PingFederate 12.3.6 (April 2026)

New features & enhancements

Unconnected cluster node startup

Improved PF-38898

We added the force.require.replication.data.on.startup parameter to the cluster-config-replication.conf file.

This parameter lets you prevent an engine node from starting up without establishing a connection to the cluster.

Learn more in Cluster management.

Resolved issues

OGNL code test

Security PF-38742

We improved role-based access control (RBAC) for the administrative expression testing endpoint. Access to expression evaluation is now limited to appropriately privileged roles, ensuring alignment with intended administrative permissions.

CIBA token request fails with LDAP persistent grant storage

Fixed PF-38706

We fixed a defect that caused CIBA token requests to fail when persistent grants are stored in an LDAP directory such as PingDirectory.

Admin API OAuth authentication failure

Fixed PF-38722

We fixed a defect that caused OAuth and JWT authentication through the Admin API to fail when the role attribute name parameter used the scope claim containing space-delimited values.

Multiple Sign-On Delay routing

Fixed PF-38801

We fixed a defect that caused PingFederate to route users to the base URL for the Multiple Sign-On Delay page when they should’ve been routed to the virtual host URL.

Custom Authentication Selector error

Fixed PF-38875

We fixed a defect that prevented viewing or editing certain custom Authentication Selectors in the admin console.

Dynamic JWKS rotation timer

Fixed PF-38903

We fixed a defect that prevented dynamic JWKS rotation timing from resetting after a node joined a cluster.

URL validation for `TargetResource`

Fixed PF-38907

We fixed a defect where PingFederate rejected valid TargetResource values.

PingFederate Server