PingFederate Server

PingFederate 11.3.1 (August 2023)

Configuration retrieval on engine start up

Improved PF-33667

We introduced new settings in the cluster-config-replication.conf file to improve configuration retrieval reliability during engine startup. By setting publish.replication.data.on.startup to true, the administrative console automatically publishes the last replicated configuration upon startup, eliminating the need to initiate replication through the administrative UI or API after a console restart. Additionally, you can configure engines to fail startup if they cannot retrieve configuration data by setting require.replication.data.on.startup to true. This setting proves beneficial in DevOps deployments, where fresh engine nodes are frequently created without any initial configuration. For more information, see the publish.replication.data.on.startup and require.replication.data.on.startup property descriptions in Cluster management.
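The following is an added example, not PingFederate's own code or a file shipped with the product: a small check that reads a cluster-config-replication.conf fragment and reports what each node role will do on startup with the two properties named above. It assumes (the page does not say) that the file holds one key=value pair per line with "#" comments, and that both properties are treated as false when absent. The sample file contents are constructed for the example.

```python
# Added example (not PingFederate's own code): report whether a
# cluster-config-replication.conf fragment makes the console republish its
# last configuration on restart and makes engines fail closed without it.
#
# Assumptions (not stated on the page): one key=value per line, '#' comments,
# and both properties default to false when the key is missing.

CONSOLE_KEY = "publish.replication.data.on.startup"
ENGINE_KEY = "require.replication.data.on.startup"

# Constructed sample: the file before enabling either setting.
SAMPLE_BEFORE = """\
# cluster-config-replication.conf (constructed sample, not the shipped file)
publish.replication.data.on.startup = false
require.replication.data.on.startup=false
"""

# Constructed sample: both settings enabled as the release note describes.
SAMPLE_AFTER = """\
# cluster-config-replication.conf (constructed sample, not the shipped file)
publish.replication.data.on.startup=true
require.replication.data.on.startup=true
"""


def parse_properties(text):
    """Parse key=value lines into a dict; blank lines, comments and
    lines without '=' are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(props, key):
    """Only a case-insensitive 'true' counts as enabled; a missing key
    is treated as false (assumption, see lead-in)."""
    return props.get(key, "false").strip().lower() == "true"


def assess_startup_replication(text):
    """Return what the console and a fresh engine will do on startup."""
    props = parse_properties(text)
    publish = is_true(props, CONSOLE_KEY)
    require = is_true(props, ENGINE_KEY)
    findings = []
    if not publish:
        findings.append(
            "console restart will not republish the last configuration; "
            "replication must be triggered through the admin UI or API"
        )
    if not require:
        findings.append(
            "a fresh engine node will start even if it cannot retrieve "
            "replication data, so it may run with no configuration"
        )
    return {
        "console_republishes_on_startup": publish,
        "engine_fails_closed_without_data": require,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, assess_startup_replication(sample))
```

In a DevOps pipeline this check belongs in the image or config validation step, so a node built from a template that dropped either key is flagged before it is deployed rather than after it starts empty.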

Jetty library upgrade

Fixed PF-31865

We upgraded the Jetty library, resolving CVE-2022-2047 and CVE-2022-2048.

OAuth scope names

Fixed PF-33056

Using submit and onSubmit as OAuth scope names in the administrative UI drop-down no longer causes front-end JavaScript errors.

Policy fragment validation error

Fixed PF-33156

Policy fragments with valid authentication sources no longer fail with an Invalid Configuration error at runtime.

Eliminating redundant group updates

Fixed PF-33441

PingFederate, when configured with PingDirectory as an outbound provisioning data source, no longer sends redundant group updates in each provisioning cycle when the entry remains unchanged.

Potential security vulnerability

Fixed PF-33449

We’ve resolved a potential security vulnerability that is described in security advisory SECADV037.

PingFederate as a Windows service

Fixed PF-33450

We fixed an issue so that PingFederate as a Windows service now runs on Java 17. When updating to the latest maintenance release using an in-place update method (for example, from 11.3.0 to 11.3.x), in addition to the steps in Updating to the latest maintenance release, you must remove the existing PingFederate Windows service. After removal, re-install the PingFederate Windows service to apply this fix.

Authentication policy fail path

Fixed PF-33519

When an OIDC identity provider (IdP) connection fails in an authentication policy, PingFederate now continues on to the fail path of the authentication policy.

Fragment mapping validation error

Fixed PF-33722

We resolved an issue that incorrectly produced an administrative API validation error when the fragment mapping references context.RequestedUser as the mapping source.

Authorization details within a RAR

Fixed PF-33863

PingFederate now processes authorization details within a rich authorization request (RAR) as a JSON Array in a JWT request. Additionally, PingFederate no longer supports authorization details sent as stringified JSON arrays.

Cluster engine nodes starting without replication data

Fixed PF-33881

Resolved a replication issue that, in rare cases, caused an engine node in a cluster to start without replication data from other nodes.

Server error when revoking user sessions

Fixed PF-33920

Resolved an issue that prevented user sessions from being revoked through the session management API when using persistent sessions.

Potential security vulnerability

Fixed PF-33935

We’ve resolved a potential security vulnerability that is described in security advisory SECADV037.

Fragment mapping validation errors

Fixed PF-33957

When using the PingFederate administrative API to create or update a fragment that includes another fragment, the API no longer produces a validation error when the fragment mapping involves an input source type.

Updated template variable

Fixed PF-34016

The message-template-end-user-password-change.html template now contains the USERNAME variable.

Potential security vulnerability

Fixed PF-34017

We’ve resolved a potential security vulnerability that is described in security advisory SECADV037.

Policy evaluation issue

Fixed PF-34051

We fixed a policy evaluation issue that occurred when ui_locales was present in an authentication request.

Certificate import improvements

Fixed PF-34074

We updated the administrative UI to include the certificate serial number in the drop-down, preventing import errors for certificates that share the same Subject DN and expiration date combination.

DynamoDB attribute lookup error

Fixed PF-34099

We fixed an attribute lookup error that occurred when different DynamoDB attributes shared an overlapping path.