PingFederate 11.1 (June 2022)

New PingOne

We’ve added Kerberos authentication via PingOne and the PingOne LDAP Gateway Data Store. This new capability allows PingFederate in the cloud, without a direct connection to Active Directory, to complete Kerberos authentication for browser-based SSO requests and STS transactions through PingOne.

New

We’re proud to support JWT Secured Authorization Response Mode (JARM) in version 11.1. JARM allows authorization servers to transmit authorization responses in JSON web tokens (JWTs), providing digital signature and encryption, sender authentication, and audience restriction. As JARM becomes a requirement in FAPI 2, you can deploy open banking solutions confidently.

New

We’re also introducing support for JWT Response for OAuth Token Introspection, a draft specification on track to become one of the authorization server requirements in the FAPI 2 Advanced Profile. JWT-secured introspection responses provide stronger assurance to the introspection requesters, most relevant when the requester, such as a resource server, expects to receive verified claims from the authorization server.

New

Seamless client secret rotation no longer requires real-time coordination between PingFederate administrators and the application development teams. You can now configure PingFederate to retain previous secrets for a configurable period, during which the application teams can work on updating the client secrets in their apps. This enhancement drastically lowers the costs of securing applications that use client secrets for authentication. For more information, see "Client Secret Retention Period" in the topic Managing client configuration defaults.

New

In addition to template-driven user experience, the user authorization step from Device Authorization Grant supports API now. You can also decide whether PingFederate should check the device activation code before or after authentication. These new capabilities enable you to build applications with the desired user experience for input-constrained devices, such as smart TVs or telepresence equipment.

New

You can store OAuth persistent grants in Amazon DynamoDB, which allows you to take advantage of a NoSQL database where it matters most: delivering responsive experiences to globally distributed users and offering high availability at ease.

New

You can optionally enable direct revocation for self-contained access tokens (JWT access tokens). This flexibility provides a secure way to invalidate access tokens without revoking the underlying refresh tokens or persistent grants. For more information, see Configuring an access token management instance and its description of the Enable Token Revocation checkbox.

New

PingFederate 11.1 centralizes alerts, such as the reminder to replicate configuration, under the new bell icon in the top menu. You can review important alerts from any configuration window.

New

Previously, if you wanted to update an authentication policy or a reusable policy fragment midstream, they had to reconfigure all downstream paths, which can take some effort. With PingFederate 11.1, you can copy a subtree of policy paths before removing a step (such as an IdP adapter), adding a new step (such as a selector or another IdP adapter), and then pasting the subtree back to the policy. This new capability applies to reusable policy fragments and between authentication policies and reusable policy fragments.

New

You can use the administrative API to move an individual policy to a specific location. This enhancement makes re-organizing policies by API requests easier and safer.

New

PingFederate engine nodes now capture common configuration replication issues in their server logs and send replication status back to the console node. The Cluster Management window provides live updates when you select Replicate Configuration in the Cluster Management window. If an error occurs, you can act on it immediately and recover from potential outages faster.

New

You can now associate authentication sessions with user identities passed through the new Passthrough Identity Provider (IdP) Adapter. By placing the Passthrough IdP Adapter downstream from an IdP connection in a policy tree, you can take advantage of additional capabilities associated with defining a user key. For example, you can use the user key to query or revoke a user’s authentication sessions.

New

The Kerberos Adapter and the Kerberos Token Processor now return the ObjectSID attribute value. Because ObjectSID uniquely identifies the user in Active Directory, leveraging it helps streamline the Attribute Source & Lookup configuration.

New

You can configure the Kerberos Adapter to fail when the service provider asks for re-authentication by including ForceAuthn=true (SAML 2.0) or prompt=login (OpenID Connect) in their authentication requests. For example, suppose user interactions are required when the partners ask for re-authentication. In that case, you can add the HTML Form Adapter to the Fail policy path of the Kerberos Adapter.

New

New

You can now leverage extended properties in Velocity templates when customizing template-driven end-user interactions. You can reference extended properties in the templates instead of creating multiple If/ElseIf/Else directives, significantly reducing the initial effort. New and updated experiences can be inherited from extended property values from the OAuth client records and Browser SSO connections, eliminating most of the maintenance costs. PingFederate also passes extended property values to authentication API applications. As a result, application developers who create and maintain end-user UX for customer identities will benefit from this new enhancement.

New

We’ve also improved inline documentation in our Velocity templates. Moving forward, we will maintain variable names and their definitions consistently to communicate changes, such as introducing new variables.

New

Both Java 11 and 8 environments are supported when integrating with Thales Luna Cloud Hardware Security Module (HSM) Services or Luna Network HSMs. For more information about Thales Luna HSM Client, see the Luna Cloud HSM Service Client Guide and Luna Network HSM Documentation Archive.

New

You can now add a secondary signing certificate to your connections. If configured, PingFederate includes it in both the metadata exports and the metadata URL responses. This flexibility allows you to notify your partners about upcoming changes more easily through metadata.

New

We improved the PingFederate administrative API to manage the following configurations:

New

Fixed PF-21198

Upgraded the H2 database engine to version 2.1.210.

