PingOne Advanced Services

PingOne Advanced Services Release Notes

Review release notes for PingOne Advanced Services.

November 2024

Platform version: 1.19.2.0. Updated November 21, 2024.

In this platform version:

These applications are also included:

The following Amazon EKS platform versions are supported:

  • 1.25

  • 1.26

  • 1.27

  • 1.28

  • 1.29

  • 1.30

Indexed log file retention policy change

Info

With the release of platform version 1.19.0.0, we announced that we’ve replaced Elasticsearch with OpenSearch because OpenSearch provides a larger and more innovative feature set. As part of our continual updates to our Observability platform, starting in version 1.19.2.0, indexed logs will only be available for a rolling 30-day window. Log files older than 30 days will be unavailable and will remain in our internal AWS S3 archive.

Many of you have your own Security Information and Event Management (SIEM) systems and your own ways of storing, indexing, and searching your log files, so you won’t be affected by this change. The same is true if you receive a copy of your logs through a customer endpoint. Your log files can remain on your endpoint systems for the amount of time specified in your retention policies.

Otherwise, this change in policy means that:

  • If you’re upgrading to version 1.19.2.0, your Elasticsearch data will not be directly migrated into OpenSearch. Instead, only new logs will be processed after the upgrade and be available in your new OpenSearch dashboard when the upgrade is complete.

  • If you’re using platform version 1.19.0.0, this change will occur on February 1, 2025. On that day, you’ll notice that your Kibana or OpenSearch dashboards will only display indexed log files for a rolling 30-day window.

If you want to have indexed log files for more than 30 days, we recommend that you add your own customer-managed endpoint, or use your own SIEM system to store and manage your log files.

To set up a SIEM system or customer endpoint, submit a service request through the Support Portal. Learn more about submitting this type of request in Platform service requests > SIEM integration.

September 2024

Platform version: 1.19.1.0. Updated September 11, 2024.

In this platform version:

These applications are also included:

Administrators can self-service their administrator SSO accounts

New

You can now set up and configure connections between environments that will allow your administrators to use single sign-on (SSO) to access the PingOne Advanced Services platform and the appropriate admin consoles. See Configuring connections for SSO for details.

May 2024

Platform version: 1.19.0.0. Updated May 6, 2024.

In this platform version:

These applications are also included:

Elasticsearch replaced by OpenSearch

Improved

After careful consideration over several years, PingOne Advanced Services has replaced Elasticsearch with OpenSearch, an open source branch of Elasticsearch. OpenSearch provides a much larger and innovative feature set that enables a better path forward for continuing to provide log indexing, search, alerting, single sign-on (SSO), custom dashboards, and role-based access.

Elasticsearch data will not be directly migrated into OpenSearch. Instead, only new logs will be processed during the upgrade to platform version 1.19.0.0 and will be available in your new OpenSearch dashboards. We retain 13 months worth of raw log files, and can reprocess up to 3 months of these files into OpenSearch to allow indexed searches of limited historical data, upon request.

This change should not affect logs sent to your SIEM systems, such as Splunk. Log processing pipelines for your endpoints will remain the same, and logs sent to these endpoints will remain in a raw format for you to process.

Kibana Data Views have also been expanded. Each log generated by an app will now have its own data view, which makes it much easier to know where your logs are based on the name of the log file generated by the app. Custom dashboards will need to be exported as JSON files before the upgrade, and after the upgrade, imported into OpenSearch Dashboards and updated to reflect the changes in the new data views. The change to the data views might also require that you update the dashboard panels with the name of the new data view that previously contained the logs of interest.

PIngDirectory improvements

Improved

Several improvements were made to PingDirectory:

  • You can now enable database cache sharing for deployments with multiple backend databases. See the PingDirectory 10.0.0.0 release notes for details.

  • When deployed with multiple backend databases, PingDirectory now performs better than before because preloading has been disabled.

  • PingDirectory pod IPs availability and propagation to DNS have been improved for multi-region support.

  • PingDirectory pods graceful shutdown has been improved and now uses an on-premise software-aligned stop-server script to terminate pods.

OnePingLogin

Improved

The PingFederate admin console, PingAccess admin console, ArgoCD, and OpenSearch SSO has been improved to reduce the number of multi-factor authentications.

CAP permissions have also been improved to support additional fine-grained controls over user permissions. Now, users sign on using SSO to access their OpenSearch, PingFederate, or PingAccess environments. The tasks they can perform depend on the administrative roles they are assigned. By default, CAP users will not have any PingFederate or PingAccess roles assigned to them and must submit a service request to request the appropriate roles and permissions.

This authentication experience is configured in the PingAccess and PingFederate authentication settings. Changing these settings to use a non-default token provider might delay support because it introduces additional authentication steps for Ping Identity operations resources to review.

PingFederate and PingAccess administrator roles provide fine-grained access to features that allow them to perform specific tasks.

PingFederate administrator roles

  • User Admin: Those with this role can add and remove users, change and reset passwords, and install replacement license keys.

  • Admin: Those with this role can configure partner connections and most system settings, but they cannot manage local accounts or handle local keys and certificates.

  • Expression Admin: Those with this role can map user attributes using Object-Graph Navigation Language (OGNL).

    Only administrators who have both the Admin role and the Expression Admin role can be granted:

    • The User Admin role. This restriction prevents non-Expression Admins from granting themselves the Expression Admin role.

    • Write access to the file system or directory where PingFederate is installed. This restriction prevents a non-Expression Admin user from placing a data.zip file containing expressions into the <pf_install>/pingfederate/server/default/deploy directory, which would introduce expressions into PingFederate.]

  • Crypto Admin: Those with this role manage local keys and certificates.

  • Auditor: Those with this role have view-only privileges.

PingAccess administrator roles

  • Administrator: Those with this role can access all features unless someone is assigned the Platform Administrator role. If that role is assigned, the Administrators can’t update authorization, user, or environment settings, but can access everything else.

  • Platform Administrator: Those with this role can access everything that an Administrator can access, but they can also update authorization, user, and environment settings and configurations. Use this role in conjunction with the Administrator role to prevent accidental lockouts.

  • Auditor: Those with this role have view-only privileges.

March 2024

Platform version 1.18.2.0. Updated May 23, 2024.

Product versions:

These applications are also included:

Platform version: 1.18.1.0. Updated March 27, 2024.

In this platform version, PingFederate deploys with version 11.3.5 instead of 11.3.3. See the PingFederate 11.3.5 release notes for details regarding this release.

These applications are also included:

December 2023

Platform version: 1.18.0.0

In this platform version:

These applications are also included:

Delegated Admin

New

Administrators can now upload and download user reports.

Prometheus

New

You can now access Prometheus metrics through a private link or VPN.

PingDirectory

Improved

Several improvements were made to PingDirectory:

  • Backend priming no longer occurs when PingDirectory is started, which decreases PingDirectory startup time.

  • PingDirectory restarts have also been enhanced with increased health checking to reduce the chance of data inconsistencies within the cluster.

  • Backup and restore now occurs within its own PersistentVolume. See About backing up and restoring data in the PingDirectory Server Administration Guide for details regarding these processes.

PingFederate

Improved

Kerberos authentication will no longer support RC4 encryption due to the use of the new 11.0.21 JDK version (which does not support this weak cipher). Any use of RC4 will need to be replaced with AES256 encryption.

Parsing improvement

Improved

Multi-line logs generated from server.log (PingFederate) now appear in Kibana as a single document.

ElasticSearch

Improved

A horizontal pod autoscaler was added and Logstash performance has improved. The number of warm nodes available has also been increased, which has improved performance and survives AZ failures.

Fluent Bit

Improved

Now leverages IMDSv2 security instead of IMDSv1.

Grafana

Improved

User authorization now displays in separate customer and internal teams views. Logging and alert metrics are also now available, but only to internal Ping Identity teams.

Storage class provisioner and EBS volume type changes

Improved

The StorageClass provisioner was changed to CSI, and the EBS volume type was changed to GP3, which will improve performance and stability.

Log file handling

Info

Our legacy logging mode (sending log files to Cloudwatch) has been removed, and log files are now sent to our internal ELK (Elasticsearch, Logstash, Kibana) stack or to a customer endpoint.

Kibana (1.18 only)

Info

Kibana logs older than 90 days must be dropped for the migration to the new StorageClass provisioner. However, raw PROD logs from this time period are still available in S3 but can be restored to Kibana via a service request after the upgrade. When searching indexes, results contain the same fields and data, regardless of which index is chosen. For example, pf-audit* andlogstash* return the same results.

Argo CD

Info

Argo CD is now only deployed to the one per-region customer hub managing the development, staging, testing, and production environments.

October 2023

Platform version: 1.17.3.0.

The PingDirectory suite of products deploys with version 9.2.0.2 instead of 9.2. See the PingDirectory 9.2.0.2 release notes for details regarding the release.

These applications are also included:

September 2023

Platform version: 1.17.2.0.

PingFederate deploys with version 11.1.8 instead of 11.1.7. See the PingFederate 11.1.8 release notes for details regarding the release.

These applications are also included:

July 2023

Platform version: 1.17.1.0.

PingFederate deploys with version 11.1.7 instead of 11.1.5. See the PingFederate 11.1.7 release notes for details regarding the release.

These applications are also included:

March 2023

Platform version: 1.17.0.0.

PingDirectory deploys with version 9.2 instead of 9.0.0.2. See the PingDirectory 9.2 release notes for details regarding the release.

These applications are also included:

Dashboard consolidation

Improved

The PingOne Advanced Services dashboard has been enhanced. Not only does it provide a consolidated view of key indicators, metrics, and data regarding the health of your infrastructure, but you can now access all of your environments from this location instead of using separate URLs.

User interface updates

Improved

The PingOne Advanced Services user interface has also been updated to more closely match the look and feel of PingOne, which smooths the transition between the two.

November 2022

Platform version: 1.16.5.0.

