Ensure that your PingFederate server is configured to access DynamoDB. For more information, see Configuring an AWS DynamoDB datastore.

PingFederate requires a specific table to store account-link records on your DynamoDB server. A table-setup script is provided for this purpose.

  1. To create the table in DynamoDB that contains the account-link records, run the commands in the <pf_install>/pingfederate/server/default/conf/account-linking/nosql-scripts/account-linking-dynamodb.txt file.
  2. Edit the <pf_install>/pingfederate/server/default/conf/service-points.conf file:
    1. Locate the service point for account-linking storage:
      # Service/adapter for storage of account linking
      # Supported classes:
      #     org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl
      #     org.sourceid.saml20.service.impl.AccountLinkingServiceLDAPImpl
      #     org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl
      account.linking.service=org.sourceid.saml20.service.impl.AccountLinkingServiceDBImpl
    2. Set the value of the account.linking.service attribute to org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl.
    3. Save the file.
    Note:

    For a clustered PingFederate environment, you must edit the service-points.conf file on each node manually because cluster replication can't replicate this change to other nodes.

  3. Optional: Edit the values in the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.service.impl.AccountLinkingServiceDynamoDBImpl.xml file.
    <?xml version="1.0" encoding="UTF-8"?>
    <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    
      <!-- Table names -->
      <c:item name="AccountLinkingTableName">PingFederateAccountLink</c:item>
    
      <!-- 
          The endpoint override is for testing with a local DynamoDB instance.
          Provide the local DynamoDB endpoint here. This configuration should not 
          be set for production environment.
    
          Example configuration:
          <c:item name="EndpointOverride">http://localhost:8000</c:item>
      -->
      <c:item name="EndpointOverride"/>
    
      <!--
          Configure the amount of time (in milliseconds) to allow the client to 
          complete the execution of an API call.
    
          Default configuration:
          <c:item name="ApiCallTimeout">10000</c:item>
      -->
      <c:item name="ApiCallTimeout">10000</c:item>
    
      <!--
          Configure the amount of time (in milliseconds) to wait for the http
          request to complete before giving up and timing out.
    
          Default configuration:
          <c:item name="ApiCallAttemptTimeout">1000</c:item>
      -->
      <c:item name="ApiCallAttemptTimeout">1000</c:item>
    
    </c:config>
  4. Start or restart the PingFederate service.
    Note:

    For a clustered PingFederate environment, replicate this new configuration to other engine nodes on System > Server > Cluster Management. Start or restart the PingFederate service on each engine node to activate the change.