Set up Amazon DynamoDB so that PingFederate can store account-link records in the DynamoDB NoSQL database.
Ensure that your PingFederate server is configured to access DynamoDB. For more information, see Configuring an AWS DynamoDB datastore.
PingFederate requires a specific table to store account-link records on your DynamoDB server. A table-setup script is provided for this purpose.
- To create a table in DynamoDB to contain OAuth clients, run the commands in the <pf_install>/pingfederate/server/default/conf/account-linking/nosql-scripts/account-linking-dynamodb.txt file.
- Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file:
  - Locate the service point for account-linking storage:

        # Service/adapter for storage of account linking
        # Supported classes:
        #   org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl
        #   org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl
        #   org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl
        account.linking.service=org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl

  - Set the value of the account.linking.service attribute to org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl.
  - Save the file.

  Note: For a clustered PingFederate environment, you must edit the service-points.conf file on each node manually because cluster replication can't replicate this change to other nodes.
- Optional: Edit the values in the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl.xml file.

      <?xml version="1.0" encoding="UTF-8"?>
      <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
          <!-- Table names -->
          <c:item name="AccountLinkingTableName">PingFederateAccountLink</c:item>

          <!--
              The endpoint override is for testing with a local DynamoDB instance. Provide the local DynamoDB endpoint here.
              This configuration should not be set for production environment.
              Example configuration:
              <c:item name="EndpointOverride">http://localhost:8000</c:item>
          -->
          <c:item name="EndpointOverride"/>

          <!--
              Configure the amount of time (in milliseconds) to allow the client to complete the execution of an API call.
              Default configuration:
              <c:item name="ApiCallTimeout">10000</c:item>
          -->
          <c:item name="ApiCallTimeout">10000</c:item>

          <!--
              Configure the amount of time (in milliseconds) to wait for the http request to complete before giving up and timing out.
              Default configuration:
              <c:item name="ApiCallAttemptTimeout">1000</c:item>
          -->
          <c:item name="ApiCallAttemptTimeout">1000</c:item>
      </c:config>
- Start or restart the PingFederate service.

  Note: For a clustered PingFederate, replicate this new configuration to other engine nodes on System > Server > Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.
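Because service-points.conf must be edited by hand on every node and EndpointOverride should stay empty in production, a per-node check of both files catches drift early. The following is an added example, not part of the PingFederate distribution; the function names, node names, and embedded file contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DYNAMO_IMPL = "org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl"
NS = {"c": "http://www.sourceid.org/2004/05/config"}

def active_service(conf_text, key="account.linking.service"):
    """Return the effective (last uncommented) value of key, or None."""
    value = None
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue  # the "Supported classes" list is comments only
        name, _, val = line.partition("=")
        if name.strip() == key:
            value = val.strip()
    return value

def audit_node(conf_text, xml_text, production=True):
    """Return a list of findings for one node's two configuration files."""
    findings = []
    svc = active_service(conf_text)
    if svc != DYNAMO_IMPL:
        findings.append(f"account.linking.service is {svc}, not the DynamoDB implementation")
    root = ET.fromstring(xml_text.strip())
    items = {i.get("name"): (i.text or "").strip() for i in root.findall("c:item", NS)}
    if not items.get("AccountLinkingTableName"):
        findings.append("AccountLinkingTableName is missing or empty")
    if production and items.get("EndpointOverride"):
        findings.append(f"EndpointOverride is set ({items['EndpointOverride']}) on a production node")
    return findings

# Constructed sample file contents for two engine nodes (not real deployments).
XML_TMPL = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
  <c:item name="AccountLinkingTableName">PingFederateAccountLink</c:item>
  <!-- Example: <c:item name="EndpointOverride">http://localhost:8000</c:item> -->
  {override}
</c:config>"""
CONF_TMPL = ("# Supported classes:\n"
             "# org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl\n"
             "account.linking.service={impl}\n")
NODES = {
    "engine-1": (CONF_TMPL.format(impl=DYNAMO_IMPL), XML_TMPL.format(override='<c:item name="EndpointOverride"/>')),
    "engine-2": (CONF_TMPL.format(impl="org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl"),
                 XML_TMPL.format(override='<c:item name="EndpointOverride">http://localhost:8000</c:item>')),
}

if __name__ == "__main__":
    for node, (conf, xml) in NODES.items():
        print(node, audit_node(conf, xml) or "OK")
```

In practice, read the two files from each node's <pf_install> directory and pass their contents to audit_node.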