PingFederate 11.2.5 (May 2023)
Binary objectGUID in provisioning
Fixed PF-33160
We fixed an issue where PingFederate wasn’t converting some provisioned users’ binary objectGUIDs into hex strings.
If your provisioned users’ GUID is stored in binary format, ensure that it is also set as binary in your source LDAP datastore.
For more information, see Modifying source settings and Setting advanced LDAP options.
Multi-value request parameters for OIDC for console login
Fixed PF-32783
We fixed an issue where multi-value request parameters were not working as expected when using OIDC for console login.
Preservation of changes to certain validation rules
Fixed PF-33093
We fixed an issue where PingFederate did not preserve changes to certain validation rules in the http-request-parameter-validation.xml file upon upgrade.
SAML login session tracking
Fixed PF-33168
We improved SP-Initiated SAML login session tracking. This security improvement can affect existing SAML SP connections that rely on multiple session states in a single transaction.
For more information about how your configuration can be affected, and the steps to resolve issues, see Solicited SAML Response Validation in the Ping Identity Support Portal.
OTL reset page error messaging
Fixed PF-33307
The one-time link (OTL) reset page now displays an error message when the link is expired.
Access token bug fix
Fixed PF-33342
We resolved an issue where an access token may not include the pi.sri claim after refresh. This issue only occurs when reuse of existing access grants is enabled.
Attribute retrieval
Fixed PF-33484
In OAuth and OpenID Connect (OIDC) flows, external consent adapters can now retrieve attributes from the chained attributes map.
LDAP bug fix
Fixed PF-33503
We fixed an LDAP issue where new access grant records were not created with new scopes when Reuse Existing Persistent Access Grants for Grant Types was enabled.
ID token ACR claim
Fixed PF-33557
We resolved an issue where an ID token would not include the Authentication Context Class Reference (ACR) claim if an old client secret was used during the retention period.
Redundancies in key algorithm generation
Fixed PF-33607
We fixed an issue that affected cluster replication when PingFederate was deployed with AWS CloudHSM. When replication was initiated, engines generated a number of temporary key pairs, and the increased load on the HSM could trigger SSO errors.