Upgrade considerations introduced in PingFederate 7.x
- Hostname verification for LDAPS
For LDAP-type datastores with LDAPS enabled, hostname verification of the server certificate is enabled by default for all new datastores beginning with PingFederate 7.3. When upgrading from a previous version, this option is left disabled for existing datastores for compatibility reasons. With verification off, PingFederate accepts any certificate that chains to a trusted CA regardless of the name it was issued for, so an attacker on the network path holding such a certificate can impersonate the directory server. Administrators should enable this option on existing datastores after confirming that each LDAPS server's certificate actually names the configured host.
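The check that this option turns on is ordinary TLS hostname matching: the configured LDAP host must appear among the certificate's Subject Alternative Name dNSName entries, with the usual wildcard rules. The following is an added example, not code from PingFederate or its documentation; it implements that matching so an administrator can confirm, before flipping the option on an existing datastore, that the server certificate covers the hostname in the datastore configuration. The SAN lists are constructed test data, and the `fetch_san_dns_names` helper (a hypothetical name) is the only part that contacts a real server.

```python
"""Check whether an LDAPS server certificate covers the configured hostname.

Added example, not part of PingFederate. hostname_matches() reproduces the
RFC 6125 dNSName matching that a 'hostname verification' option performs;
fetch_san_dns_names() is a hypothetical helper that pulls the SAN entries
from a live server (requires network, not exercised by the self-test).
"""
import socket
import ssl


def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label; a bare '*' pattern matches any single non-empty label."""
    if pattern == "*":
        return label != ""
    return pattern == label


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """Return True if hostname is covered by one of the dNSName SAN entries.

    Rules applied (RFC 6125 section 6.4.3, as browsers enforce them):
    - comparison is case-insensitive and ignores a trailing dot;
    - a wildcard is honoured only as the complete left-most label and must be
      followed by at least two more labels ('*.com' never matches);
    - a wildcard matches exactly one label, so '*.example.com' does not
      cover 'a.b.example.com'.
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        labels = name.split(".")
        if len(labels) != len(host_labels):
            continue
        if "*" in name and (labels[0] != "*" or len(labels) < 3):
            # partial-label wildcards ('f*.example.com') and wildcards that
            # are not the left-most label are rejected outright
            continue
        if all(_label_matches(p, l) for p, l in zip(labels, host_labels)):
            return True
    return False


def fetch_san_dns_names(host: str, port: int = 636, cafile=None):
    """Connect over TLS and return the peer certificate's dNSName SANs.

    Chain validation stays on (CERT_REQUIRED) but check_hostname is off, so
    the function reports what the certificate actually names before the
    PingFederate option is enabled. Hypothetical helper; needs network access.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample SAN list for a directory service farm.
SAMPLE_SANS = ["ldap.corp.example.com", "*.ad.corp.example.com"]

if __name__ == "__main__":
    for configured in ["ldap.corp.example.com", "dc01.ad.corp.example.com",
                       "dc01.site1.ad.corp.example.com", "LDAP.CORP.EXAMPLE.COM.",
                       "attacker.example.net"]:
        print(f"{configured:40} -> {hostname_matches(configured, SAMPLE_SANS)}")
```

A result of False for the configured hostname means enabling the option would break binds to that datastore; the fix is to reissue the server certificate with the right name (or configure the datastore with a name the certificate carries), not to leave verification off.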
- Changes in a database table supporting nested group membership
Outbound provisioning of groups and nested group membership requires an update in the internal datastore. Follow the instructions in Reviewing database changes to add or update the group_membership table.
- SSLv3 disabled
To mitigate the POODLE attack, the SSLv3 protocol is disabled by default starting in PingFederate 7.3. It can be re-enabled by modifying the connector configuration in jetty-runtime.xml and jetty-admin.xml, found in the <pf_install>/pingfederate/etc directory. Re-enabling it restores exposure to POODLE, so treat that as a temporary accommodation for clients that cannot negotiate TLS rather than a permanent setting.
- New representation for multivalued attributes in WS-Federation assertions
Starting with PingFederate 7.3, multivalued attributes in WS-Federation assertions are represented as multiple AttributeValue elements under a single Attribute element. Previously, they were represented as a series of Attribute elements with the same name. The new behavior was implemented for compatibility with ADFS 2.0. To revert to the previous behavior, a setting is available in wstrust-global-settings.xml.
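A relying party that reads only the first AttributeValue of each Attribute, or that groups values by repeated Attribute elements, will silently lose all but one value after the upgrade; if those values are group memberships, authorization decisions change without any error. The following is an added example, not code from PingFederate or ADFS, showing a SAML 1.1 attribute extractor that yields the same result for both layouts. The two tokens are constructed test data reduced to the AttributeStatement, with a made-up attribute namespace.

```python
"""Extract multivalued attributes from a SAML 1.1 token issued over WS-Federation.

Added example, not part of PingFederate. Handles both the pre-7.3 layout
(several Attribute elements sharing one AttributeName) and the 7.3+ layout
(one Attribute holding several AttributeValue children). Sample tokens are
constructed test data.
"""
import xml.etree.ElementTree as ET

# SAML 1.1 assertion namespace used by WS-Federation / ADFS 2.0 tokens.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Pre-7.3 representation: the same AttributeName repeated once per value.
OLD_STYLE = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" AssertionID="_c1" MajorVersion="1" MinorVersion="1">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="groups" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="groups" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="mail" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# 7.3+ representation (ADFS 2.0 compatible): one Attribute, many AttributeValue.
NEW_STYLE = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" AssertionID="_c2" MajorVersion="1" MinorVersion="1">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="groups" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="mail" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict:
    """Return {AttributeName: [values...]} regardless of which layout is used.

    Keys are collapsed to AttributeName for readability; a real relying party
    should key on (AttributeNamespace, AttributeName). Parse with defusedxml
    in production; the standard parser is used here only to stay
    dependency-free. Signature validation is out of scope for this example.
    """
    root = ET.fromstring(assertion_xml)
    result = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("AttributeName")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        # Extending (not assigning) is what makes the repeated-Attribute
        # layout come out identical to the multi-AttributeValue layout.
        result.setdefault(name, []).extend(values)
    return result


if __name__ == "__main__":
    print(extract_attributes(OLD_STYLE))
    print(extract_attributes(NEW_STYLE))
```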
- A new index (EXPIRESIDX) in the database table for OAuth persistent grants
PingFederate 7.3 added an index (EXPIRESIDX) for the expires column in the pingfederate_access_grant database table. For information on adding this index to your existing table, see Reviewing database changes.
- A new database table for OAuth persistent grant extended attributes
Starting with PingFederate 7.2 R2, a new database table must be created to support OAuth persistent grant extended attributes. The database scripts to create this table can be found in <pf_install>/pingfederate/server/default/conf/access-grant/sql-scripts/access-grant-attribute-<databaseServer>.sql. See Reviewing database changes for more information.
- LDAP filter syntax checking
Starting with PingFederate 7.2, LDAP filters only allow spaces in matched-against values (the text to the right of the comparison operator); whitespace anywhere else in the filter is rejected.
Examples
(|(sAMAccountName=${username})(employeeID=ID for ${username}))
is allowed; the spaces in the matched-against value "ID for ${username}" are valid.
( | (sAMAccountName=${username}) (employeeID=ID for ${username}) )
is not allowed because this filter contains spaces outside of matched-against values.
Invalid filters cause SSO runtime failures. Error messages logged to server.log include:
Caused by: javax.naming.NamingException: [LDAP: error code 87 - Expected a closing parenthesis...
Caused by: javax.naming.NamingException: [LDAP: error code 87 - Unexpected closing parenthesis found...
We recommend reviewing LDAP filters and removing spaces outside of matched-against values after upgrade.
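Because the failure surfaces only at SSO runtime (LDAP result code 87 is filterError), it is worth linting configured filters before the upgrade. The following is an added example, not a PingFederate tool: a small RFC 4515 filter walker that reports the offsets of any whitespace outside a matched-against value, run over the two filters from the text plus a few extra cases. It treats the filter as the configured template, so `${...}` references are ordinary value characters, and it honours backslash escapes so an escaped `)` inside a value does not end the value.

```python
"""Lint LDAP search filters for whitespace outside matched-against values.

Added example, not part of PingFederate. Reproduces the 7.2+ rule that spaces
are permitted only inside the value to the right of a comparison operator.
Sample filters are taken from the upgrade notes plus constructed extras.
"""


class FilterSyntaxError(ValueError):
    """Raised for filters that are structurally malformed (not merely spaced)."""


def find_stray_whitespace(filter_text: str) -> list:
    """Return offsets of whitespace characters found outside matched-against values.

    An empty list means the filter passes the 7.2+ check.
    """
    stray = []
    pos = 0
    n = len(filter_text)

    def skip_ws():
        # Whitespace between structural tokens is tolerated by this walker so
        # that it can keep going, but every such character is recorded.
        nonlocal pos
        while pos < n and filter_text[pos].isspace():
            stray.append(pos)
            pos += 1

    def expect(ch):
        nonlocal pos
        skip_ws()
        if pos >= n or filter_text[pos] != ch:
            raise FilterSyntaxError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def parse_filter():
        nonlocal pos
        expect("(")
        skip_ws()
        if pos >= n:
            raise FilterSyntaxError("unexpected end of filter")
        c = filter_text[pos]
        if c in "&|":                       # AND / OR: a list of sub-filters
            pos += 1
            skip_ws()
            while pos < n and filter_text[pos] != ")":
                parse_filter()
                skip_ws()
        elif c == "!":                      # NOT: exactly one sub-filter
            pos += 1
            parse_filter()
        else:
            parse_item()
        expect(")")

    def parse_item():
        nonlocal pos
        # Attribute description runs up to the comparison operator; whitespace
        # here (e.g. "( cn=x)" or "(cn =x)") is outside a value and is stray.
        start = pos
        while pos < n and filter_text[pos] not in "=~<>()":
            if filter_text[pos].isspace():
                stray.append(pos)
            pos += 1
        if pos >= n or filter_text[pos] in "()":
            raise FilterSyntaxError(f"missing comparison operator after offset {start}")
        if filter_text[pos] in "~<>":       # ~=, <=, >=
            pos += 1
        if pos >= n or filter_text[pos] != "=":
            raise FilterSyntaxError(f"expected '=' at offset {pos}")
        pos += 1
        # Value runs to the closing parenthesis. A backslash escapes the next
        # character, so "\29" or "\)" does not terminate the value. Spaces
        # inside the value are legitimate and are deliberately not recorded.
        while pos < n and filter_text[pos] != ")":
            if filter_text[pos] == "\\" and pos + 1 < n:
                pos += 1
            pos += 1

    parse_filter()
    skip_ws()
    if pos != n:
        raise FilterSyntaxError(f"trailing characters at offset {pos}")
    return stray


# The two filters from the upgrade notes, plus a constructed escaped-value case.
ALLOWED = "(|(sAMAccountName=${username})(employeeID=ID for ${username}))"
DISALLOWED = "( | (sAMAccountName=${username}) (employeeID=ID for ${username}) )"
ESCAPED_VALUE = "(cn=Smith\\29 Jr)"

if __name__ == "__main__":
    for f in (ALLOWED, DISALLOWED, ESCAPED_VALUE):
        offsets = find_stray_whitespace(f)
        print(f"{f!r}: {'OK' if not offsets else 'stray whitespace at ' + str(offsets)}")
```

Run it over every filter in the datastore and adapter configuration; any non-empty offset list is a filter that will start failing with error code 87 after the upgrade, and a FilterSyntaxError flags a filter that was already malformed.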
- HTML Form Adapter enhancement
Starting with version 7.1 R3, PingFederate tracks login attempts in the HTML Form Adapter. When the number of login failures reaches the Challenge Retries threshold defined in the adapter, the user is locked out for one minute. See HTML Form Adapter for more information.
- A new index (CLIENTIDIDX) in the database table for OAuth persistent grants
PingFederate 7.1 R3 added an index (CLIENTIDIDX) for the client_id column in the pingfederate_access_grant database table. For information on adding this index to your existing table, see Reviewing database changes.
- Requested (formerly SAML) AuthN Context authentication selector process order changed
In releases prior to 7.1 R2, when the Requested AuthN Context Authentication Selector received a list of authentication contexts, it used the last context that it could match, rather than the first. However, both the SAML and OpenID Connect specifications treat an authentication context list as appearing in order of preference. To align the Requested AuthN Context Authentication Selector with these specifications, the selection order was changed in 7.1 R2. With this release, the selector will use the first authentication context it can match, rather than the last.
- Multivalued LDAP attributes passed to outbound provisioning OGNL expressions
In releases before version 7.1, if an OGNL expression was used to populate a SaaS-partner field in outbound provisioning, only the first value of a selected multivalued LDAP attribute was passed to the expression. As of PingFederate 7.1, all values are passed to the expression.
If this new behavior conflicts with existing deployments, it can be reverted via the
OAuth clients reconfiguration
Neither the Upgrade Utility nor the platform-specific installers migrate OAuth clients created in PingFederate 6.5 through 7.0. Use any of the following interfaces to reconfigure your OAuth clients:
- The Clients window (Applications → OAuth → Clients) in the PingFederate administrative console.
- The /oauth/clients administrative API endpoint.
- The REST-based web service for OAuth client management at the /pf-ws/rest/oauth/clients and /pf-ws/rest/oauth/clients/id endpoints. This web service requires the client records to be stored in a database.
Note that PingFederate has stored OAuth clients in XML files since version 7.1; these clients are migrated to the new installation. In addition, if you have configured PingFederate 6.8 (or a more recent version) to store OAuth clients in an external database, the new installation retains that configuration as well.