Hosting Environment
Operating System
Task Type
Draft Beta

PingOne for Enterprise release notes

Updated 220

Add to MyDocs | Hide Show Table of Contents

Table of Contents

October, 2018

Feature Description
Administrative auditing (reports and subscriptions) Administrative auditing is now available PingOne for Enterprise, PingID and PingOne SSO for SaaS Apps. You can utilize the administrative audit events through both the Reports and the Subscriptions facilities. For more information, see Report types .
PKCE support for OpenID Connect (OIDC) We've added support for Proof Key for Code Exchange (PKCE) to secure OIDC clients that cannot or choose not to use a client secret. We have therefore relaxed the requirement that a client secret must be specified when configuring an OIDC application with the authorization code flow. For more information, see Integrate an OIDC application, PKCE parameters .
SLO for OIDC identity providers We've added single logout (SLO) support for PingOne for Enterprise OIDC identity providers (IdPs). You can specify the end-session URL through the well-known metadata of the OpenID Connect provider (end_session_endpoint), or when you configure the PingOne connection for the OIDC IdP. When SLO is triggered, PingOne redirects the user logout process to the end-session URL for the OIDC IdP.
Automatic IdP Discovery We've added automatic IdP discovery for all PingOne for Enterprise managed applications (applications managed by your account, rather than a service provider). For these applications, we no longer require that you specify the idpid for SP-initiated (SAML) requests or OIDC authorization requests.
PingOne directory enhancements We've added features to PingOne directory allowing you to:
Workplace by Facebook™ provisioner We've updated the provisioner for Workplace by Facebook applications. This provisioner includes:
  • Improved error handling and reporting when Workplace by Facebook users contain no ID.
  • Improved check connection call by not retrieving a list of users.
See Known Issues and Limitations for important information.

Deprecated features
Feature Description
Basic SSO and the browser extension Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Known issues and limitations
Subject Issue/Limitation
Workplace by Facebook provisioner The following limitations apply:
  • Clearing fields on updates is not supported.
  • Due to API limitations with matching a user’s manager using the display name, if multiple matches occur the first match will be used. This could be an issue if multiple employees in the Workplace by Facebook account have the same first and last names. To avoid conflicts, you can use a custom attribute mapping to link the manager attribute to a manager’s email.
  • Due to LDAP limitations, when you update a manager's name it does not update their Distinguished Name (DN). The provisioner uses the distinguished name to match a manager in Workplace by Facebook and may not find the correct match. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.
  • Due to SaaS API limitations, adding a manger may require a search of all Workplace by Facebook users. This will impact provisioning performance. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

Tags Capability > Single Sign On; Product > PingOne