PingCentral

PingCentral 3.0 (November 2025)

PingFederate extended properties are now available in PingCentral

New PASS-7124

PingFederate extended properties are single or multi-value fields that are used to store additional information about connections or OAuth clients. These properties are now displayed in PingCentral templates. Administrators can set these property values when they configure templates, and the applications created from these templates inherit those values. Application owners can also update these values unless the extended property is designated as read-only.

Entire URLs now visible

Improved PASS-7098

Several UI modifications have been made that allow you to see entire URLs within text fields. This new functionality makes it easier for users to verify URLs, and helps prevent copy and paste errors.

Opencsv upgrade

Improved PASS-7099

Opencsv has been upgraded from version 5.8 to 5.11.2 to prevent future false-positive scan alerts. You can find more information about the CVE-2025-48734 vulnerability on the National Vulnerability Database site.

Spring Security upgrade

Improved PASS-7100

Spring Security has been upgraded from version 5.3.39 to 6.2.8 to prevent future false-positive scan alerts. You can find more information in CVE-2024-22243: Spring Framework URL Parsing with Host Validation in the Spring documentation.

Java runtime environment update

Improved PASS-7106

You can now use either Java 17 or Java 21 as the PingCentral runtime environment. Java 11 is no longer supported.

Nimbus JOSE + JWT libraries updated

Improved PASS-7134

The Nimbus JOSE + JWT libraries have been upgraded. You can find more information about the CVE-2025-53864 vulnerability on the National Vulnerability Database site.

Safeguards are now available for overwriting PingFederate entity IDs

Fixed PASS-7105

Previously, it was possible to overwrite a connection in PingFederate if you created a PingCentral application with an entity ID that already exists in PingFederate. This issue has been resolved, and it’s no longer possible to create new applications using an entity ID that is already used by a PingFederate connection.

Strict-Transport-Security (HSTS) header issue resolved

Fixed PASS-7097

Previously, if OIDC single sign-on (SSO) was enabled, PingCentral stopped sending the HSTS header and administrators couldn’t sign on. This issue has been resolved and SSO now works as expected.

CVE issues fixed

Fixed PASS-7101

A number of third-party libraries have been updated to address Common Vulnerabilities and Exposures (CVEs) reported in these libraries. These CVEs weren’t exploitable, but they were updated to avoid unnecessary concerns.

PingCentral now prevents users from creating apps with the same name

Fixed PASS-7133

PingCentral now enforces consistent validation to ensure that new applications cannot have the same name as existing applications.

Client secret size increased

Fixed PASS-7135

Previously, when users attempted to configure a PingCentral environment connection to PingFederate and PingAccess using PingOne OAuth app credentials, the database column wasn’t large enough to store the client secret and an error message displayed. The column limit was increased, which resolved the issue.