Security PF-38742

We improved role-based access control (RBAC) for the administrative expression testing endpoint. Access to expression evaluation is now limited to appropriately-privileged roles, ensuring alignment with intended administrative permissions.

Fixed PF-38508

We fixed a defect that caused a null pointer exception (NPE) error when an SP connection with backchannel authentication inbound authentication type set to No Client Authentication and Require SSL enabled was created or updated using the Admin API.

Fixed PF-38627

We fixed a defect where log settings weren’t applied to newly joined engine nodes.

Fixed PF-38656

We fixed a defect that caused a refresh token for access token exchange to fail with 500 Internal Server Error instead of 400 Bad Request when the user’s sessions had been revoked.

Fixed PF-38706

We fixed a defect that caused CIBA token requests to fail when persistent grants are stored in an LDAP directory like PingDirectory.

Fixed PF-38722

We fixed a defect that caused OAuth and JWT authentication through the Admin API to fail when the role attribute name parameter used the scope claim containing space-delimited values.

New PF-38501

We’ve added a feature that allows you to disable automatic validation of IdP adapters when you go to the Authentication > Integration > IdP Adapters menu.

Disabling automatic validation can reduce loading time if you have a large number of IdP adapters configured.

Learn more in Disabling automatic IdP adapter validation.

Info PF-38526

We’ve added a new configuration option to limit the Pushed Authorization Request (PAR) to the parameters mentioned in the specification when the connection is configured to use JWT-secured Authorization Request (JAR).

Info PF-38538

We’ve upgraded log4j-core to version 2.25.3.

This upgrade ensures continued alignment with maintained upstream dependencies and resolves a potential security vulnerability.

Fixed PF-38417

We’ve fixed a defect where setting response_mode to pi.flow in Pushed Authorization Requests (PAR) or standard request objects resulted in an INVALID_REQUEST error.

Fixed PF-38548

We’ve fixed a defect that caused dynamic client registration to fail when Retain Client Secret was enabled and Client Secret Retention Period was set globally in Authorization Server Settings.

Fixed PF-38585

We’ve fixed a defect that prevented PingFederate from creating, updating, or testing Kerberos realms when the AutoGenerateKrb5Conf parameter was set to false in the com.pingidentity.common.util.KerberosConfigUtil file.

Fixed PF-38585

We’ve fixed a defect where PingFederate temporarily overwrote the krb5.conf file during Kerberos realms testing when AutoGenerateKrb5Conf was disabled.

Fixed PF-38595

We’ve fixed a defect that caused the heartbeat endpoint to be potentially unresponsive in rare concurrent access situations.

Fixed PF-38623

We’ve fixed a defect that caused an error when authentication policies with a Requested AuthN Context Authentication had Add or Update AuthN Context Attribute enabled.

New PF-37270

We’ve added a feature that lets you use group Managed Service Account (gMSA) credentials in Kerberos realms when running PingFederate on Windows.

With this feature, you can let Active Directory automatically rotate your client password so you don’t have to manage it.

Learn more in Configuring a secret manager for Windows gMSA.

New PF-37374

We’ve added a feature that allows you to set an expiration time for verbose logging.

This feature is disabled by default, but you can enable it by configuring the log4j-categories-settings.conf file.

Learn more in Enabling verbose logging lifetime expiration.

New PF-37671

We’ve added a feature that allows external scope storage using AWS DynamoDB.

This allows administrators to manage a large volume of scopes without replicating for every scope modification.

Learn more in Configuring external databases for scope storage.

New PF-37684

We’ve added a feature that automatically replicates changes to log settings to cluster servers. This feature is enabled by default, but you can disable it from the Cluster Management page.

This feature makes it easier to change log settings across your cluster without running a full replication cycle.

Learn more in Cluster management.

New PF-37691 PF-38064 PF-38065

We’ve added support for connecting PingFederate to Redis.

PingFederate stores short-lived data in a Redis cache to improve resiliency and scalability. It also eases upgrades in clustered environments. PingFederate currently supports storing the following data in Redis:

Learn more in Storing PingFederate data with Redis

New PF-37693

We’ve added a feature that allows you to add custom audience values for OAuth clients.

You can use this feature to migrate clients from your existing issuer into PingFederate.

Learn more in Migrating external OAuth clients into PingFederate.

New PF-37847

We’ve added a feature that allows the PingFederate User Count Utility (UCU) to parse JSON logs.

Learn more in PingFederate User Count Utility in the Ping Identity Support Knowledge Base.

New PF-37909

PingFederate now supports plugins with client-side authenticator functionality.

Client-side authenticators enable PingFederate to leverage authentication methods executed directly by the user’s browser or operating system, such as Passkeys. This allows for stronger, often passwordless, authentication flows.

Learn more in HTML Form Adapter advanced fields and Configuring an Identifier First Adapter instance.

New PF-38051

We’ve added the ability to perform distributed tracing for inbound and outbound requests to the PingFederate server.

This feature simplifies troubleshooting by giving you better observability of server processing across request workflows.

Learn more in Distributed tracing.

New PF-38062

We’ve added a feature that allows you to configure time-to-live (TTL) settings in PingDS to remove expired data from your directory server.

Learn more in Managing expired persistent grants in PingDS.

New PF-38063

We’ve added a feature that lets you determine how incoming errors are handled before they’re relayed to the requesting application or partner.

Learn more in Overriding error handling in an IdP connection.

New PF-38082

We’ve added support for storing authentication sessions on a PingDS server.

This update makes it easier to integrate your PingFederate and PingDS deployments.

Learn more in Defining a datastore for persistent authentication sessions.

New PF-38114

We’ve added support for the OIDC response_type=none.

This enables clients to request a grant of access from the Authorization Server without requiring the issuance of any tokens or security credentials.

Learn more in None Response Type in the OIDC specification.

New PF-38120

We’ve added a feature that allows you to access additional parameters of an OIDC-enabled IdP’s token endpoint response.

You can use the Token Endpoint Response context values when creating attribute mappings or issuance criteria in OIDC-enabled IdP connections.

Learn more in Configuring target session fulfillment.

Improved PF-37011

Bulkhead warning emails now include the IP address and cluster index of the engine node that triggered the bulkhead.

Improved PF-37547

We’ve improved Jetty thread pool management so that PingFederate no longer creates unnecessary thread pools. The number of threads allocated to unused servers now depends on the operational mode.

Improved PF-38033

The policy list is now sorted alphabetically by name in both the OAuth Client and Client Settings configurations.

Improved PF-38269

The cacheExpirySecs attribute is now exposed by default in the DynamoDB scope manager configuration file.

Learn more in Configuring external databases for scope storage.

Improved PF-38118

We’ve added a feature that allows multiple email addresses for administrative console runtime notification email fields.

This update affects several notification features, such as runtime notifications and licensing events.

Improved

The PingFederate 13.0 documentation has been completely restructured to help customers get up and running faster, improve the overall flow, and make it easier to find information. This is an ongoing effort which will continue after the initial 13.0 release.

info PF-5069

We’ve upgraded the internal Jersey library to version 2.

This change will require you to upgrade some plugins. Learn more in Upgrade considerations.

info PF-36674

We’ve upgraded the Jetty library to version 12.0.

Info PF-37100

We’ve upgraded the log4j2 dependencies to version 2.25.1.

Info PF-37775

We’ve upgraded Apache commons-lang to version 2.6-p1 and commons-lang3 to version 3.18.0 to continue alignment with maintained upstream dependencies.

Info PF-37849

We’ve added support for TLS 1.3 for Oracle Java 21 with Thales and Entrust HSMs.

Info PF-37943

We’ve upgraded Bouncy Castle to version 2.0.1. This version is certified to operate in Federal Information Processing Standards (FIPS) mode 140-3.

Info PF-38045

We’ve qualified PingFederate for use with Amazon Aurora MySQL version 3.10 (compatible with MySQL 8.0.42).

Info PF-38048

We’ve qualified PingFederate for use with PostgreSQL version 18.0.

Info PF-38053

We’ve qualified PingFederate for use with Oracle MySQL version 8.4. This version has an updated database driver. Learn more in Compatible database drivers.

Info PF-38250

We’ve upgraded the Apache commons-net version to 3.12.0 to continue alignment with maintained upstream dependencies.

Security PF-36848

We’ve fixed a security vulnerability in the admin console where passwords entered for certificate and key management were visible when navigating back to the previous page. Password fields are now masked.

Security PF-33113

We’ve fixed a security vulnerability that could have allowed malicious parties to extract PingFederate administrative console IP addresses using HTTP Response headers.

Security PF-36426

After a successful PingFederate administrative password change, all other active concurrent sessions for that administrative account are now immediately invalidated, enhancing security and requiring reauthentication with the new credentials.

Security PF-37460

We’ve upgraded jackson-core to version 2.20.0 to continue alignment with maintained upstream dependencies and remove potential security vulnerabilities.

Security PF-37460

We’ve fixed a security vulnerability that could have allowed malicious parties to redirect PingFederate admin console traffic using a spoofed Host header.

Security PF-37902

We’ve corrected a security regression in the HTML Form Adapter to ensure that password credentials are cleared from the browser immediately after form submission, mitigating a risk of residual exposure in the browser’s memory.

Security PF-38044

PingFederate now prevents user enumeration in the Policy mode Password Reset flow by eliminating the observable difference between valid and invalid usernames.

Security PF-38245

We’ve upgraded jakarta.mail to 1.6.8 to continue alignment with maintained upstream dependencies.

Fixed PF-25517

We’ve fixed a defect in several default template files where the language locale wasn’t retrieved correctly.

Fixed PF-35123

We’ve added private key JWT authentication support for Microsoft Azure AD as an OIDC provider.

Fixed PF-37156

We’ve fixed a defect that caused failed AWS CloudHSM certificate linking to appear to succeed when the key alias was a value that was previously used in the environment.

Fixed PF-37634

We’ve fixed a defect in the Client Settings menu where removing scopes using the search bar could result in removing the wrong scope.

Fixed PF-37688

We’ve fixed a defect where JARM responses with an error parameter caused PingFederate to return a 500 error. It now returns a 200 response with the appropriate error page.

Fixed PF-36953

We’ve fixed a defect in Authentication Policy Fragments where input contract values and tracked parameters were missing from the Data Store Filter configuration page when setting up an Attribute Source & User Lookup for a local identity mapping.

Fixed PF-37405

We’ve fixed a defect that caused JSON objects using OGNL expressions included in JWT request objects sent to the OIDC provider in OIDC IdP connections not to be serialized properly.

Fixed PF-37696

We’ve fixed a defect where unnecessary Jetty log warnings appeared after upgrading to new PingFederate versions.

Fixed PF-37716

We’ve fixed a defect that caused an error in PingFederate when configuring an access token manager if the administrative node (ATM) isn’t the coordinator node.

Fixed PF-37722

We’ve fixed a defect where PingFederate returned an incorrect error when a refresh token was used by a different client after the original client was deleted.

Fixed PF-37732

We’ve fixed a terminology inconsistency in the PingFederate UI and changed Data-Store to Data Store in General settings.

Fixed PF-37743

We’ve fixed a defect that omitted the authorization_details parameter from the access token if the value was an empty array.

Fixed PF-37793

PingFederate now always includes the SNI extension in the ClientHello message during a TLS handshake when running in BCFIPS mode.

Fixed PF-37794

We’ve fixed a defect where PingFederate was refusing wildcard TLS certificates when running in BCFIPS mode.

Fixed PF-37798

We’ve fixed a defect that caused lengthy stacktrace data to be included in ERROR level logging for Kerberos errors.

Fixed PF-37816

We’ve fixed a defect where a race condition could cause the PingFailoverAppender to get stuck in a failed state without switching back to its primary appender.

Fixed PF-37818

We’ve fixed a defect where PingFederate incorrectly accepted DPoP proof JWTs with a future iat value.

Fixed PF-37819

We’ve fixed an issue that could cause ClassNotFoundException on the admin console.

Fixed PF-37841

We’ve added JWT as an authentication method for the admin API during upgrade utility validation.

Fixed PF-37846

We’ve removed an unused file associated with the PingOne Advanced Identity Cloud DevOps deployment that was mistakenly included in the PingFederate Server .zip archive.

Fixed PF-37918

We’ve fixed a defect that caused the forgot password flow to fail when reCAPTCHA is enabled and the flow is initiated using the Enter key rather than a mouse click.

Fixed PF-37942

We’ve fixed a defect where overriding the reset password message in a Password Credential Validator incorrectly returned a generic VALIDATION_ERROR during the redirectless flow, preventing users who are required to change their password from receiving the necessary MUST_CHANGE_PASSWORD status and associated _links.

Fixed PF-37952 PF-37953

Logging for IdP connections now includes greater detail when handling invalid state parameters and failing PAR requests.

