Release Notes

Fixed

We fixed an error that prevented API documentation from loading when using OIDC single sign-on (SSO) with PingCentral.

New

PingCentral administrators can now disable referenced PingFederate environments for any reason, such as PingFederate being unavailable due to maintenance tasks. Additionally, we added a new environment status bar that indicates if an environment is offline. In such cases, application owners will receive a notification indicating that the environment is disabled or offline rather than encountering a UI error. For more information, see step 1 of the Updating environments tab in Managing environments.

New

All attributes defined in a SAML SP connection are now integrated into the PingCentral application. This enhancement eliminates a limitation and is expected to enhance usability significantly. For more information, see step 3 in Using SAML 2.0 templates.

New

We added the ability to effortlessly initiate an application synchronization in PingCentral. Now, when you make external modifications to an application configuration, you can seamlessly update the application information within PingCentral. This removes the need to manually update application information and introduces a more streamlined and efficient process. For more information, see step 2 in Updating applications.

New

Fixed

We resolved an issue where H2 database migration fails during an upgrade if there are spaces in the installation path for the existing or new instance.

Fixed

We fixed an issue where utilizing single sign-on (SSO) to access the PingCentral console incorrectly triggered a timeout based on an ID token’s lifetime.

Issue

Previously, PingCentral was unable to handle a service provider (SP) connection with multiple Authentication Policy Contracts (APC) mapped within it. The PingCentral 1.14 release enables users to select from multiple mapped contracts when adding an application as a managed application or a template.

However, due to a known synchronization limitation, if you update an existing single APC SP connection already managed by PingCentral to include a second APC and subsequently synchronize the application, you won’t find an option to specify your preferred APC.

To simplify your workflow and mitigate potential challenges, we recommend refraining from using synchronization to modify multi-APC connections. Instead, consider creating a new SP connection that aligns with your desired APC configuration. This approach grants you control over APC selection, ensuring a smoother and more efficient process.

Issue PingFederate

PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.

Issue PingAccess

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

Issue PingAccess

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Issue

After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if $\{pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Issue

Templates created in 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

New

Previously, PingCentral did not allow an administrator to require approval for a non-administrator to promote an application to an environment. As of now, administrators can use Spring Expression Language (SpEL) based rules to trigger an approval requirement if an expression is or isn’t met. Administrators will find a bell icon indicating active approval requests, and developers are informed when their requests are approved. For more information, see Managing approvals (administrators).

Improved

Administrators can now enforce a strong client secret for applications by requiring that PingCentral generate the client secret. With this feature enabled, when developers promote an application, they won’t be able to create a client secret manually. This avoids the usage of weak client secrets. For more information, see Managing environments.

New

When promoting SAML applications, developers can adjust and configure single logout (SLO) URLs. This adds flexibility and removes the need to manage multiple SAML applications only because different SLO URLs are required. For more information, see Promoting SAML applications.

New

We added support for Java Development Kit (JDK) 17.

Fixed

To set up a service provider (SP) connection, PingCentral now accepts SAML metadata files exported from other SP connections. These files are used to extract the following information: entity IDs, ACS URLs, SLO service URLs, certificates, and attributes.

Issue PingFederate

PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.

Issue PingAccess

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

Issue PingAccess

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Issue

After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if $\{pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Issue

Templates created in 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

New

When creating a new client, PingCentral now generates OAuth client secrets compatible with PingFederate. For more information, see Promoting OAuth and OIDC applications.

New

You can now configure multiple Assertion Consumer Service (ACS) URLs during SAML application creation. This new feature simplifies application development since the same application can use different URLs simultaneously. For more information, see Using SAML 2.0 templates.

New

When promoting an application between environments, you can now configure an application name for OAuth and OpenID Connect (OIDC) clients, SAML connections, and PingAccess applications. For more information, see Promoting applications.

Improved

You can now choose to delete applications from PingFederate or PingAccess in addition to PingCentral. This feature is flexible because you can select which environments to delete the application from. For more information, see Managing applications.

Improved

Instead of using administrator credentials for basic authentication, you can now configure PingCentral to use OAuth client credentials to connect to PingFederate or PingAccess. PingCentral will request an access_token to use whenever it connects to PingFederate or PingAccess. For more information, see Configuring PingFederate and PingAccess for SSO.

Security

Along with other dependencies (libraries), we’ve upgraded the H2 database from v1 to v2. For more information, see Upgrading PingCentral.

Issue PingFederate

PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.

Issue PingAccess

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

Issue PingAccess

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:

Environment’staging': PingFederate. This certificate either has the same ID or the same content as the certificate with index 0.

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Issue

After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if $\{pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Issue

Templates created in 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

Issue

If the installation path has any spaces in the existing or new instance, the H2 database is not migrated during upgrade. Upon removing the spaces from the file path, the migration is successful.

New

If you are an administrator, you can now update the grant types, scopes, and policy contracts in OAuth and OpenID Connect (OIDC) templates to further customize them to meet your needs.The history of these templates is also available to review and compare with previous versions. You can see which administrator modified the template configuration or policy contract, when it was modified, and details regarding these modifications. You can also revert templates to previous versions, if necessary. See OAuth and OIDC templates for details.

New

If an application is based on an outdated template, an Outdated Template icon now displays next to its name in the applications list. Edit the template and click the Update Template button. See Updating applications for details.

New

You can now use SSO to access PingFederate and PingAccess from PingCentral. For details, see Configuring PingFederate and PingAccess for SSO.

Improved

Account lockout mechanisms that prevent users from accessing the application or API after a specified number of failed sign-on attempts were added to this release. Specify the number of failed attempts that are allowed before users are locked out and the lockout period in the application.yaml file.

Issue

Templates created in version 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

Security

Resolved a potential security vulnerability that is described in security bulletin SECBL022 (requires sign-on).

Issue PingFederate

PingCentralpromotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.To resolve these issues, configure the APC mappings within PingFederate.

Issue PingFederate

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:Environment’staging': PingFederate. This certificate either has the same ID or the same content as the certificate with index 0.To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Issue PingAccess

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral, but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

Issue

After upgrading to 1.8, 1.9, or 1.10, PingCentral fails to start if $\{pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Issue

If you attempt to add a SAML application to PingCentral from an existing application through the API, and the connection JSON contains identity attribute names and placeholders, you receive an error message advising you to nullify the Names field. However, even if you nullify this field, you still receive an error message because the JSON contains placeholders. Remove these placeholders before you proceed.

Issue

When creating, updating, or validating an environment through the API, you receive a server error message if the environment Name or Password fields are null or missing. API requests cannot be processed without this information, so ensure that these fields contain valid values.You will also receive a misleading error message if the PingAccess Password field is null. Rather than informing you that the information in this field is invalid, it informs you that you cannot connect to the PingFederateadministrative console, which is misleading.Requests to connect PingAccess to a PingCentral environment cannot be processed without this information, so ensure that this field contains a valid value.