PingFederate 13.0 (December 2025)

New PF-37270

We’ve added a feature that lets you use group Managed Service Account (gMSA) credentials in Kerberos realms when running PingFederate on Windows.

With this feature, you can let Active Directory automatically rotate your client password so you don’t have to manage it.

Learn more in Configuring a secret manager for Windows gMSA.

New PF-37374

We’ve added a feature that allows you to set an expiration time for verbose logging.

This feature is disabled by default, but you can enable it by configuring the log4j-categories-settings.conf file.

Learn more in Enabling verbose logging lifetime expiration.

New PF-37671

We’ve added a feature that allows external scope storage using AWS DynamoDB.

This allows administrators to manage a large volume of scopes without replicating for every scope modification.

Learn more in Configuring external databases for scope storage.

New PF-37684

We’ve added a feature that automatically replicates changes to log settings to cluster servers. This feature is enabled by default, but you can disable it from the Cluster Management page.

This feature makes it easier to change log settings across your cluster without running a full replication cycle.

Learn more in Cluster management.

New PF-37691 PF-38064 PF-38065

We’ve added support for connecting PingFederate to Redis.

PingFederate stores short-lived data in a Redis cache to improve resiliency and scalability. It also eases upgrades in clustered environments. PingFederate currently supports storing the following data in Redis:

Learn more in Storing PingFederate data with Redis

New PF-37693

We’ve added a feature that allows you to add custom audience values for OAuth clients.

You can use this feature to migrate clients from your existing issuer into PingFederate.

Learn more in Migrating external OAuth clients into PingFederate.

New PF-37847

We’ve added a feature that allows the PingFederate User Count Utility (UCU) to parse JSON logs.

Learn more in PingFederate User Count Utility in the Ping Identity Support Knowledge Base.

New PF-37909

PingFederate now supports plugins with client-side authenticator functionality.

Client-side authenticators enable PingFederate to leverage authentication methods executed directly by the user’s browser or operating system, allowing for stronger, often passwordless, authentication flows.

Learn more in HTML Form Adapter advanced fields and Configuring an Identifier First Adapter instance.

New PF-38051

We’ve added the ability to perform distributed tracing for inbound and outbound requests to the PingFederate server.

This feature simplifies troubleshooting by giving you better observability of server processing across request workflows.

Learn more in Distributed tracing.

New PF-38062

We’ve added a feature that allows you to configure time-to-live (TTL) settings in PingDS to remove expired data from your directory server.

Learn more in Managing expired persistent grants in PingDS.

New PF-38063

We’ve added a feature that lets you determine how incoming errors are handled before they’re relayed to the requesting application or partner.

Learn more in Overriding error handling in an IdP connection.

New PF-38082

We’ve added support for storing authentication sessions on a PingDS server.

This update makes it easier to integrate your PingFederate and PingDS deployments.

Learn more in Defining a datastore for persistent authentication sessions.

New PF-38114

We’ve added support for the OIDC response_type=none.

This enables clients to request a grant of access from the Authorization Server without requiring the issuance of any tokens or security credentials.

Learn more in None Response Type in the OIDC specification.

New PF-38120

We’ve added a feature that allows you to access additional parameters of an OIDC-enabled IdP’s token endpoint response.

You can use the Token Endpoint Response context values when creating attribute mappings or issuance criteria in OIDC-enabled IdP connections.

Learn more in Configuring target session fulfillment.

Improved PF-37011

Bulkhead warning emails now include the IP address and cluster index of the engine node that triggered the bulkhead.

Improved PF-37547

We’ve improved Jetty thread pool management so that PingFederate no longer creates unnecessary thread pools. The number of threads allocated to unused servers now depends on the operational mode.

Improved PF-38033

The policy list is now sorted alphabetically by name in both the OAuth Client and Client Settings configurations.

Improved PF-38269

The cacheExpirySecs attribute is now exposed by default in the DynamoDB scope manager configuration file.

Learn more in Configuring external databases for scope storage.

Improved PF-38118

We’ve added a feature that allows multiple email addresses for administrative console runtime notification email fields.

This update affects several notification features, such as runtime notifications and licensing events.

Improved

The PingFederate 13.0 documentation has been completely restructured to help customers get up and running faster, improve the overall flow, and make it easier to find information. This is an ongoing effort which will continue after the initial 13.0 release.

info PF-5069

We’ve upgraded the internal Jersey library to version 2.

This change will require you to upgrade some plugins. Learn more in Upgrade considerations.

info PF-36674

We’ve upgraded the Jetty library to version 12.0.

Info PF-37100

We’ve upgraded the log4j2 dependencies to version 2.25.1.

Info PF-37775

We’ve upgraded Apache commons-lang to version 2.6-p1 and commons-lang3 to version 3.18.0 to continue alignment with maintained upstream dependencies.

Info PF-37849

We’ve added support for TLS 1.3 for Oracle Java 21 with Thales and Entrust HSMs.

Info PF-37943

We’ve upgraded Bouncy Castle to version 2.0.1. This version is certified to operate in Federal Information Processing Standards (FIPS) mode 140-3.

