative node uses to populate resource references in Administrative APIapplication programming interface (API) A specification of interactions available for building software to access an application or service. responses. The administrative node also uses it for the redirect URL it sends to an OpenID Provider (OP)OpenID Provider (OP)OP In OAuth terms, an authorization server (AS). The OP/AS issues access tokens to protected resources for approved clients (relying parties). The clients use the access token to access the protected resources hosted by the OAuth resource server. for administrator OpenID Connect (OIDC)OpenID Connect (OIDC)OIDC An authentication protocol built on top of OAuth that authenticates users and enables clients (relying parties) of all types to request and receive information about authenticated sessions and users. OIDC is extensible, allowing clients to use optional features such as encryption of identity data, discovery of OpenID Providers (OAuth authorization servers), and session management. (for example, https://pingfederate-admin.example.com or, if the load balancer uses a custom port, https://pingfederate-admin.example.com:8443). The default value is blank.

Use pf.admin.baseurl instead of pf.admin.hostname, which has been deprecated. If run.properties defines both, PingFederate ignores pf.admin.hostname. But if run.properties defines only pf.admin.hostname, PingFederate constructs the URL the same way it does in versions of PingFederate before 10.3.

pf.console.bind.address

Defines the IP address over which the PingFederate administrative console communicates. Use for deployments where multiple network interfaces are installed on the machine running PingFederate.

pf.console.title

Defines the browser window or tab title for the administrative console. It makes separate instances easily identifiable.

pf.console.environment

Defines the name of the PingFederate environment that will be displayed in the administrative console. It makes separate environments easily identifiable.

pf.console.show.background.images

Enables or disables the background images on the dashboard of the administrative console. The images are enabled by default.

pf.console.session.timeout

Defines the length of time in minutes until an inactive administrative console times out. The minimum setting is 1 minute, and maximum is 8 hours (480 minutes). Default is 30 minutes.

pf.log.eventdetail

Enables or disables (the default) detailed event logging for actions performed by administrative console users.

pf.console.login.mode

Indicates whether more than one administrative user may access the administrative console at one time. Supported values: Single | Multiple. The default value is Multiple.

pf.console.authentication

Indicates whether administrators sign on to PingFederate using credentials managed internally by PingFederate or externally by other systems.

pf.admin.api.authentication

Defines the authentication method of the PingFederate administrative API. Valid values are:

  • none - No direct login method is available.
  • native - Internal password file authentication.
  • LDAP - External LDAP authentication.
  • cert - X509 certificate-based authentication.
  • RADIUS - External RADIUS authentication.
  • OAuth2 - External or internal OAuth2 authorization.

The default value is native. The values are case-insensitive.

You can also configure PingFederate to support both OAuth2 authorization and a basic authentication method by specifying two values separated with a comma. For example, specify pf.admin.api.authentication=OAuth2,LDAP. The basic authentication methods are native, LDAP, and RADIUS. Supporting two authentication methods is helpful when you want to change applications from one method to another.

Note:

When configuring support for two authentication methods, consider the following:

  • The order of the values is not important. PingFederate uses the HTTP Authorization request header to determine the authorization scheme. A request can contain only one Authorization header.
  • You cannot combine the none and cert values with other values.
  • If you specify an invalid value or more than two values, PingFederate will fail on startup.
CAUTION:

You should only allow multiple authentication sources while migrating from one source to another because using multiple authentication sources simultaneously increases security risks. For administrative API authentication, after migration, you should use OAuth2 for the authentication source.

pf.pingone.admin.url.region

These properties set the URL of the PingOne unified admin icon in the PingFederate administrative console. This property should be set based on the region of your PingOne organization.

