PingFederate Server

PingFederate 12.3.1 (August 2025)

New features and enhancements

Apache version upgrade

New PF-37674

We’ve upgraded the Apache commons-fileupload version to 1.6.0.

Resolved issues

Admin console IP exposure

Security PF-33113

We’ve fixed a security vulnerability that could have allowed malicious parties to extract the PingFederate administrative console’s IP address through HTTP Response headers.

Host header redirect

Security PF-37460

We’ve fixed a security vulnerability that could have allowed malicious parties to redirect PingFederate admin console traffic using a spoofed Host header.

PingDirectory PCV error messaging

Fixed PF-37452

We’ve fixed a defect where disabling PingDirectory Detailed Password Policy Requirement Messaging caused password validation errors to not show up in the Authn API.

Firefox Kerberos negotiation

Fixed PF-37559

We’ve fixed a defect that caused Kerberos negotiations to fail with Firefox after the initial exchange.

CSD error in BCFIPS mode

Fixed PF-37667

We’ve fixed a defect that caused an error in the CSD when running in BCFIPS mode.

IdP connection Admin API error

Fixed PF-37670

We’ve fixed a defect that caused a failure when creating or updating an IdP connection with the CLAIMS source type in JIT provisioning user attribute mapping using the Administrative API.

Admin console and API alignment

Fixed PF-37673

We’ve fixed a defect where the Admin Console allowed configuring an IdP connection without a client secret, but the Admin API returned an error. The Admin API no longer returns an error in this case.

JARM response with error parameter

Fixed PF-37688

We’ve fixed a defect where JARM responses with an error parameter caused PingFederate to return a 500 error. It now returns a 200 response with the appropriate error page.

ATM configuration error

Fixed PF-37716

We’ve fixed a defect that caused an error in PingFederate when configuring an access token manager (ATM) if the administrative node isn’t the coordinator node.

Write Users attributes causing validation failures

Fixed PF-37776

We’ve fixed a defect where certain SCIM attribute mappings were incorrectly causing validation failures when updating IdP connections through the Admin API.

SNI extension error in BCFIPS mode

Fixed PF-37793

PingFederate now always includes the SNI extension in the ClientHello message during a TLS handshake when running in BCFIPS mode.

Wildcard TLS certificate error in BCFIPS mode

Fixed PF-37794

We’ve fixed a defect where PingFederate was refusing wildcard TLS certificates when running in BCFIPS mode.