Info PF-38045

We’ve qualified PingFederate for use with Amazon Aurora MySQL version 3.10 (compatible with MySQL 8.0.42).

Info PF-38048

We’ve qualified PingFederate for use with PostgreSQL version 18.0.

Info PF-38053

We’ve qualified PingFederate for use with Oracle MySQL version 8.4. This version has an updated database driver. Learn more in Compatible database drivers.

Info PF-38250

We’ve upgraded the Apache commons-net version to 3.12.0 to continue alignment with maintained upstream dependencies.

Security PF-36848

We’ve fixed a security vulnerability in the admin console where passwords entered for certificate and key management were visible when navigating back to the previous page. Password fields are now masked.

Security PF-33113

We’ve fixed a security vulnerability that could have allowed malicious parties to extract PingFederate administrative console IP addresses using HTTP Response headers.

Security PF-36426

After a successful PingFederate administrative password change, all other active concurrent sessions for that administrative account are now immediately invalidated, enhancing security and requiring reauthentication with the new credentials.

Security PF-37460

We’ve upgraded jackson-core to version 2.20.0 to continue alignment with maintained upstream dependencies and remove potential security vulnerabilities.

Security PF-37460

We’ve fixed a security vulnerability that could have allowed malicious parties to redirect PingFederate admin console traffic using a spoofed Host header.

Security PF-37902

We’ve corrected a security regression in the HTML Form Adapter to ensure that password credentials are cleared from the browser immediately after form submission, mitigating a risk of residual exposure in the browser’s memory.

Security PF-38044

PingFederate now prevents user enumeration in the Policy mode Password Reset flow by eliminating the observable difference between valid and invalid usernames.

Security PF-38245

We’ve upgraded jakarta.mail to 1.6.8 to continue alignment with maintained upstream dependencies.

Fixed PF-25517

We’ve fixed a defect in several default template files where the language locale wasn’t retrieved correctly.

Fixed PF-35123

We’ve added private key JWT authentication support for Microsoft Azure AD as an OIDC provider.

Fixed PF-37156

We’ve fixed a defect that caused failed AWS CloudHSM certificate linking to appear to succeed when the key alias was a value that was previously used in the environment.

Fixed PF-37634

We’ve fixed a defect in the Client Settings menu where removing scopes using the search bar could result in removing the wrong scope.

Fixed PF-37688

We’ve fixed a defect where JARM responses with an error parameter caused PingFederate to return a 500 error. It now returns a 200 response with the appropriate error page.

Fixed PF-36953

We’ve fixed a defect in Authentication Policy Fragments where input contract values and tracked parameters were missing from the Data Store Filter configuration page when setting up an Attribute Source & User Lookup for a local identity mapping.

Fixed PF-37405

We’ve fixed a defect that caused JSON objects using OGNL expressions included in JWT request objects sent to the OIDC provider in OIDC IdP connections not to be serialized properly.

Fixed PF-37696

We’ve fixed a defect where unnecessary Jetty log warnings appeared after upgrading to new PingFederate versions.

Fixed PF-37716

We’ve fixed a defect that caused an error in PingFederate when configuring an access token manager if the administrative node (ATM) isn’t the coordinator node.

Fixed PF-37722

We’ve fixed a defect where PingFederate returned an incorrect error when a refresh token was used by a different client after the original client was deleted.

Fixed PF-37732

We’ve fixed a terminology inconsistency in the PingFederate UI and changed Data-Store to Data Store in General settings.

Fixed PF-37743

We’ve fixed a defect that omitted the authorization_details parameter from the access token if the value was an empty array.

Fixed PF-37793

PingFederate now always includes the SNI extension in the ClientHello message during a TLS handshake when running in BCFIPS mode.

Fixed PF-37794

We’ve fixed a defect where PingFederate was refusing wildcard TLS certificates when running in BCFIPS mode.

Fixed PF-37798

We’ve fixed a defect that caused lengthy stacktrace data to be included in ERROR level logging for Kerberos errors.

Fixed PF-37816

We’ve fixed a defect where a race condition could cause the PingFailoverAppender to get stuck in a failed state without switching back to its primary appender.

Fixed PF-37818

We’ve fixed a defect where PingFederate incorrectly accepted DPoP proof JWTs with a future iat value.

Fixed PF-37819

We’ve fixed an issue that could cause ClassNotFoundException on the admin console.

Fixed PF-37841

We’ve added JWT as an authentication method for the admin API during upgrade utility validation.

Fixed PF-37846

We’ve removed an unused file associated with the PingOne Advanced Identity Cloud DevOps deployment that was mistakenly included in the PingFederate Server .zip archive.

Fixed PF-37918

We’ve fixed a defect that caused the forgot password flow to fail when reCAPTCHA is enabled and the flow is initiated using the Enter key rather than a mouse click.

Fixed PF-37942

We’ve fixed a defect where overriding the reset password message in a Password Credential Validator incorrectly returned a generic VALIDATION_ERROR during the redirectless flow, preventing users who are required to change their password from receiving the necessary MUST_CHANGE_PASSWORD status and associated _links.

