PingCentral 1.11 (March 2023)
For the best possible experience, review these notes before using PingCentral 1.11.
Updated client secret generation to produce client secrets compatible with PingFederate
New
When creating a new client, PingCentral now generates OAuth client secrets compatible with PingFederate. For more information, see Promoting OAuth and OIDC applications.
Multiple ACS URLs
New
You can now configure multiple Assertion Consumer Service (ACS) URLs during SAML application creation. This new feature simplifies application development since the same application can use different URLs simultaneously. For more information, see Using SAML 2.0 templates.
Set application name
New
When promoting an application between environments, you can now configure an application name for OAuth and OpenID Connect (OIDC) clients, SAML connections, and PingAccess applications. For more information, see Promoting applications.
Deleting an application in PingCentral also deletes it in other environments
Improved
You can now choose to delete applications from PingFederate or PingAccess in addition to PingCentral. This feature is flexible because you can select which environments to delete the application from. For more information, see Managing applications.
Configure OAuth credentials for use instead of username and password to connect to PingFederate or PingAccess
Improved
Instead of using administrator credentials for basic authentication, you can now configure PingCentral to use OAuth client credentials to connect to PingFederate or PingAccess. PingCentral will request an access_token
to use whenever it connects to PingFederate or PingAccess. For more information, see Configuring PingFederate and PingAccess for SSO.
Upgraded from v1 H2 database to v2
Security
Along with other dependencies (libraries), we’ve upgraded the H2 database from v1 to v2. For more information, see Upgrading PingCentral.
Configure APC mappings for OIDC applications in PingFederate
Issue PingFederate
PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.
When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.
To resolve these issues, configure the APC mappings within PingFederate.
Promoting applications with authentication challenge policies
Issue PingAccess
Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.
SP certificates and assertion encryption certificates must be different
Issue PingAccess
When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:
Environment’staging': PingFederate. This certificate either has the same ID or the same content as the certificate with index 0.
To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.
Update truststore path if PingCentral fails to start
Issue
After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if $\{pingcentral.home}
is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.