PingFederate Server

PingFederate 12.3.5 (February 2026)

New features and enhancements

PAR parameters

Info PF-38526

We’ve added a new configuration option to limit the Pushed Authorization Request (PAR) to the parameters mentioned in the specification when the connection is configured to use JWT-secured Authorization Request (JAR).

Resolved issues

User Enumeration in Policy Password Reset

Security PF-38628

PingFederate now prevents user enumeration in the Policy mode Password Reset flow by eliminating the observable difference between valid and invalid usernames.

Serialized OGNL Java objects

Fixed PF-37405

We’ve fixed a defect in OIDC IdP connections where JSON objects that use OGNL expressions, included in JWT request objects sent to the OIDC provider, were not serialized properly.

Kerberos realm validation error

Fixed PF-38585

We’ve fixed a defect that prevented PingFederate from creating, updating, or testing Kerberos realms when the AutoGenerateKrb5Conf parameter was set to false in the com.pingidentity.common.util.KerberosConfigUtil file.

Kerberos realm test connectivity overwriting krb5.conf

Fixed PF-38585

We’ve fixed a defect where PingFederate temporarily overwrote the krb5.conf file during Kerberos realm testing when AutoGenerateKrb5Conf was disabled.

Authentication policy error

Fixed PF-38623

We’ve fixed a defect that caused an error when authentication policies with a Requested AuthN Context Authentication had Add or Update AuthN Context Attribute enabled.