Table of Contents

PingFederate 8.4 - June 2017


Configuration at scale

We have set a new bar for the number of IdP connections, SP connections, and OAuth clients that our customers can configure. We looked at the number of connections and OAuth clients that some of our largest customers were using and made improvements so that their investment could grow at least tenfold. This enhancement includes updates to paging, sorting, filtering, and searching in the administrative console to make it easier to find connections and OAuth clients. Configuration replication is also optimized to only replicate the connections that have changed, greatly reducing the amount of data that needs to be distributed and processed throughout a cluster when configuration changes.

Additionally, a new option is available to schedule the creation of backup configuration archives as an alternative to the generation of archives at sign-on to the administrative console. This option improves the responsiveness of the administrative-console sign-on experience for customers with many connections and OAuth clients because the backup process could take more than a few seconds.

The SDK support for custom storage of OAuth clients has been extended with a new interface, ClientStorageManagerV2. This interface includes a search() method, allowing customers to provide efficient implementations of the pagination and search functions exposed in the administrative console.

OpenID Connect signed requests

OpenID Connect defines a method to sign authentication requests sent from Relying Parties (RPs) so that the OpenID Provider (OP) can ensure that the request has not been tampered with in transit (see We’ve added support for this in PingFederate, and this will open up new use cases. With signed requests, RPs can convey contextual information about the specific transaction the user is attempting. Authorization servers can then use that information to drive different interactions with the user, such as prompting the user for fine-grained consent. Customers can either implement a custom adapter to gain access to the data in the request parameter or look forward to future adapters shipped by Ping Identity that will expose this data. Further, we added support for both requiring signed requests from RPs and sending signed requests to OPs.

JWT OAuth 2.0 authorization grants

We have implemented support of the JWT profile for OAuth 2.0 authorization grants (see The primary use case for this grant type is for cross-domain API transactions where the transaction is within the context of a user’s consent but the user is not directly present. To use this grant type an OAuth client submits a signed JWT to an authorization server and receives an access token. This feature aligns with our existing support for the SAML assertion profile for OAuth 2.0 authorization grants.

To further support this use case we added a related feature to help customers that have OAuth clients that make cross-domain API calls and need to use this grant type with a remote AS. Clients that make calls to partner APIs that need to use a JWT authorization grant can exchange a local token for the necessary JWT using WS-Trust. This again aligns with our support of the equivalent SAML assertion profile.

JWT OAuth 2.0 client authentication

Another OAuth profile that is related to the JWT authorization grant, which is defined in the same specification, is OAuth 2.0 client authentication (see We have also added support for this, and it allows OAuth clients to authenticate to an authorization server using a signed JWT. This provides a better security model than client ID and secret authentication as the private key used to sign the JWT remains secret to the client and does not need to be shared with an outside system. This support has been added for when PingFederate is the authorization server or when PingFederate is the OpenID Connect Relying Party.

Dynamic discovery of cluster nodes using AWS Roles

We’ve expanded our support for dynamic discovery (to support elastic scaling) of cluster nodes in AWS by leveraging the permissions of an AWS Role that’s been assigned to an AMI. You can now use this option as an alternative to the existing option of setting an AWS IAM access key and secret for dynamic discovery. This new feature also adds the ability for PingFederate to discover nodes based on static and dynamic AWS AMI metadata through configuration of tags and filters.

Self-service account unlock

Adding to the existing self-service password reset feature of the HTML Form Adapter, we introduce a new feature to allow users to unlock accounts that have been locked due to password policy at the underlying LDAP directory. This optional feature can help in situations when users realize that they have mistyped their passwords several times and simply want to unlock their accounts, preserving their existing passwords.

Cluster-aware account lockout protection

Account lockout protection prevents user accounts from becoming locked at the underlying user repository based on too many failed authentication attempts. This protection, which is available in many areas of PingFederate® (for example, the HTML Form Adapter, the Username Token Processor, the OAuth Resource Owner Password Credentials grant type, and the administrative console native authentication scheme), is now shared across nodes in a cluster. This enhancement helps in situations where PingFederate is deployed behind a load balancing infrastructure without sticky sessions.

Message customization and localization for password reset and account unlock

Administrators now have new options for customizing and localizing messages sent to users for self-service password reset and account unlock. Similar to the existing support that we already have for customizing email messages, SMS messages can also be customized. Furthermore, these messages can be localized based on the user’s preferred language, captured when the user initiates self-service password reset or account unlock.

