PingFederate 12.3.4 (December 2025)

Resolved issues

URL validation for `RelayState`

Fixed PF-38028

We’ve fixed a defect where PingFederate would reject requests with valid, non-encoded relay state values.

LDAP account lockout

Fixed PF-38043

We’ve fixed a defect where PingFederate could incorrectly lock user accounts during an LDAP connectivity failure with Active Directory. This applies to all LDAP datastore types except for Generic LDAP.

Cluster Management message fix

Fixed PF-38116

We’ve fixed a defect where Cluster Management would present an incorrect success message although the replication failed.

`$adapterId` population issue

Fixed PF-38146

We’ve fixed a defect where the $adapterId variable wasn’t being populated in templates accessed through direct links for the HTML Form Adapter’s Change Password and Forgot Password flows.

Corrected null `SaasGuid`

Fixed PF-38244

We’ve fixed a provisioning defect where disabled users weren’t provisioned after their account was enabled and the Provision Disabled Users setting was set to false.

`X-Forward-For` IP

Fixed PF-38251

We’ve fixed a defect where the X-Forward-For IP wasn’t logged correctly in the admin.log.

Kerberos Adapter redirect URL

Fixed PF-38328

We’ve fixed a defect where the Kerberos Adapter failed to authenticate when a context path is configured.

JWT Admin AI authentication misconfiguration

Fixed PF-38336

We’ve fixed a defect that caused PingFederate to crash or shut down when attempting to access the Admin API with a misconfigured JSON Web Token (JWT) authentication setup.

Administrative API authentication fix

Fixed PF-38393

We’ve fixed a defect that allowed Basic Authentication to access the Administrative API, even when it was disabled in the pf.admin.api.authentication property.

`pi.flow` `response_mode` fix

Fixed PF-38417

We’ve fixed a defect where setting response_mode to pi.flow in Pushed Authorization Requests (PAR) or standard request objects resulted in an INVALID_REQUEST error.

PingFederate Server