PingOne Release Notes

Improved PingOne

As part of our continued efforts to support best practice security measures in PingOne, we have enhanced the multi-factor authentication requirements introduced earlier this year.

The following updates have been made:

Learn more in Administrator security and the PingOne administrators MFA requirement - FAQ.

New PingOne Authorize

We’ve added a retry mechanism to improve handling of 5xx errors caused by transient network or service issues. Use the maxRetries setting in config.js to set the maximum number of retries you want before returning a failed response to the client. The default is 1.

New PingOne

External authentication methods allow Microsoft Entra ID users to leverage external authentication providers for multi-factor authentication (MFA). You can now enable this integration with PingOne authentication policies. Learn more in Entra ID external authentication method.

New PingOne

You can now merge or overwrite memberships when a group with the same name exists on the target. Learn more in Configuring outbound group provisioning.

New PingOneMFA

To help users recognize which application the OTP displayed in their authenticator app is for, the MFA policy configuration page now includes an option called Show application name. Use this option to specify the text that should be displayed alongside the OTP in the authenticator app.

Improved PingOneMFA

To facilitate testing, when you define a FIDO policy in a Sandbox environment in PingOne, you can now set Relying Party ID to localhost.

New PingOne

We’ve released a significant update in the PingOne Administrators environment to streamline the onboarding process for new PingOne administrators. This release introduces a Getting Started experience tailored to address common points of confusion and help new administrators quickly understand and manage their responsibilities within the platform. Learn more in the Introduction to PingOne.

New PingOne Authorize

We’ve released new versions of the following API gateway integration kits:

These versions improve how the integration kits handle rate limiting to achieve more reliable and stable authorization services. Learn more about connecting your API gateway to PingOne Authorize in PingOne Authorize API gateway integrations.

Improved PingOne

The Default MFA status for new users setting on the MFA Settings page is now enabled by default in all new environments. This setting allows just-in-time registration of new multi-factor authentication (MFA) methods for PingOne administrators the first time they sign-on to the admin console. Learn more in Configuring MFA settings.

New PingOne Protect

A new risk predictor called Traffic Anomaly has been added in order to detect traffic anomalies in terms of variables such as users, devices, and sessions.

The Traffic Anomaly predictor will eventually include a variety of rules, some of which you can select to enable or disable. In this initial release of the predictor, PingOne Protect detects situations where there are a large number of risk evaluations requested for a single user within a short period of time, and optionally can also detect situations where the number of users per device during a given period is suspicious.

When a risk level of High is calculated for the Traffic Anomaly predictor, it is recommended that you deny access because the suspicious activity is likely due to malicious behavior.

For details, see Predictors, Configuring predictors, and the Risk Predictors section of the PingOne API documentation.

Improved PingOne Protect

Due to the use of corporate proxies and other network tools, the user’s true IP was often masked by an internal IP, reducing the benefit provided by risk predictors that factor in the IP or user location. To handle such situations, if PingOne Protect encounters an internal IP, it now uses the user IP that is included in the Signals (Protect) SDK payload. This feature requires version 5.2.7 or later of the Signals SDK for Web.

Info PingOne Protect

The User Risk Behavior (organization-wide) predictor has been deprecated. The predictor can still be used in existing PingOne environments, but is not available in new environments.

New PingOne

We’ve released LDAP Gateway client application version 3.2.2, which includes improved support for unauthenticated proxy for LDAP gateway provisioning sync.

New PingOne

We’ve released LDAP Gateway client application version 3.2.0. This version includes:

Learn more about using a web proxy server in LDAP gateways and Starting a gateway instance.

New PingOne Protect

When creating composite risk predictors, you can now include conditions that check what PingOne user groups the user belongs to. For details, see Adding composite predictors and the example in the PingOne API documentation.

New PingOne Protect

You can now add an alert to receive an email notification if PingOne Protect detects a pattern of suspicious traffic that requires your attention. For details on adding alerts, see Adding an alert.

New PingOne Protect

The Bot Detection predictor now has an option that you can select to expand the types of bot activity that PingOne Protect can detect. For details, see Configuring predictors and the Risk Predictors section of the PingOne API documentation.

New PingOne

Learn more: RADIUS gateways.