Fixed PF-37964

We’ve fixed a defect where a template variable incorrectly used the primary PingFederate base URL instead of the virtual hostname in some email notifications.

Fixed PF-38028

We’ve fixed a defect where PingFederate would reject requests with valid, non-encoded relay state values.

Fixed PF-38039

We’ve fixed a defect that could potentially allow a user to access an HTML browser sign-on page when the Authentication API redirectless mode is used.

Learn more in PingFederate unexpected template rendering in redirectless mode in the Ping Identity Support Knowledge Base.

Fixed PF-38040

We’ve fixed a defect where the show-speed-bump-for-new-devices parameter in the org.sourceid.servlet.filter.SimultaneousAuthnRequestCheckingFilter.xml file was set to true instead of false by default.

The new behavior enables show-speed-bump-for-new-devices by default for new installs, but disables it by default for upgrades, if the source version doesn’t have the parameter configured.

Fixed PF-38043

We’ve fixed a defect where PingFederate could incorrectly lock user accounts during an LDAP connectivity failure with Active Directory. This applies to all LDAP datastore types except for Generic LDAP.

Fixed PF-38052

When PingFederate is configured to expect a JARM-secured JWT response from an IdP, it enforces this requirement by failing the transaction if a plain response is received instead, and logs the details for administrator investigation.

Fixed PF-38060

We’ve fixed a defect that caused IdP adapters to duplicate attribute sources when an SP connection was updated using the Admin API.

Fixed PF-38116

We’ve fixed a defect where Cluster Management would present an incorrect success message although the replication failed.

Fixed PF-38123

We’ve fixed a defect in SAML audit logging by making sure that entries recorded for "Invalid signature" failures now correctly include the associated Connection ID.

Fixed PF-38146

We’ve fixed a defect where the $adapterId variable wasn’t being populated in templates accessed through direct links for the HTML Form Adapter’s Change Password and Forgot Password flows.

Fixed PF-38210

We’ve added trace logging to the RP-initiated logout endpoint to explicitly detail session and token claims, allowing administrators to pinpoint why the logout confirmation page isn’t bypassed despite successful id_token_hint validation.

Fixed PF-38243

We’ve added stricter validation during server startup so that PingFederate immediately halts the boot process and logs an error if an invalid or unrecognized value is detected for the pf.hsm.mode property in run.properties.

Fixed PF-38244

We’ve fixed a provisioning defect where disabled users weren’t provisioned once their account was enabled and the Provision Disabled Users setting was set to false.

Fixed PF-38251

We’ve fixed a defect where the X-Forward-For IP wasn’t logged correctly in the admin.log.

Fixed PF-38284

We’ve fixed a Tapestry error that was incorrectly logged during startup for the SCIM 2.0 Inbound Provisioning component, even when the feature wasn’t enabled or configured.

Fixed PF-38328

We’ve fixed a defect where the Kerberos Adapter failed to authenticate when a context path is configured.

Fixed PF-38393

We’ve fixed a defect that allowed Basic Authentication to access the Administrative API, even when it was disabled in the pf.admin.api.authentication property.

Fixed PF-38468

We’ve fixed a defect where the /as/introspect.oauth2 endpoint incorrectly returned a 500 Internal Server Error instead of the expected 400 Bad Request when the token parameter contained an invalid character like %.

Issue PF-36573

PingFederate returns an unexpected error when you create an instance of the PingOne Verify Integration Kit version 2.2.2 in PingFederate with the Verify feature in PingOne disabled.

Issue PF-35772

Due to multiple vendors' recent browser versions that block third-party cookies, you might experience issues related to single logout with OIDC (via Front-Channel) and WS-Federation.

Refer to browsers' documentation regarding third-party cookie management to unblock them, if feasible.

Issue PF-35643

When you promote a passive admin console to active, the UI doesn’t refresh until you perform an action.

Issue PF-35439

When you make configuration changes on the active console (especially large configuration changes like bulk imports or data archive imports), then promote a passive console to active, it can cause multiple consoles to be active at once. This can result in inconsistent configurations.

Learn how to resolve this issue in Resolving multiple active administrative nodes.

Issue

Issue

PingFederate’s TLS cipher suites can be customized by modifying com.pingidentity.crypto.SunJCEManager.xml (or a similarly-named file if BCFIPS or an HSM is configured). After updating the file and replicating, all cluster nodes must be restarted for the change to take effect.

Issue

Issue

AWS CloudHSM

Thales HSMs

Entrust HSMs

Issue

Issue

SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.

Issue

Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.

Issue

PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.

Although it’s possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage, we recommend not doing so to avoid potential record migration issues.

Issue

Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.

Issue

Issue

Issue

Issue

The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.

Issue

When deploying PingFederate with a forward proxy, plugins based on the AWS SDK, such as the Amazon SNS Notification Publisher, will only honor the http.proxyHost, http.proxyPort, http.proxyUser, and http.proxyPassword properties in run.properties. The plugin will rely on these properties even if the service URL is https.

Improved PF-38898

We added the force.require.replication.data.on.startup parameter to the cluster-config-replication.conf file.

This parameter lets you prevent an engine node from starting up without establishing a connection to the cluster.

Learn more in Cluster management.

Security PF-38742

We improved role-based access control (RBAC) for the administrative expression testing endpoint. Access to expression evaluation is now limited to appropriately privileged roles, ensuring alignment with intended administrative permissions.

Fixed PF-38706

We fixed a defect that caused CIBA token requests to fail when persistent grants are stored in an LDAP directory such as PingDirectory.

Fixed PF-38722

We fixed a defect that caused OAuth and JWT authentication through the Admin API to fail when the role attribute name parameter used the scope claim containing space-delimited values.

Fixed PF-38801

We fixed a defect that caused PingFederate to route users to the base URL for the Multiple Sign-On Delay page when they should’ve been routed to the virtual host URL.

Fixed PF-38875

We fixed a defect that prevented viewing or editing certain custom Authentication Selectors in the admin console.

Fixed PF-38903

We fixed a defect that prevented dynamic JWKS rotation timing from resetting after a node joined a cluster.

Fixed PF-38907

We fixed a defect where PingFederate rejected valid TargetResource values.

Info PF-38526

We’ve added a new configuration option to limit the Pushed Authorization Request (PAR) to the parameters mentioned in the specification when the connection is configured to use JWT-secured Authorization Request (JAR).

Security PF-38628

PingFederate now prevents user enumeration in the Policy mode Password Reset flow by eliminating the observable difference between valid and invalid usernames.

Fixed PF-37405

We’ve fixed a defect that caused JSON objects using OGNL expressions included in JWT request objects sent to the OIDC provider in OIDC IdP connections not to be serialized properly.

Fixed PF-38585

We’ve fixed a defect that prevented PingFederate from creating, updating, or testing Kerberos realms when the AutoGenerateKrb5Conf parameter was set to false in the com.pingidentity.common.util.KerberosConfigUtil file.

Fixed PF-38623

We’ve fixed a defect that caused an error when authentication policies with a Requested AuthN Context Authentication had Add or Update AuthN Context Attribute enabled.

Fixed PF-38028

We’ve fixed a defect where PingFederate would reject requests with valid, non-encoded relay state values.

Fixed PF-38043

We’ve fixed a defect where PingFederate could incorrectly lock user accounts during an LDAP connectivity failure with Active Directory. This applies to all LDAP datastore types except for Generic LDAP.

Fixed PF-38116

We’ve fixed a defect where Cluster Management would present an incorrect success message although the replication failed.

Fixed PF-38146

We’ve fixed a defect where the $adapterId variable wasn’t being populated in templates accessed through direct links for the HTML Form Adapter’s Change Password and Forgot Password flows.

Fixed PF-38244

We’ve fixed a provisioning defect where disabled users weren’t provisioned after their account was enabled and the Provision Disabled Users setting was set to false.

Fixed PF-38251

We’ve fixed a defect where the X-Forward-For IP wasn’t logged correctly in the admin.log.

Fixed PF-38328

We’ve fixed a defect where the Kerberos Adapter failed to authenticate when a context path is configured.

Fixed PF-38336

We’ve fixed a defect that caused PingFederate to crash or shut down when attempting to access the Admin API with a misconfigured JSON Web Token (JWT) authentication setup.

Fixed PF-38393

We’ve fixed a defect that allowed Basic Authentication to access the Administrative API, even when it was disabled in the pf.admin.api.authentication property.

Fixed PF-38417

We’ve fixed a defect where setting response_mode to pi.flow in Pushed Authorization Requests (PAR) or standard request objects resulted in an INVALID_REQUEST error.

Info PF-37849

We’ve added support for TLS 1.3 for Oracle Java 21 with Thales and Entrust HSMs.

Fixed PF-37918

We’ve fixed a defect that caused the forgot password flow to fail when reCAPTCHA is enabled and the flow is initiated using the Enter key rather than a mouse click.

Fixed PF-37964

We’ve fixed a defect where a template variable incorrectly used the primary PingFederate base URL instead of the virtual host name in some email notifications.

Fixed PF-38040

We’ve fixed a defect where the show-speed-bump-for-new-devices parameter in the org.sourceid.servlet.filter.SimultaneousAuthnRequestCheckingFilter.xml file was set to true instead of false by default.

The new behavior enables show-speed-bump-for-new-devices by default for new installs, but disables it by default for upgrades, if the source version doesn’t have the parameter configured.

Fixed PF-38060

We’ve fixed a defect that caused IdP adapters to duplicate attribute sources when an SP connection was updated using the Admin API.

Fixed PF-38039

We’ve fixed a defect that could potentially allow a user to access an HTML browser sign-on page when the Authentication API redirectless mode is used.

Learn more in PingFederate unexpected template rendering in redirectless mode in the Ping Identity Support Knowledge Base.

Issue

AWS CloudHSM

Thales HSMs

Entrust HSMs

info PF-37936

We’ve upgraded the Jetty library to version 10.0.26

info PF-37943

We’ve upgraded Bouncy Castle to version 2.0.1. This version is certified to operate in Federal Information Processing Standards (FIPS) mode 140-3.

Fixed PF-37156

We’ve fixed a defect that caused failed AWS CloudHSM certificate linking to appear to succeed when the key alias was a value that was previously used in the environment.

Fixed PF-37743

We’ve fixed a defect that omitted the authorization_details parameter from the access token if the value was an empty array.

Fixed PF-37798

We’ve fixed a defect that caused lengthy stacktrace data to be included in ERROR level logging for Kerberos errors.

Fixed PF-37816

We’ve fixed a defect where a race condition could cause the PingFailoverAppender to get stuck in a failed state without switching back to its primary appender.

Fixed PF-37819

We’ve fixed a defect that could cause ClassNotFoundException errors in the admin console.

Fixed PF-37841

We’ve fixed a defect where JWT wasn’t a valid authentication method for the admin AP during upgrade utility validation.

Fixed PF-37846

We’ve removed an unused file associated with the PingOne Advanced Identity Cloud DevOps deployment that was mistakenly included in the PingFederate Server .zip archive.

New PF-37674

We’ve upgraded the Apache commons-fileupload version to 1.6.0.

Security PF-33113

We’ve fixed a security vulnerability that could have allowed malicious parties to extract the PingFederate administrative console’s IP address through HTTP Response headers.

Security PF-37460

We’ve fixed a security vulnerability that could have allowed malicious parties to redirect PingFederate admin console traffic using a spoofed Host header.

Fixed PF-37452

We’ve fixed a defect where disabling PingDirectory Detailed Password Policy Requirement Messaging caused password validation errors to not show up in the Authn API.

Fixed PF-37559

We’ve fixed a defect that caused Kerberos negotiations to fail with Firefox after the initial exchange.

Fixed PF-37667

We’ve fixed a defect that caused an error in the CSD when running in BCFIPS mode.

Fixed PF-37670

We’ve fixed a defect that caused a failure when creating or updating an IdP connection with the CLAIMS source type in JIT provisioning user attribute mapping using the Administrative API.

Fixed PF-37673

We’ve fixed a defect where the Admin Console allowed configuring an IdP connection without a client secret, but the Admin API returned an error. The Admin API no longer returns an error in this case.

Fixed PF-37688

We’ve fixed a defect where JARM responses with an error parameter caused PingFederate to return a 500 error. It now returns a 200 response with the appropriate error page.

Fixed PF-37716

We’ve fixed a defect that caused an error in PingFederate when configuring an access token manager if the administrative node (ATM) isn’t the coordinator node.

Fixed PF-37776

We’ve fixed a defect where certain SCIM attribute mappings were incorrectly causing validation failures when updating IdP connections through the Admin API.

Fixed PF-37793

PingFederate now always includes the SNI extension in the ClientHello message during a TLS handshake when running in BCFIPS mode.

Fixed PF-37794

We’ve fixed a defect where PingFederate was refusing wildcard TLS certificates when running in BCFIPS mode.

