PingFederate Server

Managing expired persistent grants

PingFederate removes expired persistent grants once a day. The cleanup task removes 500 expired grants at a time until all expired grants are removed.

About this task

If expired grants are growing rapidly, you can increase the frequency of the cleanup task.

Increasing the frequency of the cleanup task or the number of expired sessions to be removed per batch adds more workload to your storage server. Make gradual changes, if any, to observe the impact.

In a clustered PingFederate environment, the cleanup task runs only on the console node. If adjustments are required, make them on the console node. No changes are required on any of the engine nodes.

When storing persistent grants on a PingDirectory server that is version 7.0 or later, you can use the PingFederate cleanup task or configure a cleanup plugin in PingDirectory instead. The plugin allows fine-grained control over various aspects of the cleanup task, which might reduce the performance impact. You can find more information and configuration steps in Managing expired persistent grants in PingDirectory.

When you store persistent grants in DynamoDB, the PingFederate cleanup task is not used. Instead, DynamoDB relies on the DynamoDB Time to Live (TTL) attribute to remove expired persistent grants from the database. You can find more information on TTL in Expiring items by using DynamoDB Time to Live (TTL) in the AWS DynamoDB documentation.

Steps

  1. (Optional) Adjust the frequency of the cleanup task.

    1. Edit the timer-intervals.xml file, located in the <pf_install>/pingfederate/server/default/data/config-store directory.

    2. Update the AccessGrantCleanerInterval value, in milliseconds.

      The default value is 86400000, which is 24 hours.

    3. Save your changes.

  2. (Optional) Adjust the number of expired grants to be removed per batch.

    1. Edit the configuration file relevant to your storage platform.

      This configuration file is located in the <pf_install>/pingfederate/server/default/data/config-store directory, as described in the following table.

      | Storage platform           | Configuration file                                                      |
      |----------------------------|-------------------------------------------------------------------------|
      | Database server            | org.sourceid.oauth20.token.AccessGrantManagerJdbcImpl.xml               |
      | PingDirectory              | org.sourceid.oauth20.token.AccessGrantManagerLDAPPingDirectoryImpl.xml  |
      | Microsoft Active Directory | org.sourceid.oauth20.token.AccessGrantManagerLDAPADImpl.xml             |
      | Oracle Unified Directory   | org.sourceid.oauth20.token.AccessGrantManagerLDAPOracleImpl.xml         |

    2. Update the ExpiredGrantBatchSize value.

      The following example shows an updated value of 400. (The default value is 500.)

      <?xml version="1.0" encoding="UTF-8"?>
      <c:config xmlns:c="http://www.sourceid.org/2004/05/config">
          ...
          <c:item name="ExpiredGrantBatchSize">400</c:item>
          ...
      </c:config>
    3. Save your changes.

  3. After you have made changes, restart PingFederate.

    In a clustered PingFederate environment, you do not have to change or restart PingFederate on any of the engine nodes.
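
The batch-size edit in step 2 can be scripted so that every change is backed up and kept gradual. The following Python sketch is an added example, not Ping Identity code; it assumes the `c:config` / `c:item` layout shown above, and the function name, the `.bak` backup suffix, and the `max_step_ratio` limit are hypothetical choices made for this illustration.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "http://www.sourceid.org/2004/05/config"  # namespace from the XML example above
ET.register_namespace("c", NS)                 # keep the c: prefix when writing
ITEM = "ExpiredGrantBatchSize"

# Constructed sample file contents (not copied from a real installation).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<c:config xmlns:c="http://www.sourceid.org/2004/05/config">
    <!-- constructed sample -->
    <c:item name="ExpiredGrantBatchSize">500</c:item>
</c:config>
"""


def set_expired_grant_batch_size(path, new_size, max_step_ratio=0.5):
    """Update ExpiredGrantBatchSize in a config-store file; return (old, new).

    max_step_ratio is an assumed guard rail, not a PingFederate setting: a change
    larger than that fraction of the current value is rejected, so tuning stays
    gradual and its effect on the storage server can be observed between steps.
    """
    path = Path(path)
    # insert_comments keeps XML comments that the default parser would drop.
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    tree = ET.parse(str(path), parser=parser)
    items = [e for e in tree.getroot().iter(f"{{{NS}}}item") if e.get("name") == ITEM]
    if len(items) != 1:
        raise ValueError(f"expected exactly one {ITEM} item, found {len(items)}")
    old = int((items[0].text or "").strip())   # ValueError if empty or non-numeric
    if new_size <= 0:
        raise ValueError("batch size must be a positive integer")
    if abs(new_size - old) > old * max_step_ratio:
        raise ValueError(f"change {old} -> {new_size} exceeds the allowed step")
    # Keep a copy of the previous file for rollback before touching it.
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    items[0].text = str(new_size)
    tree.write(str(path), encoding="UTF-8", xml_declaration=True)
    return old, new_size
```

Run it against the file for your storage platform on the console node, then restart PingFederate as described in step 3.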