New PingOne

We’ve released LDAP gateway client application version 4.1.1. This version updates the Docker base image and software dependencies to improve security.

Improved PingOne

We’ve increased the limit for the number of custom language key-value pairs that can be added for PingOne DaVinci custom messages from 500 to 2000. Learn more in Adding a custom key for DaVinci.

New PingOne

If you have defined channels in your Syniverse account, you can now create a PingOne notification sender that uses channels rather than individual phone numbers.

New PingOne

You can now add custom metadata properties to applications in PingOne for administrative purposes, such as contact information. You can only add metadata properties to applications created by your organization and not the built-in system applications. Learn more in Editing an application.

Improved PingOne

We’ve updated the Certificates and Key Pairs UI with a new look and feel for a more streamlined experience. Learn more in Certificates and key pairs.

New PingOne PingOne DaVinci

We’ve released a new notification template for verification codes sent by email to users to verify their accounts. You can now also customize the verification code notification template to use in a DaVinci flow with the PingOne Connector. Learn more in Notification Templates and in the PingOne Connector documentation.

New PingOne

AI Agents are now available in PingOne as part of our Identity for AI solution. Use AI Agents to:

This helps you safely bring agentic and autonomous AI into production without relying on shared credentials or opaque access paths. Agent Identity is made available as part of our new Identity for AI solution. Contact your account executive to find out more.

Learn more in AI Agents.

Improved PingOne

We’ve made the following improvements to the API Usage Dashboard:

Additionally, adjustments have been made to correct inaccurate peak API usage data calculations recorded since January 2026.

Learn more in API Usage Dashboard.

New PingOne Protect

Using the PingOne API, you can now erase all of the risk-related data that has been collected for a specific user. You can find details in the Risk Data section of the PingOne API documentation.

Improved PingOne PingOne SSO DaVinci

We’ve enhanced the PingOne Authentication Dashboard (early access) to include PingOne DaVinci-triggered authentication activity, providing a single, consistent view of sign-on activity from PingOne and DaVinci flows. Learn more in New Authentication Dashboard (early access).

PingOne Improved Beta

We’ve made an improvement to the webhooks UI. You can now choose between HTTPS or TCP/IP to determine how webhook events are delivered to your destination. HTTP sends events using HTTP POST requests and TCP/IP sends events over a TCP connection.

The protocol selection feature providing TCP/IP as an option for users is currently released only for beta testing.

Info PingOne Protect

Composite predictors can now contain a maximum of 20 individual items. When the limit is reached, the buttons for adding an item or a group are grayed out.

New PingOne MFA

Administrators with a customer (PingOne MFA) environment can now configure policy-based multi-factor authentication (MFA) from PingOne by creating targeted risk policies for specific authentication flow types. This allows contextual and risk-based evaluation directly within MFA flows, even without a PingOne Protect license. For example, administrators can specify different FIDO2 policies to use based on user group, application, and scenario (such as sign-on from a new device) by applying a different MFA policy in MFA mitigations.

With a customer (PingOne MFA) environment, you can leverage a subset of the risk predictors available with a full PingOne Protect license.

To access the complete set of risk predictors, a full PingOne Protect license is required.

Learn more in Risk policies for MFA-only licenses.

New PingOne

When PingOne is the federated identity provider (IdP) for Microsoft Entra ID, you can now select the attribute PingOne uses to match user records to the username in the username token from request security token (RST) messages. PingOne automatically matches the Entra ID username (userPrincipalName attribute from Active Directory by default) to the email address (mail attribute) in PingOne.

This new setting allows you to configure the Microsoft 365 application in PingOne to match an alternative or custom attribute to the username token. This ensures PingOne can locate user records when obtaining and renewing primary refresh tokens (PRTs) from Entra ID. Learn more in Selecting the attribute to identify users from username tokens and Configuring PingOne as the federated IdP.

New PingOne

PingOne now supports client-initiated backchannel authentication (CIBA) with the new CIBA grant type. CIBA enables an out-of-band authentication flow initiated by an end user from a consumption device, such as a point-of-sale system, and completed on the user’s authentication device. You can download a sample PingOne DaVinci CIBA flow to send email notifications to your end users, allowing them to seamlessly grant or deny authentication requests on their mobile device. Learn more in Configuring a CIBA flow.

New PingOne MFA

We’ve released version 2.2.1 of the PingOne MFA mobile SDK. This version contains a number of bug fixes.

Learn more in the documentation for the Android version and the documentation for the iOS version.

Improved PingOne

You can now use the Circuit Breaker Events chart to view polling and sync failure for a specific rule and take the necessary action to resolve any failure. Learn more in Provisioning Dashboard.

