PingFederate Server

Upgrade considerations introduced in PingFederate 9.x

Gemalto SafeNet Luna HSM 6.3

When integrating with Gemalto SafeNet Luna Network HSM 6 (hardware security module), PingFederate 9.2 requires firmware version 6.3.0 and client driver version 6.3. See Integrating with Thales Luna Network HSM for setup information.

Weaker cipher suites disabled

Starting with PingFederate 9.1, weaker cipher suites TLS_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA are disabled in new installations and upgrades. As a result, the administrative and runtime servers support only TLS 1.2. If you must re-enable these cipher suites for legacy clients, refer to Managing cipher suites for more information.

LDAP service accounts on PingDirectory

If PingFederate 9.3.1 or newer has an LDAP connection with PingDirectory, then add the config-read privilege to its service account in PingDirectory. Otherwise, users will not receive password expiry notifications. For more information, see Assigning Privileges to Normal Users and Individual Root Users in the PingDirectory documentation.

Improved validation for AudienceRestriction

If an IdP connection is configured with multiple virtual server IDs, the AudienceRestriction value in a SAML response must now match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message. Otherwise, the SSO attempt fails. To override this validation on a per-connection basis, see Configuring validation for the AudienceRestriction element.
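The check described above, written out as an added illustration (this is not PingFederate's own code): the Audience values in the assertion are compared against the virtual server ID named by the receiving endpoint, and validation fails closed when the endpoint names an ID that is not configured. It assumes the virtual server ID arrives as a `vsid` query parameter on the ACS endpoint and that the SAML response is a constructed sample, both labelled as such in the code.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response; not captured from any real deployment.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.com/tenant-a</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Assumed SP-side configuration: the default entity ID plus two virtual server IDs.
DEFAULT_ENTITY_ID = "https://sp.example.com"
VIRTUAL_SERVER_IDS = {"https://sp.example.com/tenant-a", "https://sp.example.com/tenant-b"}


def audiences(response_xml: str) -> List[str]:
    """Collect every Audience value found under an AudienceRestriction element."""
    root = ET.fromstring(response_xml)
    found = root.findall(".//saml:AudienceRestriction/saml:Audience", NS)
    return [a.text.strip() for a in found if a.text]


def expected_audience(endpoint_url: str) -> Optional[str]:
    """Derive the audience the endpoint is bound to.
    Assumption: the virtual server ID is carried in a 'vsid' query parameter;
    an endpoint without one is the default entity ID. Unknown IDs yield None."""
    vsid = parse_qs(urlparse(endpoint_url).query).get("vsid", [None])[0]
    if vsid is None:
        return DEFAULT_ENTITY_ID
    return vsid if vsid in VIRTUAL_SERVER_IDS else None


def validate_audience(response_xml: str, endpoint_url: str) -> bool:
    """True only when the endpoint's audience is among the assertion's audiences."""
    expected = expected_audience(endpoint_url)
    if expected is None:
        return False  # fail closed on an unrecognised virtual server ID
    return expected in audiences(response_xml)
```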

Custom authentication selector

If you have created a custom authentication selector that returns an IdP adapter instance ID or the connection ID of an IdP connection, you must update the associated descriptor instance. See Updating the custom authentication selector for more information.

Provisioning datastore reset

Upgrading to PingFederate 9.0 or 9.0.1 when using its outbound provisioning capability can result in user records being disabled at SaaS applications. The issue is resolved in version 9.0.2.

If you are upgrading from version 8.4.4 (or earlier) or from version 9.0.2, 9.0.3, or 9.0.4 to version 10.0, the upgrade process automatically resolves this issue. No further action is required.

If you are upgrading from version 9.0 or 9.0.1 to PingFederate 10.0, you must use the provmgr command-line tool to reset the provisioning datastore on the upgraded installation. See Reviewing database changes for more information.

Security enhancement in JDBC datastore queries

A security enhancement was made in PingFederate 9.0 to safeguard JDBC datastore queries against back-end SQL injection attacks. This protection is enabled for all new installations.

For upgrades, see Reviewing database changes.

Access token validation response

Starting with PingFederate 9.2, the access token validation response no longer includes the username and subject elements by default. Responses include them only if they were mapped in the issuing access token management instance.