Improved PingOne

When adding a new single page application, PingOne creates the application with the following new defaults to align with current security best practices:

Existing single page applications will not be updated to use the new defaults. You can update the settings for new and existing single page applications as needed. Learn more in Editing an application - Single page.

New PingOne MFA

For MFA, the PingOne API now includes an option to use dynamic linking to attach a unique identifier to the registration of a FIDO device.

For details, see the FIDO2 devices data model table under MFA devices in the PingOne API documentation.

New PingOne

As part of our ongoing commitment to enterprise security and supporting best practices, multi-factor authentication (MFA) is now mandatory for PingOne administrators in organizations created after July 18, 2024. If your organization was created before July 18, 2024, you will be able to opt in for this requirement on a per-environment basis in the coming months. A message in the admin console will indicate when the early access period begins. In 2025, this requirement will be enabled in all organizations, for all environments. Learn more in Administrator security and the PingOne administrators MFA requirement - FAQ.

New PingOne Protect

It is now possible to have the device data in the Signals SDK payload converted to a signed JWT, to ensure that the content has not been tampered with.

When defining a Suspicious Device predictor in your PingOne environment, you can specify that any risk policies containing the predictor will require that the Signals SDK payload use the signed JWT option, with the signature being verified before proceeding with risk evaluation.

Currently, the option of providing the SDK payload as a signed JWT can be enabled in the initialization code for the SDK or via the option that has been added to the skrisk component used in DaVinci flows.

For details, see Configuring predictors, the documentation for the web version of the Signals SDK, the Risk Predictors section of the PingOne API documentation, and the documentation for the PingOne Protect DaVinci connector.

New PingOne Verify

We’ve added a new feature for Verify policies, Enable AAMVA. This allows verification of ID information against the issuing agency database. Learn more in Creating a Verify Policy.

New PingOne

We’ve created the Application Owner role to limit administrator access to specific applications. Use this role to provide application developers with access only to the applications they manage. This role provides no other administrator permissions in PingOne. Learn more in Administrator Roles and Managing user roles.

Improved PingOne

To ensure consistent terminology throughout the product, two user interface (UI) updates have been made:

Learn more in Administrator Roles and Managing user roles.

New PingOne Verify

We’ve added a new feature for Verify policies, Fail expired IDs. This allows users to fail verification when an ID expires. Learn more in Creating a Verify Policy.

New PingOne

We’ve released LDAP Gateway client application version 3.1.2. This version includes:

Learn more in LDAP gateways and the new Best practices for configuring Active Directory for LDAP gateways.

New PingOne Protect

When creating risk evaluations, you can now provide additional detail about the context of the flow by specifying a flow subtype in addition to the flow type. For details, see the description of the new flow.subtype field in the PingOne API documentation.

New PingOne Protect

A new endpoint, riskFeedback, has been added to the PingOne API to allow you to provide feedback on the accuracy of specific risk evaluations that were carried out. Each such call can include feedback for up to 100 risk evaluations, and for each evaluation you can specify a feedback category and a reason for including the evaluation in that category. For details, see Providing feedback for risk evaluations in the API documentation.

Improved PingOne

We’ve updated the Populations UI into corresponding sections to easily help navigate through various configurations. Admins can now see details attached to a population within the populations UI, along with the ability to navigate to corresponding configurations in Password Policy and External IdP when needed. Learn more in Managing populations.

Improved PingOne

We’ve extended support for cross-origin resource sharing (CORS) to additional endpoints in PingOne. CORS allows devices on one domain to access resources on another domain. Learn more in Cross-origin resource sharing and in the Cross-origin resource sharing section of the PingOne API documentation.

New PingOne MFA

For MFA, the PingOne API now includes an option to use dynamic linking to attach a unique identifier to a FIDO transaction. For details, see Create a request property JWT and Device authentications data model in the PingOne API documentation.

Improved PingOne MFA

We’ve added the option to allow the user to add a device nickname during the pairing flow. After successfully pairing the device, a popup window is shown, asking them if they want to define a device nickname. If the user does not edit the text field, the default nickname is applied.

For more information, see Adding an MFA policy.

Improved PingOne

When creating or editing a form in User Experience → Forms, you can now add a social login button from the Toolbox. For details, see Form toolbox.

This feature is in limited release. Contact Ping support to request access to this feature.

New PingOne Mobile SDK

Version 1.10.1 of the PingOne MFA mobile SDK for iOS has been released.

This version contains a single bug fix. For details, see Release notes - iOS version.

New PingOne Authorize

We’ve made it easier to assign application roles to users. Now you can assign application roles on the Users page, in addition to assigning users to roles when you create an application role. Learn more in Managing user roles.

Improved PingOne

The user interface (UI) for Alerts in PingOne has been updated with a new look and feel. You can now add a name for alerts and search/sort by alert name.

New PingOne

We’ve added a new .com.au domain for our Australia region that reflects Australian data residency. Organizations created for our Australia region after May 6, 2024 will use the new .com.au domain name. Organizations created before that date must continue to use the .asia domain name. Learn more about regional domains in Introduction to PingOne.

New PingOne

We’ve added two new event types for PingOne gateways configured to use the Kerberos protocol for authentication:

You can review these events in the PingOne Audit log. Learn more in Event types.

New PingOne

When adding or editing a Microsoft 365 application, you can now configure the Subject NameIdentifier Format format value and also configure a mapping for the value to a PingOne attribute. Learn more in Adding Microsoft 365 to PingOne.

New PingOne Authorize

Now you can include a permissions claim in access tokens created for your APIs and custom resources. This enables you to retrieve and enforce permissions for application features and API resources developed by your organization. Learn more in Application permissions.

Improved PingOne

The tel and sms protocols are now supported in HTML footers used in customize themes. Learn more in Customizing a theme.

New PingOne

We’ve made it easier to add custom properties to groups in PingOne Directory. Now you can simply add metadata properties as key-value pairs in the user interface for creating or updating groups. Learn more in Creating a group.

New PingOne Verify

The Verify dashboard shows identity verification transaction activity for your organization. Learn more in Verify dashboard.

Improved PingOne

Previously, when uploading or downloading a language pack in User Experience → Languages, you could only download the translatable keys for each module. Now, you can download or upload the complete language pack.

Learn more in Downloading a language bundle and Uploading a language bundle.

New PingOne Verify

You can now configure a document authentication provider in your verify policy. Learn more in Creating a verify policy.

New PingOne Verify

We’ve added two new features for Verify policies: Government ID Retry Attempts and Selfie Retry Attempts. This allows users to retake pictures of a government ID or selfie if the previous image had a quality problem.

Learn more about government ID retry and selfie retry in Creating a verify policy.

New PingOne

The requirement of responding to a verification email when adding a "sender" email address made it difficult to add an address that does not have an inbox. Now, when you create a trusted email domain, PingOne creates an additional text record that reflects the association of the domain with the specific PingOne environment. If you add this new record to your DNS, any sender email address belonging to the domain is set to active status as soon as you create it, with no need for a verification email.

New PingOne

Branding and Themes now have unique Theme IDs for themes that can be copied and pasted directly into the PingOne Forms connector. A unique theme name will also be generated by default to prevent having duplicate themes in the environment.

Learn more in PingOne Forms connector.

New PingOne MFA

We’ve added the ability to aggregate all FIDO2 devices associated with a user’s account during authentication. This simplifies authentication, as the user is presented with a single FIDO2 authentication method representing all of their paired FIDO2 devices, rather than seeing each device listed separately. If the user chooses to authenticate with the aggregated FIDO2 authentication method, the OS of the accessing device selects the most appropriate method for them to use to authenticate.

Learn more at Adding a FIDO policy.

Improved PingOne

We’ve updated the Environments page to include search and sort capabilities that make it easier to find the environment you need. We’ve also added the ability to upload a custom icon to make an environment stand out visually in the list. Additionally, you can now view and edit environment details without leaving the Environments page. The Environment Properties page has also been updated, providing a consistent experience. Learn more at Getting started with PingOne and Environment properties.

Improved PingOne

We’ve improved the process for integrating an existing PingID account with PingOne. PingOne now performs more comprehensive validations during the integration process, enabling Administrators to fix issues and ensure license compliance before starting the integration. Learn more at Integrating a PingID account with a new PingOne environment.

New PingOne

We’ve updated the RADIUS Gateway client application to version 1.1.1. This version has a lighter footprint, improves security, and reduces dependencies. RADIUS Gateway 1.1.1 supports Java 17.0.8 or later.

Improved PingOne

We’ve streamlined the user interface for viewing and assigning roles. This update reduces scrolling and clarifies the context in which the user or group has roles assigned. Learn more at Managing user roles and Managing group roles.

New PingOne

We’ve added the ability for PingOne to always update PingOne user attribute changes from an external directory on every successful authentication through the LDAP Gateway client. Learn more about enabling user attribute updates in Adding a user type.

Improved PingOne

The descriptions for the Password Check Succeeded and Password Check Failed audit events in PingOne have been enhanced to include more information for users signing on through a PingOne gateway and to improve the troubleshooting experience, as described in the following table:

Learn more about audit events in Event types.

Improved PingOne

The User Updated audit event in PingOne has been enhanced to include information about most user attributes that were changed, added, or removed during the update. Learn more about auditing events in Event types. Learn more about user attributes.

New PingOne

You can now enable Proof Key for Code Exchange (PKCE) for custom OIDC identity providers in PingOne. PKCE helps to secure communication with the provider and can prevent authorization code interception attacks. Learn more at Adding an identity provider - OIDC.

New PingOne Protect

The use of disposable email addresses is a common characteristic of fraudulent activity. PingOne Protect now has a risk predictor to detect the use of disposable email addresses during registration.

You can add the predictor to your risk policies, and you can also define a specific course of action if the result.recommendedAction field in the risk evaluation response indicates the use of a disposable email address.

Info PingOne Protect

For risk evaluations that use a risk policy with the New Device predictor, the API response now includes a field that represents the date and time that the device was last seen. For details, see Risk Evaluations in the API documentation.

New PingOne Authorize

We’ve added the following new API Access Management event types:

You can review these events in the PingOne Audit log or create webhooks to ensure management of API Services is working correctly. Learn more in Viewing API Access Management events in your PingOne environment audit log.

New PingOne

We’ve added support for the device authorization grant type, which you can use to enable users to authorize access to a protected resource on a device with limited user input capabilities, such as a smart TV, using a browser on a second device, such as a smartphone or computer.

For more information, see Device authorization and Editing an application - Device authorization.

New PingOne MFA

To cover situations where a user did not receive the one-time passcode (OTP) that was sent for pairing a device, the PingOne API now provides a request for resending the OTP. For details, see Resend Pairing OTP in the API documentation.

Improved PingOne MFA

The user interface for configuring senders for email and SMS/voice has been updated to be more streamlined and intuitive.

Improved PingOne MFA

When you generate a User Devices report, the report now include a field called fidoUserVerification, which indicates whether user verification has been performed successfully with a FIDO device during registration or authentication. For more information on user verification, see Adding a FIDO policy.

New PingOne MFA

We’ve added the User Devices chart to the PingOne MFA dashboards. The User Devices chart is comprised of the following two charts (in the drill-down view):

You can filter the results by primary or secondary device, and OS version (Android or iOS).

For more information, see User devices and app version charts.

New PingOne

OIDC-based applications and custom resources in PingOne now support client secret JWT and private key JWT for token introspection endpoint authentication method. OIDC applications also now support asymmetric request object signing algorithms. You must provide either the JSON Web Key Set (JWKS) itself or the URL where PingOne can retrieve the JWKS to use private key JWT for authentication and for an OIDC application to send asymmetrically signed request objects.

For more information, see Token endpoint authentication methods, Editing an application, and Editing a resource.

New PingOne Protect

To further enhance its ability to prevent account takeover, PingOne Protect now has a dedicated risk predictor to handle Adversary-in-the-Middle attacks.

AitM is a variant of Man-in-the-Middle attacks in which a malicious actor uses a reverse proxy to position themselves between a user and an online service in order to obtain user credentials and session tokens. This type of attack circumvents the protection usually provided by OTP-based multi-factor authentication, and of late has become a common technique in phishing attempts.

For details, see Configuring predictors and Risk Predictors in the API documentation.

Improved PingOne Protect

For the individual charts included in the PingOne Protect dashboard (other than Risk Heat Map) the event details table now includes all risk evaluation events, even those where all the risk predictors in the policy indicated low risk.

Improved PingOne Protect

The bot detection predictor is now taken into account when categorizing IPs as risky.

On the Risky IP chart, when you click View Details to see why an IP was categorized as high-risk, you may see bot detection given as a reason.

New PingOne

PingOne now supports outbound group provisioning. Use PingOne provisioning to sync groups along with its memberships out of PingOne to a connected software as a service (SaaS) application. For more information, see Outbound group provisioning.

New PingOne Authorize

With the new Gateway service, you can retrieve user profile information stored in on-premise and external LDAP directories, such as PingDirectory or Microsoft Active Directory, for use in authorization policies. User data is cached for improved performance. For more information, see Authorization services.

Improved PingOne

After you update a client secret in PingOne, you must ensure that any applications or resources that use the secret are updated. Previously, if there was lag time between when a new client secret was generated and when application or resource owners updated the application or resource to use the new secret, errors could occur because the old secret was invalidated immediately. Now you can choose to retain the previous client secret for up to 30 days, giving application or resource owners time to update the secret without end users experiencing errors in the meantime. Additionally, you can immediately revoke the previous client secret at any time during the retention period if it is no longer needed.

Multiple client secret support applies only to OIDC-based applications and custom resources at this time. You can use the PingOne admin console or the PingOne API to generate a new client secret and define a retention period for the previous secret. For more information, see Rotating the client secret for an application and Rotating the client secret for a resource.

New PingOne

You can now use the optional policy request parameter to specify which policy to use for the Application Portal application. The authentication policy defines the sign-on requirements for accessing the Application Portal. For more information, see Applying authentication policies to the Application Portal.

New PingOne

Version 5.2.10 of the PingOne Signals SDK for web has been released.

This version contains performance improvements for initialization of the SDK.

New PingOne Authorize

Managing permissions in your custom applications is now as easy as checking a box. Now you can:

For more information, see Application permissions.

New PingOne MFA

We’ve added the following features to allow PingID users to manage their devices from the PingOne MyAccount page, rather than the PingID Devices page:

New PingOne MFA

You can now view and export reports that list the details of MFA devices, such as the username and user ID associated with the device, using a number of device-related filters. For example, you can generate a report listing all email devices or a report containing all of the devices whose phone number starts with a certain country code. Results can be exported in csv or json format.

For details, see User Devices report.

New PingOne Protect

When composing a composite predictor, you can now include user name and user ID as criteria. You can use this feature to assign a different risk level for user names or user IDs that contain specific strings, for example, a specific domain name.

For details, see Adding composite predictors and the Risk Predictors section in the API documentation.

Improved PingOne

We’ve added support for cross-origin resource sharing (CORS) to PingOne. CORS allows devices on one domain to access resources on another domain. Configure CORS settings to enable your OIDC or SAML application to access third-party resources, such as cross-origin images, scripts, and stylesheets. For more information, see Cross-origin resource sharing.

New PingOne Mobile SDK

Version 1.11 of the PingOne MFA mobile SDK for Android has been released.

This version contains a number of bug fixes.

See Release notes - Android version.

Improved PingOne Mobile SDK

The sample app for the PingOne MFA mobile SDK has been updated to demonstrate support of passkeys. This applies to both the Android and iOS versions of the sample app.

Improved PingOne Authorize

Now you can extend Kong’s authorization capabilities with an integration kit that supports Kong Konnect. This integration allows you to centrally manage your authorization requirements using PingOne Authorize’s external policy evaluation service, controlling access to APIs with simple rules and fine-grained policies. For more information, see Integrating PingOne Authorize with Kong Konnect.

Improved PingOne Authorize

We’ve made it easier to add runtime authorization controls to your existing PingOne configuration. In PingOne, a resource represents your API for OAuth authorization purposes. Now you can assign existing PingOne resources to API services, adding runtime API Access Management controls around your previously modeled APIs. For more information, see Defining your API in PingOne Authorize.

New PingOne

You can now filter groups by external source, such as an external identity provider or LDAP Gateway, and by population. For more information, see Searching for groups.

New PingOne

To simplify user configuration after you add a large number of users to PingOne, you can now set a default identity provider for a population. This setting applies to any users in the population who do not have Authoritative Identity Provider defined in the their user profile, and applies only as long as the user remains in the population. This setting does not affect the Authoritative Identity Provider setting on the user profile. For more information, see Managing populations.

New PingOne Verify

PingOne Verify now supports inspection type for government ID. Inspection type determines the type of inspection performed on government-issued documents and offers automatic, manual, and step-up to manual options. For more information, see Creating a verify policy.

Improved PingOne

We’ve released LDAP Gateway client application version 3.0.4. This version improves performance, and requires Java 17.0.8 (or later) or Java 21 LTS (or later). For more information, see LDAP gateways.

New PingOne MFA

When you customize the template for the message that is sent to notify a user when a new device is paired for their account, you can now include a variable called report.fraud. If you include this variable, the message will include a link that the user can click to report fraudulent pairing attempts. PingOne records these reports and you can view them in the Audit log. The event type for these reports is Fraud Reported.

Info PingOne MFA

We’ve added a warning message to MFA policy to ensure administrators are aware that using the Ping sender account for SMS and Voice calls incurs charges. The popup message also appears when switching from a custom sender account to Ping’s sender account. To discourage the use of less secure authentication methods when creating a new MFA policy, the Voice authentication method is not selected by default.

New PingOne Verify

The PingOne Neo Verify User Data endpoint and its only call, Read User Verification Data, are deprecated. The endpoint and request will be removed December 2024. For more information, see User Data and GET Read User Verification Data.

New PingOne

The PingOne RADIUS Gateway Docker images have moved to the Docker Hub. If you are running the PingOne RADIUS Gateway as a Docker container, ensure that you update your Docker commands, replacing the old image location with the new location at:

For example, the Docker run command for the latest version is:

If you have implemented any automated solutions, you should also update them to the new Docker Hub location.

Improved PingOne

We’ve released LDAP Gateway client application version 3.0.1. This version improves security and performance, and requires Java 17.0.8 (or later) or Java 21 LTS (or later). Java 8 and Java 11 are no longer supported. For more information, see LDAP gateways.

Improved PingOne

We’ve added the PingID Policy evaluation capability to the RADIUS Gateway connector. For information, see RADIUS Gateway connector.

Improved PingOne

We’ve added the PingID Policy evaluation capability to the PingID connector. For information see PingID connector.

Improved PingOne

We’ve incorporated extensive feedback from customers, partners, and user testing sessions into a new and improved PingOne sidebar navigation experience. The new structure makes it easier to discover new capabilities and manage your everyday configuration tasks. The documentation has been organized to reflect the new experience.

While we think the new sidebar will be more intuitive and easier to use, we’ve created a PingOne sidebar navigation crosswalk to help you get oriented quickly.

Improved PingOne

In an effort to simplify the login experience, we’ve removed region selection when signing on to PingOne and consolidated environments associated with an administrator’s email address across all regions. Any environment with an expired license will also be flagged. See Accessing the PingOne admin console.

Info PingOne Protect

The following types of risk predictors can now have only one instance per environment:

The remaining predictor types can still have up to fifteen instances per environment.

Improved PingOne

For inbound provisioning using the Workday provisioning connector, the polling interval has been reduced from 4 hours to 15 minutes. For more information, see Inbound and outbound provisioning.

New PingOne Authorize

Now you can use OAuth 2.0 Client Credentials grants to authenticate HTTP service connections. This grant type allows the decision service to obtain and manage access tokens for service connections, eliminating the need for static tokens stored in attributes. As part of this update, the OAuth authentication type has been renamed Bearer Token. For more information, see Connecting an HTTP service.

New PingOne Authorize

To improve policy testing, we’ve added the capability to test statement processing. Using built-in statements processed by the API Access Management HTTP Access Policy Service, you can simulate API requests and responses and examine the resulting statement transformations. For more information, see Testing statement processing.

New PingOne Authorize

To improve your policy authoring experience, we’ve made it easier to access user profile information from PingOne Directory. The Trust Framework now includes built-in user name, email, primaryPhone, and username attributes ready for use in policies without any additional configuration. For more information, see Built-in attributes.