PingFederate Server

PingFederate 11.2.5 (May 2023)

Binary objectGUID in provisioning

Fixed PF-33160

We fixed an issue where PingFederate wasn’t converting some provisioned users binary objectGUIDs into hex strings.

If your provisioned users GUID is stored in binary format, ensure that it is also set as binary in your source LDAP datastore.

For more information, see Modifying source settings and Setting advanced LDAP options.

Logging validation

Fixed PF-32764

We’ve improved logging validation.

Multi-value request parameters for OIDC for console login

Fixed PF-32783

We fixed an issue where multi-value request parameters were not working as expected when using OIDC for console login.

Preservation of changes to certain validation rules

Fixed PF-33093

We fixed an issue where PingFederate did not preserve changes to certain validation rules in the http-request-parameter-validation.xml file upon upgrade.

SAML login session tracking

Fixed PF-33168

We improved SP-Initiated SAML login session tracking. This security improvement can affect existing SAML SP connections that rely on multiple session states in a single transaction.

For more information about how your configuration can be affected, and the steps to resolve issues, see Solicited SAML Response Validation in the Ping Identity Support Portal.

OTL reset page error messaging

Fixed PF-33307

The one-time link (OTL) reset page now displays an error message when the link is expired.

Access token bug fix

Fixed PF-33342

We resolved an issue where an access token may not include the pi.sri claim after refresh. This issue only occurs when reuse of existing access grants is enabled.

Attribute retrieval

Fixed PF-33484

In OAuth and OpenID Connect (OIDC) flows, external consent adapters can now retrieve attributes from the chained attributes map.

LDAP bug fix

Fixed PF-33503

We fixed an LDAP issue where new access grant records were not created with new scopes when Reuse Existing Persistent Access Grants for Grant Types was enabled.

ID token ACR claim

Fixed PF-33557

We resolved an issue where an ID token would not include the Authentication Context Class Reference (ACR) claim if an old client secret was used during the retention period.

Redundancies in key algorithm generation

Fixed PF-33607

We fixed an issue that affected cluster replication when PingFederate was deployed with AWS CloudHSM. When replication was initiated, engines generated a number of temporary key pairs, and the increased load on the HSM could trigger SSO errors.