PingFederate Server

PingFederate 12.3 (June 2025)

New features and enhancements

Audit log failure behavior

New PF-36795 PF-36817

We’ve added a feature that allows you to configure how PingFederate responds when writing to the audit log fails.

This feature can improve user experience by allowing PingFederate to continue processing transactions when logging fails.

Remove IP address from account lockout criteria

New PF-36818

We’ve added the ability to remove a user’s IP address from consideration when making account lockout decisions.

This can improve security by preventing malicious actors from masking their IP address to bypass account lockouts.

CORS support for admin API endpoints

New PF-36856

We’ve added a feature that allows you to grant access to administrative API endpoints.

This makes it more secure and convenient for web applications like PingAccess to perform administrative tasks in PingFederate.

Validate OIDC ID tokens

New PF-36860

We’ve added the ability to validate an ID token at the introspection endpoint as part of a policy. You enable this feature in the policy, but the runtime validation occurs at the introspection endpoint.

This improves security by allowing PingFederate to determine whether a user’s ID token is valid.

Always return scopes in client credentials response

New PF-36862

We’ve added a feature that allows you to always return the scope parameter in the response to client credential requests.

This allows you to return scopes even when clients require scopes that users haven’t authorized.

New PF-36871 PF-37272

We’ve added a feature that allows you to link private keys stored in CloudHSM with their certificates, and store the pairs in PingFederate’s Java keystore.

This allows you to use existing private key and certificate pairs associated with your CloudHSM instance in PingFederate.

Correlating log events with attributes

New PF-36875

We’ve added the ability to correlate log events between the audit.log, request.log, and server.log files using shared log attributes.

This can make it easier to trace the cause of runtime errors.

Duplicate RSA key

New PF-36970

We’ve added a feature that gives you the option to include a duplicate RSA key with the RS256 algorithm. You can enable this option by setting the add-duplicate-rs256-alg-key parameter in the <pingfed-install>/pingfederate/server/default/data/config-store/jwks-endpoint-configuration.xml file to true.

HTTP request logging

New PF-36976

We’ve updated the logging for HTTP requests to the runtime engine and admin console. These requests are now logged to the runtime-request.log and admin-request.log files. Like other PingFederate logs, you can configure outputs for these files in log4j2.xml.

This improves logging efficiency and customization by writing HTTP request logs using the same configurations as other PingFederate log files.

Learn more in HTTP request logging.

Revoke previous client secrets

New PF-37183

We’ve added a feature that allows you to revoke previous OAuth client secrets.

This improves security by allowing you to revoke secrets that are no longer in use. For example, if you move your client to a new secret before the old secret’s grace period ends, you can use this feature to revoke your previous secret.

Learn more in Configuring OAuth clients.

DynamoDB persistent grant storage

New PF-37192

When persistent grants are stored in DynamoDB, removal of expired grants relies on the DynamoDB Time to Live (TTL) attribute. Learn more in Configuring external databases for grant storage.

Publish certificate for dynamic keys

New PF-37219

We’ve added a feature that allows dynamic signing keys to publish their public certificates on the JWKS endpoint as an x5c parameter. Learn more in Configuring dynamic signing keys.

SCIM 2.0 supported for inbound user provisioning

New PF-37230

PingFederate now supports the SCIM 2.0 protocol for inbound user provisioning. Learn more in System for Cross-domain Identity Management (SCIM).

User session quotas

New PF-37238

We’ve added a feature that allows you to limit the number of sessions a user can have active at one time and configure how PingFederate responds when that quota is exceeded.

This can improve security by limiting the number of active user sessions that have access to applications and other resources.

client_assertion attribute configuration

New PF-37275

We’ve added a feature that allows you to configure the client_assertion for JWT-based authentications by customizing the following attributes:

  • aud

  • lifetime

  • typ

  • nbf
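The four attributes above are the claims of a JWT-based client assertion (RFC 7523). The following is an added illustration, not PingFederate code: it builds a client_secret_jwt assertion where aud, lifetime, typ and nbf are parameters, and shows the checks a token endpoint applies to them. The endpoint URL, client ID and secret are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed placeholders, not values from any real deployment.
TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"
CLIENT_ID = "sample-client"
CLIENT_SECRET = b"constructed-shared-secret-at-least-32-bytes!!"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_assertion(aud, lifetime, typ="JWT", nbf_skew=0, now=None):
    """Build an HS256 client_assertion. aud, lifetime, typ and nbf are the
    attributes the release note lists as configurable."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": typ}          # typ goes in the JOSE header
    claims = {
        "iss": CLIENT_ID, "sub": CLIENT_ID,          # RFC 7523: both name the client
        "aud": aud,                                  # identifier of the token endpoint
        "iat": now,
        "nbf": now - nbf_skew,                       # not-before, backdated for clock skew
        "exp": now + lifetime,                       # lifetime sets exp relative to iat
        "jti": secrets.token_hex(8),                 # unique ID so the AS can reject replays
    }
    enc_header = _b64url(json.dumps(header, separators=(",", ":")).encode())
    enc_claims = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{enc_header}.{enc_claims}"
    sig = hmac.new(CLIENT_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def validate_client_assertion(token, expected_aud, max_lifetime, now=None):
    """Checks a token endpoint applies before trusting the assertion.
    Returns the claims, or raises ValueError naming the failed check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, c, s = parts
    expected_sig = hmac.new(CLIENT_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(c))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if expected_aud not in auds:
        raise ValueError("aud mismatch")
    if claims["nbf"] > now:
        raise ValueError("not yet valid (nbf)")
    if claims["exp"] <= now:
        raise ValueError("expired")
    if claims["exp"] - claims["iat"] > max_lifetime:
        raise ValueError("lifetime exceeds policy")
    return claims
```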

Bouncy Castle FIPS 2.0 compatibility

Info PF-36846

We’ve upgraded Bouncy Castle to version 2.0. This version is certified to operate in Federal Information Processing Standards (FIPS) 140-3 mode.

Java 21 compatibility

Info PF-36857

We’ve confirmed that PingFederate is compatible with Java 21.

Red Hat Enterprise Linux 8.10 compatibility

Info PF-36972

We’ve confirmed that PingFederate is compatible with Red Hat Enterprise Linux ES 8.10.

Integration Kit template parameters

Info PF-37102

We’ve updated PingFederate to use the same default template parameters for all integration kits.

Learn more about template parameters in Customizable user-facing pages.

Authentication policies list readability

Info PF-37221

  • The Policies UI in the administrative console now collapses long lists of authentication sources by default. Users can easily expand or collapse these lists as needed, making it easier to navigate and manage policies.

  • We’ve added a Selectors column to the Policies overview, providing a list of the selectors used in each policy.

NATIVE_S3_PING update

Info PF-37234

We’ve updated the behavior of the NATIVE_S3_PING discovery protocol when the remove_all_data_on_view_change parameter is active.

Previously, the protocol would delete all files in the S3 bucket, which could lead to the creation of an unwanted subcluster.

Now the protocol deletes all files except for its own to prevent the S3 bucket from being empty.

Learn more in Dynamic cluster discovery.

Java Service Wrapper update

Info PF-37236

We’ve updated the Java Service Wrapper to the latest version, 3.5.60.

Learn more in the Tanuki release notes.

Amazon Aurora MySQL 3.09 compatibility

Info PF-37277

We’ve confirmed that PingFederate is compatible with Amazon Aurora MySQL 3.09.

PingOne Singapore region

Info PF-37451

We’ve added support for the new PingOne Singapore region, pingone.sg.

Resolved issues

d3-color library

Security PF-36745

We’ve fixed a security vulnerability that could allow denial of service attacks using legacy d3-color library versions.

Refresh token MySQL deadlocks

Fixed PF-35868

We’ve fixed a defect that caused multiple refresh token requests in short succession to result in data source deadlocks and duplicated data entry into the database.

This defect could cause significant performance issues if PingFederate or the JDBC data source had insufficient resources.

Reencrypt data archive failure with KMS

Fixed PF-36487

We’ve fixed a defect where importing a valid configuration data archive with Reencrypt Data enabled failed with a Could not reencrypt data archive error message when configured to use the Amazon Web Services or Google Cloud Platform Key Management System (KMS).

Expired grants reuse

Fixed PF-36568

We’ve fixed a defect that allowed OAuth grants that had passed their idle timeout, but had not yet expired, to be retrieved from persistent grant storage.

Access token manager Admin API error

Fixed PF-36845

We’ve fixed a defect that caused a 500 error when creating or updating an access token manager using the Administrative API.

Refresh token error when authorization bypass enabled

Fixed PF-36851

We’ve fixed a defect that caused PingFederate to return a revoked or expired consent error when both Bypass Authorization Approval and Bypass Authorization Approval for Previously Approved Consents are enabled.

This is My Device error on HTML Form Adapter

Fixed PF-36864

We’ve fixed a defect that caused PingFederate to behave inconsistently when This is My Device is selected and an HTML Form Adapter instance has more than one session configuration in the session overrides.

TLS connection in BCFIPS mode

Fixed PF-36865

We’ve fixed a defect where PingFederate could not accept a TLS 1.2 connection in BCFIPS mode on Java 17.

Group membership loss during provisioning

Fixed PF-36874

We’ve fixed a defect that caused PingFederate to lose user group membership information when it lost contact with the datastore during provisioning operations.

Jetty Upgrade redirect errors

Fixed PF-36877

We’ve fixed a defect where upgrading to Jetty library version 9.5.53 caused HTTP header compression errors when redirect URLs included special characters.

Change password failure with PingOne Protect

Fixed PF-37012

We’ve fixed a defect that caused the HTML Form Adapter Change Password using an authentication policy to fail when PingOne Protect is the risk provider.

OGNL expressions with SDK classes

Fixed PF-37021

We’ve fixed a defect that caused OGNL expressions to fail to load when they contained SDK classes.

RP-initiated logout error

Fixed PF-37173

We’ve fixed a defect that caused PingFederate to ignore the id_token_hint value during RP-initiated logout when the OAuth client logout mode is set to None.

Log rotation policy ignored

Fixed PF-37237

We’ve fixed a defect that caused PingFederate to ignore the log file size limit and rotation configurations set by the SizeBasedTriggeringPolicy parameter.

Secondary secret missing ID token claim

Fixed PF-37279

We’ve fixed a defect that caused the ID token claim to be omitted when an OAuth client uses the secondary secret.

Failed IdP connection with additional issuer

Fixed PF-37404

We’ve fixed a defect where an "IdP connection not found" error occurs when an authorization response includes an iss query parameter that doesn’t match the connection’s primary issuer, but is added as an additional issuer.

Unnecessary ID token reissued with secondary client secret

Fixed PF-37450

We’ve fixed a defect that caused the token endpoint to unnecessarily reissue an ID token when using a secondary client secret and an asymmetric algorithm for token signing and encryption.

Apache Commons BeanUtils

Fixed PF-37507

PingFederate now uses the Apache Commons BeanUtils library version 1.11.0.

Fixed PF-37514

We’ve fixed a defect where the Scopes Selection modal prevented configurations from saving correctly when added using search.

Scopes with URL characters not updating

Fixed PF-37516

We’ve fixed a defect where OAuth scopes that included URL characters such as / couldn’t be updated in the Admin portal.

Known issues and limitations

PingOne Verify IK unexpected error

Issue PF-36573

PingFederate returns an unexpected error when you create an instance of the PingOne Verify Integration Kit version 2.2.2 in PingFederate with the Verify feature in PingOne disabled.

Issue PF-35772

Due to multiple vendors' recent browser versions that block third-party cookies, you might experience issues related to single logout with OIDC (via Front-Channel) and WS-Federation.

Refer to browsers' documentation regarding third-party cookie management to unblock them, if feasible.

Passive admin console UI refresh

Issue PF-35643

When you promote a passive admin console to active, the UI doesn’t refresh until you perform an action.

Multiple active admin consoles

Issue PF-35439

When you make configuration changes on the active console (especially large configuration changes like bulk imports or data archive imports), then promote a passive console to active, it can cause multiple consoles to be active at once. This can result in inconsistent configurations.

Learn how to resolve this issue in Resolving multiple active administrative nodes.

Administrative console and administrative API

Issue

  • Although PingFederate 11.3 and later support DPoP, a known limitation is that the following features don’t support DPoP when PingFederate is the RP:

    • The administrative console authentication scheme using OIDC

    • The administrative API authentication scheme using OAuth 2.0

  • /bulk: Only resource types currently supported by the administrative API are included in the exported data. We don’t intend to introduce administrative API support to the following areas:

  • Previously, the administrative API did not accurately reflect a Persistent Grant Max Lifetime setting of 29 days (or shorter) with the selection of the Grants Do Not Timeout Due To Inactivity option. As a result, if you have configured such OAuth authorization server settings and have generated a bulk export in version 10.0 through 10.0.2, we recommend that you re-generate a new bulk export after upgrading to version 10.0.3 (or a more recent version). The newly exported data does not contain the aforementioned flaw, and you can safely import it to version 10.0.3 (or a more recent version).

  • When enabling mTLS certificate-based authentication, administrators often configure a list of acceptable client certificate issuers. When you use a browser to access the console or the administrative API documentation, PingFederate returns to the browser the list of acceptable issuers as part of the TLS handshake. If the browser’s client certificate store contains multiple client certificates, the browser often presents you only the certificates whose issuer matches one of the acceptable issuers. However, when PingFederate runs in a Java 11 environment, Chrome presents you all its configured client certificates, regardless of whether the issuer matches one of the acceptable issuers or not.

  • When using mTLS authentication to authenticate to an LDAP server for administrative console or administrative API access, PingFederate doesn’t support using a Microsoft Active Directory server.

  • Prior to toggling the status of a connection with the administrative API, you must ensure that any expired certificates or no longer available attributes are replaced with valid certificates or attributes; otherwise, the update request fails.

  • When creating or updating a child instance of a hierarchical plugin, the administrative API retains objects with an "inherited": false name/value pair (or without such name/value pair altogether), ignores those with a value of true, and returns a 200 HTTP status code. No error messages are returned for the ignored objects.

  • Using the browser’s navigation mechanisms (for example, the Back button) causes inconsistent behavior in the administrative console. Use the navigation buttons provided at the bottom of windows in the PingFederate console.

  • Using the PingFederate console in multiple tabs on one browser might cause inconsistent behavior which could corrupt its configuration.

  • If authenticated to the PingFederate administrative console using certificate authentication, a session that has timed out might not appear to behave as expected. Normally (when using password authentication), when a session has timed out and a user attempts some action in the console, the browser is redirected to the sign-on page, and then back to the administrative console after authentication is complete. Similar behavior applies for certificate authentication, in principle. However, because the browser might automatically resubmit the certificate for authentication, the browser might redirect to the administrative console and not the sign-on page.

TLS cipher suite customization

Issue

PingFederate’s TLS cipher suites can be customized by modifying com.pingidentity.crypto.SunJCEManager.xml (or a similarly-named file if BCFIPS or an HSM is configured). After updating the file and replicating, all cluster nodes must be restarted for the change to take effect.

Java

Issue

  • Updating Java version 8 to version 11 results in an error when PingFederate is already installed and running on Windows. To work around this issue, uninstall and reinstall the PingFederate Windows service by running the UninstallPingFederateService.bat and InstallPingFederateService.bat files located in <pf_install>/pingfederate/sbin/wrapper.

HSMs

Issue

AWS CloudHSM

  • It is not possible to use an elliptic curve (EC) certificate as an SSL server certificate.

  • When creating an EC certificate with a signatureAlgorithm smaller than the keySize value, a 500 Server error occurs. For example, a signatureAlgorithm of SHA256withECDSA with a keySize of 384 results in an error. Learn more in ECDSA signing fails with "invalid mechanism" error starting with SDK 5.16 in the CloudHSM documentation.

  • TLS 1.3 is not currently supported with Oracle JDK 11, 17, or 21.

Thales HSMs

  • JWT token decryption using ECDH-ES may fail. This issue only arises if PingFederate is configured with static OAuth and OpenID Connect keys, a static key is stored on the HSM, and PingFederate is consuming a token encrypted with this key.

  • It is not possible to use an EC certificate as an SSL server certificate.

  • TLS 1.3 is not currently supported with Oracle JDK 11, 17, or 21.

Entrust HSMs

  • JWT token decryption using ECDH-ES may fail. This issue only arises if PingFederate is configured with static OAuth and OpenID Connect keys, a static key is stored on the HSM, and PingFederate is consuming a token encrypted with this key.

  • It is not possible to import a PKCS12- or PEM-formatted EC certificate.

  • It is not possible to use an EC certificate as an SSL server certificate.

  • TLS 1.3 is not currently supported with Oracle JDK 11, 17, or 21.

SSO and SLO

Issue

  • When consuming SAML metadata, PingFederate does not report an error when neither the validUntil nor the cacheDuration attribute is included in the metadata. Note that PingFederate does reject expired SAML metadata as indicated by the validUntil attribute value, if it is provided.

  • The anchored-certificate trust model cannot be used with the single logout (SLO) redirect binding because the certificate cannot be included with the logout request.

  • If an IdP connection is configured for multiple virtual server IDs, PingFederate will always use the default virtual server ID for IdP Discovery during an SP-initiated SSO event.

Composite Adapter configuration

Issue

SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.

Self-service password reset

Issue

Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.

OAuth

Issue

PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.

Although it’s possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage, we recommend not doing so to avoid potential record migration issues.

Customer identity and access management

Issue

Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.

Provisioning

Issue

  • LDAP referrals return an error and cause provisioning to fail if the user or group objects are defined at the DC level, and not within an OU or within the Users CN.

  • The totalResults value in SCIM responses indicates the number of results returned in the current response, not the total number of estimated results on the LDAP server.

Logging

Issue

  • If a source attribute has been configured for masking in an IdP adapter or IdP connection and the source attribute is mapped to OAuth’s persistent grant USER_KEY attribute, the USER_KEY attribute will not be masked in the server logs. Other persistent grant attributes will be masked.

  • Even if a source attribute has been configured for masking in an IdP adapter and the source attribute is mapped as the adapter’s unique user key, the user key attribute is not masked in the server or audit logs.

Database logging

Issue

  • If a source attribute has been configured for masking in an IdP adapter or IdP connection and the source attribute is mapped to OAuth’s persistent grant USER_KEY attribute, the USER_KEY attribute will not be masked in the server logs. Other persistent grant attributes will be masked.

  • Even if a source attribute has been configured for masking in an IdP adapter and the source attribute is mapped as the adapter’s unique user key, the user key attribute is not masked in the server or audit logs.

RADIUS NAS-IP-Address

Issue

The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.

Amazon SNS Notification Publisher

Issue

When deploying PingFederate with a forward proxy, plugins based on the AWS SDK, such as the Amazon SNS Notification Publisher, will only honor the http.proxyHost, http.proxyPort, http.proxyUser, and http.proxyPassword properties in run.properties. The plugin will rely on these properties even if the service URL is https.

Deprecated features

No features were deprecated for PingFederate 12.3.