Fixed PF-37952 PF-37953

Logging for IdP connections now includes greater detail when handling invalid state parameters and failing PAR requests.

Fixed PF-37964

We’ve fixed a defect where a template variable incorrectly used the primary PingFederate base URL instead of the virtual hostname in some email notifications.

Fixed PF-38028

We’ve fixed a defect where PingFederate would reject requests with valid, non-encoded relay state values.

Fixed PF-38039

We’ve fixed a defect that could potentially allow a user to access an HTML browser sign-on page when the Authentication API redirectless mode is used.

Learn more in PingFederate unexpected template rendering in redirectless mode in the Ping Identity Support Knowledge Base.

Fixed PF-38040

We’ve fixed a defect where the show-speed-bump-for-new-devices parameter in the org.sourceid.servlet.filter.SimultaneousAuthnRequestCheckingFilter.xml file was set to true instead of false by default.

The new behavior enables show-speed-bump-for-new-devices by default for new installs, but disables it by default for upgrades, if the source version doesn’t have the parameter configured.

Fixed PF-38043

We’ve fixed a defect where PingFederate could incorrectly lock user accounts during an LDAP connectivity failure with Active Directory. This applies to all LDAP datastore types except for Generic LDAP.

Fixed PF-38052

When PingFederate is configured to expect a JARM-secured JWT response from an IdP, it enforces this requirement by failing the transaction if a plain response is received instead, and logs the details for administrator investigation.

Fixed PF-38060

We’ve fixed a defect that caused IdP adapters to duplicate attribute sources when an SP connection was updated using the Admin API.

Fixed PF-38116

We’ve fixed a defect where Cluster Management would present an incorrect success message although the replication failed.

Fixed PF-38123

We’ve fixed a defect in SAML audit logging by making sure that entries recorded for "Invalid signature" failures now correctly include the associated Connection ID.

Fixed PF-38146

We’ve fixed a defect where the $adapterId variable wasn’t being populated in templates accessed through direct links for the HTML Form Adapter’s Change Password and Forgot Password flows.

Fixed PF-38210

We’ve added trace logging to the RP-initiated logout endpoint to explicitly detail session and token claims, allowing administrators to pinpoint why the logout confirmation page isn’t bypassed despite successful id_token_hint validation.

Fixed PF-38243

We’ve added stricter validation during server startup so that PingFederate immediately halts the boot process and logs an error if an invalid or unrecognized value is detected for the pf.hsm.mode property in run.properties.

Fixed PF-38244

We’ve fixed a provisioning defect where disabled users weren’t provisioned once their account was enabled and the Provision Disabled Users setting was set to false.

Fixed PF-38251

We’ve fixed a defect where the X-Forward-For IP wasn’t logged correctly in the admin.log.

Fixed PF-38284

We’ve fixed a Tapestry error that was incorrectly logged during startup for the SCIM 2.0 Inbound Provisioning component, even when the feature wasn’t enabled or configured.

Fixed PF-38328

We’ve fixed a defect where the Kerberos Adapter failed to authenticate when a context path is configured.

Fixed PF-38393

We’ve fixed a defect that allowed Basic Authentication to access the Administrative API, even when it was disabled in the pf.admin.api.authentication property.

Fixed PF-38468

We’ve fixed a defect where the /as/introspect.oauth2 endpoint incorrectly returned a 500 Internal Server Error instead of the expected 400 Bad Request when the token parameter contained an invalid character like %.

Issue PF-36573

PingFederate returns an unexpected error when you create an instance of the PingOne Verify Integration Kit version 2.2.2 in PingFederate with the Verify feature in PingOne disabled.

Issue PF-35772

Due to multiple vendors' recent browser versions that block third-party cookies, you might experience issues related to single logout with OIDC (via Front-Channel) and WS-Federation.

Refer to browsers' documentation regarding third-party cookie management to unblock them, if feasible.

Issue PF-35643

When you promote a passive admin console to active, the UI doesn’t refresh until you perform an action.

Issue PF-35439

When you make configuration changes on the active console (especially large configuration changes like bulk imports or data archive imports), then promote a passive console to active, it can cause multiple consoles to be active at once. This can result in inconsistent configurations.

Learn how to resolve this issue in Resolving multiple active administrative nodes.

Issue

Issue

PingFederate’s TLS cipher suites can be customized by modifying com.pingidentity.crypto.SunJCEManager.xml (or a similarly-named file if BCFIPS or an HSM is configured). After updating the file and replicating, all cluster nodes must be restarted for the change to take effect.

Issue

Issue

AWS CloudHSM

Thales HSMs

Entrust HSMs

Issue

Issue

SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.

Issue

Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.

Issue

PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.

Although it’s possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage, we recommend not doing so to avoid potential record migration issues.

Issue

Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.

Issue

Issue

Issue

Issue

The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.

Issue

When deploying PingFederate with a forward proxy, plugins based on the AWS SDK, such as the Amazon SNS Notification Publisher, will only honor the http.proxyHost, http.proxyPort, http.proxyUser, and http.proxyPassword properties in run.properties. The plugin will rely on these properties even if the service URL is https.