Docker support

We continue to add features to help customers automate the deployment of PingFederate. With this release we now officially qualify on Docker.

Configurable cluster encryption strength

Cluster encryption strength is now configurable in PingFederate. The encryption strength varies depending on the cryptographic providers available from the Oracle Java SE Runtime Environment (Server JRE).

Security enhancement

The default TLS cipher suites for HTTPS listeners have been updated to follow the latest security best practices.

Other improvements

  • Integration with Microsoft Office 365 has been improved to better support Microsoft Intune and Dynamics 365.
  • PostgreSQL relational database support has been added and can be used for attribute lookup, OAuth persistent grant storage, OAuth client storage, logging, account linking, and outbound provisioning.
  • Improved user provisioning efficiency to reduce execution time when multiple channels are configured.
  • Tracking IDs are now included by default in audit log entries.
  • Header based certificate authentication has been improved to be tolerant of missing PEM headers.
  • The following bundled components and third-party dependencies have been updated:
    • Log4j 2 2.8.2
    • Jackson 2.7.8
    • Jetty 9.3.16
    • jose4j 0.5.5
    • Twilio Java SDK 7.4
    • UnboundID LDAP SDK for Java 3.2

Resolved issues

Ticket IDDescription
PF-15778Fixed an access token validation issue where any claim with a data type other than string or list was not structured properly in the JSON response.
PF-15757Resolved an issue where PingFederate did not update or clear the internal data store after changes had been made in the attribute mapping configuration for outbound provisioning.
PF-15756The Kerberos Adapter now uses the correct Velocity template when a Kerberos Adapter instance is used as one of the checkpoints in an authentication policy and the authentication attempt has failed.
PF-15755Authentication policies can now complete the failover process when an IdP adapter renders a Velocity template while returning a failure response status.
PF-15708EXCEPTION messages from the com.pingidentity.fsm.state.impl.PortalMenuState.getClientCountError class are now categorized as ERROR (log level) in the server log.
PF-15630Fixed an issue where the self-service password reset feature did not use information from the pf-accept-language cookie (if presented) to identify the locale of the user.
PF-15629Resolved an OAuth client configuration issue where changes made to client authentication scheme were not saved occasionally.
PF-15564Addressed an issue where contextual attribute values were not passed to the follow-on IdP connections when SP Authentication Policies were enabled
PF-15327The kerberos.error.template.html template file now supports localization.
PF-15286The html.form.login.template.headerMessage entry has been removed from the file as it is no longer applicable.
PF-15258Resolved an issue where the username field values were always masked in the audit log for SLO requests through any OpenID Connect IdP connections.
PF-15201Improved the validation process for the Hostname(s) field value in the LDAP data store configuration screen.
PF-15009Improved the validation process for signed SAML 2.0 AuthnRequest messages; the AssertionConsumerServiceURL element value must be a full URL.
PF-14946When processing SAML response messages that do not contain the Subject element, PingFederate now handles this error condition accordingly.
PF-14876Updated the log4j2.xml configuration file with a new logger (com.pingidentity.common.util.xml.XmlBeansUtil).
CautionThis new logger is disabled by default. When enabled, PingFederate may write sensitive user information to the server log. Consider enabling this logger for the sole purpose of troubleshooting in non-production environments only (and disabling this logger when it is no longer required).
PF-14602Error conditions between the OAuth /as/token.oauth2 endpoint and the clients are now better captured in the audit and server logs.
PF-14545 and PF-13334When both signature verification and encryption are disabled, PingFederate now removes such partner certificates from the connection.
PF-14411Fixed a dependency error when at least one attribute in an authentication policy contract deployed in an authentication policy was fulfilled by an OGNL expression.
PF-14361Administrators must now select at least one virtual server ID when the Restrict Virtual Server IDs check box is selected on the Virtual Server IDs screen.
PF-14041Improved the outbound provisioning process to handle a scenario where the Timestamp Attribute of an object does not contain any value.
PF-13733Account lockout protection (via the Account Locking Service) has been extended to the Username Token Processor (UTP). PingFederate now rejects authentication attempts for a configurable amount of time after three failures. As needed, administrators may also override the failure threshold value per UTP instance.
PF-13698When updating a SAML 2.0 connection by metadata, if encryption has not been enabled prior to the update, PingFederate now ignores the encryption certificate if any is included in the metadata.

Tags Hosting Environment > On-Premises; Product > PingFederate > PingFederate 8.4; Product > PingFederate; Task Type > Administration; Task Type > Installation; Task Type > Upgrading

Your Rating: