Configuring PingDirectory for authentication sessions - PingFederate

Configuring PingDirectory for authentication sessions - PingFederate - 11.3

PingFederate Server

bundle

pingfederate-113

ft:publication_title

PingFederate Server

Product_Version_ce

PingFederate 11.3 (Latest)

category

Administrator

Administratorguide

Audience

Capability

ContentType

DeploymentMethod

Guide

Product

Productdocumentation

SingleSignonSSO

Software

SystemAdministrator

pf-113

pingfederate

ContentType_ce

Guide

Product documentation

Guide > Administrator Guide

Page created: 3 Mar 2023 |

Page updated: 9 Mar 2023

| 3 min read

Guide Administrator Guide Content Type Product documentation 11.3 Capability Single Sign-on (SSO) Deployment Method Software Audience Administrator System Administrator Product PingFederate

Use specific schema objects to enable PingFederate to store authentication sessions on your directory server. For PingDirectory, LDIF scripts are provided for this purpose.

Update the LDAP schema.
1. Sign on to the PingDirectory administrative console.
2. Go to LDAP Schema > Schema Utilities.
3. Click Import Schema Element.
4. Copy the schema changes from the authentication-session-attributes-ldap-pingdirectory.ldif file and paste them into the text area.
  The file is located in the <pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts directory.
  Replace the placeholder values with relevant information from your directory server.
5. Click Import.

Create the following indexes.

Attribute name	Index type
`pf-authn-session-group-hashed-session-id`	equality
`pf-authn-session-group-user-ids`	equality
`pf-authn-session-group-expiry-time`	ordering
`pf-authn-session-group-last-activity-time`	ordering

Create these indexes with PingDirectory's dsconfig utility. The dsconfig utility is interactive. You can also provide inputs as command arguments. The following examples create the indexes.

$ bin/dsconfig create-local-db-index \
  --backend-name userRoot \
  --index-name pf-authn-session-group-hashed-session-id \
  --set index-type:equality

$ bin/dsconfig create-local-db-index \
  --backend-name userRoot \
  --index-name pf-authn-session-group-user-ids \
  --set index-type:equality

$ bin/dsconfig create-local-db-index \
  --backend-name userRoot \
  --index-name pf-authn-session-group-expiry-time \
  --set index-type:ordering

$ bin/dsconfig create-local-db-index \
  --backend-name userRoot \
  --index-name pf-authn-session-group-last-activity-time \
  --set index-type:ordering

After adding the indexes, use the rebuild-index utility to build the indexes. The following example builds the required indexes.

$ bin/rebuild-index \
  --baseDN "dc=example,dc=com" \
  --index pf-authn-session-group-hashed-session-id \
  --index pf-authn-session-group-user-ids \
  --index pf-authn-session-group-expiry-time \
  --index pf-authn-session-group-last-activity-time

For more information, see Working with Indexes in the PingDirectory Administration Guide .

If you have not already done so, create an LDAP data store for your directory server on System > Data & Credential Stores > Data Stores.
Copy the system ID of the applicable LDAP data store from the Data Stores window.
Edit the /pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl.xml file.

Note:
For a clustered PingFederate environment, edit this file on the administrative console node first, and then replicate to other engine nodes using System > Server > Cluster Management as explained in later steps.
1. Replace the <c:item name="PingFederateDSJNDIName"/> element value with the system ID of your data store connection.
  For example, if the system ID is LDAP-123456789ABCDEF123456789ABCDEF123456A0AC, update the configuration file as follows.
```
...

<c:item name="PingFederateDSJNDIName">LDAP-123456789ABCDEF123456789ABCDEF123456A0AC</c:item>
...
```
2. Enter a value for the <c:item name="SearchBase"/> element.
  
  Tip:
  This is the distinguished name (DN) that points to the client location. For more information, see the inline comment and the LDIF scripts in the <pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts directory.
3. Update the attribute names only if you have changed attribute names in the LDIF scripts located in the <pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts directory.
4. Save the file.

Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file.

Go to the # Service for storing Authentication Sessions section.

# Service for storing Authentication Sessions.
# Supported classes:
#    org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl : Use this service-point for a Jdbc implementation.
#    org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl : Use this service-point for an LDAP implementation.
#    org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl : Use this service-point for a DynamoDB implementation.
session.storage.manager=org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl

Change the value of the session.storage.manager service to org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl.

Note:

For a clustered PingFederate environment, you must edit the service-points.conf file on each node manually because cluster replication can't replicate this change to other nodes.

Start or restart the PingFederate service.

Note:
For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System > Server > Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.

Note:
When storing persistent authentication sessions on a PingDirectory server, you must also configure a cleanup plugin in PingDirectory to remove expired authentication sessions from your directory server. For more information, see Managing authentication sessions stored in PingDirectory.