---
title: Upgrade considerations introduced in PingFederate 9.x
description: When integrating with Gemalto SafeNet Luna Network HSM 6 (hardware security module), PingFederate 9.2 requires firmware version of 6.3.0 and client driver version of 6.3. See Integrating with Thales Luna Network HSM for setup information.
component: pingfederate
version: 13.1
page_id: pingfederate:upgrading_pingfederate:pf_upgrade_considerations_introduced_pf_9x
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/upgrading_pingfederate/pf_upgrade_considerations_introduced_pf_9x.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 8, 2024
---

# Upgrade considerations introduced in PingFederate 9.x

* Gemalto SafeNet Luna HSM 6.3

  When integrating with Gemalto SafeNet Luna Network HSM 6 (hardware security module), PingFederate 9.2 requires firmware version 6.3.0 and client driver version 6.3. See [Integrating with Thales Luna Network HSM](../getting_started_with_pingfederate/pf_integrating_thales_luna_network_hsm.html) for setup information.

* Weaker cipher suites disabled

  Starting with PingFederate 9.1, the weaker cipher suites `TLS_RSA_WITH_AES_128_CBC_SHA` and `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA` are disabled in new installations and upgrades. As a result, the administrative and runtime servers support only TLS 1.2. If you must re-enable these cipher suites for legacy clients, refer to [Managing cipher suites](../administrators_reference_guide/pf_managing_cipher_suites.html) for more information.

* LDAP service accounts on PingDirectory

  If PingFederate 9.3.1 or newer has an LDAP connection with PingDirectory, then add the config-read privilege to its service account in PingDirectory. Otherwise, users will not receive password expiry notifications. Learn more in [Working with privileges](https://docs.pingidentity.com/pingdirectory/latest/managing_access_control/pd_ds_work_with_privileges.html) in the PingDirectory documentation.

* Improved validation for `AudienceRestriction`

  If an IdP connection is configured with multiple virtual server IDs, the `AudienceRestriction` value in a SAML response must now match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message. Otherwise the SSO attempt fails. To override this validation on a per-connection basis, see [Configuring validation for the AudienceRestriction element](../administrators_reference_guide/pf_config_validat_for_audiencerestric_element.html).
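  The check described above, as an added example that is not PingFederate's own code: derive the audience implied by the endpoint that received the message and require the SAML `AudienceRestriction` to carry it. The endpoint format (a `vsid` query parameter) and the `VSID_TO_AUDIENCE` table are assumptions made for the example.

  ```python
  """Validate that a SAML Response's AudienceRestriction matches the virtual
  server ID embedded in the receiving endpoint. Illustrative code only; the
  'vsid' query-parameter format and the mapping table below are assumptions."""
  from typing import List, Optional
  from urllib.parse import parse_qs, urlparse
  import xml.etree.ElementTree as ET

  NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

  # Assumed: the SP entity ID (audience) each virtual server ID stands for.
  VSID_TO_AUDIENCE = {
      "vs-a": "https://sp-a.example.com",
      "vs-b": "https://sp-b.example.com",
  }


  def expected_audience(endpoint_url: str) -> Optional[str]:
      """Audience a response arriving at endpoint_url must be restricted to."""
      vsid = parse_qs(urlparse(endpoint_url).query).get("vsid", [None])[0]
      return VSID_TO_AUDIENCE.get(vsid)


  def audiences_in(response_xml: str) -> List[str]:
      """All saml:Audience values under any AudienceRestriction in the response."""
      root = ET.fromstring(response_xml)
      path = ".//saml:AudienceRestriction/saml:Audience"
      return [a.text.strip() for a in root.iterfind(path, NS) if a.text]


  def audience_valid(response_xml: str, endpoint_url: str) -> bool:
      """True only if the endpoint maps to a known audience and the response names it."""
      expected = expected_audience(endpoint_url)
      if expected is None:
          return False  # unknown or missing vsid: fail closed
      return expected in audiences_in(response_xml)


  # Constructed sample response (not a captured message).
  SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Assertion>
      <saml:Conditions>
        <saml:AudienceRestriction>
          <saml:Audience>https://sp-a.example.com</saml:Audience>
        </saml:AudienceRestriction>
      </saml:Conditions>
    </saml:Assertion>
  </samlp:Response>"""
  ```

  A response bound for virtual server `vs-a` passes only at the `vs-a` endpoint; at the `vs-b` endpoint, or at an endpoint without a `vsid`, the same response is rejected.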

* Custom authentication selector

  If you have created a custom authentication selector that returns an IdP adapter instance ID or the connection ID of an IdP connection, you must update the associated descriptor instance. Learn more in [Updating the custom authentication selector](pf_migrate_other_componen.html#_updating_the_custom_authentication_selector).

* Provisioning datastore reset

  Upgrading to PingFederate 9.0 or 9.0.1 when using its outbound provisioning capability can result in user records being disabled at SaaS applications. The issue is resolved in version 9.0.2.

  If you are upgrading from version 8.4.4 or earlier, or from version 9.0.2, 9.0.3, or 9.0.4, to version 10.0, the upgrade process automatically resolves this issue. No further action is required.

  If you are upgrading from version 9.0 or 9.0.1 to PingFederate 10.0, you must use the `provmgr` command-line tool to reset the provisioning datastore on the upgraded installation. See [Reviewing database changes](pf_review_database_change.html) for more information.

* Security enhancement in JDBC datastore queries

  A security enhancement was made in PingFederate 9.0 to safeguard JDBC datastore queries against back-end SQL injection attacks. This protection is enabled for all new installations. For upgrades, see [Reviewing database changes](pf_review_database_change.html).

* Access token validation response

  Starting with PingFederate 9.2, the access token validation response no longer includes the username and subject elements by default. Responses include them only if they were mapped in the issuing access token management instance.
