PingOne Release Notes
Review release notes for the PingOne Cloud Platform and PingOne Services.
December 2024
December 16
Device Authorization app restored to PingID policy
Fixed STAGING-25145 PingOne
For PingID accounts that are integrated with PingOne environments, we’ve fixed an issue in the legacy PingID admin portal that was preventing the Device Authorization app from showing in the PingID policy applications list.
December 10
Population alternative identifiers and theme
New PingOne
We’ve added the ability to configure Alternative Identifiers for Populations, making it easier to determine a user’s population based on an identifier value in a DaVinci flow. Additionally, populations can now specify a Theme, making it easier to determine the preferred branding for a user when building authentication experiences in PingOne DaVinci. Learn more in Managing populations.
Add custom attributes from Workday into PingOne
New PingOne
You can add custom attributes from Workday into PingOne. Learn more in Creating a Workday Integration System with a Field Override Service, Adding Workday Integration System IDs to PingOne, and Syncing custom attributes from Workday into PingOne.
December 9
Define the user presence timeout for FIDO devices
Improved PingOne MFA
You can now define a user presence timeout value for FIDO2 devices. The User Presence Timeout field defines the amount of time the user has to perform a user presence gesture with their FIDO device before the request expires. Learn more in Adding a FIDO policy.
November 2024
November 20
Added Active Directory compatibility to the Reset Password capability
Improved PingOne
The Reset Password capability in the DaVinci LDAP connector is now compatible with Active Directory. Learn more in LDAP Connector.
November 19
User demographic dashboard
New PingOne
The User demographic dashboard shows a summary of user demographic profiles and activity for the selected environment. Learn more in User demographic dashboard.
November 18
Simplified OIDC application configuration and integration
New PingOne
We’ve enhanced the application configuration process for OpenID Connect (OIDC) applications. The new Integrate tab provides access to prefilled code examples, instructions, and sample apps for testing connections. Initial support is available for Node.js Express and the Ping SDK for JavaScript. Learn more in Integrate PingOne with a Node.js Express app or Integrate Ping SDK for JavaScript with PingOne.
November 14
Manually approve a user’s ID
Improved PingOne Verify
You can now manually approve a user’s ID from the transaction log. Learn more in Manually approving a user’s ID.
November 13
Specifying authentication policy for SAML applications using flowPolicyId
New PingOne
PingOne now supports using the flowPolicyId HTTP request parameter to indicate the authentication policy for PingOne to use when authenticating users to a SAML application. You can include the flowPolicyId HTTP request parameter in the Initiate Single Sign-On URL to specify a PingOne authentication policy or a DaVinci flow policy. Learn more in Editing an application - SAML.
Amazon API Gateway integration kit retries for client network errors
New PingOne Authorize
We’ve added a retry mechanism to improve the handling of client network errors caused by connection resets. Use the maxRetries setting in config.js to set the maximum number of retries you want before returning a failed response to the client. The default is 1. Learn more in Configuring Amazon API Gateway for PingOne Authorize integration.
November 12
Language localization
New PingOne Verify
Use language localization to configure one or more languages and modify the PingOne Verify text that is presented to end users in notifications and agreements. Learn more in Configuring PingOne Verify language localization.
November 11
Deletion of staging policies when promoting to production
New PingOne Protect
When you promote a staging policy to production, the staging policy will now be automatically deleted from your list of risk policies. You can no longer unlink PingOne Protect staging policies from a production policy. Learn more in Creating and managing staging policies.
November 6
PingOne Protect (Signals) SDK - new versions
New PingOne Protect SDK
We’ve released new versions of the PingOne Protect (Signals) SDK:
- iOS - 5.2.8
- Android - 5.1.5
- Web - 5.4.0
You can find details in the SDK Changelog.
November 5
Support for offline_access scope in OIDC applications
New PingOne
PingOne now supports the offline_access scope for OIDC-based applications. Add offline_access as an allowed scope to enable an application to use the Refresh Token grant type to access previously approved resources when the user is not present and on a per-request basis. This allows the application to drive the decision to request a refresh token based on whether or not it needs a refresh token. Learn more in Editing an application.
October 2024
October 31
Optional sequential character password restrictions added
Improved PingOne
To provide more opportunities to enhance password security, we’ve added options for restricting the use of sequential characters in user passwords. Enforce one or more of these restrictions for your users by adding them to your password policies. Learn more in Password policies.
October 29
SSO into PingOne Advanced Identity Cloud
New PingOne
You can now set up single sign-on (SSO) from the PingOne admin console into PingOne Advanced Identity Cloud. With this capability, you can also now assign Advanced Identity Cloud tenant roles in PingOne for use in SSO. Learn more in Setting up SSO to PingOne Advanced Identity Cloud and Administrator Roles.
AuthnStatement session validity duration for SAML applications
New PingOne
You can now optionally specify a value for the SessionNotOnOrAfter attribute using the new AuthnStatement session validity duration setting in SAML applications. This new capability improves interoperability, especially if the SAML application requires a longer SessionNotOnOrAfter value than the lifetime of the SAML assertion defined in the Assertion Validity Duration setting. Learn more in Editing an application - SAML.
October 24
Enhanced Getting Started experience for customer use cases
Improved PingOne
We’ve updated the Getting Started experience for creating a password-based customer solution. Enhancements include a more flexible configuration that makes it easier to test different authentication, registration, account recovery, and profile management use cases. Additionally, the underlying DaVinci flows used by the Getting Started experience have been updated to follow our best practices for flow creation and user interface standards.
Learn more on the Passwords tab of Building a customer solution.
October 21
Native, Worker, and Device Authorization apps removed from PingID policy
Fixed PID-14123 PingOne
For PingID accounts that are integrated with PingOne environments, the legacy PingID admin portal no longer lists Native, Worker, and Device Authorization apps in the PingID Policy Applications list.
Learn more in Administrator Roles and Custom role scenarios.
October 16
Enhanced user interface for external groups
Improved PingOne
We’ve enhanced the UI for external groups to make it easier to determine the source of the group at a glance. The details page for external groups has also been updated to provide more information and includes a link to the configuration details so that you can easily make changes if needed. Warning and informational messages have been added to alert you to potential issues.
Learn more in About groups and populations and Viewing groups.
Updated LDAP Gateway client application
New PingOne
We’ve released LDAP Gateway client application version 3.3.0. This version includes:
- Support for using a forward web proxy server that requires authentication to handle traffic between the gateway client and PingOne.
- Upgraded dependencies for better security and stability.
Learn more about using a web proxy server in Starting a gateway instance.
October 15
Custom administrator roles
New PingOne
For increased security and flexibility of role assignment, we’ve introduced the ability to create custom administrator roles in PingOne. PingOne administrators with the proper role assignment can now create, edit, and assign custom roles using any of the permissions available in PingOne. Custom roles can then be assigned to implement delegated administration and to provide least-privileged access to PingOne resources. The new Administrator Roles UI includes enhanced permission descriptions, privileged permissions tags, and labels that ensure you include permissions essential to using the PingOne admin console. Like built-in roles, custom roles can be assigned to users, groups, worker apps, or PingFederate gateways.
October 9
PingOne notifications - sending through an external email service
New PingOne MFA
You can now use an external email service to send notifications to your users. Learn more in Using a custom email provider for notifications.
October 6
Configure the one-time passcode (OTP) length
New PingOne MFA
You can now configure the length of the one-time passcode presented to the user. This feature is available for Email, SMS, and Voice authentication methods. Learn more: Adding an MFA policy
October 4
Multi-factor authentication required for access to admin console - updates
Improved PingOne
As part of our continued efforts to support best practice security measures in PingOne, we have enhanced the multi-factor authentication requirements introduced earlier this year.
The following updates have been made:
- You can now enable enhanced administrator security on a per environment basis for organizations that were created before July 18, 2024. Go to Settings > Administrator Security and click Enable Enhanced Security. You will be prompted to confirm your choice. If you later want to disable enhanced administrator security before it is required for all environments, click Disable Enhanced Security on the same page, and respond to the prompt.
- You can now select the MFA authentication methods you want to support for administrators. Learn more in Configuring administrator security.
- You can now enable enhanced security for environments using PingID and PingOne SSO. Learn more in Configuring administrator security - PingID.
- The Multi-factor Authentication setting for all existing administrator users has been updated to Enabled so that these users can enroll a second authentication factor if enhanced security is enabled for their environment.
Learn more in Administrator security and the PingOne administrators MFA requirement - FAQ.
Amazon API Gateway integration kit retries for 5xx errors
New PingOne Authorize
We’ve added a retry mechanism to improve handling of 5xx errors caused by transient network or service issues. Use the maxRetries setting in config.js to set the maximum number of retries you want before returning a failed response to the client. The default is 1. Learn more in Configuring Amazon API Gateway for PingOne Authorize integration.
October 3
Support for Microsoft Entra ID external authentication methods by authentication policies
New PingOne
External authentication methods allow Microsoft Entra ID users to leverage external authentication providers for multi-factor authentication (MFA). You can now enable this integration with PingOne authentication policies. Learn more in Setting up PingOne SSO and PingID as the external MFA provider for Microsoft Entra ID.
October 2
Merge or overwrite memberships in outbound group provisioning
New PingOne
You can now merge or overwrite memberships when a group with the same name exists on the target. Learn more in Configuring outbound group provisioning.
September 2024
September 30
MFA policies - application name in authenticator app
New PingOne MFA
To help users recognize which application the OTP displayed in their authenticator app is for, the MFA policy configuration page now includes an option called Show application name. Use this option to specify the text that should be displayed alongside the OTP in the authenticator app.
September 9
Enhanced administrator onboarding experience
New PingOne
We’ve released a significant update in the PingOne Administrators environment to streamline the onboarding process for new PingOne administrators. This release introduces a Getting Started experience tailored to address common points of confusion and help new administrators quickly understand and manage their responsibilities within the platform. Learn more in the Introduction to PingOne.
August 2024
August 22
Updated API gateway integration kits
New PingOne Authorize
We’ve released new versions of the following API gateway integration kits:
- Amazon API Gateway integration kit 1.1.0
- Apigee integration kit 1.1.0
- Kong integration kit 1.1.0
These versions improve how the integration kits handle rate limiting to achieve more reliable and stable authorization services. Learn more about connecting your API gateway to PingOne Authorize in PingOne Authorize API gateway integrations.
August 21
Default MFA status for new users setting enabled by default
Improved PingOne
The Default MFA status for new users setting on the MFA Settings page is now enabled by default in all new environments. This setting allows just-in-time registration of new multi-factor authentication (MFA) methods for PingOne administrators the first time they sign on to the admin console. Learn more in Configuring MFA settings.
August 19
New risk predictor - Traffic Anomaly
New PingOne Protect
A new risk predictor called Traffic Anomaly has been added in order to detect traffic anomalies in terms of variables such as users, devices, and sessions.
The Traffic Anomaly predictor will eventually include a variety of rules, some of which you can select to enable or disable. In this initial release of the predictor, PingOne Protect detects situations where there are a large number of risk evaluations requested for a single user within a short period of time, and optionally can also detect situations where the number of users per device during a given period is suspicious.
When a risk level of High is calculated for the Traffic Anomaly predictor, it is recommended that you deny access because the suspicious activity is likely due to malicious behavior.
For details, see Predictors, Configuring predictors, and the Risk Predictors section of the PingOne API documentation.
User IP from Signals (Protect) SDK payload
Improved PingOne Protect
Due to the use of corporate proxies and other network tools, the user’s true IP was often masked by an internal IP, reducing the benefit provided by risk predictors that factor in the IP or user location. To handle such situations, if PingOne Protect encounters an internal IP, it now uses the user IP that is included in the Signals (Protect) SDK payload. This feature requires version 5.2.7 or later of the Signals SDK for Web.
August 7
Updated LDAP Gateway client application
New PingOne
We’ve released LDAP Gateway client application version 3.2.0. This version includes:
- Support for using a forward web proxy server to handle WebSocket traffic between the gateway client and PingOne
- Debug logging improvements
- Bug fixes
Learn more about using a web proxy server in LDAP gateways and Starting a gateway instance.
August 5
User group conditions in composite predictors
New PingOne Protect
When creating composite risk predictors, you can now include conditions that check what PingOne user groups the user belongs to. For details, see Adding composite predictors and the example in the PingOne API documentation.
New admin alert - suspicious traffic
New PingOne Protect
You can now add an alert to receive an email notification if PingOne Protect detects a pattern of suspicious traffic that requires your attention. For details on adding alerts, see Adding an alert.
Bot detection enhancement
New PingOne Protect
The Bot Detection predictor now has an option that you can select to expand the types of bot activity that PingOne Protect can detect. For details, see Configuring predictors and the Risk Predictors section of the PingOne API documentation.
July 2024
July 30
RADIUS Gateway enhancements
New PingOne
- We’ve updated the RADIUS Gateway client application to version 1.2.0. This version supports running a standalone RADIUS Gateway as a Windows service.
- We’ve added the option to configure the RADIUS Gateway port and also added support for PAP protocol when integrating the RADIUS Gateway with a Network Policy Server (NPS).
- Some minor issues were fixed in the following flows:
Learn more: RADIUS gateways.
July 26
Updated defaults for new single page applications
Improved PingOne
When adding a new single page application, PingOne creates the application with the following new defaults to align with current security best practices:
- Response Type: Code
- Grant Type: Authorization Code
- PKCE Enforcement: S256_REQUIRED
Existing single page applications will not be updated to use the new defaults. You can update the settings for new and existing single page applications as needed. Learn more in Editing an application - Single page.
July 22
Dynamic linking for registration of FIDO devices
New PingOne MFA
For MFA, the PingOne API now includes an option to use dynamic linking to attach a unique identifier to the registration of a FIDO device.
For details, see the FIDO2 devices data model table under MFA devices in the PingOne API documentation.
July 18
Multi-factor authentication required for access to admin console
New PingOne
As part of our ongoing commitment to enterprise security and supporting best practices, multi-factor authentication (MFA) is now mandatory for PingOne administrators in organizations created after July 18, 2024. If your organization was created before July 18, 2024, you will be able to opt in for this requirement on a per-environment basis in the coming months. A message in the admin console will indicate when the early access period begins. In 2025, this requirement will be enabled in all organizations, for all environments. Learn more in Administrator security and the PingOne administrators MFA requirement - FAQ.
July 3
Signals (Protect) SDK - authenticity check
New PingOne Protect
It is now possible to have the device data in the Signals SDK payload converted to a signed JWT, to ensure that the content has not been tampered with.
When defining a Suspicious Device predictor in your PingOne environment, you can specify that any risk policies containing the predictor will require that the Signals SDK payload use the signed JWT option, with the signature being verified before proceeding with risk evaluation.
Currently, the option of providing the SDK payload as a signed JWT can be enabled in the initialization code for the SDK or via the option that has been added to the skrisk component used in DaVinci flows.
For details, see Configuring predictors, the documentation for the web version of the Signals SDK, the Risk Predictors section of the PingOne API documentation, and the documentation for the PingOne Protect DaVinci connector.
June 2024
June 28
Verify policy enable AAMVA
New PingOne Verify
We’ve added a new feature for Verify policies, Enable AAMVA. This allows verification of ID information against the issuing agency database. Learn more in Creating a Verify Policy.
June 26
Delegated administration for applications
New PingOne
We’ve created the Application Owner role to limit administrator access to specific applications. Use this role to provide application developers with access only to the applications they manage. This role provides no other administrator permissions in PingOne. Learn more in Administrator Roles and Managing user roles.
User interface updates
Improved PingOne
To ensure consistent terminology throughout the product, two user interface (UI) updates have been made:
- In the sidebar, under Directory, Roles is now Administrator Roles.
- In the Users UI, the Roles → Administrative Roles tab is now Roles → Administrator Roles.
Learn more in Administrator Roles and Managing user roles.
June 25
Verify policy fail expired IDs
New PingOne Verify
We’ve added a new feature for Verify policies, Fail expired IDs. This allows users to fail verification when an ID expires. Learn more in Creating a Verify Policy.
June 20
Updated LDAP Gateway client application
New PingOne
We’ve released LDAP Gateway client application version 3.1.2. This version includes:
- Docker image support for ARM-based hardware and virtual environments, providing more flexibility on how you run your LDAP gateway. Docker automatically pulls the right image, so no action is required.
- Bug fixes for external password policy enforcement
- Logging enhancements
Learn more in LDAP gateways and the new Best practices for configuring Active Directory for LDAP gateways.
June 18
Specifying flow subtype for risk evaluations
New PingOne Protect
When creating risk evaluations, you can now provide additional detail about the context of the flow by specifying a flow subtype in addition to the flow type. For details, see the description of the new flow.subtype field in the PingOne API documentation.
June 17
Providing feedback for risk evaluations
New PingOne Protect
A new endpoint, riskFeedback, has been added to the PingOne API to allow you to provide feedback on the accuracy of specific risk evaluations that were carried out. Each such call can include feedback for up to 100 risk evaluations, and for each evaluation you can specify a feedback category and a reason for including the evaluation in that category. For details, see Providing feedback for risk evaluations in the API documentation.
June 14
Population overview
Improved PingOne
We’ve organized the Populations UI into corresponding sections to make it easier to navigate through the various configurations. Admins can now see details attached to a population within the Populations UI, along with the ability to navigate to corresponding configurations in Password Policy and External IdP when needed. Learn more in Managing populations.
June 11
CORS support extended
Improved PingOne
We’ve extended support for cross-origin resource sharing (CORS) to additional endpoints in PingOne. CORS allows devices on one domain to access resources on another domain. Learn more in Cross-origin resource sharing and in the Cross-origin resource sharing section of the PingOne API documentation.
June 4
Dynamic linking for FIDO transactions
New PingOne MFA
For MFA, the PingOne API now includes an option to use dynamic linking to attach a unique identifier to a FIDO transaction. For details, see Create a request property JWT and Device authentications data model in the PingOne API documentation.
June 3
Allow user to add device nickname during pairing
Improved PingOne MFA
We’ve added the option to allow the user to add a device nickname during the pairing flow. After successfully pairing the device, a popup window is shown, asking them if they want to define a device nickname. If the user does not edit the text field, the default nickname is applied.
For more information, see Adding an MFA policy.
May 2024
May 22
Social login with PingOne Forms for DaVinci now supported
Improved PingOne
When creating or editing a form in User Experience → Forms, you can now add a social login button from the Toolbox. For details, see Form toolbox.
This feature is in limited release. Contact Ping support to request access to this feature.
May 15
PingOne MFA mobile SDK 1.10.1 (iOS only)
New PingOne Mobile SDK
Version 1.10.1 of the PingOne MFA mobile SDK for iOS has been released.
This version contains a single bug fix. For details, see Release notes - iOS version.
May 9
Application role assignment enhancements
New PingOne Authorize
We’ve made it easier to assign application roles to users. Now you can assign application roles on the Users page, in addition to assigning users to roles when you create an application role. Learn more in Managing user roles.
May 6
New domain for Australia region
New PingOne
We’ve added a new .com.au domain for our Australia region that reflects Australian data residency. Organizations created for our Australia region after May 6, 2024 will use the new .com.au domain name. Organizations created before that date must continue to use the .asia domain name. Learn more about regional domains in Introduction to PingOne.
April 2024
April 25
New Kerberos Check audit event types
New PingOne
We’ve added two new event types for PingOne gateways configured to use the Kerberos protocol for authentication:
- Kerberos Check Succeeded
- Kerberos Check Failed
You can review these events in the PingOne Audit log. Learn more in Event types.
April 24
Microsoft 365 application Subject NameIdentifier Format enhancements
New PingOne
When adding or editing a Microsoft 365 application, you can now configure the Subject NameIdentifier Format value and also configure a mapping for the value to a PingOne attribute. Learn more in Adding Microsoft 365 to PingOne.
Application permissions in access tokens
New PingOne Authorize
Now you can include a permissions claim in access tokens created for your APIs and custom resources. This enables you to retrieve and enforce permissions for application features and API resources developed by your organization. Learn more in Application permissions.
Additional protocols supported in custom theme footers
Improved PingOne
The tel and sms protocols are now supported in HTML footers used in custom themes. Learn more in Customizing a theme.
April 16
Custom data group properties in PingOne Directory
New PingOne
We’ve made it easier to add custom properties to groups in PingOne Directory. Now you can simply add metadata properties as key-value pairs in the user interface for creating or updating groups. Learn more in Creating a group.
April 10
Verify dashboard
New PingOne Verify
The Verify dashboard shows identity verification transaction activity for your organization. Learn more in Verify dashboard.
Ability to upload and download a complete language pack
Improved PingOne
Previously, when uploading or downloading a language pack in User Experience > Languages, you could only download the translatable keys for each module. Now, you can download or upload the complete language pack.
Learn more in Downloading a language bundle and Uploading a language bundle.
April 8
Verify policy document authentication provider
New PingOne Verify
You can now configure a document authentication provider in your verify policy. Learn more in Creating a verify policy.
April 4
Verify policy retry attempts
New PingOne Verify
We’ve added two new features for Verify policies: Government ID Retry Attempts and Selfie Retry Attempts. This allows users to retake pictures of a government ID or selfie if the previous image had a quality problem.
Learn more about government ID retry and selfie retry in Creating a verify policy.
April 3
Automatic verification of "sender" email address
New PingOne
The requirement of responding to a verification email when adding a "sender" email address made it difficult to add an address that does not have an inbox. Now, when you create a trusted email domain, PingOne creates an additional text record that reflects the association of the domain with the specific PingOne environment. If you add this new record to your DNS, any sender email address belonging to the domain is set to active status as soon as you create it, with no need for a verification email.
April 2
Unique theme IDs and names added to Branding and Themes
New PingOne
Branding and Themes now have unique Theme IDs for themes that can be copied and pasted directly into the PingOne Forms connector. A unique theme name will also be generated by default to prevent having duplicate themes in the environment.
Learn more in PingOne Forms connector.
Aggregate passkey devices per user during authentication
New PingOne MFA
We’ve added the ability to aggregate all FIDO2 devices associated with a user’s account during authentication. This simplifies authentication, as the user is presented with a single FIDO2 authentication method representing all of their paired FIDO2 devices, rather than seeing each device listed separately. If the user chooses to authenticate with the aggregated FIDO2 authentication method, the OS of the accessing device selects the most appropriate method for them to use to authenticate.
Learn more at Adding a FIDO policy.
April 1
Environments UI enhancements
Improved PingOne
We’ve updated the Environments page to include search and sort capabilities that make it easier to find the environment you need. We’ve also added the ability to upload a custom icon to make an environment stand out visually in the list. Additionally, you can now view and edit environment details without leaving the Environments page. The Environment Properties page has also been updated, providing a consistent experience. Learn more at Getting started with PingOne and Environment properties.
March 2024
March 26
Integration of a PingID account with PingOne
Improved PingOne
We’ve improved the process for integrating an existing PingID account with PingOne. PingOne now performs more comprehensive validations during the integration process, enabling Administrators to fix issues and ensure license compliance before starting the integration. Learn more at Integrating a PingID account with a new PingOne environment.
March 20
Role assignment UI enhancements
Improved PingOne
We’ve streamlined the user interface for viewing and assigning roles. This update reduces scrolling and clarifies the context in which the user or group has roles assigned. Learn more at Managing user roles and Managing group roles.
March 12
LDAP Gateway user attribute updates on every authentication
New PingOne
We’ve added the ability for PingOne to always update PingOne user attribute changes from an external directory on every successful authentication through the LDAP Gateway client. Learn more about enabling user attribute updates in Adding a user type.
March 7
Password Check audit event descriptions enhanced
Improved PingOne
The descriptions for the Password Check Succeeded and Password Check Failed audit events in PingOne have been enhanced to include more information for users signing on through a PingOne gateway and to improve the troubleshooting experience, as described in the following table:
PingOne gateway user? | Event type | Previous description | New description |
---|---|---|---|
Yes | Password Check Succeeded | Check Succeeded Password <userId> | Password check succeeded for Gateway User <userId> through Gateway <gatewayId> using User Type <userTypeId> |
Yes | Password Check Failed | Check Failed Password <userId> | Password check failed for Gateway User <userId> through Gateway <gatewayId> using User Type <userTypeId> |
No | Password Check Succeeded | Check Succeeded Password <userId> | Password check succeeded for User <userId> |
No | Password Check Failed | Check Failed Password <userId> | Password check failed for User <userId> |
Learn more about audit events in Event types.
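The following added example (not part of the PingOne release notes or product code) shows how a log pipeline could parse both the previous and new Password Check descriptions from the table above and count failed checks per gateway. It assumes the description is available as a plain string and that IDs contain no whitespace; the function names and sample IDs are constructed for illustration.

```python
"""Parse Password Check audit event descriptions (added example)."""
import re
from collections import Counter

# New description for users signing on through a PingOne gateway.
NEW_GATEWAY = re.compile(
    r"^Password check (?P<result>succeeded|failed) for Gateway User (?P<user_id>\S+)"
    r" through Gateway (?P<gateway_id>\S+) using User Type (?P<user_type_id>\S+)$"
)
# New description for users who do not sign on through a gateway.
NEW_DIRECT = re.compile(
    r"^Password check (?P<result>succeeded|failed) for User (?P<user_id>\S+)$"
)
# Previous description, identical for gateway and non-gateway users.
PREVIOUS = re.compile(
    r"^Check (?P<result>Succeeded|Failed) Password (?P<user_id>\S+)$"
)

FORMATS = (("new", NEW_GATEWAY), ("new", NEW_DIRECT), ("previous", PREVIOUS))


def parse_description(description):
    """Return the fields of a Password Check description, or None if it is another event."""
    text = description.strip()
    for fmt, pattern in FORMATS:
        match = pattern.match(text)
        if match:
            fields = match.groupdict()
            return {
                "format": fmt,
                "succeeded": fields["result"].lower() == "succeeded",
                "user_id": fields["user_id"],
                # Only the new gateway format carries these two IDs.
                "gateway_id": fields.get("gateway_id"),
                "user_type_id": fields.get("user_type_id"),
            }
    return None


def failed_checks_by_source(descriptions):
    """Count failed password checks per gateway ID.

    Non-gateway users are counted under "direct". Events in the previous
    format cannot be attributed to a gateway, so they get their own bucket.
    """
    counts = Counter()
    for description in descriptions:
        parsed = parse_description(description)
        if parsed is None or parsed["succeeded"]:
            continue
        if parsed["format"] == "previous":
            source = "unknown (previous format)"
        else:
            source = parsed["gateway_id"] or "direct"
        counts[source] += 1
    return counts


# Constructed sample descriptions; the IDs are placeholders, not real PingOne IDs.
SAMPLE_DESCRIPTIONS = [
    "Password check failed for Gateway User user-0001 through Gateway gw-01 using User Type ut-01",
    "Password check failed for Gateway User user-0002 through Gateway gw-01 using User Type ut-01",
    "Password check succeeded for Gateway User user-0001 through Gateway gw-01 using User Type ut-01",
    "Password check failed for User user-0003",
    "Check Failed Password user-0004",
    "Some other event description",
]

if __name__ == "__main__":
    for source, count in failed_checks_by_source(SAMPLE_DESCRIPTIONS).most_common():
        print(f"{source}: {count} failed password check(s)")
```

Because the previous description is the same for gateway and non-gateway users, only events in the new format can be grouped by gateway or user type.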
March 5
User Updated audit event enhancements
Improved PingOne
The User Updated audit event in PingOne has been enhanced to include information about most user attributes that were changed, added, or removed during the update. Learn more about auditing events in Event types. Learn more about user attributes.
PKCE support added for custom OIDC identity providers
New PingOne
You can now enable Proof Key for Code Exchange (PKCE) for custom OIDC identity providers in PingOne. PKCE helps to secure communication with the provider and can prevent authorization code interception attacks. Learn more at Adding an identity provider - OIDC.
March 4
New risk predictor - Email Reputation
New PingOne Protect
The use of disposable email addresses is a common characteristic of fraudulent activity. PingOne Protect now has a risk predictor to detect the use of disposable email addresses during registration.
You can add the predictor to your risk policies, and you can also define a specific course of action if the result.recommendedAction field in the risk evaluation response indicates the use of a disposable email address.
PingOne API - field added to risk evaluation response
Info PingOne Protect
For risk evaluations that use a risk policy with the New Device predictor, the API response now includes a field that represents the date and time that the device was last seen. For details, see Risk Evaluations in the API documentation.
March 1
New API Access Management audit event types
New PingOne Authorize
We’ve added the following new API Access Management event types:
- API Service Created
- API Service Updated
- API Service Deployed
- API Service Deleted
You can review these events in the PingOne Audit log or create webhooks to ensure management of API Services is working correctly. Learn more in Viewing API Access Management events in your PingOne environment audit log.
February 2024
February 28
OAuth 2.0 device authorization grant support added
New PingOne
We’ve added support for the device authorization grant type, which you can use to enable users to authorize access to a protected resource on a device with limited user input capabilities, such as a smart TV, using a browser on a second device, such as a smartphone or computer.
For more information, see Device authorization and Editing an application - Device authorization.
PingOne API - resend OTP for pairing device
New PingOne MFA
To cover situations where a user did not receive the one-time passcode (OTP) that was sent for pairing a device, the PingOne API now provides a request for resending the OTP. For details, see Resend Pairing OTP in the API documentation.
February 20
User verification field added to User Devices report
Improved PingOne MFA
When you generate a User Devices report, the report now includes a field called fidoUserVerification, which indicates whether user verification has been performed successfully with a FIDO device during registration or authentication. For more information on user verification, see Adding a FIDO policy.
PingOne MFA User Devices chart
New PingOne MFA
We’ve added the User Devices chart to the PingOne MFA dashboards. The User Devices chart is comprised of the following two charts (in the drill-down view):
- User Devices: view the number or percentage of devices used by the authentication method.
- App Version: view mobile applications by version.
You can filter the results by primary or secondary device, and OS version (Android or iOS).
For more information, see User devices and app version charts.
February 14
Support for client secret JWT and private key JWT in OIDC applications and custom resources
New PingOne
OIDC-based applications and custom resources in PingOne now support client secret JWT and private key JWT as the token introspection endpoint authentication method. OIDC applications also now support asymmetric request object signing algorithms. To use private key JWT for authentication, and for an OIDC application to send asymmetrically signed request objects, you must provide either the JSON Web Key Set (JWKS) itself or the URL where PingOne can retrieve the JWKS.
For more information, see Token endpoint authentication methods, Editing an application, and Editing a resource.
February 12
New risk predictor - Adversary-in-the-Middle (AitM)
New PingOne Protect
To further enhance its ability to prevent account takeover, PingOne Protect now has a dedicated risk predictor to handle Adversary-in-the-Middle attacks.
AitM is a variant of Man-in-the-Middle attacks in which a malicious actor uses a reverse proxy to position themselves between a user and an online service in order to obtain user credentials and session tokens. This type of attack circumvents the protection usually provided by OTP-based multi-factor authentication, and of late has become a common technique in phishing attempts.
For details, see Configuring predictors and Risk Predictors in the API documentation.
PingOne Protect dashboard - event details table
Improved PingOne Protect
For the individual charts included in the PingOne Protect dashboard (other than Risk Heat Map), the event details table now includes all risk evaluation events, even those where all the risk predictors in the policy indicated low risk.
February 6
Outbound Group Provisioning
New PingOne
PingOne now supports outbound group provisioning. Use PingOne provisioning to sync groups along with their memberships out of PingOne to a connected software as a service (SaaS) application. For more information, see Outbound group provisioning.
February 1
New LDAP Gateway service connection
New PingOne Authorize
With the new Gateway service, you can retrieve user profile information stored in on-premises and external LDAP directories, such as PingDirectory or Microsoft Active Directory, for use in authorization policies. User data is cached for improved performance. For more information, see Authorization services.
January 2024
January 16
Support for multiple client secrets in OIDC applications and custom resources
Improved PingOne
After you update a client secret in PingOne, you must ensure that any applications or resources that use the secret are updated. Previously, if there was lag time between when a new client secret was generated and when application or resource owners updated the application or resource to use the new secret, errors could occur because the old secret was invalidated immediately. Now you can choose to retain the previous client secret for up to 30 days, giving application or resource owners time to update the secret without end users experiencing errors in the meantime. Additionally, you can immediately revoke the previous client secret at any time during the retention period if it is no longer needed.
Multiple client secret support applies only to OIDC-based applications and custom resources at this time. You can use the PingOne admin console or the PingOne API to generate a new client secret and define a retention period for the previous secret. For more information, see Rotating the client secret for an application and Rotating the client secret for a resource.
Use the policy request parameter with the PingOne Application Portal
New PingOne
You can now use the optional policy request parameter to specify which policy to use for the Application Portal application. The authentication policy defines the sign-on requirements for accessing the Application Portal. For more information, see Applying authentication policies to the Application Portal.
January 11
Application permissions and roles
New PingOne Authorize
Managing permissions in your custom applications is now as easy as checking a box. Now you can:
- Define permissions for application features and APIs without changing your application code
- Centralize permissions enforcement through your API gateway
- Manage permissions assignment with roles
- Extend permissions with custom policies
For more information, see Application permissions.
January 8
PingID users can manage their devices from PingOne MyAccount page
New PingOne MFA
We’ve added the following features to allow PingID users to manage their devices from the PingOne MyAccount page, rather than the PingID Devices page:
- Self Service: We’ve added the Manage PingID Devices via MyAccount option to enable PingID workforce users to manage their devices through the MyAccount app.
- MyAccount app reduced scopes: The Allow user actions according to granted authentication scopes check box provides a limited subset of scopes for users that have not yet authenticated. When this option is selected, users are required to authenticate to get a more complete set of scopes that allow them to add or change a device. When the Manage PingID Devices via MyAccount option is selected in Self-Service, this option is automatically selected. For information, see Self service.
- Reordering the device list: We’ve added the ability to drag and drop devices to reorder them in the MyAccount device list.
January 7
User Devices report
New PingOne MFA
You can now view and export reports that list the details of MFA devices, such as the username and user ID associated with the device, using a number of device-related filters. For example, you can generate a report listing all email devices or a report containing all of the devices whose phone number starts with a certain country code. Results can be exported in csv or json format.
For details, see User Devices report.
January 4
Composite predictors - user ID and user name
New PingOne Protect
When composing a composite predictor, you can now include user name and user ID as criteria. You can use this feature to assign a different risk level for user names or user IDs that contain specific strings, for example, a specific domain name.
For details, see Adding composite predictors and the Risk Predictors section in the API documentation.
January 3
CORS support added
Improved PingOne
We’ve added support for cross-origin resource sharing (CORS) to PingOne. CORS allows devices on one domain to access resources on another domain. Configure CORS settings to enable your OIDC or SAML application to access third-party resources, such as cross-origin images, scripts, and stylesheets. For more information, see Cross-origin resource sharing.