PingFederate Server

PingFederate 13.0.2 (April 2026)

Resolved issues

OGNL code test

Security PF-38742

We improved role-based access control (RBAC) for the administrative expression testing endpoint. Access to expression evaluation is now limited to appropriately privileged roles, ensuring alignment with intended administrative permissions.

Fixed NPE when updating SP connection

Fixed PF-38508

We fixed a defect that caused a null pointer exception (NPE) when an SP connection was created or updated using the Admin API with the backchannel authentication inbound authentication type set to No Client Authentication and Require SSL enabled.

Log settings not applied on new engine nodes

Fixed PF-38627

We fixed a defect where log settings weren’t applied to newly joined engine nodes.

Response code for refresh token exchange failure with revoked user session

Fixed PF-38656

We fixed a defect that caused the exchange of a refresh token for an access token to fail with 500 Internal Server Error instead of 400 Bad Request when the user’s sessions had been revoked.

CIBA token request fails with LDAP persistent grant storage

Fixed PF-38706

We fixed a defect that caused CIBA token requests to fail when persistent grants were stored in an LDAP directory such as PingDirectory.

Admin API OAuth authentication failure

Fixed PF-38722

We fixed a defect that caused OAuth and JWT authentication through the Admin API to fail when the role attribute name parameter used the scope claim and that claim contained space-delimited values.