Fixed PF-24501

The username no longer appears in the URL during change password flows.

Fixed PF-28932

Upgraded the Guava dependency to version 30.1.1.

Fixed PF-29368

If the administrative API was used to create an OAuth client that has the Client Certificate authentication type, and the client’s Issuer DN does not have a normalized DN value, the administrative console’s Client window no longer fails to show the Issuer DN as the default value. This issue didn’t affect runtime behavior.

Fixed PF-29761

When a user record in a datastore mistakenly has a future date for the last update time, PingFederate no longer uses that date as the value of attrib_last_timestamp in the channel_variable table. Instead, PingFederate sets the value to the maximum time stamp that is not in the future.

Fixed PF-29835

The JSON response from REST API data source lookups now retains number and Boolean data types instead of converting them to strings.

Fixed PF-30075

Resolved an issue that caused the NotYetConnectedException warning message to repeatedly appear in the server.log when using AWS_PING for dynamic cluster discovery.

Fixed PF-30146

If the OAuth client’s redirection URI contains a wild card in the authority part of the URI, and the redirect_uri parameter of the token request contains userinfo in the authority part, then PingFederate will no longer consider the redirection URI a match.

Fixed PF-30255

Resolved a potential security vulnerability.

Fixed PF-30495

In a specific case, when PingFederate logs an invalid assertion error, the error message no longer fails to include a remark about why the assertion or response is invalid.

Fixed PF-30558

When an OAuth client is performing a password reset through the authentication API, if PingFederate does not find any session attributes, now PingFederate logs an error state instead of a null pointer exception.

Fixed PF-30770

Resolved an issue that prevented PingFederate from correctly determining the authentication instant for the flow when the initial OIDC authorization request specifies a max_age, the flow falls through to legacy authentication source selection (policies are disabled or no policy applies), and the user chooses an upstream OIDC IdP connection.

Fixed PF-30806 PingOne MFA

PingFederate now includes all the templates for PingOne MFA 1.6.1.

Fixed PF-31054

When saving SAML token processors or generators, PingFederate now correctly handles dependency errors caused by misconfigured settings on the Protocol Settings window’s Federation Info tab.

Fixed PF-31145

Now PingFederate preserves the order of map type configurations under <pf_install>/pingfederate/server/default/data/config-store when performing a bulk export or a GET operation at the /configStore administrative API endpoint.

Fixed PF-31280

Now if you use the PingFederate administrative console in multiple tabs on one browser, it warns you that doing so might cause inconsistent behavior which could corrupt its configuration.

Fixed PF-31304

Resolved an issue that caused PingFederate to overwrite the scope.whitelist in the \data\config-store\org.sourceid.oauth20.domain.AuthzServerManagerImpl.xml file when you save the authorization server settings.

Fixed PF-31561

Now OAuth client MODIFY, CREATE, and DELETE event log entries in the admin.log include the client ID.

Fixed PF-31575

Now PingFederate honors the value of http.maxRequestBodySize in the run.properties file, which specifies the maximum HTTP request body size of any incoming request to PingFederate’s web services and administrative API.

Issue

Issue

For Java versions that don’t support TLSv1.3 (meaning versions earlier than 8u261), PingFederate fails on start up with a NoSuchAlgorithmException exception. To resolve this error, remove TLSv1.3 from the following settings in the run.properties file:

Issue

PingFederate’s TLS cipher suites can be customized by modifying com.pingidentity.crypto.SunJCEManager.xml (or a similarly-named file if BCFIPS or a hardware security module (HSM) is configured). After updating the file and replicating, all cluster nodes must be restarted for the change to take effect.

Issue

Issue

Issue

Issue

SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.

Issue

Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.

Issue

PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.

Although it’s possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage, we recommend not doing so to avoid potential record migration issues.

Issue

Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.

Issue

Issue

Issue

Issue

The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.

Info

Ping Identity commits to deliver the best experience for administrators and users. As we continue to improve our products, we encourage you to migrate off of Microsoft Internet Explorer 11. Starting with PingFederate 11.0, Internet Explorer 11 is no longer included in the PingFederate qualification process for administrators or users. For a list of supported browsers, see System requirements.

Info

As of PingFederate 10.2, these features have been deprecated and will be removed in a future release.

Info

As Oracle ended its Premier Support for Oracle Directory Server Enterprise Edition (ODSEE 11g) in December 2019, we no longer include ODSEE as part of the PingFederate qualification process (starting with PingFederate 10.2). We continue to qualify against Oracle Unified Directory and other supported directory servers. For a full list, see System requirements.

Info

Starting with PingFederate 10.2, monitoring and reporting through the Simple Network Management Protocol (SNMP) has been removed.

Info

Starting with PingFederate 10.1, roles and protocols are always enabled and no longer configurable through the administrative console and API.

Info

Starting with PingFederate 10.1, the S3_PING discovery protocol has been deprecated. Customers running on AWS infrastructure should instead use NATIVE_S3_PING.

Info

Starting with PingFederate 10.0, the Red Hat Enterprise Linux install script is no longer available. To install PingFederate 10.0 for Linux, you must download and extract the product distribution .zip file.