PingCentral

PingCentral 1.11 (March 2023)

For the best possible experience, review these notes before using PingCentral 1.11.

Updated client secret generation to produce client secrets compatible with PingFederate

New

When creating a new client, PingCentral now generates OAuth client secrets compatible with PingFederate. For more information, see Promoting OAuth and OIDC applications.

Multiple ACS URLs

New

You can now configure multiple Assertion Consumer Service (ACS) URLs during SAML application creation. This new feature simplifies application development since the same application can use different URLs simultaneously. For more information, see Using SAML 2.0 templates.

Set application name

New

When promoting an application between environments, you can now configure an application name for OAuth and OpenID Connect (OIDC) clients, SAML connections, and PingAccess applications. For more information, see Promoting applications.

Deleting an application in PingCentral also deletes it in other environments

Improved

You can now choose to delete applications from PingFederate or PingAccess in addition to PingCentral. This feature is flexible because you can select which environments to delete the application from. For more information, see Managing applications.

Configure OAuth credentials for use instead of username and password to connect to PingFederate or PingAccess

Improved

Instead of using administrator credentials for basic authentication, you can now configure PingCentral to use OAuth client credentials to connect to PingFederate or PingAccess. PingCentral will request an access_token to use whenever it connects to PingFederate or PingAccess. For more information, see Configuring PingFederate and PingAccess for SSO.

Upgraded from v1 H2 database to v2

Security

Along with other dependencies (libraries), we’ve upgraded the H2 database from v1 to v2. For more information, see Upgrading PingCentral.

Configure APC mappings for OIDC applications in PingFederate

Issue PingFederate

PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.

Promoting applications with authentication challenge policies

Issue PingAccess

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

SP certificates and assertion encryption certificates must be different

Issue PingAccess

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:

Environment’staging': PingFederate. This certificate either has the same ID or the same content as the certificate with index 0.

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Update truststore path if PingCentral fails to start

Issue

After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if $\{pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Cannot update or revert templates created in 1.2 or earlier

Issue

Templates created in 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

Cannot migrate the H2 database if the installation path has any spaces

Issue

If the installation path has any spaces in the existing or new instance, the H2 database is not migrated during upgrade. Upon removing the spaces from the file path, the migration is successful.