In a cluster, there are two types of nodes: engine nodes and an administrative console node. Engine nodes service end user traffic, and multiple nodes are recommended to ensure high availability for your deployment. Only one administrative console node can be running in a given cluster. This node hosts the user interface and API that you use to configure the cluster. Additionally, the administrative console node manages the following runtime functions:

  • Performing periodic configuration archive backup
  • Cleaning expired persistent authentication sessions
  • Cleaning expired access grants
  • Updating connections from metadata URLs, including PingOne SP connections if configured, and sends email notifications
  • Performing automatic rotation of signing certificates if enabled

Additional steps are required to set up failover for provisioning. If you are grouping servers exclusively to provide for provisioning failover, skip these steps and see Deploy provisioning failover.

These steps describe how to configure and deploy clustered PingFederate servers by editing each node in the <pf_install>/pingfederate/bin/

  1. Install PingFederate on each node in a cluster.
  2. Edit the clustering properties of each node in the <pf_install>/pingfederate/bin/ file. See the following table for information about each property.




    Controls the operational mode of the PingFederate server. PingFederate supports the following modes:

    STANDALONE (default)
    This server is a standalone instance that runs both the administrative console and runtime engine.

    The value STANDALONE should only be used in a cluster where session-state management is not needed for any reason and configuration-archive deployment is used as the configuration synchronization method.

    This server is part of a cluster and runs only the administration console.

    Only one node in a cluster can run the administrative console.

    This server is part of a cluster and runs only the runtime engine.

    Defines a unique index number for the server in a cluster. The index number is used to identify peers and optimize inter-node communication. The allowed range is 0 to 65535.

    If no value is set for the node index, the system assigns an auto-generated value in the range of 0 to 2147483647.

    This property has no default value. If you specify an index number, you can configure instances of the Cluster Node Authentication Selector and place them in authentication policies to customize authentication requirements based on the runtime node servicing a request.


    Sets the password that each node in the cluster must use to authenticate when joining the cluster. This prevents unauthorized nodes from joining a cluster. The value can be any string, or blank.


    Consider using a randomly-generated password with 22 or more alphanumeric characters. A strong, obfuscated, Jgroups cluster password can be generated with the clusterkey utility (clusterkey.bat for Windows and for Linux), located in the <pf_install>/pingfederate/bin directory.

    All nodes in a cluster must share the same value, blank or otherwise.


    Indicates whether to encrypt network traffic sent between nodes in a cluster. The possible values are true or false (default).

    When set to true, communication within the cluster is encrypted with a symmetric key derived from the value of the pf.cluster.auth.pwd property.


    When the pf.cluster.encrypt property is set to true, you must provide a value for the pf.cluster.auth.pwd property. Otherwise PingFederate aborts during its startup process.

    All nodes in a cluster must have the same value for this property.


    The length of the key that PingFederate takes into consideration when deriving the symmetric key from the value of the pf.cluster.auth.pwd property for the purpose of encrypting network traffic sent between nodes in a cluster. Required only when the pf.cluster.encrypt is set to true.

    All nodes in a cluster must have the same value set for this property.

    The default value is 128.


    Defaults to NON_LOOPBACK, which leaves the system to choose an available non-loopback IP address. Alternatively, enter an IP address of the network interface to which the cluster communication should bind. For machines with more than one network interface, provide a specific IP address.

    You can use this property to increase performance (particularly with UDP) and improve security by segmenting cluster-communication traffic onto a private network or VLAN.


    Besides NON_LOOPBACK or an IP address, you can also use other values supported by JGroups. For more information, see the bind_addr special values in JGroups documentation.


    This field does not support DNS name. Use the default value NON_LOOPBACK or replace it with an IP address.


    Specifies the port associated with the pf.cluster.bind.address property or with the default network interface used.

    This is the port used by other cluster members during their discovery process, usually via the pf.cluster.tcp.discovery.initial.hosts property.

    The default value is 7600.


    Indicates the bind port of a server socket that is opened on the given node and used by other nodes as part of the cluster's failure-detection mechanisms. If set to 0 or unspecified, a random available port is used. The default value is 7700.


    Indicates the transport protocol used for cluster communication. Values are udp or tcp. The default value is tcp. All nodes in a cluster must have the same value set for this property.

    Use UDP when IP multicasting is enabled in the network environment and the majority of cluster traffic is point-to-full-group. You must also configure both the and properties.

    Use TCP for geographically dispersed servers or when multicast is not available or disabled for some other reason. For example, when using routers that do not support multicast messaging. TCP may also be appropriate if your cluster configuration employs more point-to-point or point-to-few messaging than point-to-group.You must also configure the pf.cluster.tcp.discovery.inital.hosts property.


    This property is a reference to a protocol-stack XML configuration file located in the <pf_install>/pingfederate/server/default/conf/ directory. Two stacks are provided: one for UDP multicast and one for TCP. You can customize either stack or add to it as needed by modifying the associated configuration file.

    Defines the IP address shared among nodes in the same cluster for UDP multicast communication; required when UDP is set as the transport protocol. The valid range is to Some addresses in this range are reserved for other purposes. This property is not used for TCP.

    All nodes in a cluster must have the same value set for this property.

    The default value is

    Defines the port in conjunction with the property value. This property is not used for TCP configurations.

    All nodes in a cluster must have the same value set for this property.

    The default value is 7601.


    Designates a static list of PingFederate servers to be contacted for cluster membership information when discovering, joining, and rejoining the cluster. This value is required when TCP is set as the transport protocol. The value is a comma-separated list of host names (or IP addresses) and their cluster bind ports, for example, host1[7600],[7600],host7[1033],[2231].

    When using static discovery, add at least one node for the cluster to know in advance. This property should contain all nodes in the cluster (including itself) to increase the likelihood of new members finding and joining the cluster.

    When using dynamic discovery, leave this property blank and enable dynamic discovery in the <pf_install>/pingfederate/server/default/conf/tcp.xml file. For more information, see Enabling dynamic discovery for clustering.


    Indicates whether runtime state-management services should use the adaptive clustering architecture.

    The default value is true for new installations and false for upgrades.


    false turns off JGroups diagnostics. true turns it on.

    The default value is false.

    pf.cluster.diagnostics.addr and pf.cluster.diagnostics.port

    The multicast address and port this node listens on for diagnostic messages.

    The default values are and 7500, respectively. Do not change the default values.


    Defines the tags associated with this node.

    Configuration is optional. When configured, PingFederate considers this property when processing requests. For example, you can use tags to determine the datastore location that this PingFederate node communicates with. You can also use tags in conjunction with authentication selectors and policies to define authentication requirements.

    You can specify one tag.
    You can also specify a list of prioritized, space-separated tags.
    node.tags=1 123 234

    Tags cannot contain spaces.

  3. Optional: Edit configuration files in each node that control the cluster protocol and runtime state-management service. For more information, see Runtime state-management architectures and Runtime state-management services.
  4. Optional: If outbound provisioning is configured for your site and you want to provide failover capabilities, identify and configure the provisioning failover nodes. For more information, see Deploy provisioning failover.
  5. Start or restart PingFederate on all nodes.
  6. Sign on to the administrative console.
  7. If you have not done so, import your PingFederate license. For more information, see License management.
  8. On the System > Server > Cluster Management window, click Replicate Configuration to push the license information from the console node to all engine nodes.

After the clustered environment is set up, you can start configuring PingFederate through the administrative console. When PingFederate detects a change, it prompts you to replicate the configuration to all engine nodes.