New PingOne

We’ve released LDAP gateway client application version 4.1.0. This version includes improved provisioning support for Radiant Logic and OpenLDAP directories.

improved PingOne Protect

Enhancements have been made to the anonymous network detection predictor to reduce the likelihood of a legitimate IP being identified as an anonymous network risk.

New PingID

PingID desktop app 1.0 provides users with a consistent passwordless authentication experience across different browsers from a Mac or Windows machine using the machine’s device biometrics.

This solution replaces the existing PingID desktop app, which has been renamed PingID desktop app (legacy).

Info PingOne

As part of our continued efforts to support best practice security measures and advanced integrations in PingOne, we’ve begun the transition to using Cloudflare instead of Amazon CloudFront as our custom domain ingress infrastructure. This change is being deployed in a phased approach and affects you only if you use custom domains.

Phase 1 started March 17, 2025 with all new custom domains from that date on configured to use Cloudflare.

Now, in phase 2, you can migrate PingOne custom domains created before March 17, 2025 to Cloudflare. Learn more in Migrating a custom domain to Cloudflare.

Improved PingOne

We’ve made improvements and added more expiry, recovery, and troubleshooting information to the Gateway Version Deprecating email alert. Learn more in Monitoring gateways.

Improved PingOne

We’ve added support for the updatedAt attribute in user searches. This attribute allows you to search for users who were added or updated at a certain time. Learn more in the PingOne API documentation.

PingID TRIAGE-31838 Fixed

We’ve fixed an issue in workforce PingID where the Show Application name text defined in the MFA policy for Authenticator App (TOTP) wasn’t displaying.

New PingOne

PingOne can now use key rotation policies (KRPs) for token signing for OIDC-based applications, regardless of whether the application includes PingOne API scopes in its authorization requests. You can also now update worker applications to use the default KRP for token signing.

Beginning March 2, 2027, PingOne will only use signing keys from KRPs to sign ID tokens and access tokens, regardless of whether the audience for the access token is PingOne APIs or custom resources. Any OIDC-based applications not using the KRP will automatically update to use the default KRP on this date.

Learn more in Key rotation policies and Editing an application - Worker.

Improved PingOne

Administrators can now assign a role to a group they’re a member of if that role is directly assigned to them. Learn more in Managing group roles.

Info PingOne DaVinci

We’re introducing technical improvements to modernize PingOne Forms rendering. These updates don’t change the end-user experience, and most customers don’t need to take any action.

However, if you use automated testing tools that check for specific HTML structures, your tests could be affected. These updates will go live for all customers following a one-month preview period. Learn more in Updates to PingOne Forms Rendering in the Ping Identity Support Knowledge Base.

New PingOne

As part of our ongoing commitment to security, PingOne now supports issuing opaque refresh tokens for OIDC-based applications. You can currently choose JSON Web Token (JWT) or opaque refresh token on the Configuration tab. Learn more in Editing an application.

Beginning March 2, 2027, PingOne will issue only opaque refresh tokens, and JWTs will be deprecated for refresh tokens. You must update existing applications to use opaque refresh tokens by March 1, 2027 to avoid your users being unable to access resources they need. Learn more in Refresh tokens.

Fixed TRIAGE-31681 PingOne

We’ve fixed an issue that was causing RADIUS PCV authentications to fail if the user was using a one-time passcode (OTP) to authenticate with a secondary device. This issue only occurred when RADIUS PCV was in no-challenge mode and only affected PingID accounts that were migrated to PingOne.

New PingOne Protect SDK

We’ve released new versions of the PingOne Protect (Signals) SDK:

You can find details in the SDK Changelog.

PingID TRIAGE-31834 Fixed

Fixed an issue that was considering a FIDO2 device incompatible with all communication methods (such as USB, NFC) if its transport list was not populated. Now a FIDO2 device with an empty transport list is considered compatible with all communication methods. This issue affected PingID accounts that migrated to PingOne environments and use Windows login.

improved PingOne

Several improvements have been made to themes to enable more comprehensive customization for your end-user pages:

Learn more in Branding and Themes.

New PingOne

Improved PingOne MFA

When using authenticator apps for authentication, PingOne can now accept passcodes that are up to 8 digits long.

New PingOne MFA

We’ve released version 2.2 of the PingOne MFA mobile SDK. In addition to security enhancements and minor bug fixes, this version includes the following changes.

New PingOne MFA

To reduce the likelihood of PingOne email notifications getting flagged as spam when you are using Ping Identity as the notification sender, you can now define a custom MAIL FROM domain for trusted email domains that you have configured. Specifying a MAIL FROM domain results in SPF alignment with the FROM header, reducing the chances that the DMARC check will fail. You can find detailed instructions in Setting up SPF and a custom MAIL FROM domain.

