Upgrade considerations
The following modifications since PingFederate 12.0 might affect existing deployments.
- Resource indicators for OAuth 2.0

Starting with PingFederate 12.1, we’ve added support for the resource parameter to allow clients to indicate the protected resources to which the client is requesting access. If the incoming authorization or token request includes resource parameter(s), then you must add the resource(s) to the Resource URIs within an Access Token Manager. Otherwise, the authorization or token request will result in an error. Learn more in Managing resource URIs.
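As an added illustration of the check described above (example code, not PingFederate's own), a token request carrying resource indicators is matched against an Access Token Manager's Resource URIs; the ATM URIs and request bodies are constructed samples, and exact-string matching plus the invalid_target error code (from RFC 8707, where this page says only "an error") are assumptions:

```python
"""Added example (not PingFederate's code): how resource indicator(s) on an
OAuth 2.0 token request are checked against the Resource URIs configured on
an Access Token Manager (ATM). Exact-string matching is assumed; the error
code invalid_target is the one RFC 8707 defines."""
from __future__ import annotations
from urllib.parse import parse_qs, urlsplit

# Constructed sample: Resource URIs configured on one ATM.
ATM_RESOURCE_URIS = {
    "https://api.example.com/orders",
    "https://api.example.com/inventory",
}


def is_valid_resource_indicator(value: str) -> bool:
    """RFC 8707: the value must be an absolute URI without a fragment."""
    parts = urlsplit(value)
    return bool(parts.scheme) and bool(parts.netloc) and parts.fragment == ""


def check_token_request(body: str, configured: set[str]) -> tuple[str | None, list[str]]:
    """Validate the resource parameter(s) of a form-encoded token request.

    Returns (None, resources) when every requested resource is known to the
    ATM, or (error_code, offending_values) when the request must be rejected.
    The parameter may legitimately repeat, so the parse_qs lists are kept.
    """
    params = parse_qs(body, keep_blank_values=True)
    requested = params.get("resource", [])
    if not requested:
        return None, []  # no indicator sent: nothing to match, request proceeds
    malformed = [r for r in requested if not is_valid_resource_indicator(r)]
    if malformed:
        return "invalid_target", malformed  # relative URI, empty value or #fragment
    unknown = [r for r in requested if r not in configured]
    if unknown:
        # Upgrade action: these values must be added to the ATM's Resource URIs.
        return "invalid_target", unknown
    return None, requested
```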
- Persist users’ consent decision when revoking refresh_token

Starting with PingFederate 12.0, you can configure your authorization server settings for OAuth and OpenID Connect (OIDC) users so that their decisions to grant access can be persisted after a refresh_token is revoked.

If you have a custom implementation of the AccessGrantManager interface, you need to add the new methods:
  - Required: void updateExpiry(AccessGrant accessGrant)
  - Optional: Collection<AccessGrant> getByUserKeyClientIdGrantType(String userKey, String clientId, String grantType)

If you don’t implement these changes, PingFederate will use existing methods in the AccessGrantManager interface to perform the same lookup with additional filtering.

When you enable this feature, PingFederate creates more records in the external datastore used for Access Grants. It will not necessarily generate more data, because OAuth consent records don’t retain the same information as access grants.

You must manually add the newly-added index to your existing Access Grant external datastore:
  - JDBC (for all supported JDBC types): Create a new index UNIQUEUSERIDCLIENTIDGRANTTYPEIDX. You can find the create index command in the table-setup scripts for your database server provided in the <pf_install>/pingfederate/server/default/conf/access-grant/sql-scripts directory.
  - LDAP: For PingDirectory, create a new index accessGrantGrantType and rebuild your index.
- Alert and report when approaching maxThreads

Starting with PingFederate 12.0, you can configure your runtime notifications to alert you when the number of threads in use exceeds a set threshold. You can also use this feature to initiate and log a thread dump event that you can use for troubleshooting.

If you’re using a customized log4j.xml file, add the following to your list of Appenders:

```xml
<!-- Thread Pool Exhaustion thread dump log : A size based file rolling appender -->
<RollingFile name="ThreadDumpAppender"
             fileName="${sys:pf.log.dir}/thread-pool-exhaustion-dump.log"
             filePattern="${sys:pf.log.dir}/thread-pool-exhaustion-dump.log.%i"
             ignoreExceptions="false">
    <PatternLayout>
        <!-- Uncomment this if you want to use UTF-8 encoding instead of system's default encoding.
        <charset>UTF-8</charset>
        -->
        <pattern>%d %m%n</pattern>
    </PatternLayout>
    <Policies>
        <SizeBasedTriggeringPolicy size="10000 KB" />
    </Policies>
    <DefaultRolloverStrategy max="5" />
</RollingFile>
```

Also add the following to your list of Loggers:

```xml
<AsyncLogger name="ThreadDumpLogger" level="INFO" additivity="false" includeLocation="false">
    <appender-ref ref="ThreadDumpAppender" />
</AsyncLogger>
```
- PingID properties file encrypted

From RADIUS PCV 3.0.4 and later, the PingID properties file is encrypted after it is uploaded to PingFederate.

If you are upgrading from an earlier version, to ensure the properties file is encrypted, you need to upload it to the PingID RADIUS PCV instance in PingFederate.
- Skip redirect to authentication application if no action is required

Starting with PingFederate 12.0, API-capable IdP adapters can now prevent a redirect to the authentication application if no user interaction is required.

If the adapter determines that no authentication action is required, for example when a request parameter is being passed, or because the adapter maintains a valid session, PingFederate will skip the redirect to the authentication application.

This capability is implemented in the HTML Form Adapter and the Identifier First Adapter, and is also available for custom adapters using the TRY_LOOKUP_AUTHN metadata key and input parameter.

- Prevent JGroups thread pool exhaustion in large clusters

Starting with PingFederate 12.0, the default value of pf.cluster.TCPPING.return_entire_cache in jgroups.properties is false on fresh installations of PingFederate. Setting pf.cluster.TCPPING.return_entire_cache to false avoids an issue where the thread pool for cluster RPCs temporarily runs out of threads and some RPCs get dropped. This issue only occurs in large clusters under heavy load. Setting pf.cluster.TCPPING.return_entire_cache to false means that all cluster members must be listed in pf.cluster.tcp.discovery.initial.hosts.

On upgrade, the existing value of pf.cluster.TCPPING.return_entire_cache is preserved, but customers using TCPPING with large clusters should set it to false, provided that all cluster members are listed in pf.cluster.tcp.discovery.initial.hosts.

- Removed support for Java 8

Starting with version 12.0, PingFederate no longer supports Java 8. Use Java 11 or Java 17 instead.
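A pre-upgrade check for the JGroups TCPPING item above, added here as an example and not part of PingFederate: it flags a jgroups.properties file where return_entire_cache is false but a cluster member is missing from initial.hosts. The file contents are a constructed sample, and the host[port],host[port] format of initial.hosts is assumed from the JGroups TCPPING convention.

```python
"""Added example (not PingFederate's code): lint jgroups.properties for the
12.0 TCPPING change. When pf.cluster.TCPPING.return_entire_cache is false,
every cluster member must appear in pf.cluster.tcp.discovery.initial.hosts.
Assumption: initial.hosts uses the JGroups TCPPING form host[port],host[port]."""
from __future__ import annotations
import re

# Constructed sample: an upgraded three-node cluster whose static list is one node short.
SAMPLE_PROPERTIES = """\
# cluster discovery settings (constructed sample)
pf.cluster.TCPPING.return_entire_cache=false
pf.cluster.tcp.discovery.initial.hosts=pf-engine-1[7600],pf-engine-2[7600]
"""

HOST_RE = re.compile(r"([^\[,\s]+)\[(\d+)\]")  # host[port] entries in initial.hosts


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#' and '!' comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def lint_tcpping(text: str, cluster_members: list[str]) -> list[str]:
    """Return findings for the TCPPING settings; an empty list means consistent."""
    props = parse_properties(text)
    return_entire_cache = props.get("pf.cluster.TCPPING.return_entire_cache", "").lower()
    listed = {m.group(1) for m in HOST_RE.finditer(
        props.get("pf.cluster.tcp.discovery.initial.hosts", ""))}
    missing = sorted(set(cluster_members) - listed)
    findings: list[str] = []
    if missing:
        # With return_entire_cache=false, discovery relies on the static list alone,
        # so an unlisted node cannot join; with the old value it is only a warning.
        severity = "ERROR" if return_entire_cache == "false" else "WARN"
        findings.append(f"{severity}: initial.hosts lacks {', '.join(missing)}")
    if return_entire_cache != "false" and not missing:
        # Upgrades keep the pre-12.0 value; once every member is listed, false is safe.
        findings.append("INFO: all members listed; set return_entire_cache=false")
    return findings
```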
- Categories for verbose log settings

Starting with PingFederate 12.0, some information has been moved from the Core log category to the new Protocol Requests and Responses log category. Learn more in Log settings.
- Properties in start.ini moved to run.properties

Starting with PingFederate 12.0, the properties previously in the start.ini file are now in the run.properties file to facilitate future upgrades of those properties.

- Default port range in tcp.xml

Starting with PingFederate 12.0, the default port range in the tcp.xml file has been changed from 10 to 0. As a result, PingFederate will only listen on the configured pf.cluster.bind.port and will fail to start up if that port is in use.

- OpenID Connect Front-Channel Logout

Starting with version 12.0, PingFederate supports OpenID Connect Front-Channel Logout. For this feature to work correctly, if the value for the exclude-patterns item in the X-Frame-Options map in <pf_install>/pingfederate/server/default/data/config-store/response-header-runtime-config.xml has been edited, then you must add /fc-logout.openid;/resume/sp/fc-logout.ping to the exclude-patterns item.

- SAML IdP Discovery and SAML AP Affiliations

As of PingFederate 12.0, the SAML IdP Discovery and SAML AP Affiliations features have been deprecated, and will be removed in a future release.
- Text Message SSPR

Starting with PingFederate 12.0, text message self-service password reset (SSPR) has been removed.

- SAML SP connection configuration

Existing SAML SP connections that rely on multiple session states in a single transaction will be affected by new session state validation measures introduced in PingFederate 11.2.5 and 11.3 under PF-33168. Learn more in PingFederate 11.3 (June 2023).

You can find more information about how to diagnose and resolve issues caused by this update in Solicited SAML Response Validation in the Ping Identity Support Portal.

- Upgrade from PingFederate 6.x and 7.x

Starting with version 12.0, PingFederate no longer supports upgrading from PingFederate 6.x or 7.x.