---
title: Known issues and limitations
description: The following are known issues or limitations for the X.509 Certificate Integration Kit.
component: x509
page_id: x509:x509_certificate_integration_kit:pf_x509_certificate_ik_known_issues_and_limitations
canonical_url: https://docs.pingidentity.com/integrations/x509/x509_certificate_integration_kit/pf_x509_certificate_ik_known_issues_and_limitations.html
revdate: June 17, 2024
section_ids:
  known-issues: Known issues
  known-limitations: Known limitations
---

# Known issues and limitations

The following are known issues or limitations for the X.509 Certificate Integration Kit.

## Known issues

* If PingFederate is sitting behind a proxy and the X.509 certificate is sent encoded by the proxy, PingFederate can't decode it, resulting in a failure. To prevent this, ensure the proxy sends the certificate in RAW format as a header.

## Known limitations

* The browser, browser version, and platform can affect the adapter's ability to obtain the X.509 certificate. If you experience issues using this adapter with a browser, contact Ping Identity support.

  * Users may be prompted to select the certificate even when only one certificate matches the configured Issuer CAs. Some browsers provide a setting that determines whether the user is prompted or the certificate is selected automatically.

  * The adapter has been tested with the following desktop browsers:

    * Firefox (tested with 89)

    * Chrome (tested with 91.0.4472.101)

    * Edge (tested with 91.0.864.54)

    * Safari (tested with 12.1.1 \[14607.2.6.1.1])

    * Internet Explorer 11

  * Clients using iOS must use Safari. A limitation in iOS prevents Chrome and Firefox from working with this integration kit.

* Single logout (SLO) isn't supported because it isn't possible to force the browser to end the SSL session. The adapter can't force an authenticated user to select a new certificate or prompt the user to authenticate to a smart card again.

* Only attribute-type keywords specified in RFC2253 will be correctly parsed out of the subject distinguished name (DN) *(tooltip: \<div class="paragraph">
  \<p>A name uniquely identifying an object within the hierarchy of a directory tree.\</p>
  \</div>)*: `CN`, `L`, `ST`, `O`, `OU`, `C`, `STREET`, `DC`, `UID`. The rest will be parsed as object identifiers (OIDs) and the corresponding name-value pairs are not human readable.

* Attribute-type keywords defined in the adapter contract will not work if they are mixed case, such as `Cn` or `sT`. Only all upper-case, such as `CN` or `ST`, or all lower-case, such as `cn` or `st`, will work.

* The adapter does not support the `isPassive` or `forceAuthn` portions of a Security Assertion Markup Language (SAML) *(tooltip: \<div class="paragraph">
  \<p>A standard, XML-based, message-exchange framework enabling the secure transmittal of authentication tokens and other user attributes across domains.\</p>
  \</div>)* authentication policy.