New PingOne Verify

We’ve added the ability to Store Verified Claims in a verify policy. This enables you to store verified personally identifiable information (PII) within the PingOne Directory. Learn more in Creating a verify policy, Viewing users, and Editing a user.

New PingOne

The Provisioning Dashboard shows a summary of outbound and inbound provisioning activity for the selected environment. Learn more in Provisioning Dashboard.

Improved PingOneMFA

We’ve made the following changes to help limit the number of MFA devices that have never been activated:

Improved PingOne

We’ve enhanced the provisioning rules UI. You can now configure both inbound and outbound provisioning rules faster and more effectively. Learn more in Provisioning rules.

New PingOne

When configuring an agreement component for Forms, you can now select Use Agreement ID from Form node. In DaVinci, the Form connector’s Show Form node lets you select a specific agreement or provide a dynamic agreement ID using a variable.

This enhancement enables you to reuse one agreement form for any flow or user context. For example, you can now dynamically present different agreements to different populations.

New PingOne Protect

When you save a risk policy, PingOne Protect now checks the scores you assigned to various risk predictors. If the scores assigned are likely to lead to missing high-risk or medium-risk situations, PingOne Protect displays a message that identifies the problem and asks if you want to adjust the assigned scores before saving the risk policy.

New PingOne

You can now configure gateway alerts to send error, warning, and information email notifications. Learn more in Gateways.

Info PingOne

Previously, you could add multiple Agreement components to a single form. This made it difficult to determine which agreement ID was output by the Show Form node.

Now, you can add only one Agreement component to each form. The agreement ID is output in a predictable location with a clear name.

This change also supports an upcoming ability to control the agreement selection from the Show Form node.

New PingOne

Previously announced changes to how audit events older than 14 days are retrieved are now live. The following updates were made:

New PingOne PingOne SSO

As organizations expand their on-premise Active Directory (AD) infrastructure to Microsoft Entra ID in the cloud, you can optionally hybrid join your organization’s Windows devices to Entra ID to simplify device management. As an identity provider (IdP) federated with Entra ID, PingOne can now issue security tokens for the hybrid join process, helping to accelerate adoption of Entra ID features and cloud services. This new capability is available as a limited access release for customers with a PingOne for Workforce Plus or Premium license in the North America region only. Learn more in Setting up PingOne as the federated IdP for Microsoft Entra ID.

Improved Strong Authentication PingID

We’ve made some changes as to how the MFA status is updated following the integration of an existing PingID account to an existing PingOne environment, or migration of PingID management from the legacy PingID admin portal to a PingOne environment.

Learn more in What you need to know before integrating or migrating a PingID account into a PingOne environment.

New PingOne

We’ve released LDAP Gateway client application version 4.0.3. This version fixes an issue where provisioning users from LDAP to PingOne failed to sync the Active Directory memberOf attribute, which potentially resulted in a loss of group or role-based application access.

New PingOne

We’ve made it easier to share your forms, such as when sending your flows to the Ping Identity Support team or collaborating with an implementation partner. This change will also allow Ping Identity to add flows to the Ping Identity Marketplace that include easy drag-and-drop forms.

Now, when exporting a DaVinci flow, the forms associated with any Show Form nodes are included in the exported flow JSON file. When importing a flow, DaVinci imports any forms into User Experience > Forms.

This feature is designed to share forms across unrelated environments, so exported forms don’t include external IdP information or custom user attributes.

Learn more in Importing and exporting forms.

Improved PingOne

PingOne now supports up to 100 million identities in a single environment. Learn more in PingOne standard platform limits.

Info PingOne

PingOne now includes OAuth 2.0 authorization server metadata in its /.well-known/oauth-authorization-server response. This adds support for the OAuth metadata URI to enable consistency with the OAuth 2.0 metadata specification and interoperability across Ping Identity products.

Improved PingOne

We’ve made several improvements to the UI for the Groups page to give you a more organized and efficient experience. The groups list is now displayed in columns that bring important group information to the surface. Customize the display by showing and hiding columns as needed. Use our new filters to quickly refine the list further and show only the groups you want to see.

Learn more in Groups.

New PingOne

The audit retrieval changes announced on October 2 have been deployed in the Singapore region. The changes will be deployed to the remaining regions by the end of the month.

New PingOne PingOne SSO

PingOne now supports always accepting an assertion consumer service (ACS) URL in a signed SAML AuthnRequest regardless of whether the ACS URL is added on the application’s Configuration tab. This new setting is useful if a service provider (SP) generates ACS URLs dynamically. Learn more in Editing an application - SAML.

New PingOne

Starting October 27, 2025, the following changes will be made to how audit events older than 14 days are retrieved:

API GET operations for events older than 14 days will require an additional request parameter to start the retrieval process.

After you request data older than 14 days, you’ll be notified by email when the data is accessible, and at that point you can run queries against the retrieved data from the Audit page or using the API. This data will be available for reporting for 14 days from the retrieval date.

Depending on the number of days requested and the average number of events logged per day, the process can take from 2 to 24 hours.

Improved PingOne

We modernized Domains in PingOne with a new look and feel. Learn more in Domains.

New PingOne

To ensure that every PingOne customer has the share of resources they need at any given time, PingOne sets rate limits based on your purchased PingOne products, as well as the product APIs licensed in your product license. Rate groups, which are groups of endpoints related to a particular product or service, each have their own rate entitlements.

Our new API Usage Dashboard lets you monitor your peak usage against the established entitlements so that you can plan effectively. Additionally, a new Rate Limits and Allowed IPs page in Settings allows you to bypass per IP rate limits for server-sourced traffic.

PingOne Integration Kits have been updated to support this new rate limiting model. Go to the Ping Identity Integration Directory and download the latest versions of your integration kits.

Learn more about rate limiting in PingOne in the following topics:

Improved Strong Authentication PingID

When migrating a PingID account to a PingOne environment, PingOne allows migration to complete even if a small number of the PingID accounts fail to migrate successfully.

To identify any user accounts that failed to migrate, Admins should check the PingID administrative activity report. The report includes the total number of failed accounts as well as an entry identifying the username for each failed account.

Learn more in Considerations after integrating or migrating a PingID account into a PingOne environment.

Improved Strong Authentication PingID

We’ve added backward compatibility for PingID accounts on PingOne when the MFA policy is configured to User selected default.

With this update, if a user signs in from a browser or application that does not support WebAuthn, they are now automatically prompted to authenticate with the next available method in their device list, instead of being asked to manually select a different device.

New PingOne Authorize

API Access Management now validates access tokens from third-party authorization servers. This allows integration with PingOne Advanced Identity Cloud, PingOne Advanced Services, or your current third-party identity provider while leveraging PingOne Authorize for centralized API access control. Token claims are automatically mapped to built-in attributes, making them easy to use in claims-based access control policies.

Learn more in External OAuth servers in PingOne Authorize.

New PingOne MFA

You can now configure the Self-Service-MyAccount application to require users to authenticate with MFA before they can manage their authentication methods for customer (PingOne MFA) use cases.

Learn more in Require users to perform MFA to manage MyAccount page (Customer only).

New PingOne PingOne Authorize

We’ve released Authorize gateway version 1.1.0. This version includes the following features and enhancements.

New PingOne

We now support RFC 7914 for Scrypt password encoding. The RFC-compliant encoding format uses the new SCRYPT_RFC7914 identifier to distinguish it from the earlier encoding format using the SCRYPT identifier. SCRYPT uses the pre-RFC encoding format known as c2NyeXB0.

Learn more in Scrypt in the PingOne API documentation.

New PingOne Protect

The User-Based Risk Behavior predictor now includes an option to have PingOne Protect attempt to detect compromised user accounts and take this into account when calculating the risk level for the predictor.

New PingOne Authorize

By default, combining algorithms stop evaluating once a final decision is reached. The new Evaluate All option overrides this behavior, ensuring that all child policies or rules are evaluated. This is useful for scenarios like fraud control, where full evaluation is required for auditing, analysis, and more precise control over when policy statements are generated, without affecting the final decision.

Learn more in Combining algorithms.

New PingOne MFA

To cover time synchronization issues, you can now configure the grace period during which the passcode can still be used even after the passcode has been refreshed. You can find details in Editing an application - Native and (Workforce Only) Configuring the PingID mobile application settings.

New PingOne

We’ve enhanced the application configuration and integration process for native mobile applications. The new Integrate tab for native applications provides access to a selection of prefilled code examples, instructions, and sample apps for both iOS and Android. When the required configuration steps are completed for the application, you can select one of the following options in the Language/Framework list on the Integrate tab:

Each snippet contains the Client ID, Redirect URI, and OIDC Discovery Endpoint for the application, and these values update dynamically when you change the application configuration. Additionally, the instructions for each snippet include links to the relevant SDK tutorials that walk you through the steps to complete the integration.

These improvements reduce the risk of copy-paste errors, shorten the time to first sign-on, and encourage a deeper use of DaVinci orchestration by eliminating the need to use custom REST calls.

Learn more by going to Applications > Applications in the PingOne admin console, selecting or creating a native application, and clicking the Integrate tab.

Learn more about configuring native applications in Editing an application - Native.

Improved PingOne

We’ve made some improvements to the Senders UI for clarity and ease of use. Learn more in Senders.

Improved PingOne

Conditional component visibility allows you to create a form in PingOne Forms with components that you can configure to be hidden or shown in a user-facing form based on Boolean values pulled from your DaVinci flow. Learn more in Configuring conditional component visibility.

New PingOne Verify

You can now configure Identity Data in your PingOne Verify policy. Data Matching allows you to compare identity data extracted during verification with an identity record. Based on the results of this comparison, you can define policy logic to determine verification outcomes (pass or fail). Learn more in Creating a verify policy.

New PingOne

OIDC-based applications in PingOne can now request an access token to access multiple custom resources in a single request. This capability simplifies the application authentication and authorization process and reduces the number of requests an application must make. Learn more about the Request scopes to access multiple resources option in Editing an application - OIDC.

Improved Strong Authentication PingID

PingOne now supports multiple MFA policies for Workforce (PingID) environments.

Legacy security key and FIDO2 biometrics authentication methods aren’t supported with multiple MFA policies, so make sure to update any existing MFA policies that don’t yet support FIDO2. Learn more in Configuring an MFA policy for strong authentication.

New PingOne

You can now use a SCIM connection to enable outbound provisioning from PingOne to a ZScaler ZPA and ZScaler ZIA account. Learn more in SCIM certified provisioners.

Improved PingOne

PingOne supports using expressions to retrieve additional attributes from Microsoft Entra when Microsoft is configured as an identity provider in PingOne. PingOne now supports three types of Microsoft Entra attributes:

Learn more in Using expressions to retrieve Microsoft Entra attributes.

New PingOne Protect

You can now create targeted risk policies with PingOne Protect to define risk policies for different targets, including flow types, applications being accessed, and user groups to which the risk policy will apply. During risk evaluations, PingOne Protect evaluates targeted policies in the order displayed in the Targeted Policies list until the target criteria are met for a policy. Learn more in Adding a risk policy.

Improved PingOne

You can now update the appearance of the image on your identity verification pages to better match your company styles and branding. Learn more in Branding and Themes.

Improved PingOne

We’ve updated the Branding and Themes UI with a new look and feel for a more streamlined experience. This new UI includes search and sort capabilities that make it easier to find the theme you need. It also lets you preview the appearance of your PingOne forms when you switch themes or update theme properties. Learn more in Branding and Themes.

New PingOne

We’ve created the Help Desk Admin role to delegate access for helping end users authenticate with PingOne. Administrators with this role can manage MFA methods and devices for users and reset passwords. This role can be assigned at the environment or population level. Learn more in Built-in PingOne administrator roles.

New PingOne

We’ve expanded to add a new data residency region for Singapore. Customers can now register new PingOne organizations with data residency and processing contained within Singapore. These organizations will use the new .sg domain name. Learn more about regional domains in Organizations.

New PingOne

PingOne now supports OpenID Connect (OIDC) session management, allowing OIDC-based applications in the same browser mode to monitor the user session status. When enabled, PingOne includes the session_state parameter in its authorization response with the session status, such as unchanged, changed, or error. Learn more about OIDC session management in Editing an application - OIDC.

New PingOne MFA

We’ve released version 2.1 of the PingOne MFA mobile SDK. This version includes the following features and enhancements:

Learn more in the documentation for the Android version and the documentation for the iOS version.

New PingOne MFA

You can now use Twilio Verify for sending PingOne notifications. Learn more in Using Twilio Verify with PingOne and in Phone Delivery Settings in the PingOne developer documentation.

New PingOne

In addition to creating and updating key-value pairs, PingOne Languages now includes the ability to delete unwanted or unused keys for a language. Learn more in Deleting translatable keys.

New PingOne Protect SDK

We’ve released a new version of the Signals (PingOne Protect) SDK for web, 5.6.0. You can find details in the SDK Changelog in the PingOne developer documentation.

New PingOne

You can now add custom virtual server IDs to SAML applications. This new capability allows you to identify your server differently when connecting to the same SAML application in various scenarios, such as from different environments or for different populations. Virtual server IDs also provide configuration flexibility and added protection against unauthorized access. Learn more in Editing an application - SAML and Virtual server IDs for SAML applications.

Info PingOne

To adjust to regulatory changes, SMS notifications sent with the default Ping server to users in China now use the Twilio SMS template.

If you use the Ping server for sending PingOne SMS notifications, your users in China will now see notifications branded with Twilio’s name rather than Ping Identity.

New PingOne PingOne SSO

Info PingOne MFA

To enhance security, in cases where multiple authentication policies are defined for accessing an application, PingOne no longer proceeds to the next authentication policy if a user has an MFA device that is unreachable, locked, or blocked.

Improved PingOne Verify

You can now verify users in India using PingOne Verify policies. Indian residents are issued an Aadhaar ID, which is a 12-digit identification number. When you configure Aadhaar verification in PingOne Verify policies, PingOne Verify gains the ability to directly integrate with India’s Aadhaar National Registry. Learn more in Creating a verify policy.

Improved Strong Authentication PingID PingOne MFA

The following improvements are now available in FIDO2 policy:

Learn more in Adding a FIDO policy

Info PingOne MFA

To improve delivery reliability for PingOne SMS notifications sent with the default Ping server, the use of short codes has been expanded.

If you use the Ping server for sending PingOne SMS notifications, and you haven’t customized notification content, your users in the United States and Canada might see notifications coming from a different number than previously.

New Strong Authentication PingOne MFA

OATH token authentication is now available for customer (PingOne MFA) use cases. Learn more in Configuring OATH token authentication

Improved PingOne

We’ve added a new Limit MFA to specific populations setting for environments using the PingOne & External IdP option for Administrator Security. If you select this option, you can select specific populations that will require secondary authentication through PingOne after the initial authentication with the IdP. Users in populations that are not selected will authenticate only once, through the IdP. Learn more in Configuring administrator security.

New PingOne

You can now invite other administrators to register for PingOne. To use this feature, you must use PingOne as your identity provider, have administrator security enabled with PingOne or a hybrid authentication source, and have the appropriate permissions.

In the invitation, provide their first and last name, their email address, and specify the administrator roles that you want the administrator to have. You can also set an expiration time on the invitation. The maximum time allowed is 24 hours.

The new administrators receive an email indicating that they were added as an administrator in PingOne. The email contains a registration link and instructs them to click the link, copy the invite code, paste it into the appropriate field, and create a password to complete the registration process.

Learn more about this process in Inviting administrators to register and Accepting the administrator account registration.

The PingOne administrator Getting Started experience has also been updated and now includes this functionality.

Improved PingOne

Production environments can now be deleted, but the environment will be in a recoverable state for 30 days before it is permanently deleted. Sandbox environments are still deleted immediately and are not recoverable. Additionally, you can promote Sandbox environments to Production, but you can no longer demote Production environments to Sandbox.

Learn more in Sandbox and Production environments, Deleting an environment, and Recovering a deleted Production environment.

New PingOne SSO DaVinci PingID

External multi-factor authentication (MFA) allows Microsoft Entra ID users to leverage external authentication providers for MFA. You can now use DaVinci with PingOne SSO and PingID to configure external MFA, formerly known as an external authentication method (EAM), for Entra ID. Learn more in Setting up PingOne SSO, DaVinci, and PingID as the external MFA provider for Microsoft Entra ID.

New Strong Authentication PingOne MFA

You can now enable and configure WhatsApp as an authentication so that your users can receive a one-time passcode (OTP) by WhatsApp message.

This authentication method is available for customer (PingOne MFA) use cases only, and requires you to have your own WhatsApp Business Account.

Learn more in Configuring WhatsApp authentication.

Improved PingOne

The roles on the Built-In Roles tab of the Administrator Roles page are now organized into categories that clearly separate the roles used for single sign-on to other Ping products from the main PingOne roles. These categories are also used throughout the UI to simplify role assignment. Learn more in Administrator Roles.

New PingOne

PingOne can now include the x5t header parameter in access tokens, ID tokens, and JSON Web Token (JWT)-based refresh tokens for OIDC-based applications. This new capabiliity improves interoperability with applications, custom resources, or both that require the x5t parameter in the digital signature verification process. Learn more in Editing an application - OIDC.

New PingOne Authorize

We’ve released version 1.4.0 of the Amazon Web Services integration kit. Now you can extend Amazon CloudFront’s authorization capabilities by deploying the integration kit as a Lambda@Edge function. Integrating PingOne Authorize with CloudFront enables optimized content delivery and globally distributed access control of web applications and APIs. Learn more in Configuring Amazon CloudFront.

Improved Strong Authentication PingID

PingID out-of-the-box (OOTB) registration and authentication flows in DaVinci have been expanded to include:

Improved PingOne

We modernized External IdPs in PingOne with a new look and feel. Learn more in External IdPs.

New PingOne

You can now try out new PingOne features before they’re released and provide feedback directly to Ping from the admin console. You decide which features to enable during the early access period and the environments in which to enable them. You can also opt out of a previously enabled feature during the early access period. Learn more in Managing opt-ins for early access features in PingOne and PingOne Early Access Features.

Improved Strong Authentication PingID

You can now configure PingID mobile app’s number matching feature to require users to enter the correct number manually, rather than selecting from a list of three numbers.

New PingOne

We’ve released LDAP gateway client application version 3.4.0. This version includes:

New PingOne

We’ve added the ability to select a Language for Populations, making it easier to specify the preferred language for a user when building authentication experiences in PingOne DaVinci. Learn more in Managing populations.

PingOne Protect SDK

We’ve released new versions of the PingOne Protect (Signals) SDK:

You can find details in the SDK Changelog.

New PingOne Authorize

We’ve released version 1.2.0 of the ping-auth plugin for Kong Gateway. This version improves security by supporting referenceable shared secrets in Kong.

Learn more in Configuring Kong Gateway for PingOne Authorize integration.

Improved Strong Authentication PingID PingOne MFA

When configuring an MFA policy, you can now specify the maximum number of times authentication can fail when using a FIDO2 device, before the user is blocked. You can also specify the amount of time the user is blocked from authenticating with that device.

Learn more in Configuring an MFA policy for strong authentication.

Info PingOne

As part of our continued efforts to support best practice security measures in PingOne, we’ll be using Cloudflare instead of Amazon CloudFront as our custom domain ingress infrastructure. This change is being deployed in a phased approach and affects you only if you use custom domains. Learn more about custom domains in Setting up a custom domain.

New PingOne

ID tokens now include a new claim called p1.mfa_device_id, the ID of the device that was used to authenticate. You can find more information about the content of ID tokens in ID Token claims.

New PingOne PingID PingOne Protect

For workforce contexts, risk evaluations can now include the new PingID device trust predictor if your users install the PingID device trust agent on their computers. This predictor requires a PingID and PingOne Protect license.

Learn more in Using the PingID device trust agent, PingID device trust predictor, and the Risk Predictors section in the PingOne Protect API documentation.

Improved PingOne MFA

When determining what language should be used for a notification sent to a user, PingOne now takes into account the language preference information included in the Accept-Language header sent by the browser. You can find a full description of the logic used for choosing a language in Runtime logic for content selection in the API documentation.

New PingOne MFA

You can now use the PingOne API to implement "remember me" functionality in your web applications so that users do not have to authenticate when accessing applications from a remembered browser during the period specified, which can be from one hour to 90 days.

If you include this option, use the new Remember Me Configurations section when defining MFA policies to specify which policies should allow the option. For instructions on implementing this feature, see Remembered Devices.

New PingOne

We’ve added a new Display Environment Overview permission that controls access to the Overview page for the environment. This permission is included in all built-in administrator roles in PingOne, but you can remove it from custom roles to restrict access to this page. This permission affects visibility in the admin console only and doesn’t affect API access. Learn more about built-in and custom roles in Administrator Roles.

Improved PingOne

If a population doesn’t have a selected theme, the population now uses the active theme for the environment. This update ensures that preferred branding is displayed to users when building authentication experiences in PingOne DaVinci. Learn more in Managing populations.

New PingOne MFA

You can now define up to three custom providers to use for SMS/voice notifications. After you’ve defined the providers, you can specify in your notification policies the order of provider preference to use in different geographical locations.

Improved PingOne

As part of our continued efforts to support best practice security measures in PingOne, we’ve made the following updates to enhance the multi-factor authentication (MFA) requirements introduced earlier this year:

Improved PingOne

To reduce administrative and development tasks, PingOne now always includes the organization ID and environment ID in its access tokens. The claims are included in access tokens as org and env, respectively. If your organization’s processes require the organization ID, environment ID, or both, you can now retrieve this information by reading the JSON Web Token (JWT)-based access tokens or sending introspection requests and reviewing the results.

Improved PingOne Protect

PingOne Protect now detects replay attacks that use an intercepted valid payload from the Signals SDK.

Improved PingOne

When adding a new native application, PingOne creates the application with the following new defaults to align with current security best practices:

Existing native applications won’t be updated to use the new defaults. You can update the settings for new and existing native applications as needed. Learn more in Editing an application - Native.

New PingOne Credentials

You can now add PingID as a digital wallet to issue verifiable credentials. Learn more in Creating a credential. You can find end user documentation in Manage and share Credentials in the PingID End User Guide.

New PingOne

The LinkedIn external identity provider (IdP) now uses an OpenID Connect (OIDC)-based connection to allow your users to sign on to an application with LinkedIn. The legacy OAuth 2.0-based IdP connection for LinkedIn has been deprecated. Existing applications using the legacy IdP will continue to work, but new applications default to the new OIDC-based connection. Learn more in Adding an identity provider - LinkedIn.

