PingFederate Server

PingFederate 12.3.3 (October 2025)

Resolved issues

TLS 1.3 support for Oracle Java 21

Info PF-37849

We’ve added support for TLS 1.3 for Oracle Java 21 with Thales and Entrust HSMs.

Forgot password flow failure

Fixed PF-37918

We’ve fixed a defect that caused the forgot password flow to fail when reCAPTCHA is enabled and the flow is initiated using the Enter key rather than a mouse click.

Virtual hostname accuracy in email notifications

Fixed PF-37964

We’ve fixed a defect where a template variable incorrectly used the primary PingFederate base URL instead of the virtual host name in some email notifications.

New device speed bump parameter default

Fixed PF-38040

We’ve fixed a defect where the show-speed-bump-for-new-devices parameter in the org.sourceid.servlet.filter.SimultaneousAuthnRequestCheckingFilter.xml file was set to true instead of false by default.

The new behavior enables show-speed-bump-for-new-devices by default for new installs but disables it by default for upgrades if the source version doesn’t have the parameter configured.

IdP Adapter duplicate attribute sources

Fixed PF-38060

We’ve fixed a defect that caused IdP adapters to duplicate attribute sources when an SP connection was updated using the Admin API.

HTML flow login and Authentication API

Fixed PF-38039

We’ve fixed a defect that could allow a user to access an HTML browser sign-on page when the Authentication API redirectless mode is used.

Learn more in "PingFederate unexpected template rendering in redirectless mode" in the Ping Identity Support Knowledge Base.

Known issues and limitations

HSMs

Issue

AWS CloudHSM

  • It is not possible to use an elliptic curve (EC) certificate as an SSL server certificate.

  • When creating an EC certificate with a signatureAlgorithm smaller than the keySize value, a 500 Server error occurs. For example, a signatureAlgorithm of SHA256withECDSA with a keySize of 384 results in an error. Learn more in the CloudHSM documentation: ECDSA signing fails with "invalid mechanism" error starting with SDK 5.16.

  • TLS 1.3 is not currently supported with Oracle JDK 11, 17, or 21.

Thales HSMs

  • JWT token decryption using ECDH-ES may fail. This issue only arises if PingFederate is configured with static OAuth and OpenID Connect keys, a static key is stored on the HSM, and PingFederate is consuming a token encrypted with this key.

  • It is not possible to use an EC certificate as an SSL server certificate.

  • TLS 1.3 isn’t currently supported with Oracle JDK 11 or 17.

Entrust HSMs

  • JWT token decryption using ECDH-ES may fail. This issue only arises if PingFederate is configured with static OAuth and OpenID Connect keys, a static key is stored on the HSM, and PingFederate is consuming a token encrypted with this key.

  • It is not possible to import a PKCS12- or PEM-formatted EC certificate.

  • It is not possible to use an EC certificate as an SSL server certificate.

  • TLS 1.3 isn’t currently supported with Oracle JDK 11 or 17.