New PF-36795 PF-36817

We’ve added a feature that allows you to configure how PingFederate responds when writing to the audit log fails.

This feature can improve user experience by allowing PingFederate to continue processing transactions when logging fails.

Learn more in Configuring audit log failure settings.

New PF-36818

We’ve added the ability to remove a user’s IP address from consideration when making account lockout decisions.

This can improve security by preventing malicious actors from masking their IP address to bypass account lockouts.

Learn more in Configuring account lockout protection.

New PF-36856

We’ve added a feature that allows you to grant cross-origin resource sharing (CORS) access to administrative API endpoints.

This makes it more secure and convenient for web applications like PingAccess to perform administrative tasks in PingFederate.

Learn more in Configuring administrative API CORS settings.

New PF-36860

We’ve added the ability to validate an ID token in the introspection endpoint as part of an OpenID Connect (OIDC) policy. You can enable this feature as part of a policy, but the runtime flows occur at the introspection endpoint.

This improves security by allowing PingFederate to determine whether a user’s ID token is valid.

Learn more in Configuring policy and ID token settings and Introspection endpoint.

New PF-36862

We’ve added a feature that allows you to always return the scope parameter in the response to client credential requests.

This allows you return scopes if clients require scopes that users haven’t authorized.

Learn more in Returning scopes in authorization transactions

New PF-36871 PF-37272

We’ve added a feature that allows you to link private keys stored in Amazon Web Services (AWS) CloudHSM with their certificates, and store it in PingFederate’s Java keystore.

This allows you to use existing private key and certificate pairs associated with your CloudHSM instance in PingFederate.

Learn more in Link and store CloudHSM keys.

New PF-36875

We’ve added the ability to correlate log events between the audit.log, request.log, and server.log files using shared log attributes.

This can make it easier to trace the cause of runtime errors.

Learn more in Correlating log events using attributes.

New PF-36970

We’ve added a feature that gives you the option to include a duplicate RSA key with the RS256 algorithm. You can enable this option by setting the add-duplicate-rs256-alg-key parameter in the <pingfed-install>/pingfederate/server/default/data/config-store/jwks-endpoint-configuration.xml file to true.

New PF-36976

We’ve updated the logging for HTTP requests to the runtime engine and admin console. These requests are now logged to the runtime-request.log and admin-request.log files. Like other PingFederate logs, you can configure outputs for these files in log4j2.xml.

This improves logging efficiency and customization by writing HTTP request logs using the same configurations as other PingFederate log files.

Learn more in HTTP request logging.

New PF-37183

We’ve added a feature that allows you to revoke previous OAuth client secrets.

This improves security by allowing you to revoke secrets that are no longer in use. For example, if you move your client to a new secret before the old secret’s grace period ends, you can use this feature to revoke your previous secret.

Learn more in Configuring OAuth clients.

New PF-37192

When storing persistent grants in DynamoDB, DynamoDB relies on the DynamoDB Time to Live (TTL) attribute to remove expired persistent grants from the database. Learn more in Configuring external databases for grant storage.

New PF-37219

We’ve added a feature that allows dynamic signing keys to publish their public certificates on the JWKS endpoint as an x5c parameter. Learn more in Configuring dynamic signing keys

New PF-37230

PingFederate now supports the SCIM 2.0 protocol for inbound user provisioning. Learn more in System for Cross-domain Identity Management (SCIM).

New PF-37238

We’ve added a feature that allows you to limit the number of sessions a user can have active at one time and configure how PingFederate responds when that quota is exceeded.

This can improve security by limiting the number of active user sessions that have access to applications and other resources.

Learn more in Configuring session quotas.

New PF-37275

We’ve added a feature that allows you to configure the client_assertion for JWT-based authentications by customizing the following attributes:

Learn more in Configuring OpenID Provider information.

Info PF-36846

We’ve upgraded Bouncy Castle to version 2.0. This versions is certified to operate in Federal Information Processing Standards (FIPS) mode 140-3.

Info PF-36857

We’ve confirmed that PingFederate is compatible with Java 21.

Info PF-36972

We’ve confirmed that PingFederate is compatible with Red Hat Enterprise Linux ES 8.10.

Info PF-37102

We’ve updated PingFederate to use the same default template parameters for all integration kits.

Learn more about template parameters in Customizable user-facing pages.

Info PF-37221

Info PF-37234

We’ve updated the behavior of the NATIVE_S3_PING discovery protocol when the remove_all_data_on_view_change parameter is active.

Previously, the protocol would delete all files in the S3 bucket, which could lead to the creation of an unwanted subcluster.

Now the protocol deletes all files except for its own to prevent the S3 bucket from being empty.

Learn more in Dynamic cluster discovery.

Info PF-37236

We’ve updated the Java Service Wrapper to the latest version, 3.5.60.

Learn more in the Tanuki release notes.

Info PF-37277

We’ve confirmed that PingFederate is compatible with Amazon Aurora MySQL 3.09.

Info PF-37451

We’ve added support for the new PingOne Singapore region, pingone.sg.

Security PF-36745

We’ve fixed a security vulnerability that could allow denial of service attacks using legacy d3-color library versions.

Fixed PF-35868

We’ve fixed a defect that caused multiple refresh token requests in short succession to result in Java database connectivity (JDBC) data source deadlocks and duplicated data entry into the database.

This feature can cause significant performance issues if PingFederate or the JDBC data source have insufficient resources.

Fixed PF-36487

We’ve fixed a defect where importing a valid configuration data archive with Reencrypt Data enabled failed with a Could not reencrypt data archive error message when configured to use the Amazon Web Services or Google Cloud Platform Key Management System (KMS).

Fixed PF-36568

We’ve fixed a defect that allowed the use of OAuth grants that have passed idle timeout, but not expired, to be retrieved from persistent grant storage.

Fixed PF-36845

We’ve fixed a defect that caused a 500 error when creating or updating an access token manager using the Administrative API.

Fixed PF-36851

We’ve fixed a defect that caused PingFederate to return a revoked or expired consent error when both Bypass Authorization Approval and Bypass Authorization Approval for Previously Approved Consents are enabled.

Fixed PF-36864

We’ve fixed a defect that caused PingFederate to behave inconsistently when This is My Device is selected and an HTML Form Adapter instance has more than one session configuration in the session overrides.

Fixed PF-36865

We’ve fixed a defect where PingFederate could not accept a TLS 1.2 connection in BCFIPS mode on Java 17.

Fixed PF-36874

We’ve fixed a defect that caused PingFederate to lose user group membership information when it lost contact with the datastore during provisioning operations.

Fixed PF-36877

We’ve fixed a defect where upgrading to Jetty library version 9.5.53 caused HTTP header compression errors when redirect URLs included special characters.

Fixed PF-37012

We’ve fixed a defect that caused the HTML Form Adapter Change Password using an authentication policy to fail when PingOne Protect is the risk provider.

Fixed PF-37021

We’ve fixed a defect that caused OGNL expressions to fail to load when they contained SDK classes.

Fixed PF-37173

We’ve fixed a defect that caused PingFederate to ignore the id_token_hint value during relying party (RP)-initiated logout when the OAuth client logout mode is set to None.

Fixed PF-37237

We’ve fixed a defect that caused PingFederate to ignore the log file size limit and rotation configurations set by the SizeBasedTriggeringPolicy parameter.

Fixed PF-37279

We’ve fixed a defect that caused the ID token claim to be omitted when an OAuth client uses the secondary secret.

Fixed PF-37404

We’ve fixed a defect where an "IdP connection not found" error occurs when an authorization response includes an iss query parameter that doesn’t match the connection’s primary issuer, but is added as an additional issuer.

Fixed PF-37448

We’ve fixed a defect that caused configuration replication to fail when two or more simultaneous DELETE requests were sent to the Administrative API.

Fixed PF-37450

We’ve fixed a defect that caused the token endpoint to unnecessarily reissue an ID token when using a secondary client secret and an asymmetric algorithm for token signing and encryption.

Fixed PF-37507

PingFederate now uses the Apache Commons BeanUtils library version 1.11.0.

Fixed PF-37514

We’ve fixed a defect where the Scopes Selection modal prevented configurations from saving correctly when added using search.

Fixed PF-37516

We’ve fixed a defect where OAuth scopes that included URL characters such as / couldn’t be updated in the Admin portal.

Issue PF-36573

PingFederate returns an unexpected error when you create an instance of the PingOne Verify Integration Kit version 2.2.2 in PingFederate with the Verify feature in PingOne disabled.

Issue PF-35772

Due to multiple vendors' recent browser versions that block third-party cookies, you might experience issues related to single logout with OIDC (via Front-Channel) and WS-Federation.

Refer to browsers' documentation regarding third-party cookie management to unblock them, if feasible.

Issue PF-35643

When you promote a passive admin console to active, the UI doesn’t refresh until you perform an action.

Issue PF-35439

When you make configuration changes on the active console (especially large configuration changes like bulk imports or data archive imports), then promote a passive console to active, it can cause multiple consoles to be active at once. This can result in inconsistent configurations.

Learn how to resolve this issue in Resolving multiple active administrative nodes.

Issue

Issue

PingFederate’s TLS cipher suites can be customized by modifying com.pingidentity.crypto.SunJCEManager.xml (or a similarly-named file if BCFIPS or an HSM is configured). After updating the file and replicating, all cluster nodes must be restarted for the change to take effect.

Issue

Issue

AWS CloudHSM

Thales HSMs

Entrust HSMs

Issue

Issue

SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.

Issue

Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.

Issue

PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.

Although it’s possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage, we recommend not doing so to avoid potential record migration issues.

Issue

Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.

Issue

Issue

Issue

Issue

The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.

Issue

When deploying PingFederate with a forward proxy, plugins based on the AWS SDK, such as the Amazon SNS Notification Publisher, will only honor the http.proxyHost, http.proxyPort, http.proxyUser, and http.proxyPassword properties in run.properties. The plugin will rely on these properties even if the service URL is https.

Improved PF-38898

We added the force.require.replication.data.on.startup parameter to the cluster-config-replication.conf file.

This parameter lets you prevent an engine node from starting up without establishing a connection to the cluster.

Learn more in Cluster management.

Security PF-38742

We improved role-based access control (RBAC) for the administrative expression testing endpoint. Access to expression evaluation is now limited to appropriately privileged roles, ensuring alignment with intended administrative permissions.

Fixed PF-38801

We fixed a defect that caused PingFederate to route users to the base URL for the Multiple Sign-On Delay page when they should’ve been routed to the virtual host URL.

Fixed PF-38875

We fixed a defect that prevented viewing or editing certain custom Authentication Selectors in the admin console.

Fixed PF-38901

We fixed a defect that caused PingFederate to continue displaying a dependency error warning for the Extended Property Authentication Selector after the selector instance is deleted.

Fixed PF-38903

We fixed a defect that prevented dynamic JWKS rotation timing from resetting after a node joined a cluster.

Fixed PF-38328

We’ve fixed a defect where the Kerberos Adapter failed to authenticate when a context path is configured.

Fixed PF-38336

We’ve fixed a defect that caused PingFederate to crash or shut down when attempting to access the Administrative API with a misconfigured JWT authentication setup.

Fixed PF-38393

We’ve fixed a defect that allowed Basic Authentication to access the Administrative API, even when it was disabled in the pf.admin.api.authentication property.

Fixed PF-38417

We’ve fixed a defect where setting response_mode to pi.flow in Pushed Authorization Requests (PAR) or standard request objects resulted in an INVALID_REQUEST error.

Fixed PF-38623

We’ve fixed a defect that caused an error when authentication policies with a Requested AuthN Context Authentication had Add or Update AuthN Context Attribute enabled.

Fixed PF-37816

We’ve fixed a defect where a race condition could cause the PingFailoverAppender to get stuck in a failed state without switching back to its primary appender.

Fixed PF-37964

We’ve fixed a defect where a template variable incorrectly used the primary PingFederate base URL instead of the virtual hostname in some email notifications.

Fixed PF-38028

We’ve fixed a defect where PingFederate would reject requests with valid, non-encoded relay state values.

Fixed PF-38029

PingFederate now uses the Apache Commons BeanUtils library version 1.11.0 and the Apache Commons Compress library version 1.26.1.

Fixed PF-38039

We’ve fixed a defect that could potentially allow a user to access an HTML browser sign-on page when the Authentication API redirectless mode is used.

Learn more in PingFederate unexpected template rendering in redirectless mode in the Ping Identity Support Knowledge Base.

Fixed PF-38043

We’ve fixed a defect where PingFederate could incorrectly lock user accounts during an LDAP connectivity failure with Active Directory. This fix applies to all LDAP datastore types except for Generic LDAP.

Fixed PF-38060

We’ve fixed a defect that caused IdP adapters to duplicate attribute sources when an SP connection was updated using the Admin API.

Fixed PF-38244

We’ve fixed a provisioning defect where disabled users weren’t provisioned once their account was enabled and the Provision Disabled Users setting was set to false.

Security PF-33113

We’ve fixed a security vulnerability that could have allowed malicious parties to extract the PingFederate administrative console’s IP address through HTTP Response headers.

Security PF-37460

We’ve fixed a security vulnerability that could have allowed malicious parties to redirect PingFederate admin console traffic using a spoofed Host header.

Fixed PF-36991

We’ve fixed an issue by adding a missing property to pingfederate-messages.properties.

Fixed PF-37688

We’ve fixed a defect where JARM responses with an error parameter caused PingFederate to return a 500 error. It now returns a 200 response with the appropriate error page.

Fixed PF-37716

We’ve fixed a defect that caused an error in PingFederate when configuring an access token manager if the administrative node (ATM) isn’t the coordinator node.

Fixed PF-37793

PingFederate now always includes the SNI extension in the ClientHello message during a TLS handshake when running in BCFIPS mode.

Fixed PF-37794

We’ve fixed a defect where PingFederate was refusing wildcard TLS certificates when running in BCFIPS mode.

Fixed PF-37819

We’ve fixed an issue that could cause ClassNotFoundException on the admin console.

Fixed PF-37841

We’ve added JWT as an authentication method for the admin API during upgrade utility validation.

Info PF-37451

We’ve added support for the new PingOne Singapore region, pingone.sg.

Fixed PF-35868

We’ve fixed a defect that caused multiple refresh token requests in short succession to result in JDBC data source deadlocks and duplicated data entry into the database.

This feature can cause significant performance issues if PingFederate or the JDBC data source has insufficient resources.

Fixed PF-37398

We’ve fixed a defect that caused the Collect Support Data tool to fail when executed in the admin console when running PingFederate as a Windows service.

Fixed PF-37450

We’ve fixed a defect that caused the token endpoint to unnecessarily reissue an ID token when using a secondary client secret and an asymmetric algorithm for token signing and encryption.

Fixed PF-37559

We’ve fixed a defect that caused Kerberos negotiations to fail with Firefox after the initial exchange.

Info PF-36846

We’ve upgraded Bouncy Castle to version 2.0. This versions is certified to operate in Federal Information Processing Standards (FIPS) mode 140-3.

Info PF-37234

We’ve updated the behavior of the NATIVE_S3_PING discovery protocol when the remove_all_data_on_view_change parameter is active.

Previously, the protocol would delete all files in the S3 bucket, which could lead to the creation of an unwanted subcluster.

Now the protocol deletes all files except for its own to prevent the S3 bucket from being empty.

Learn more in Dynamic cluster discovery.

Fixed PF-37173

We’ve fixed a defect that caused PingFederate to ignore the id_token_hint value during RP-initiated logout when the OAuth client logout mode is set to None.

Fixed PF-37237

We’ve fixed a defect that caused PingFederate to ignore the log file size limit and rotation configurations set by the SizeBasedTriggeringPolicy parameter.

Fixed PF-37279

We’ve fixed a defect that caused the ID token claim to be omitted when an OAuth client uses the secondary secret.

Fixed PF-37046

We’ve fixed a defect where PingFederate failed to create or update service provider (SP) connections when using additional attributes from a data store in OGNL expressions, affecting both the spConnections endpoint in the Administrative API and the Import Connection process in the Admin console.

Fixed PF-37126

We’ve fixed a defect that could cause PingFederate to generate a large number of metric objects unnecessarily when making HTTP requests, which affected performance.

New PF-36970

We’ve added a feature that gives you the option to include a duplicate RSA key with the RS256 algorithm. You can enable this option by setting the add-duplicate-rs256-alg-key parameter in the <pingfed-install>/pingfederate/server/default/data/config-store/jwks-endpoint-configuration.xml file to true.

Info PF-36972

We’ve confirmed that PingFederate is compatible with Red Hat Enterprise Linux ES 8.10.

Fixed PF-36845

We’ve fixed a defect that caused a 500 error when creating or updating an access token manager using the Administrative API.

Fixed PF-36851

We’ve fixed a defect that caused PingFederate to return a revoked or expired consent error when both Bypass Authorization Approval and Bypass Authorization Approval for Previously Approved Consents are enabled.

Fixed PF-36864

We’ve fixed a defect that caused PingFederate to behave inconsistently when This is My Device is selected and an HTML Form Adapter instance has more than one session configuration in the session overrides.

Fixed PF-36865

We’ve fixed a defect where PingFederate could not accept a TLS 1.2 connection in BCFIPS mode on Java 17.

Fixed PF-36874

We’ve fixed a defect that caused PingFederate to lose user group membership information when it lost contact with the datastore during provisioning operations.

Fixed PF-37012

We’ve fixed a defect that caused the HTML Form Adapter Change Password using an authentication policy to fail when PingOne Protect is the risk provider.

Fixed PF-37021

We’ve fixed a defect that caused OGNL expressions to fail to load when they contained SDK classes.

New PF-36314

We’ve added the ability for PingFederate to read extended properties in adapter contract mappings.

This improves flexibility by allowing you to use extended properties as values for attributes fulfilled by your adapter or as lookup values from your datastore.

Learn more in Configuring IdP adapter contract fulfillment and Defining issuance criteria for IdP adapter contract.

New PF-36315

We’ve added the ability for PingFederate to read extended properties in token generator mappings and token exchange policy processor mappings.

This improves flexibility by allowing you to use extended properties in token generation and exchange operations. You can also use extended properties as lookup values from your data store.

New PF-36316

We’ve added the ability for PingFederate to read extended properties in adapter and authentication policy contract (APC) mappings for browser single sign-on (SSO).

This improves flexibility by allowing you to use extended properties in identity provider (IdP) and service provider (SP) connections.

Learn more in Configuring target session fulfillment.

New PF-35864

We’ve added support for Kerberos validation when PingFederate is deployed in the cloud without direct Key Distribution Center (KDC) connectivity.

This can improve performance by allowing PingFederate to validate Kerberos tickets locally without the need for additional components.

Learn more in Adding Active Directory domains and Kerberos realms.

New PF-35343

We’ve improved the logging of authentication policies and fragments used during authentication. The following items are now included in their respective log files:

Learn more about the audit.log changes in Security audit logging.

New PF-36649

We’ve added a feature that allows PingFederate to consume URL-encoded client certificate headers.

This improves compatibility with NGINX mTLS-terminating reverse proxy.

Learn more in Configuring incoming proxy settings.

New PF-34426

We’ve added a feature that automatically upgrades an imported configuration data archive from an older version of PingFederate to be compatible with the current version.

This makes it easier to upgrade to newer versions of PingFederate by allowing you to upgrade your configuration data without using the Upgrade Utility.

Learn more in Upgrading configuration data and Importing and deploying administrative console configuration data.

New PF-36296

We’ve added a feature that allows PingFederate to automatically replicate configuration data archives to clustered server nodes when they uploaded to the drop-in deployer.

This makes it easier to ensure that your clustered nodes have the same configuration data.

Learn more in Upgrading configuration data and Configuration-archive deployment.

New PF-35857

We’ve added a feature that allows you to also get a refresh token during OAuth token exchange.

This allows you to make extended interactions without using long-lived access tokens received from token exchange.

Learn more in Managing processor policy grant mapping.

New PF-35863

We’ve added a feature that allows you to customize which attributes are returned in the Token Endpoint response based on the scopes that are included in the request.

This improves flexibility by giving you more control over where PingFederate can return attributes.

Learn more in Defining the token endpoint management contract.

New PF-36602

We’ve improved the error output for the Administrative API. When access to the administrative API in configured to use OAuth 2.0 or JWT authorization, and the access token is invalid, the error response now includes both error and error_description in the WWW-Authentication header.

This improves troubleshooting by providing an error code and description when authorization fails.

New PF-36291

We’ve added an optional description field to the CIDR Authentication Selector.

This helps you keep track of your defined network ranges by giving them an easily identifiable name.

Learn more in Configuring the CIDR Authentication Selector.

New PF-35859

We’ve added a feature that allows PingFederate to include an ID token along with an access token and refresh token in OAuth token exchanges.

This can improve your end-user experience by passing ID token information along with access tokens during SSO and other token exchange operations.

Learn more in Configuring policy and ID token settings.

New PF-36317

We’ve added support for JSON formatted logging for most PingFederate logs through the log4j2 logging library.

This improves your ability to monitor PingFederate perfomance by producing logs in an easily parsed standard format.

Learn more in Logging in JSON format.

New PF-35420

We’ve added a feature that allows you to collect support data using the administrative console and the administrative API.

This will improve your Ping Identity Support experience by allowing you to more easily customize and collect support data.

Learn more in Collecting support data in the administrative console.

New PF-29353

We’ve added the ability to include the name of OAuth clients in HTML form login templates. You can use the $escape utility with the $clientName variable to include the client name.

This allows you to track the name of the client you use when customizing user-facing login pages.

Learn more in Customizable user-facing pages.

New PF-35854

We’ve added TLS 1.3 support for Hardware Security Modules (HSMs). New installations of PingFederate will have TLS 1.3 enabled by default when in HSM mode.

This improves security by adding TLS by default to your HSM, and streamlines the HSM configuration process by removing a step to manually add TLS.

New PF-35858

We’ve added a feature that allows PingFederate to return ID tokens when issuing OpenID device authorization grants.

This allows you to personalize response messages during device authorization flows. For example, you can display the user’s name as part of the authorization message.

Learn more in Configuring authorization server settings.

New PF-36302

We’ve added support for Google Cloud Key Management System (KMS).

This improves security by allowing you to encrypt the master key file when PingFederate is running in Google Cloud Platform.

Learn more in Implementing a MasterKeyEncryptor using Google Cloud KMS.

New PF-36298

We’ve made it possible to globally disable the MaxMaliciousActions parameter in the <pf-install>/pingfederate/server/default/data/config-store/com.pingidentity.common.security.AccountLockingService.xml file.

This prevents an issue during upgrades where PingFederate unintentionally locks out an OAuth client when it tries to revoke invalid Reference Bearer Access Tokens.

New PF-36299

We’ve made it possible to override the MaxMaliciousActions parameter in the <pf-install>/pingfederate/server/default/data/config-store/com.pingidentity.common.security.AccountLockingService.xml file as it applies to an OAuth client.

This prevents an issue during upgrades where PingFederate unintentionally locks out an OAuth client when it tries to revoke Reference Bearer Access Tokens.

We’ve also improved the error messaging to clarify when it’s the client, not the account, that’s locked out.

Learn more in Configuring authorization server settings and Managing client configuration defaults.

New PF-35855

We’ve added new feature that allows clients to access the Administrative API using a JWT.

This improves flexibility by adding a new secure method for your applications to access PingFederate administrative functions.

Learn more in Enabling JWT authorization.

New PF-36588

PingFederate can now accept OAuth access tokens without scopes through the Admin API.

New PF-34715

We’ve moved the setting for JGroups maximum thread pool size from tcp.xml and udp.xml to run.properties.

This new parameter in the run.properties file allows you to configure your JGroups thread pool more easily and ensure that changes are carried over during upgrade.

Learn more in Deploying cluster servers.

New PF-32832

We’ve added the jetty.runtime.requestlog.format property to the run.properties file to allow you to customize the format of the Jetty runtime log request.

You can use this property to add milliseconds to your log format, which is helpful for troubleshooting high volumes of requests.

Learn more in Configuring PingFederate properties.

New PF-35861

We’ve added support for Google reCAPTCHA Enterprise.

reCAPTCHA Enterprise can handle higher volumes of assessment transactions and offers more levels of bot score granularity.

Learn more in Configuring Google reCAPTCHA Enterprise.

New PF-35862

We’ve added JSON web token (JWT) support to PingFederate’s UserInfo endpoint when acting as the OpenId provider (OP). As the relying party (RP), PingFederate now supports consuming JWT-based responses from other OPs UserInfo endpoint.

This improves security by replacing information sent in JSON form with a signed token, an encrypted token, or both.

Learn more in Configuring OAuth clients and OAuth Client Management Service.

Improved PF-28890

We’ve added a new provisioner-channel-summary.log file to capture data about users and groups added, removed, and updated by provisioning cycles. We’ve also added new information at the INFO level to the provisioner.log and provisioner-audit.log files.

These updates give you improved summary information about provisioning operations without the unnecessary detail of DEBUG-level logging.

Learn more in PingFederate log files.

Improved PF-36573

The PingOne Verify Integration Kit has been updated to version 2.2.2.

Improved PF-36573

The PingOne MFA Integration Kit has been updated to version 2.5.

PingFederate now supports Microsoft External Authentication Method (EAM) to handle multi-factor authentication (MFA) flows with PingID or other MFA integrations.

Learn more in Microsoft EAM Integration Kit.

Info PF-35782

We’ve confirmed that PingFederate 12.2 and 12.1 are compatible with Microsoft Active Directory 2022.

Info PF-36312 PF-36288

We’ve confirmed that PingFederate version 12.2 is compatible with PostgreSQL versions 16.4 and 17.

Info PF-36289

We’ve confirmed that PingFederate is compatible with Amazon Aurora PostgreSQL version 16.4.

Info PF-36445

PingFederate now uses the jose4j library version 0.9.6.

Info PF-36446

PingFederate now uses Apache Commons Compress library version 1.27.1.

Info PF-36579

We’ve upgraded the Amazon Web Services (AWS) Key Management Service (KMS) master-key-encryptor library to the latest version as of this release.

Info PF-36675

Forward slashes are now valid characters in the request header for correlation ID.

Learn more in General settings and Correlating PingFederate events with PingDirectory LDAP activities.

info PF-36276

We’ve updated the provisioning Flag Comparison Value attribute to be case-insensitive.

Learn more in Modifying source settings.

Security PF-35092

We’ve fixed a security vulnerability that could have allowed auditors to access LDAP credentials stored in configured datastores.

Security PF-35279

We’ve fixed a security vulnerability that could have allowed malicious actors to use the Partner Metadata URL loader to list the IP addresses of network assets.

Fixed PF-35847

We’ve fixed a defect that cause the ValidateRelayStateLength parameter in the org.sourceid.saml20.bindings.AbstractAsyncBinding.xml file to be evaluated only on startup. Now, the parameter is always evaluated in runtime flows.

Fixed PF-35919

We’ve fixed a defect that caused PingFederate to return an unexpected error when replicating on a newly promoted passive admin node after deleting connections or clients on the previously active admin node.

Fixed PF-35990

We’ve fixed a defect that caused Kerberos and Form SSO policies to fail when a user attempted SSO using iOS.

Fixed PF-36035

We’ve fixed a defect that caused outbound provisioning to fail and cease if a source user object exceeded a 255-character limit. In the new behavior, PingFederate will skip user objects that exceed 255 characters and log a warning.

Fixed PF-36232

We’ve fixed a defect that prevented PingFederate from issuing a password expiration warning when using PingDirectory as a datastore.

Fixed PF-36239

We’ve fixed a defect that could cause inconsistent sessions or authentication errors when starting multiple applications in different browser tabs at the same time.

Fixed PF-36478

We’ve fixed a defect that caused PingFederate to fail to restart when forcing an import of an unsupported configuration data archive using the drop-in deployer.

Fixed PF-36546

We’ve fixed a defect that caused the banner message warning that a configuration is out of date to persist after a configuration had been replicated. This defect occurred when running PingFederate as a Windows service.

Fixed PF-36550

We’ve fixed a defect that caused PingFederate to log errors excluding details of what error occurred. The fix now includes missing details.

Fixed PF-36574

We’ve fixed a defect that caused the email verification screen to fail to appear when a user registered through an authentication source.

Fixed PF-36600

We’ve fixed an issue that caused PingFederate to fail to revoke multi-part refresh tokens through the revoke_token.oauth2 endpoint.

Issue PF-36573

PingFederate returns an unexpected error when you create an instance of the PingOne Verify Integration Kit version 2.2.2 in PingFederate with the Verify feature in PingOne disabled.

Issue PF-36487

When PingFederate is configured to use the Amazon Web Services or Google Cloud Platform Key Management System (KMS), importing a valid configuration data archive with Reencrypt Data enabled fails with a Could not reencrypt data archive error message. This failure causes PingFederate to fail to restart.

Issue PF-35772

Due to multiple vendors' recent browser versions that block third-party cookies, you might experience issues related to single logout with OIDC (via Front-Channel) and WS-Federation.

Refer to browsers' documentation regarding third-party cookie management to unblock them, if feasible.

Issue PF-35643

When you promote a passive admin console to active, the UI doesn’t refresh until you perform an action.

Issue PF-35439

When you make configuration changes on the active console (especially large configuration changes like bulk imports or data archive imports), then promote a passive console to active, it can cause multiple consoles to be active at once. This can result in inconsistent configurations.

Learn how to resolve this issue in Resolving multiple active administrative nodes.

Issue

Issue

PingFederate’s TLS cipher suites can be customized by modifying com.pingidentity.crypto.SunJCEManager.xml (or a similarly-named file if BCFIPS or an HSM is configured). After updating the file and replicating, all cluster nodes must be restarted for the change to take effect.

Issue

Issue

AWS CloudHSM

Thales HSMs

Entrust HSMs

Issue

Issue

SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.

Issue

Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.

Issue

PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.

Although it’s possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage, we recommend not doing so to avoid potential record migration issues.

Issue

Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.

Issue

Issue

Issue

Issue

The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.

Issue

When deploying PingFederate with a forward proxy, plugins based on the AWS SDK, such as the Amazon SNS Notification Publisher, will only honor the http.proxyHost, http.proxyPort, http.proxyUser, and http.proxyPassword properties in run.properties. The plugin will rely on these properties even if the service URL is https.

Improved PF-38898

PingFederate now supports the force.require.replication.data.on.startup parameter in the cluster-config-replication.conf file. This parameter allows you to prevent an engine node from starting up without establishing a connection to the cluster and retrieving replication data.

Learn more in Cluster management.

Security PF-38742

We improved role-based access control (RBAC) for the administrative expression-testing endpoint. Access to expression evaluation is now limited to appropriately privileged roles, ensuring it aligns with intended administrative permissions.

Fixed PF-38028

We fixed a defect where PingFederate would reject requests with valid, non-encoded RelayState values.

Fixed PF-38393

We fixed a defect that allowed Basic Authentication to access the Administrative API even when Basic Authentication was disabled in the pf.admin.api.authentication property.

Fixed PF-38623

We fixed a defect that caused an error when authentication policies with a Requested AuthN Context authentication had Add or Update AuthN Context Attribute enabled.

Fixed PF-38903

We fixed a defect that prevented the dynamic JWKS rotation timer from resetting after a node joined a cluster.

Fixed PF-38029

PingFederate now uses the Apache Commons BeanUtils library version 1.11.0 and the Apache Commons Compress library version 1.26.1.

Fixed PF-38043

We’ve fixed a defect where PingFederate could incorrectly lock user accounts during an LDAP connectivity failure with Active Directory. This fix applies to all LDAP datastore types except for Generic LDAP.

Fixed PF-38060

We’ve fixed a defect that caused IdP adapters to duplicate attribute sources when an SP connection was updated using the Admin API.

Security PF-33113

We’ve fixed a security vulnerability that could have allowed malicious parties to extract PingFederate administrative console IP addresses using HTTP Response headers.

Security PF-37460

We’ve fixed a security vulnerability that could have allowed malicious parties to redirect PingFederate admin console traffic using a spoofed Host header.

Fixed PF-35868

We’ve fixed a defect that caused multiple refresh token requests in short succession to result in JDBC data source deadlocks and duplicated data entry into the database.

This change can cause significant performance issues if PingFederate or the JDBC data source has insufficient resources.

Fixed PF-37450

We’ve fixed a defect that caused the token endpoint to unnecessarily reissue an ID token when using a secondary client secret and an asymmetric algorithm for token signing and encryption.

Fixed PF-37964

We’ve fixed a defect where a template variable incorrectly used the primary PingFederate base URL instead of the virtual hostname in some email notifications.

Fixed PF-38039

We’ve fixed a defect that could potentially allow a user to access an HTML browser login page when the Authentication API redirectless mode is used.

Learn more in PingFederate unexpected template rendering in redirectless mode in the Support Knowledge Base.

Info PF-37234

We’ve updated the behavior of the NATIVE_S3_PING discovery protocol when the remove_all_data_on_view_change parameter is active.

Previously, the protocol would delete all files in the S3 bucket, which could lead to the creation of an unwanted subcluster.

Now the protocol deletes all files except for its own to prevent the S3 bucket from being empty.

Learn more in Dynamic cluster discovery.

Fixed PF-37279

We’ve fixed a defect that caused the ID token claim to be omitted when an OAuth client uses the secondary secret.

Fixed PF-37126

We’ve fixed a defect that could cause PingFederate to generate a large number of metric objects unnecessarily when making HTTP requests, which affected performance.

New PF-36970

We’ve added a feature that gives you the option to include a duplicate RSA key with the RS256 algorithm. You can enable this option by setting the add-duplicate-rs256-alg-key parameter in the <pingfed-install>/pingfederate/server/default/data/config-store/jwks-endpoint-configuration.xml file to true.

Fixed PF-36874

We’ve fixed a defect that caused PingFederate to lose user group membership information when it lost contact with the datastore during provisioning operations.

Security PF-36304 PF-36311 PF-36313

We’ve fixed a security vulnerability where PingFederate accepted cross-site scripting inputs.

Fixed PF-36574

We’ve fixed a defect that caused the email verification screen to fail to appear when a user registered through an authentication source.

Fixed PF-36600

We’ve fixed an issue that caused PingFederate to fail to revoke multi-part refresh tokens through the revoke_token.oauth2 endpoint.

Fixed PF-36662

We’ve fixed a defect that caused an error in searching for OAuth Client for OAuth Client Set Authentication Selector when DynamoDB is the client storage.

Fixed PF-36816

We’ve fixed a defect when using the PingFederate Administrative API sp/idpConnections endpoint to create or update inbound provisioning connections. The API returned errors about coreAttributes values missing from the JSON payload even though the attributes were not required.

Fixed PF-36851

We’ve fixed a defect that caused PingFederate to return a revoked or expired consent error when both Bypass Authorization Approval and Bypass Authorization Approval for Previously Approved Consents are enabled.

New PF-36298

We’ve made it possible to globally disable the MaxMaliciousActions parameter in the com.pingidentity.common.security.AccountLockingService file.

This will prevent an issue during upgrades where PingFederate unintentionally locks out an OAuth client when it tries to revoke Reference Bearer Access Tokens.

Fixed PF-35919

We’ve fixed a defect that caused PingFederate to return an unexpected error when replicating on a newly promoted passive admin node after deleting connections or clients on the previously active admin node.

Fixed PF-36035

We’ve fixed a defect that caused outbound provisioning to fail and cease if a source user object exceeded a 255-character limit. In the new behavior, PingFederate will skip user objects that exceed 255 characters and log a warning.

Fixed PF-36194

We’ve fixed a defect that caused the PingFederate REST API Datastore to unnecessarily include a Content-Type value when sending GET requests.

Fixed PF-36232

We’ve fixed a defect that prevented PingFederate from issuing a password expiration warning when using PingDirectory as a datastore.

Fixed PF-36239

We’ve fixed a defect that could cause inconsistent sessions or authentication errors when starting multiple applications in different browser tabs at the same time.

Fixed PF-36241

We’ve fixed a defect that caused PingFederate to set the wrong base path for Swagger docs when the pf.admin.baseurl parameter includes a file path.

Fixed PF-36257

We’ve fixed a defect that caused PingFederate to ignore defined OGNL expression variables in datastore attributes.

Fixed PF-36260

We’ve fixed a defect that caused PingFederate to return a validation error when using the /serverSettings endpoint to update the notification settings to LOGGING_ONLY in an environment with no previously-defined notification publisher.

Fixed PF-36261

We’ve fixed a defect that caused device authorization grant flow errors when clustered server nodes are in different time zones.

Fixed PF-36269

We’ve fixed a defect that caused a validation error when sending a valid PUT request to the /serverSettings or /serverSettings/notifications endpoints when the bulkhead notification is active on the default notification publisher.

Fixed PF-36546

We’ve fixed a defect that caused the banner message warning that a configuration is out of date to persist after a configuration had been replicated. This defect occurred when running PingFederate as a Windows service.

info PF-36276

We’ve updated the provisioning Flag Comparison Value attribute to be case-insensitive.

Learn more in Modifying source settings.

Improved PF-36180

We’ve added an option to process PKCE parameters from outside the signed request object when the parameters are not included in the request object.

Fixed PF-36086

We’ve fixed a defect that caused PingFederate to not display a custom error message when using a custom authorization adapter without an authorization API application.

Security PF-35678

We’ve fixed a defect that caused PingFederate to retrieve the wrong file when using relative paths in symbolic links.

Fixed PF-35842

We’ve fixed a defect that caused the heartbeat endpoint to return a 500 error after upgrading to PingFederate 12.1.

Fixed PF-35867

We’ve fixed a defect that caused refresh tokens to roll prematurely when making authorization requests to servers in different time zones.

Fixed PF-35920

We’ve fixed a defect that caused the incremental update package for PingFederate versions 12.0 and 12.1 to unnecessarily install the entire SDK directory.

Fixed PF-35952

We’ve fixed a defect that caused PingFederate to redirect failed IdP sign on attempts rather than handling the error locally.

Security PF-35631

Included a patch to address multiple vulnerabilities related to Apache Axis1.

Fixed PF-35166

Fixed a defect that caused PingFederate to roll refresh tokens when Refresh Token Rolling Policy is disabled but Refresh Token Rolling Interval has a value.

Fixed PF-35304

Fixed a defect that caused the provisioner to propagate group updates even if user updates didn’t finish.

Fixed PF-35737

Fixed a defect that caused PingFederate to validate only the first OAuth client access token manager it found when Validate Against All Eligible Access Token Managers was checked, and the aud parameter was included in the request.

Fixed PF-35783

Fixed a defect where PingFederate failed to return IPv4 addresses in a custom adapter request using the request.getRemoteAddr() method.

Fixed PF-35800

Fixed a defect that caused PingFederate to fail to map new attributes added to an existing access token manager to the Context SRI.

Fixed PF-35815

Fixed a defect that caused PingFederate to present an error message when user tries to sign on again after a session expires due to inactivity.

New PF-34962

We’ve added a feature that allows you to create an active admin console and one or more passive backup admin consoles in a clustered environment.

Even though only one node can be active, the passive nodes are always kept in sync, so you can easily promote them to the active console. This reduces downtime in the event of an outage on the node with the active admin console.

Learn more in Active and passive administrative nodes.

New PF-35345

We’ve added the ability to implement runtime thread bulkheads that limit the percentage of threads that can be waiting on external data sources. After the limit is reached, further requests are rejected.

This improves resilience, reliability, and availability by minimizing the impact of a broken data source connection on other connections.

You can configure bulkheads in the com.pingidentity.common.util.resiliency.BulkheadManagerImpl.xml file. You can also configure runtime notifications for bulkhead threshold events.

Learn more in Configuring runtime thread bulkheads.

New PF-34887

We’ve added a new special attribute, SAML_AUTHN_RESPONSE_ASSERTION, to access the Assertion element of the SAML 2.0 response messages during attribute mapping.

Learn more in Special attribute names in contracts.

New PF-34883

We’ve added the ability to define a custom key identifier (KID) for OIDC and OAuth signing and decryption keys for each RSA-based signing algorithm.

Custom KID values help with special environments and custom requirements for RSA-based JSON Web Keys (JWK) published in the JSON Web Keys endpoint.

Learn more in Keys for OAuth and OpenID Connect.

New PF-34889

We’ve added the ability to enable a redirectless authentication API OAuth flow through the authorization endpoint without cookies.

You can now use the authentication API without having to manage and process cookies. Instead of cookies, the API includes details within the JSON response that need to be included as a simple HTTP header value in responses to PingFederate.

This improvement is especially useful for native app developers and reduces the implications of third-party cookie issues.

Learn more in Configuring OAuth clients.

New PF-35341

We’ve added support for the resource parameter to allow clients to indicate the protected resources to which it is requesting access.

The resource parameter is available for use during access token mapping.

Learn more in the RFC 8707 specification and Token endpoint.

New PF-31859

We’ve added support for the Australia region in the PingOne unified admin feature. You can now configure the pf.pingone.admin.url.region property for Australia (.com.au).

The Asia region is deprecated. We recommend using the Australia region instead.

Learn more in Configuring PingFederate properties.

New PF-34886

We’ve added the ability to optionally publish asymmetric signing keys configured in a JWT Access Token Management Plugin instance to the PingFederate JWKS endpoint.

Publishing JWKs to the JWKS endpoint reduces the number of required JWKS endpoints, and allows you to use more standard client libraries and fewer custom clients.

Published keys are discoverable using the OpenID Provider configuration endpoint.

Learn more in Configuring an access token management instance.

New PF-35342

PingFederate now publishes the x5t x.509 certificate SHA-1 thumbprint parameter from the JWKS endpoint by default.

Learn more in JSON Web Keys endpoint.

New PF-34891

We’ve added support for custom URI schemes in redirect validation for OAuth and OIDC clients.

You can now allow redirects to URIs such as native applications or APIs outside of the HTTP/HTTPS scheme. Because application URIs are often company or brand-specific, this feature reduces the potential for naming collisions with other apps on the same device.

Learn more in Configuring redirect validation.

New PF-34884

We’ve added support for JWT Authorization Response Mode (JARM) to identity provider (IdP) connections.

PingFederate already supports JARM in its role as a relying party (RP), and now supports it in its role as an OpenID provider (OP). Instead of having to receive an issued authorization_code and state parameter as a query component, your connection can process a JWT instead.

Learn more in Creating an OpenID Connect IdP connection.

New PF-34885

We’ve added a feature allowing you to configure the interval of rolling OAuth tokens in hours, minutes, or seconds.

Learn more in Configuring OAuth clients, Configuring authorization server settings, and Managing client configuration defaults.

New PF-34422

We’ve added support for the PingFederate Magic Link Integration Kit.

Learn more in the Magic Link Integration Kit documentation.

New PF-35012

We’ve added the ability to configure the timeout duration for LDAP health checks.

You can configure this option in the ~/server/default/data/config-store/com.pingidentity.common.util.ldap.LDAPUtil.xml file using the HealthCheckResponseTimeoutMillis parameter.

The default value is 2000.

New PF-35349

PingFederate now supports LDAPv3 with the StartTLS command to secure LDAP connections to a directory server.

This feature allows LDAP connections to be initiated on a non-SSL port (such as 389), and then be upgraded to SSL on the same port. This reduces the number of ports that potentially have to be opened within a firewall.

Learn more in Configuring an LDAP connection.

New PF-35346

PingFederate now supports the OpenID Connect (OIDC) offline_access scope.

You can now configure OAuth and OIDC clients to receive only a refresh_token when this scope is requested. You can also optionally configure a resource owner consent as required.

Learn more in Configuring authorization server settings and OAuth Client Management Service.

New PF-35347

PingFederate now supports user registration through OIDC 1.0 using the prompt=create command.

Including this parameter initiates a user registration flow within the context of OIDC, which reduces developer efforts by eliminating the need for a separate customer registration flow.

Learn more in Configuring request parameters and SSO URLs.

New PF-35453

We’ve added the IN_PARAMETER_NAME_SRI parameter to the SDK, which contains the current pi.sri.

We’ve also exposed the pi.sri value in the Context type for most attribute mappings.

New PF-34464

We’ve added a new SessionManager class in the SDK to allow for revoking all sessions or all but the current session.

This works similarly to the Revoke sessions after password change or reset option in the HTML Form Adapter.

New PF-34338

We’ve added support for the log tracking ID feature in PingDirectory 10.0. PingFederate can use this tracking ID as a transactionId value.

Learn more in Security audit logging.

Improved PF-35079

We’ve improved logging capabilities to associate an adapter ID with adapters that fail to load. This makes misconfigured adapters easier to trace.

Improved PF-34952

We’ve added a pop-up modal to several OAuth scope reference pages to improve the scope management user interface.

Learn more in Configuring scope constraints.

Improved PF-34890

We’ve improved the user interface for the Scope Management page, including pagination, a search feature, and new tabs for managing common and exclusive scope groups.

Learn more in Defining scopes.

Improved PF-34892

We’ve added new connection pool metrics to the heartbeat endpoint and JMX MBeans for Java Database Connectivity (JDBC) and LDAP connections.

New metrics include maximum connection pool size, minimum connection pool size, number of active connections, and number of idle connections.

Learn more in Customizing the heartbeat message and Liveliness and responsiveness.

Improved PF-35527

Refresh grants are no longer revoked when issuance criteria fail.

Also, new grants or access tokens are not issued due to the failure of issuance criteria.

This is the new default behavior for refresh grants.

Improved PF-35325

The PingOne MFA Integration Kit has been updated to version 2.3.1.

Improved PF-35383

PingFederate now supports Aurora PostgreSQL version 16.2.

Improved PF-35384

PingFederate now supports PostgreSQL version 16.2.

Info PF-34434

We’ve added support for PingDS (formerly ForgeRock DS) datastore.

Learn more in System requirements.

Improved PF-34039

We’ve upgraded Jetty to version 10.

Info PF-34897

PingFederate 12.1 is certified for FAPI OpenID Providers (OP) and Profiles, and FAPI CIBA OpenID Providers and Profiles.

Fixed PF-34523

We’ve fixed an issue that caused PingFederate’s OIDC admin console login to fail when the node.group.id value didn’t match an existing node id.

Fixed PF-34333

We’ve fixed an issue that caused PingFederate to query all attributes for PingDirectory users, rather than just the required attributes.

Fixed PF-35082

We’ve fixed a defect that caused access token requests to fail due to OAuth 2.0 Demonstrating Proof of Possession (DPoP) proof validation failure when reusing existing persistent access grant is enabled for confidential claims.

Fixed PF-35114

We’ve fixed an issue that caused PingFederate to display the expiration date of a PingFederate license in terms of the browser time zone rather than the server time zone.

Fixed PF-35272

We’ve fixed an issue that caused significant slowdown when PingFederate processed an unencrypted JSON web token (JWT) using JSON web encryption (JWE) deobfuscation.

Fixed PF-35352

We’ve fixed a defect that caused the PingFederate REST API datastore to pass malformed cookies into datastore request headers.

Fixed PF-35744

We’ve fixed a defect where client in-use detection caused an IndexOutOfBoundsException when a custom solution is used for client storage.

Fixed PF-35753

We’ve fixed a defect that caused changes in ClientManagerDynamoDBImpl not to apply when performing a bulk import or using the configuration store API unless you restarted PingFederate.

Fixed PF-35075

We’ve fixed a defect that caused PingFederate to ignore valid license files if they were issued prior to the current license file.

Issue PF-35772

Due to multiple vendors' recent browser versions that block third-party cookies, you might experience issues related to single logout with OIDC (via Front-Channel) and WS-Federation.

Refer to browsers' documentation regarding third-party cookie management to unblock them, if feasible.

Issue PF-35642

When you switch a passive console to active, PingFederate might display a notification that the configuration has not been replicated, even though the configuration is up-to-date.

Issue PF-35643

When you promote a passive admin console to active, the UI doesn’t refresh until you perform an action.

Issue PF-35439

When you make configuration changes on the active console (especially large configuration changes like bulk imports or data archive imports), then promote a passive console to active, it can cause multiple consoles to be active at once. This can result in inconsistent configurations.

Learn how to resolve this issue in Resolving multiple active administrative nodes.

Issue

Issue

PingFederate’s TLS cipher suites can be customized by modifying com.pingidentity.crypto.SunJCEManager.xml (or a similarly-named file if BCFIPS or an HSM is configured). After updating the file and replicating, all cluster nodes must be restarted for the change to take effect.

Issue

Issue

AWS CloudHSM

Thales HSMs

Entrust HSMs

Issue

Issue

SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.

Issue

Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.

Issue

PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.

Although it’s possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage, we recommend not doing so to avoid potential record migration issues.

Issue

Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.

Issue

Issue

Issue

Issue

The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.

Issue

When deploying PingFederate with a forward proxy, plugins based on the AWS SDK, such as the Amazon SNS Notification Publisher, will only honor the http.proxyHost, http.proxyPort, http.proxyUser, and http.proxyPassword properties in run.properties. The plugin will rely on these properties even if the service URL is https.

Info PF-34682

The authorizationDetails JSON field returned by the OAuth consent management endpoint has been deprecated in favor of the new authorizationDetail and authorizationDetailDescription fields.

Learn more about the consent management endpoint in OAuth Consent Management Service.

Improved PF-38898

We added the force.require.replication.data.on.startup parameter to the cluster-config-replication.conf file.

This parameter allows you to prevent an engine node from starting up without establishing a connection to the cluster.

Learn more in Cluster management.

Security PF-38742

We improved role-based access control (RBAC) for the administrative expression testing endpoint. Access to expression evaluation is now limited to appropriately privileged roles, ensuring alignment with intended administrative permissions.

Fixed PF-38442

We fixed a defect where front-channel logouts requests to /idp/startSLO.ping failed to send logout requests to relying party URIs.

Fixed PF-38903

We fixed a defect that prevented dynamic JWKS rotation timing from resetting after a node joined a cluster.

Security PF-37460

We’ve fixed a security vulnerability that could have allowed malicious parties to redirect PingFederate admin console traffic using a spoofed Host header.

Fixed PF-37964

We’ve fixed a defect where a template variable incorrectly used the primary PingFederate base URL instead of the virtual host name in some email notifications.

Fixed PF-38039

We’ve fixed a defect that could potentially allow a user to access an HTML browser sign-on page when the Authentication API redirectless mode is used.

Learn more in PingFederate unexpected template rendering in redirectless mode in the Ping Identity Support Knowledge Base.

Fixed PF-38043

We’ve fixed a defect where PingFederate could incorrectly lock user accounts during an LDAP connectivity failure with Active Directory. This fix applies to all LDAP datastore types except for Generic LDAP.

Fixed PF-38060

We’ve fixed a defect that caused IdP adapters to duplicate attribute sources when an SP connection was updated using the Admin API.

Security PF-33113

We’ve fixed a security vulnerability that could have allowed malicious parties to extract the PingFederate administrative console’s IP address through HTTP Response headers.

Fixed PF-35868

We’ve fixed a defect that caused multiple refresh token requests in short succession to result in JDBC data source deadlocks and duplicated data entry into the database.

This fix can cause significant performance issues if PingFederate or the JDBC data source has insufficient resources.

Fixed PF-37450

We’ve fixed a defect that caused the token endpoint to unnecessarily reissue an ID token when using a secondary client secret and an asymmetric algorithm for token signing and encryption.

Info PF-37234

We’ve updated the behavior of the NATIVE_S3_PING discovery protocol when the remove_all_data_on_view_change parameter is active.

Previously, the protocol would delete all files in the S3 bucket, which could lead to the creation of an unwanted subcluster.

Now the protocol deletes all files except for its own to prevent the S3 bucket from being empty.

Learn more in Dynamic cluster discovery.

Fixed PF-36874

We’ve fixed a defect where temporary connection loss to the source datastore during provisioning could lead to unintended membership information loss on the target SaaS application.

Fixed PF-37279

We’ve fixed a defect that caused the ID token claim to be omitted when an OAuth client uses the secondary secret.

Security PF-36304 PF-36311 PF-36313

We’ve fixed a security vulnerability where PingFederate accepted cross-site scripting inputs.

Fixed PF-36574

We’ve fixed a defect that caused the email verification screen to fail to appear when a user registered through an authentication source.

Fixed PF-36662

We’ve fixed a defect that caused an error in searching for OAuth Client for OAuth Client Set Authentication Selector when DynamoDB is the client storage.

Fixed PF-36035

We’ve fixed a defect that caused outbound provisioning to fail and cease if a source user object exceeded a 255-character limit. In the new behavior, PingFederate will skip user objects that exceed 255 characters and log a warning.

Fixed PF-36232

We’ve fixed a defect that prevented PingFederate from issuing a password expiration warning when using PingDirectory as a datastore.

Fixed PF-36239

We’ve fixed a defect that could cause inconsistent sessions or authentication errors when starting multiple applications in different browser tabs at the same time.

Fixed PF-36261

We’ve fixed a defect that caused device authorization grant flow errors when clustered server nodes are in different time zones.

Security PF-35678

We’ve fixed a defect that caused PingFederate to retrieve the wrong file when using relative paths in symbolic links.

Fixed PF-35867

We’ve fixed a defect that caused refresh tokens to roll prematurely when making authorization requests to servers in different time zones.

Fixed PF-35867

We’ve fixed a defect that caused the incremental update package for PingFederate versions 12.0 and 12.1 to unnecessarily install the entire SDK directory.

Fixed PF-35166

We’ve fixed a defect that caused PingFederate to roll refresh tokens when Refresh Token Rolling Policy is disabled but Refresh Token Rolling Interval has a value.

Fixed PF-35737

We’ve fixed a defect that caused PingFederate to validate only the first OAuth client access token manager it found when Validate Against All Eligible Access Token Managers was checked, and the aud parameter was included in the request.

Fixed PF-35783

We’ve fixed a defect where PingFederate failed to return IPv4 addresses in a custom adapter request using the request.getRemoteAddr() method.

Fixed PF-35815

We’ve fixed a defect that caused PingFederate to present an error message when user tries to sign on again after a session expires due to inactivity.

Fixed PF-34523

We’ve fixed a defect that caused the OIDC administrative console login to fail when the node.group.id didn’t match a server’s node id.

Fixed PF-35744

We’ve fixed a defect where client in-use detection caused an IndexOutOfBoundsException when a custom solution is used for client storage.

Fixed PF-35753

We’ve fixed a defect that caused changes in ClientManagerDynamoDBImpl not to apply when performing a bulk import or using the configuration store API unless you restarted PingFederate.

Info PF-35838

The Davinci integration kit has been updated to version 1.2.

New PF-31859

Added support for the Australia region to the pf.pingone.admin.url.region property.

The Asia region is deprecated. We recommend using the Australia region instead.

Learn more in Configuring PingFederate properties.

Fixed PF-35609

Fixed a defect that caused the authentication API to allow a different user to proceed with the MUST_CHANGE_PASSWORD function than the user who initiated the flow.

Fixed PF-35423

Fixed a defect that caused PingFederate not to release memory when using the admin API on the policy tree.

Fixed PF-35618

Fixed a defect that caused the authentication API to ignore credentials for password changes provided after user authentication.

Fixed PF-35430

Fixed a defect that caused a validation error in the authentication API when including the ui_locales parameter.

Fixed PF-35286

Fixed a defect that caused redundant user provisioner updates when the data source and PingFederate were in different time zones.

Fixed PF-35395

Fixed a defect that caused PingFederate to ignore the Bypass Authorization Approval setting when Bypass Authorization For Previously Approved Consents is enabled.

Fixed PF-35411

Fixed a defect that caused repeated looping in authentication policy involving a local Identity profile.

Fixed PF-35407

Fixed a defect with In Use detection when DynamoDB is used for OAuth client storage.

Fixed PF-35357

Fixed a defect where deleting an OIDC policy fails when using DynamoDB storage for a large number of OAuth clients.

Fixed PF-35111

Fixed a defect where extended properties retrieved by OGNL are not populated.

Fixed PF-35134

Fixed a defect that caused PingFederate to not process authentication policy rules for fragment nodes that do not contain an output contract.

Fixed PF-35142

Fixed a defect that caused LDAP data source connection pools to close when still in use after the LDAP data source is modified and replicating under heavy load.

Fixed PF-35195

Fixed a defect that caused errors in synchronization and accessing dynamic JSON Web Key Set (JWKS) keys when running a cluster that was a mix of PingFederate versions 12.0 and 12.0.1.

Fixed PF-35309

Fixed a defect that caused the alg parameter to fail to populate when EC dynamic keys are rotated on a lead cluster node and shared to the cluster.

Improved PF-35325

Upgraded the PingOne MFA Integration Kit to version 2.3.1.

Improved PF-35310

Upgraded the lightning LDAP library to version 1.5.22.

Improved PF-35184

Upgraded the Jetty library to version 9.4.54.v20240208.

Improved PF-34832

Added a feature to generate a warning message on the Runtime Notifications tab if you have enabled thread dumps, but you have not configured the ThreadDumpAppender and ThreadDumpLogger properties in the log4j2.xml file.

To learn more about configuring thread pool exhaustion events, see Configuring runtime notifications.

Improved PF-30913

Added a feature allowing you to generate random provisioner.node.id values.

To learn more about configuring provisioners, see Deploying provisioning failover.

Improved PF-34883

Added a feature allowing administrators to define custom KeyID values for static OAuth and OIDC keys and token signing keys.

Fixed an defect that caused PingFederate to not publish the alg parameter on the JWKS endpoint. This issue occurred for dynamically-generated EC signing keys on engine nodes.

To learn more about keys, see Keys for OAuth and OpenID Connect.

Security PF-34720

Fixed a JSON injection vulnerability in REST datastores described in security advisory SECADV044.

Security PF-34896

Fixed a path traversal vulnerability in Runtime nodes described in security advisory SECADV044.

Security PF-35081

Fixed a Cross-Site Scripting vulnerability in the OpenID Connect Policy Management Editor described in security advisory SECADV044.

Fixed PF-34641

Fixed a defect where SAML requests using HTTP GET method with multiple signature-related parameters encoded in the RelayState parameter were causing errors in processing signature validation.

Fixed PF-34813

Fixed a defect that caused PingFederate to issue null pointer exception (NPE) errors when querying the token endpoint.

Fixed PF-34854

Fixed a defect that caused the certificate expiry warning notification icon to remain when there were no notifications to display.

Fixed PF-34409

Fixed a defect where changes made on the administrative console were not replicated to the engine during reencryption.

Fixed PF-34796

Fixed a defect that caused the JMX monitoring to fail to register archive files that are imported to PingFederate.

Fixed PF-34865

Fixed a defect that caused the content-type of a response from the well_known endpoint to change from JSON to HTML if a response is too large.

Fixed PF-34701

Fixed a defect that caused PingFederate to display an unlock your account page during self-service password reset to accounts that are not locked.

Fixed PF-34879

Fixed a defect that caused PingFederate to fail on startup when installed on a Red Hat Enterprise Linux (RHEL) server with OS-levels FIPS enabled.

Fixed PF-34882

Fixed a defect that returned a 500 error with no details when an authentication policy fragment had a LOCAL_IDENTITY_MAPPING action with an invalid localIdentityRef ID.

Fixed PF-34839

Fixed a defect where PingFederate was unable to deobfuscate grant attributes of a certain length.

Fixed PF-34853

Fixed a defect that caused PingFederate to incorrectly return an Invalid Configuration error for a valid authentication policy.

New PF-34418

OpenID Connect (OIDC) relying party (RP) initiated logout allows OAuth clients to request that the OpenID Provider (OP) perform a federated logout. PingFederate now supports this standard, both when PingFederate acts as the OP as well as when it acts as the RP via an OIDC IdP connection.

For more information, see OAuth Client Management Service, Configuring OpenID Provider information, and OpenID Connect RP-initiated logout endpoint.

New PF-34415

You can now add risk provider such as CAPTCHA to Identifier First adapters.

For more information, see Configuring an Identifier First Adapter instance

New PF-34413

API-capable IdP adapters can now prevent a redirect to the authentication application if no user interaction is required.

For more information, see Upgrade considerations introduced in PingFederate 12.x.

New PF-34437

You can now configure runtime notifications to alert you when the number of threads in use exceeds a set threshold. You can also use this feature to initiate and log a thread dump event.

For more information, see Configuring runtime notifications.

New PF-33318

You can now configure your authorization server settings for OAuth and OIDC users so that their decisions to grant access can be persisted after a refresh_token is revoked.

For more information, see Authorization Consent in Configuring authorization server settings.

New PF-34428

PingFederate will now issue a notification in the admin console before a certificate expires. You can configure the duration of the notification before and after expiry in the Runtime Notifications menu.

Deleted certificates are removed from the notifications menu.

For more information, see Configuring runtime notifications.

New PF-33989

We further improved support for self-service and application on-boarding use cases. OAuth applications and SAML connections can now be replicated to PingFederate engine nodes without affecting any dependencies. This enhancement lets development teams manage their applications without the help of PingFederate administrators. For more information, see Cluster management.

New PF-33986

Continuing the PingFederate tradition of recognizing open identity standards, it now supports the OpenID Connect Front-Channel Logout specification. This feature enables global sign-off user journeys. It’s available in addition to PingFederate’s proprietary front-channel logout protocol. For more information, see Configuring OAuth clients.

New PF-33987

For OpenID Connect IDP connections, log files now include more details so that you can analyze and resolve connection problems easier. You can enable this feature just by selecting a checkbox in the Log Settings. For more information, see Log settings.

New PF-33982

Now you can configure PingFederate to enable sessions on shared devices. Devices can be configured as private or public (unspecified) and maintain persistent sessions. This feature is available through the HTML Form Adapter. For more information, see Configuring authentication sessions.

New PF-33985

The integration with the CyberArk Secret Manager now allows access to all values available through the CyberArk interface. This gives you more freedom when building user journeys. For more information, see Configuring instances of the secret manager plugin for the CyberArk Credential Provider.

New PF-33983

When you use OAuth and OpenID Connect flows with response_mode=pi.flow, users are redirected back to the associated authentication application rather than to PingFederate. This is enables more consistent user journeys. For more information, see Configuring self-service account recovery.

New PF-33988

To further support Amazon DynamoDB use cases, now you can also use account linking with this NoSQL database. For more information, see Configuring an Amazon DynamoDB for account-link storage.

New PF-33332

This feature simplifies the use of PingFederate policies because it no longer requires input or output contracts for certain fragments. This improves the readability, maintainability, and performance of these policies. For more information, see Defining policy fragments.

New PF-33631

Enhancing PingFederate’s support for OAuth DPoP, this release includes support for this type of access token. It lets developers learn more about the use and importance of the dpop_bound_access_tokens parameter. For more information about the parameter, see the PingFederate Open Banking Software Assertion Validator plug-in on GitHub.

New PF-34640

In rare cases where plugin creation and initialization significantly slows down PingFederate startup, you can now turn off plugin creation and initialization. Plugins will then only be initialized on first use.

The default startup behavior is recommended for most customers. For more information about this option and the tradeoffs involved in enabling it, open a support case.

New PF-34147

The PingOne Protect Integration Kit is now bundled with PingFederate.

Improved PF-34369

The PingID Integration Kit has been updated to version 2.26.

Improved PF-34368

The PingOne MFA Integration Kit has been updated to version 2.2.1.

