Upgrade considerations introduced in PingFederate 9.x
- Gemalto SafeNet Luna HSM 6.3
-
When integrating with a Gemalto SafeNet Luna Network HSM 6 (hardware security module), PingFederate 9.2 requires firmware version 6.3.0 and client driver version 6.3. See Integrating with Thales Luna Network HSM for setup information.
- Weaker cipher suites disabled
-
Starting with PingFederate 9.1, the weaker cipher suites TLS_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA are disabled in new installations and upgrades. As a result, the administrative and runtime servers support only TLS 1.2. If you must re-enable these cipher suites for legacy clients, see Managing cipher suites for more information.
- LDAP service accounts on PingDirectory
-
If PingFederate 9.3.1 or later uses an LDAP connection to PingDirectory, add the config-read privilege to its service account in PingDirectory. Otherwise, users will not receive password expiry notifications. For more information, see Assigning Privileges to Normal Users and Individual Root Users in the PingDirectory documentation.
- Improved validation for AudienceRestriction
-
If an IdP connection is configured with multiple virtual server IDs, the AudienceRestriction value in a SAML response must now match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message. Otherwise the SSO attempt fails. To override this validation on a per-connection basis, see Configuring validation for the AudienceRestriction element.
- Custom authentication selector
-
If you have created a custom authentication selector that returns an IdP adapter instance ID or the connection ID of an IdP connection, you must update the associated descriptor instance. See Updating the custom authentication selector for more information.
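The AudienceRestriction check described above (under Improved validation for AudienceRestriction) can be illustrated with a small validator. This is an added example, not PingFederate's code: it parses a constructed SAML response, pulls the virtual server ID out of the receiving endpoint URL, and accepts the assertion only when its Audience names exactly that ID. The `vsid` query parameter, the `CONNECTION_VIRTUAL_SERVER_IDS` set and the sample response are all assumptions made for illustration; how PingFederate actually encodes the virtual server ID in its endpoints is not shown on this page.

```python
"""Added example: strict AudienceRestriction validation against the virtual
server ID carried by the receiving endpoint. Endpoint format and sample data
are assumptions, not PingFederate's real URL scheme or configuration."""
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed: the virtual server IDs configured on one IdP connection.
CONNECTION_VIRTUAL_SERVER_IDS = {
    "https://sso.example.com/finance",
    "https://sso.example.com/hr",
}

# Constructed SAML response whose assertion is scoped to the "finance" ID.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml2:Assertion ID="_a1" Version="2.0">
    <saml2:Issuer>https://idp.example.org</saml2:Issuer>
    <saml2:Conditions>
      <saml2:AudienceRestriction>
        <saml2:Audience>https://sso.example.com/finance</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
  </saml2:Assertion>
</saml2p:Response>"""


def virtual_server_id_from_endpoint(endpoint_url: str) -> Optional[str]:
    """Extract the virtual server ID from the receiving endpoint.

    ASSUMPTION: the ID travels as a 'vsid' query parameter, e.g.
    /sp/ACS.saml2?vsid=<id>. This is a hypothetical encoding chosen for
    the example; it is only the hook where the real parsing would live."""
    values = parse_qs(urlparse(endpoint_url).query).get("vsid", [])
    return values[0] if values else None


def audiences(response_xml: str) -> List[str]:
    """Return every <saml2:Audience> value found under <saml2:Conditions>."""
    root = ET.fromstring(response_xml)
    path = ".//saml2:Conditions/saml2:AudienceRestriction/saml2:Audience"
    return [el.text.strip() for el in root.findall(path, NS) if el.text]


def audience_matches_endpoint(response_xml: str, endpoint_url: str) -> bool:
    """Strict check: the Audience must name exactly the virtual server ID
    encoded in the endpoint, not merely any ID configured on the connection."""
    vsid = virtual_server_id_from_endpoint(endpoint_url)
    if vsid is None or vsid not in CONNECTION_VIRTUAL_SERVER_IDS:
        return False  # missing or unknown ID: fail closed
    # An assertion with no AudienceRestriction at all also fails here.
    return vsid in audiences(response_xml)


def lenient_audience_matches(response_xml: str) -> bool:
    """Looser check shown for contrast (assumed to be what the improved
    validation tightens): any ID configured on the connection is accepted,
    so an assertion issued for 'hr' would pass at the 'finance' endpoint."""
    return any(a in CONNECTION_VIRTUAL_SERVER_IDS for a in audiences(response_xml))


if __name__ == "__main__":
    base = "https://sso.example.com/sp/ACS.saml2"
    for url in (base + "?vsid=https://sso.example.com/finance",
                base + "?vsid=https://sso.example.com/hr",
                base):
        print(url, "->", audience_matches_endpoint(SAMPLE_RESPONSE, url))
    print("lenient:", lenient_audience_matches(SAMPLE_RESPONSE))
```

The difference between the two checks is the point of the upgrade note: with the strict check, an assertion whose Audience names a different virtual server ID of the same connection is rejected even though that ID is valid for the connection, which is why the per-connection override exists for deployments that depend on the looser behaviour.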
- Provisioning datastore reset
-
Upgrading to PingFederate 9.0 or 9.0.1 when using its outbound provisioning capability can result in user records being disabled at SaaS applications. The issue is resolved in version 9.0.2.
If you are upgrading from version 8.4.4 (or earlier) or from version 9.0.2, 9.0.3, or 9.0.4 to version 10.0, the upgrade process automatically resolves this issue. No further action is required.
If you are upgrading from version 9.0 or 9.0.1 to PingFederate 10.0, you must use the provmgr command-line tool to reset the provisioning datastore on the upgraded installation. See Reviewing database changes for more information.
- Security enhancement in JDBC datastore queries
-
For upgrades, see Reviewing database changes.
- Access token validation response
-
Starting with PingFederate 9.2, the access token validation response no longer includes the username and subject elements by default. Responses include them only if they were mapped in the issuing access token management instance.