X.509

Known issues and limitations

The following are known issues or limitations for the X.509 Certificate Integration Kit.

Known issues

  • If PingFederate is sitting behind a proxy and the X.509 certificate is sent encoded by the proxy, PingFederate can’t decode it, resulting in a failure. To prevent this, ensure the proxy sends the certificate in RAW format as a header.

Known limitations

  • The browser, browser version, and platform can affect the adapter’s ability to obtain the X.509 certificate. If you experience issues using this adapter with a browser, contact Ping Identity support.

    • Users may be prompted to select the certificate even when only one certificate matches the configured Issuer CAs. Some browsers provide a setting that determines whether the user is prompted or the certificate is selected automatically.

    • The adapter has been tested with the following desktop browsers:

      • Firefox (tested with 89)

      • Chrome (tested with 91.0.4472.101)

      • Edge (tested with 91.0.864.54)

      • Safari (tested with 12.1.1 [14607.2.6.1.1])

      • Internet Explorer 11

    • Clients using iOS must use Safari. A limitation in iOS prevents Chrome and Firefox from working with this integration kit.

  • Single logout (SLO) isn’t supported because it isn’t possible to force the browser to end the SSL session. The adapter can’t force an authenticated user to select a new certificate or prompt the user to authenticate to a smart card again.

  • The client authentication host name functionality is only supported by PingFederate version 8.2 or later.

  • Only attribute-type keywords specified in RFC2253 will be correctly parsed out of the subject distinguished name (DN): CN, L, ST, O, OU, C, STREET, DC, UID. The rest will be parsed as object identifiers (OIDs) and the corresponding name-value pairs are not human readable.

  • Attribute-type keywords defined in the adapter contract will not work if they are mixed case, such as Cn or sT. Only all upper-case, such as CN or ST, or all lower-case, such as cn or st, will work.

  • The adapter does not support the isPassive or forceAuthn portions of a Security Assertion Markup Language (SAML) authentication policy.