Choose one of the following region-specific values for your environment.

com
console.pingone.com
eu
console.pingone.eu
asia
console.pingone.asia
ca
console.pingone.ca
pf.pingone.admin.url.environment.id

Defines the ID of your PingOne organization's environment.

ldap.properties.file

When LDAPLDAP (Lightweight Directory Access Protocol) An open, cross platform protocol used for interacting with directory services. administrative console authentication is enabled, indicates the name of the file containing configuration properties.

cert.properties.file

When certificate-based console authentication is enabled, indicates the name of the file containing configuration properties.

radius.properties.file

When RADIUS-based console authentication is enabled, indicates the name of the file containing configuration properties.

oidc.properties.file

When OIDC administrative-console authentication is enabled, indicates the name of the file containing configuration properties.

pf.http.port

Defines the port on which PingFederate listens for unencrypted HTTP traffic at runtime. For security reasons, this port is turned off by default.

CAUTION:

This port should remain disabled in production if your deployment configuration directly exposes the PingFederate server to the Internet.

pf.https.port

Defines the port on which PingFederate listens for encrypted HTTPS (SSL/TLS) traffic. The default value is 9031.

pf.secondary.https.port

Defines a secondary HTTPS port that can be used for mutual SSL/TLS (client X.509 certificate) authentication for both end users and protocol requests (SAMLSAML (Security Assertion Markup Language) A standard, XML-based, message-exchange framework enabling the secure transmittal of authentication tokens and other user attributes across domains., WS-Trust, and OAuthOAuth A standard framework that enables an application (OAuth client) to obtain access tokens from an OAuth authorization server for the purpose of retrieving protected resources on a resource server.). Set its value to the desired inbound listening TCP port. A value of -1 disables this feature.

Important:

If you are using client X.509 certificates for either WS-Trust Security Token Service (STS)Security Token Service (STS)STS An entity responsible for responding to WS-Trust requests for validation and issuance of security tokens used for SSO authentication to web services. authentication or for SAML back-channel authentication, you must use this port, or a similarly configured new listener, with either the WantClientAuth or NeedClientAuth parameter set to true in the jetty-runtime.xml file.

For more information, see the note at the end of this table.

pf.engine.bind.address

Defines the IP address over which the PingFederate server communicates with partner federation gateways. Use for deployments where multiple network interfaces are installed on the machine running PingFederate.

pf.monitor.bind.address

Defines the IP address over which Java Management Extensions (JMX)Java Management Extensions (JMX)JMX Java technology that provides tools for managing and monitoring applications, devices, system objects, and service-oriented networks. communicate with PingFederate. Use for deployments where multiple network interfaces are installed on the machine running PingFederate.

pf.engine.prefer_ipv4

Defines the protocol to be used by PingFederate. True, the default, enables use of IPv4 only. False enables use of both IPv4 and IPv6.

http.proxyHost and http.proxyPort

Specifies the hostname, or the IP address, and the port number of the forward proxy server that HTTP traffic originating from PingFederate must go through.

https.proxyHost and https.proxyPort

Specifies the hostname, or the IP address, and the port number of the forward proxy server that HTTPS traffic originating from PingFederate must go through.

http.nonProxyHosts

Specifies one or more destinations where PingFederate is not required to proxy its HTTP and HTTPS traffic through the forward proxy server configured by the http[s].proxyHost and http[s].proxyPort properties. This property supports multiple values separated by the pipe character (|) and the wildcard character (*) for pattern matching. See the example below.

*.example.com|localhost

pf.runtime.context.path

Allows customization of the server path for PingFederate endpoints.

Note:

If this property is changed, the path must also be added to the base URL for your PingFederate environment. Base URL is defined on System > Server > Protocol Settings > Federation Info .

The pf.runtime.context.path property is also compatible with virtual host names. Unlike the base URL configuration, the virtual host names configuration does not require any context path. Virtual host names are defined on System > Server > Virtual Host Names.

For example, suppose the base URL is https://www.example.com:9031 and the virtual host names are www.example.org and www.example.info. To configure the pf.runtime.context.path property value as /sso, you must update the base URL to https://www.example.com:9031/sso but leave the virtual host names as they are. Once configured, you can access the runtime server at the following endpoints:

Base URL
  • https://www.example.com:9031/sso
Virtual host names
  • https://www.example.org:9031/sso
  • https://www.example.info:9031/sso
pf.runtime.http.maxRequestSize

Sets the maximum request size in bytes for inbound runtime requests. The default value is 200000 bytes.

pf.log.dir

Network path to the output location of log files. The default is

<pf_install>>/pingfederate/log

pf.hsm.mode

Enables or disables (the default) a FIPS-compliance Hardware Security Module (HSM).

pf.hsm.hybrid

Enables or disables the HSM hybrid mode. Applicable only when the pf.hsm.mode property is configured to use an HSM.

When set to true, keys and certificates can be stored on either the HSM or the local trust store. When set to false, the default setting, keys and certificates are stored on the HSM when applicable.

The HSM hybrid mode allows an organization to move the storage of keys and certificates from the local trust store to an HSM over time without deploying a new PingFederate installation and mirroring the setup. For more information, see Transitioning to an HSM.

org.bouncycastle.fips.approved_only

When the pf.hsm.hybrid property is set to true, this property can be set to true or false. In this case, the recommended setting is false.

If pf.hsm.hybrid is set to false, this property must be set to true.

In FIPS-approved mode only, the module will provide approved algorithms only. For more information, see https://www.bouncycastle.org/fips-java/.

The default setting is true.

pf.provisioner.mode

Enables or disables (the default) outbound provisioning. Also used to enable provisioning failover.

pf.heartbeat.system.monitoring

Enables or disables (the default) the heartbeat endpoint, /pf/heartbeat.ping, to return detailed system monitoring information through a customizable Velocity template file . For more information, see Customizing the heartbeat message.

When set to false, the /pf/heartbeat.ping endpoint returns OK.

When set to true, the /pf/heartbeat.ping endpoint returns all available stats.
org.apache.xml.security.ignoreLineBreaks

Determines whether PingFederate omits line breaks in XML digital signatures. If omitted, this setting defaults to false. Set this property to true for improved interoperability with Microsoft products.

sun.net.client.defaultConnectTimeout

Determines the default connect timeout for outbound java.net.URL connections in milliseconds.

The default setting is 10000.

sun.net.client.defaultReadTimeout

Determines the default read timeout for outbound java.net.URL connections in milliseconds.

The default setting is 10000.

pf.admin.threads.min

The minimum number of threads in HTTP server thread pools for the administrative console. The default value is 1.

pf.admin.threads.max

The maximum number of threads in HTTP server thread pools for the administrative console. The default value is 10.

pf.runtime.threads.min

The minimum number of threads in HTTP server thread pools for the runtime engine nodes. The default value is 10.

pf.runtime.threads.max

The maximum number of threads in HTTP server thread pools for the runtime engine nodes. The default value is 200.

pf.admin.acceptQueueSize

The queue size of the HTTP connector for the administrative console. The default value is 512.

pf.runtime.acceptQueueSize

The queue size of the HTTP connector for the runtime engine nodes. The default value is 512.

Note:

Additional configuration of the listener ports, including adding new listeners, is available through the <pf_install>/pingfederate/etc/jetty-runtime.xml file. For example, options include the WantClientAuth and NeedClientAuth flags, which indicate that a client certificate is either requested or required, respectively, for mutual SSL/TLS. For the pre-configured SSL secondary port, the WantClientAuth parameter is set to true and the NeedClientAuth parameter is set to false by default.

  1. Edit the <pf_install>/pingfederate/bin/run.properties file.

    You should consider creating a backup copy of the file.

  2. Modify the applicable properties.
  3. Restart PingFederate.
Important:

You must manually configure the runtime server-related properties on each engine node. The run.properties file is not copied from the console node to the engine nodes automatically. Also, it is not part of the Replicate Configuration process. If running, restart PingFederate.