These applications are included:

Provision and deprovision users for SaaS applications

New

Using PingOne Advanced Services, PingFederate administrators can now provision and deprovision users to the following software as a service (SaaS) applications:

  • Slack

  • Udemy

  • Zscaler

  • SCIM

  • PingOne MFA

In a multi-region deployment, SaaS provisioning is deployed to a single region, which is your primary region, and will not be deployed to your secondary region.

Performance metrics

Improved

You can now access up to 13 months of performance data that will help you better understand the activities occurring within your PingOne Advanced Services environments.

PingFederate patches now automatically updated

Improved

PingFederate patch versions are now automatically updated in PingOne Advanced Services.

September 2022

Platform version: 1.16.2.0.

PingFederate deploys with PingFederate 11.1.5 instead of version 11.1.0. See the PingFederate 11.1.5 release notes for details regarding this release.

These applications are also included:

Kerberos gateway is also now supported.

Password policy added for topology administrators

Fixed

Having a password policy specifically for topology administrators prevents them from being affected when password expiration policies are applied to non-administrator accounts.

PingFederate dashboard revisions

Fixed

PingFederate Failed SSO and Failed Authentication dashboards have been revised to adjust to PingFederate 11.1 changes.

  • The Failed SSO dashboard will not contain data if the Fail Authentication on Account Lockout option is disabled in PingFederate, which is the default.

  • The Failed Authentication dashboard will not distinguish between SSO authentication requests and other types of authentication requests.

Additional time series data now available

Improved

Up to 13 months of Prometheus time series data is now available for you to compare current performance metrics with historical data to better understand their environments. Contact your Ping Identity representative for additional information about this option.

Active user numbers now available

Improved

The number of active users in each environment now displays on Grafana dashboards.

July 2022

Platform version: 1.16.1.1.

These applications are included:

Use PingCentral to configure PingFederate and PingAccess environments

New

PingCentral is now deployed with PingFederate and PingAccess environments. All of your development environments, (development, testing, staging, and production) will be configured for you and accessible from PingCentral.

Use PingFederate Admin API to create password credential validator and LDAP client manager

Fixed

You can now use the PingFederate Admin API to create the PingDirectory password credential validator and the LDAP client manager instead of using static XML. If the credential validator or client manager already exists, they will not be overwritten.

Hot and warm Elasticsearch index tiers added

Improved

Elasticsearch index lifecycle management (ILM) policies have been created, and a hot-warm-cold architecture has been implemented to improve performance and resiliency.

The indexer handles indexed data in a way that ages the data through several states. When the data is first indexed, it’s added to a hot data tier and remains there for 90 days. Data nodes that are not actively written to are moved to a warm data tier, where they remain for 180 days. Data not accessed for more than 180 days is not indexed.

Health check services added

Improved

Health check services, which provide operational status and performance data, were recently added to monitor internal APIs and clusters.

Configurable log-streaming pipeline added

Improved

You can now use a variety of different security analytics services and customize the ways log data is streamed. You can filter streamed data by application, log, and keywords, and modify JSON files. Available security analytics services include:

  • Customer S3 bucket

  • Customer Cloudwatch ingestion

  • Syslog

  • IBM QRadar

  • ArcSight

  • Azure Sentinel

May 2022

Platform version: 1.16.1.0.

These applications are included:

Synchronize all of your data sources into one source of truth

New

The PingDataSync Server is now available to synchronize the data from your on-premise and cloud-based data sources into PingDirectory, a high-performance, extensible LDAP directory that serves as the single source of identity truth.

PingOne LDAP gateway connectivity

New

PingOne LDAP gateway connectivity is now supported in the PingOne Advanced Services Simple Network option, which is significantly less time-consuming to deploy than the Advanced Network option that used to be required for LDAP connectivity.

RADIUS ports are now configured by default

Improved

Having these ports configured by default eliminates the need for our partners and professional services teams to manually configure them after deployment.

PingFederate thread usage auto-tuning enhanced

Improved

The PingFederate server thread usage auto-tuning feature has been enhanced to improve the user experience and reduce the need for manual tuning.

Custom password policies are now available through the admin portal

Improved

Now, not only can you request custom password policies through a service request form, but you can also request them through the admin portal.

JVM metrics are now available for PingFederate and PingAccess

Improved

The PingFederate and PingAccess tenant dashboards now display Java Virtual Machine (JVM) metrics, which you can use to optimize system performance.

March 2022

Platform version: 1.16.0.1.

These applications are included:

Web application firewall offers additional protection

Security

A Signal Sciences Web Application Firewall (WAF) was added to the platform to protect environments against vulnerabilities and mitigate DoS and DDoS attacks.

Log4j and Log4Shell security fixes

Security

This release contains several updates that address and remediate Log4j and Log4Shell vulnerabilities.

Updated Nginx ingress controller

Improved

The Nginx ingress controller was updated to the latest version, which provides access to the latest network security and performance functionality.

Updated dashboard and monitoring tools

Improved

NewRelic agent, Kibana, ElasticSearch, Logstash were updated to the latest versions available.

Added OpenToken Adapter

New

The OpenToken Adapter Kit was added to the PingFederate default profile.