New PingOne PingOne Authorize

We’ve released Authorize gateway version 1.0.0. To reduce authorization latency when you have demanding performance requirements, you can now deploy authorization policies managed in PingOne to Authorize gateway instances located on-premise or in your private cloud. In highly regulated environments, this also ensures data privacy by keeping sensitive data for authorization decisions within your secure trust boundary. Learn more in Authorize gateways.

Improved PingOne Authorize

You can now send additional parameters in HTTP service requests. For HTTP services authenticated with the Client Credentials grant type, use the Custom OAuth Parameters setting to add custom key-value pairs to the token endpoint request. This level of customization is useful when integrating with authorization servers that enforce specific configuration constraints. Learn more in Connecting an HTTP service.

Improved PingOne Authorize

We’ve refreshed the Authorization Dashboard to improve your user experience. You can track authorizations and decision counts by date, and view the average execution time for services, in addition to the maximum execution time. Learn more in Authorization Dashboard.

New PingOne PingOne Authorize

You can now force step-up authentication when users access sensitive resources through APIs. When authenticated users try to access more sensitive resources, such as salary data, health records, or premium content, you can require a higher level of authentication and also set limits on the amount of time allowed since the last authentication event.

Use the new Respond with authentication step-up challenge statement template to implement step-up authentication challenges in policies that protect API services and operations.

Learn more in Step-up authentication for APIs and Statement templates.

New Strong Authentication PingOne MFA PingID

We’ve added the ability to create a new PingID account and manage it from a PingOne environment. Many features that were previously managed by the legacy PingID admin portal (on the Configuration tab and the Device and Pairing tab) can now be managed in PingOne.

Administrators can also take advantage of additional functionality available in PingOne including:

A small number of features are still managed by the legacy PingID admin console, such as PingID policy.

Fixed STAGING-25145 PingOne

For PingID accounts that are integrated with PingOne environments, we’ve fixed an issue in the legacy PingID admin portal that was preventing the Device Authorization app from showing in the PingID policy applications list.

New PingOne

We’ve added the ability to configure Alternative Identifiers for Populations, making it easier to determine a user’s population based on an identifier value in a DaVinci flow. Additionally, populations can now specify a Theme, making it easier to determine the preferred branding for a user when building authentication experiences in PingOne DaVinci. Learn more in Managing populations.

Improved PingOne MFA

You can now define a user presence timeout value for FIDO2 devices. The User Presence Timeout field defines the amount of time the user has to perform a user presence gesture with their FIDO device before the request expires. Learn more in Adding a FIDO policy.

Improved PingOne

The Reset Password capability in the DaVinci LDAP connector is now compatible with Active Directory. Learn more in LDAP Connector.

New PingOne

The User demographic dashboard shows a summary of user demographic profiles and activity for the selected environment. Learn more in User Demographics Dashboard.

New PingOne

We’ve enhanced the application configuration process for OpenID Connect (OIDC) applications. The new Integrate tab provides access to prefilled code examples, instructions, and sample apps for testing connections. Initial support is available for Node.js Express and the Ping SDK for JavaScript. Learn more in Integrate PingOne with a Node.js Express app or Integrate Ping SDK for JavaScript with PingOne.

Improved PingOne Verify

You can now manually approve a user’s ID from the transaction log. Learn more in Manually approving a user’s ID.

New PingOne

PingOne now supports using the flowPolicyId HTTP request parameter to indicate the authentication policy for PingOne to use when authenticating users to a SAML application. You can include the flowPolicyId HTTP request parameter in the Initiate Single Sign-On URL to specify a PingOne authentication policy or a DaVinci flow policy. Learn more in Editing an application - SAML.

New PingOne Verify

Use language localization to configure one or more languages and modify text fields of PingOne Verify text that is presented to end users in notification and agreements. Learn more in Configuring PingOne Verify language localization.

New PingOne Protect

When you promote a staging policy to production, the staging policy will now be automatically deleted from your list of risk policies. You can no longer unlink PingOne Protect staging policies from a production policy. Learn more in Creating and managing staging policies.

New PingOne Protect SDK

We’ve released new versions of the PingOne Protect (Signals) SDK:

You can find details in the SDK Changelog.

New PingOne

PingOne now supports the offline_access scope for OIDC-based applications. Add offline_access as an allowed scope to enable an application to use the Refresh Token grant type to access previously approved resources when the user is not present and on a per-request basis. This allows the application to drive the decision to request a refresh token based on whether or not it needs a refresh token. Learn more in Editing an application.