Improved PF-34168

When integrating with Thales Luna Network hardware security modules (HSMs), you can now use Java 17.

For more information, see Integrating with Thales Luna Network HSM

Improved PF-34050

The administrator audit log file (admin.log) now logs any OGNL expression tests performed and the expression variables used with an event type of TEST_EXPRESSION. For more information, see Administrator audit logging.

Improved PF-33095

The Collect Support Data (CSD) script has been improved to capture more details.

Improved PF-33621

Now PingFederate supports authentication to Azure SQL Managed Instance through Azure Active Directory without a username and password. For more information, see Configuring a JDBC connection.

Improved PF-32747

Upgraded the BCFIPS library to 1.0.2.4, which now supports enabling BCFIPS mode with Java 17.

For more information, see Bouncy Castle FIPS provider and Integrating Bouncy Castle FIPS providers.

Improved

Security PF-34645

Fixed a potential security vulnerability described in SECADV040.

Security PF-34646

Fixed a Server-Side Request Forgery vulnerability in the Initial Setup Wizard described in security advisory SECADV041.

Fixed PF-34718

For fresh installs, we changed the default value of pf.cluster.TCPPING.return_entire_cache in jgroups.properties from true to false.

This prevents an issue where remote procedure calls (RPCs) can be dropped in large clusters that use TCPPING.

For more information, see Upgrade considerations introduced in PingFederate 12.x.

Fixed PF-34500

Fixed an issue with the administrative API doc on the /oauth/accessTokenMappings endpoint not matching the actual endpoint response.

Fixed PF-33560

Policy Rules conditions that use multi-value contains DN now ignore case while comparing the DN value.

Fixed PF-33305

Now log messages about illegal characters in API calls are logged at the DEBUG level rather than the WARN level.

Fixed PF-34115

Added the value none to /.well-known/openid-configuration/token_endpoint_auth_methods_supported

Fixed PF-34210

The id_token_jti property is no longer included in token endpoint responses.

Fixed PF-34216

Fixed an administrative API defect when a fragment rule had Default to Success disabled

Fixed PF-34322

Fixed an issue that was returning a 404 error if the /idp/startSLO.ping endpoint was hit while a virtual issuer was configured. You can now configure virtual issuers with a context path.

Fixed PF-34504

Clients that maintain a JWKS endpoint can now use private key JWT based authentication when requesting an access token.

Fixed PF-34606

Checking for existing but expired grants with DynamoDB no longer causes a null pointer exception error (NPE).

Fixed PF-34545

Fixed an issue preventing PingFederate from closing connections after receiving a 401 or 403 response from PingOne MFA.

Fixed PF-33466

You can now turn off server-side sorting via a configuration option.

Fixed PF-34433

You can now copy and paste a policy contract below a selector node.

Fixed PF-34536

Fixed an issue where decryption of an encrypted SAML element could fail if a KeyName was specified.

Fixed PF-33983

When using redirectless mode, now the one-time link (OTL) in password-reset email messages returns users to the authentication API application configured for the policy, rather than to PingFederate.

Fixed PF-34111

When a service provider (SP) authentication policy fails, PingFederate now renders the sp.sso.error.page.template.html page instead of the idp.sso.error.page.template.html page.

Fixed PF-34146

Fixed a defect where an OAuth client created with dynamic client registration (DCR) couldn’t be updated with DCR after it was modified with the administrative console.

Fixed PF-34163

Now PingFederate closes idle JDBC datastore connections until the minimum pool size is reached instead of closing and recreating all of them.

Fixed PF-34210

The id_token_jti property is no longer included in token endpoint responses.

Fixed PF-34216

Fixed an administrative API defect when a fragment rule had Default to Success disabled

Fixed PF-34225

Resolved an issue that caused PingFederate to send email notifications for licensing events even though they were disabled in the Runtime Notifications configuration.

Fixed PF-31865

We upgraded the Jetty library, resolving CVE-2022-2047 and CVE-2022-2048.

Fixed PF-33056

Using submit and onSubmit as OAuth scope names in the administrative UI drop-down no longer causes front-end JavaScript errors.

Fixed PF-33174

The authorization_details claim in a JWT access token manager configuration is no longer sent if it’s empty.

Fixed PF-33156

Policy fragments with valid authentication sources no longer fail with an Invalid Configuration error during runtime.

Fixed PF-33441

PingFederate, when configured with PingDirectory as an outbound provisioning data source, no longer sends redundant group updates in each provisioning cycle when the entry remains unchanged.

Fixed PF-33449

We’ve resolved a potential security vulnerability that is described in security advisory SECADV037.

Fixed PF-33450

We fixed an issue so that PingFederate as a Windows service now runs on Java 17. When updating to the latest maintenance release using an in-place update method (for example, from 11.3.0 to 11.3.x), in addition to the steps in Updating to the latest maintenance release, you must remove the existing PingFederate Windows service. After removal, re-install the PingFederate Windows Service to apply this fix.

Fixed PF-33519

When an OIDC identity provider (IdP) connection fails in an authentication policy, PingFederate now continues on to the fail path of the authentication policy.

Fixed PF-33722

We resolved an issue that incorrectly produced an administrative API validation error when the fragment mapping references context.RequestedUser as the mapping source.

Fixed PF-33863

PingFederate now processes authorization details within a rich authorization request (RAR) as a JSON Array in a JWT request. Additionally, PingFederate no longer supports authorization details sent as stringified JSON arrays.

Fixed PF-33881

Resolved a replication issue that, in rare cases, caused an engine node in a cluster to start without replication data from other nodes.

Fixed PF-33920

Resolved an issue that prevented user sessions from being revoked through the session management API when using persistent sessions.

Fixed PF-33935

We’ve resolved a potential security vulnerability that is described in security advisory SECADV037.

Fixed PF-33957

When utilizing the PingFederate administrative API to create or update a fragment that includes another fragment, the API will no longer produce a validation error when fragment mapping involves an input source type.

Fixed PF-34016

The message-template-end-user-password-change.html template now contains the USERNAME variable.

Fixed PF-34017

We’ve resolved a potential security vulnerability that is described in security advisory SECADV037.

Fixed PF-34051

We fixed a policy evaluation issue that occurred when ui_locales was present in an authentication request.

Fixed PF-34074

We updated the administrative UI to include certification serial number in the drop-down, thus preventing import errors for certifications sharing the same Subject DN and expiration date combination.

Fixed PF-34099

We fixed an attribute lookup error that occurred when different DynamoDB attributes shared an overlapping path.

Fixed PF-34077

We fixed a defect that caused PingFederate to check every certificate when loading certificate-related pages in the administrative interface, which slowed down performance.

Issue

PingFederate versions 11.1.4, 11.1.5, 11.2.1, and 11.2.2 contain version 3.0.2 of the PingID password credential validator (PCV). That version of the PCV has known issues that you should review before upgrading. For more information, see Known issues in PingID RADIUS PCV 3.0.2.

Issue

Issue PingOne MFA

PingFederate 11.3 is not compatible with the PingOne MFA CIBA Authenticator bundled in PingOne MFA Integration Kit version 2.1 and earlier. This issue was resolved in version 2.2 of that integration kit.

Issue

For Java versions that don’t support TLSv1.3 (meaning versions earlier than 8u261), PingFederate fails on start up with a NoSuchAlgorithmException exception. To resolve this error, remove TLSv1.3 from the following settings in the run.properties file:

Issue

PingFederate’s TLS cipher suites can be customized by modifying com.pingidentity.crypto.SunJCEManager.xml (or a similarly-named file if BCFIPS or an HSM is configured). After updating the file and replicating, all cluster nodes must be restarted for the change to take effect.

Issue

Issue

AWS CloudHSM

Thales HSMs

Entrust HSMs

Issue

Issue

SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.

Issue

Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.

Issue

PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.

Although it’s possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage, we recommend not doing so to avoid potential record migration issues.

Issue

Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.

Issue

Issue

Issue

Issue

The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.

Issue

When deploying PingFederate with a forward proxy, plugins based on the AWS SDK, such as the Amazon SNS Notification Publisher, will only honor the http.proxyHost, http.proxyPort, http.proxyUser, and http.proxyPassword properties in run.properties. The plugin will rely on these properties even if the service URL is https.

Info

As of PingFederate 12.0, these features have been deprecated, and will be removed in a future release.

Info

Support for text message self-service password reset (SSPR) is deprecated as of PingFederate 12.0 and will be removed in a future release. To ensure continued support, migrate your SSPR configurations to an authentication policy using the One-Time Passcode Integration Kit.

Info

Starting with version 12.0, PingFederate no longer supports upgrading from PingFederate version 6.x and 7.x.

Info PingOne Fraud

The PingOne Fraud integration kit is no longer bundled with PingFederate.

Info

Ping Identity commits to deliver the best experience for administrators and users. As we continue to improve our products, we encourage you to migrate off of Microsoft Internet Explorer 11. Starting with PingFederate 11.0, Internet Explorer 11 is no longer included in the PingFederate qualification process for administrators or users. For a list of supported browsers, see System requirements.

Info

As of PingFederate 10.2, these features have been deprecated and will be removed in a future release.

Info

As Oracle ended its Premier Support for Oracle Directory Server Enterprise Edition (ODSEE 11g) in December 2019, we no longer include ODSEE as part of the PingFederate qualification process (starting with PingFederate 10.2). We continue to qualify against Oracle Unified Directory and other supported directory servers. For a full list, see System requirements.

Info

Starting with PingFederate 10.2, monitoring and reporting through the SNMP has been removed.

Info

Starting with PingFederate 10.1, roles and protocols are always enabled and no longer configurable through the administrative console and API.

Info

Starting with PingFederate 10.1, the S3_PING discovery protocol has been deprecated. Customers running on AWS infrastructure should instead use NATIVE_S3_PING.

Info

Starting with PingFederate 10.0, the Red Hat Enterprise Linux install script is no longer available. To install PingFederate 10.0 for Linux, you must download and extract the product distribution .zip file.

Improved PF-38898

We added the force.require.replication.data.on.startup parameter to the cluster-config-replication.conf file.

This parameter allows you to prevent an engine node from starting up without establishing a connection to the cluster.

Learn more in Cluster management.

Security PF-38742

We improved role-based access control (RBAC) for the administrative expression testing endpoint. Access to expression evaluation is now limited to appropriately privileged roles, ensuring alignment with intended administrative permissions.

Fixed PF-38442

We fixed a defect where front-channel logouts requests to /idp/startSLO.ping failed to send logout requests to relying party URIs.

Fixed PF-38903

We fixed a defect that prevented dynamic JWKS rotation timing from resetting after a node joined a cluster.

Fixed PF-38039

We’ve fixed a defect that could potentially allow a user to access an HTML browser sign-on page when the Authentication API redirectless mode is used.

Learn more in PingFederate unexpected template rendering in redirectless mode in the Ping Identity Support Knowledge Base.

Fixed PF-38043

We’ve fixed a defect where PingFederate could incorrectly lock user accounts during an LDAP connectivity failure with Active Directory. This fix applies to all LDAP datastore types except for Generic LDAP.

Fixed PF-35868

We’ve fixed a defect that caused multiple refresh token requests in short succession to result in JDBC data source deadlocks and duplicated data entry into the database.

This feature can cause significant performance issues if PingFederate or the JDBC data source has insufficient resources.

Fixed PF-37964

We’ve fixed a defect where a template variable incorrectly used the primary PingFederate base URL instead of the virtual hostname in some email notifications.

Fixed PF-38029

PingFederate now uses the Apache Commons BeanUtils library version 1.11.0 and Apache Commons Compress library version 1.26.

Fixed PF-37450

We’ve fixed a defect that caused the token endpoint to unnecessarily reissue an ID token when using a secondary client secret and an asymmetric algorithm for token signing and encryption.

Improved PF-37234

We’ve updated the behavior of the NATIVE_S3_PING discovery protocol when the remove_all_data_on_view_change parameter is active.

Previously, the protocol would delete all files in the S3 bucket, which could lead to the creation of an unwanted subcluster.

Now the protocol deletes all files except for its own to prevent the S3 bucket from being empty.

Learn more in Dynamic cluster discovery.

Fixed PF-36874

We’ve fixed a defect that caused PingFederate to lose user group membership information when it lost contact with the datastore during provisioning operations.

Fixed PF-37279

We’ve fixed a defect that caused the ID token claim to be omitted when an OAuth client uses the secondary secret.

Security PF-36304 PF-36311 PF-36313

We’ve fixed a security vulnerability where PingFederate accepted cross-site scripting inputs.

Fixed PF-36574

We’ve fixed a defect that caused the email verification screen to fail to appear when a user registered through an authentication source.

Fixed PF-36662

We’ve fixed a defect that caused an error in searching for OAuth Client for OAuth Client Set Authentication Selector when DynamoDB is the client storage.

Fixed PF-35867