Use specific schema objects to enable PingFederate to store authentication sessions on your directory server. For PingDirectory, LDIF scripts are provided for this purpose.
- Update the LDAP schema.
  - Sign on to the PingDirectory administrative console.
  - Go to LDAP Schema > Schema Utilities.
  - Click Import Schema Element.
  - Copy the schema changes from the authentication-session-attributes-ldap-pingdirectory.ldif file and paste them into the text area. The file is located in the <pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts directory. Replace the placeholder values with relevant information from your directory server.
  - Click Import.
- Create the following indexes.

  Attribute name                              Index type
  pf-authn-session-group-hashed-session-id    equality
  pf-authn-session-group-user-ids             equality
  pf-authn-session-group-expiry-time          ordering
  pf-authn-session-group-last-activity-time   ordering

  Create these indexes with PingDirectory's dsconfig utility. The dsconfig utility is interactive, but you can also provide its inputs as command arguments. The following examples create the indexes.

  $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name pf-authn-session-group-hashed-session-id \
      --set index-type:equality

  $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name pf-authn-session-group-user-ids \
      --set index-type:equality

  $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name pf-authn-session-group-expiry-time \
      --set index-type:ordering

  $ bin/dsconfig create-local-db-index \
      --backend-name userRoot \
      --index-name pf-authn-session-group-last-activity-time \
      --set index-type:ordering

  After adding the indexes, use the rebuild-index utility to build them. The following example builds the required indexes.

  $ bin/rebuild-index \
      --baseDN "dc=example,dc=com" \
      --index pf-authn-session-group-hashed-session-id \
      --index pf-authn-session-group-user-ids \
      --index pf-authn-session-group-expiry-time \
      --index pf-authn-session-group-last-activity-time

  For more information, see Working with Indexes in the PingDirectory Administration Guide.
- If you have not already done so, create an LDAP data store for your directory server on System > Data & Credential Stores > Data Stores.
- Copy the system ID of the applicable LDAP data store from the Data Stores window.
- Edit the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl.xml file.
  Note: For a clustered PingFederate environment, edit this file on the administrative console node first, and then replicate it to the other engine nodes using System > Server > Cluster Management as explained in later steps.
  - Replace the <c:item name="PingFederateDSJNDIName"/> element value with the system ID of your data store connection. For example, if the system ID is LDAP-123456789ABCDEF123456789ABCDEF123456A0AC, update the configuration file as follows.

    ...
    <!-- Data store id -->
    <c:item name="PingFederateDSJNDIName">LDAP-123456789ABCDEF123456789ABCDEF123456A0AC</c:item>
    ...

  - Enter a value for the <c:item name="SearchBase"/> element.
    Tip: This is the distinguished name (DN) that points to the client location. For more information, see the inline comment and the LDIF scripts in the <pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts directory.
  - Update the attribute names only if you have changed attribute names in the LDIF scripts located in the <pf_install>/pingfederate/server/default/conf/authentication-session/ldif-scripts directory.
  - Save the file.
- Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file.
  - Go to the # Service for storing Authentication Sessions section.

    # Service for storing Authentication Sessions.
    # Supported classes:
    # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl : Use this service-point for a Jdbc implementation.
    # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl : Use this service-point for an LDAP implementation.
    # org.sourceid.saml20.service.session.data.impl.SessionStorageManagerDynamoDBImpl : Use this service-point for a DynamoDB implementation.
    session.storage.manager=org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl

  - Change the value of the session.storage.manager service to org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl.
    Note: For a clustered PingFederate environment, you must edit the service-points.conf file on each node manually because cluster replication can't replicate this change to other nodes.
- Start or restart the PingFederate service.
  Note: For a clustered PingFederate environment, replicate this new configuration to the other engine nodes on System > Server > Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.

Note: When storing persistent authentication sessions on a PingDirectory server, you must also configure a cleanup plugin in PingDirectory to remove expired authentication sessions from your directory server. For more information, see Managing authentication sessions stored in PingDirectory.
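Before restarting, it is worth confirming that the two hand-edited files agree with each other: the SessionStorageManagerLdapImpl.xml file must carry a real data store system ID and a search base DN, and service-points.conf must actually point at the LDAP implementation, or PingFederate will keep using the JDBC store. The following check is an added example and not PingFederate's own code; the XML root element and namespace in the constructed sample are assumptions (only the <c:item name="..."> elements come from the procedure above), and the rule that LDAP data store IDs start with "LDAP-" is taken from the page's example ID rather than from any product guarantee.

```python
"""Sanity-check the PingFederate files edited for LDAP session storage.

Added example. The samples below are constructed; the XML root element and
xmlns are assumptions, the <c:item> names and class names are from the
procedure. Point load_and_check() at the real files to run it against an
installation.
"""
import re
import xml.etree.ElementTree as ET

LDAP_IMPL = ("org.sourceid.saml20.service.session.data.impl."
             "SessionStorageManagerLdapImpl")

# Constructed sample of SessionStorageManagerLdapImpl.xml after the edit.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
  <!-- Data store id -->
  <c:item name="PingFederateDSJNDIName">LDAP-123456789ABCDEF123456789ABCDEF123456A0AC</c:item>
  <c:item name="SearchBase">ou=pf-sessions,dc=example,dc=com</c:item>
</c:config>
"""

# Constructed sample of the relevant part of service-points.conf after the edit.
SAMPLE_CONF = """# Service for storing Authentication Sessions.
# Supported classes:
# org.sourceid.saml20.service.session.data.impl.SessionStorageManagerJdbcImpl : Use this service-point for a Jdbc implementation.
session.storage.manager=org.sourceid.saml20.service.session.data.impl.SessionStorageManagerLdapImpl
"""

# Loose RDN-sequence shape (attr=value,attr=value); enough to catch an
# empty or placeholder SearchBase, not a full RFC 4514 parser.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*$")


def config_items(xml_text):
    """Return {name: text} for every <c:item> element, ignoring the namespace prefix."""
    root = ET.fromstring(xml_text)
    items = {}
    for elem in root.iter():
        # Strip any "{uri}" prefix so the check does not depend on the xmlns.
        if elem.tag.rsplit("}", 1)[-1] == "item" and "name" in elem.attrib:
            items[elem.attrib["name"]] = (elem.text or "").strip()
    return items


def conf_value(conf_text, key):
    """Return the value of `key=value` in a properties-style file, or None if absent."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, sep, v = line.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None


def check_ldap_session_storage(xml_text, conf_text):
    """Return a list of problems; an empty list means the two files are consistent."""
    problems = []
    items = config_items(xml_text)

    ds_id = items.get("PingFederateDSJNDIName", "")
    if not ds_id:
        problems.append("PingFederateDSJNDIName is empty: paste the data store system ID")
    elif not ds_id.startswith("LDAP-"):
        # Assumption: LDAP data store IDs carry the LDAP- prefix seen in the page's example.
        problems.append(f"PingFederateDSJNDIName {ds_id!r} does not look like an LDAP data store ID")

    base = items.get("SearchBase", "")
    if not DN_RE.match(base):
        problems.append(f"SearchBase {base!r} is not a distinguished name")

    manager = conf_value(conf_text, "session.storage.manager")
    if manager != LDAP_IMPL:
        problems.append(f"session.storage.manager is {manager!r}, expected {LDAP_IMPL}")
    return problems


def load_and_check(xml_path, conf_path):
    """Run the check against real files (paths are supplied by the caller)."""
    with open(xml_path, encoding="utf-8") as f, open(conf_path, encoding="utf-8") as g:
        return check_ldap_session_storage(f.read(), g.read())


if __name__ == "__main__":
    for line in check_ldap_session_storage(SAMPLE_XML, SAMPLE_CONF) or ["OK"]:
        print(line)
```

In a cluster, run load_and_check() on every engine node: the XML file is replicated through Cluster Management, but service-points.conf is not, so a node where only the XML was updated reports the session.storage.manager mismatch.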