PingOne Advanced Services Release Notes

New

You can now set up and configure connections between environments that will allow your administrators to use single sign-on (SSO) to access the PingOne Advanced Services platform and the appropriate admin consoles. See Configuring connections for SSO for details.

Improved

After careful consideration over several years, PingOne Advanced Services has replaced Elasticsearch with OpenSearch, an open source branch of Elasticsearch. OpenSearch provides a much larger and innovative feature set that enables a better path forward for continuing to provide log indexing, search, alerting, single sign-on (SSO), custom dashboards, and role-based access.

Elasticsearch data will not be directly migrated into OpenSearch. Instead, only new logs will be processed during the upgrade to platform version 1.19.0.0 and will be available in your new OpenSearch dashboards. We retain 13 months worth of raw log files, and can reprocess up to 3 months of these files into OpenSearch to allow indexed searches of limited historical data, upon request.

This change should not affect logs sent to your SIEM systems, such as Splunk. Log processing pipelines for your endpoints will remain the same, and logs sent to these endpoints will remain in a raw format for you to process.

Kibana Data Views have also been expanded. Each log generated by an app will now have its own data view, which makes it much easier to know where your logs are based on the name of the log file generated by the app. Custom dashboards will need to be exported as JSON files before the upgrade, and after the upgrade, imported into OpenSearch Dashboards and updated to reflect the changes in the new data views. The change to the data views might also require that you update the dashboard panels with the name of the new data view that previously contained the logs of interest.

Improved

Several improvements were made to PingDirectory:

Improved

The PingFederate admin console, PingAccess admin console, ArgoCD, and OpenSearch SSO has been improved to reduce the number of multi-factor authentications.

CAP permissions have also been improved to support additional fine-grained controls over user permissions. Now, users sign on using SSO to access their OpenSearch, PingFederate, or PingAccess environments. The tasks they can perform depend on the administrative roles they are assigned. By default, CAP users will not have any PingFederate or PingAccess roles assigned to them and must submit a service request to request the appropriate roles and permissions.

PingFederate and PingAccess administrator roles provide fine-grained access to features that allow them to perform specific tasks.

PingFederate administrator roles

PingAccess administrator roles

New

Administrators can now upload and download user reports.

New

You can now access Prometheus metrics through a private link or VPN.

Improved

Several improvements were made to PingDirectory:

Improved

Kerberos authentication will no longer support RC4 encryption due to the use of the new 11.0.21 JDK version (which does not support this weak cipher). Any use of RC4 will need to be replaced with AES256 encryption.

Improved

Multi-line logs generated from server.log (PingFederate) now appear in Kibana as a single document.

Improved

A horizontal pod autoscaler was added and Logstash performance has improved. The number of warm nodes available has also been increased, which has improved performance and survives AZ failures.

Improved

Now leverages IMDSv2 security instead of IMDSv1.

Improved

User authorization now displays in separate customer and internal teams views. Logging and alert metrics are also now available, but only to internal Ping Identity teams.

Improved

The StorageClass provisioner was changed to CSI, and the EBS volume type was changed to GP3, which will improve performance and stability.

Info

Our legacy logging mode (sending log files to Cloudwatch) has been removed, and log files are now sent to our internal ELK (Elasticsearch, Logstash, Kibana) stack or to a customer endpoint.

Info

Kibana logs older than 90 days must be dropped for the migration to the new StorageClass provisioner. However, raw PROD logs from this time period are still available in S3 but can be restored to Kibana via a service request after the upgrade. When searching indexes, results contain the same fields and data, regardless of which index is chosen. For example, pf-audit* andlogstash* return the same results.

Info

Argo CD is now only deployed to the one per-region customer hub managing the development, staging, testing, and production environments.

Improved

The PingOne Advanced Services dashboard has been enhanced. Not only does it provide a consolidated view of key indicators, metrics, and data regarding the health of your infrastructure, but you can now access all of your environments from this location instead of using separate URLs.

Improved

The PingOne Advanced Services user interface has also been updated to more closely match the look and feel of PingOne, which smooths the transition between the two.

New

Using PingOne Advanced Services, PingFederate administrators can now provision and deprovision users to the following software as a service (SaaS) applications:

Improved

You can now access up to 13 months of performance data that will help you better understand the activities occurring within your PingOne Advanced Services environments.

Improved

PingFederate patch versions are now automatically updated in PingOne Advanced Services.

Fixed

Having a password policy specifically for topology administrators prevents them from being affected when password expiration policies are applied to non-administrator accounts.

Fixed

PingFederate Failed SSO and Failed Authentication dashboards have been revised to adjust to PingFederate 11.1 changes.

Improved

Up to 13 months of Prometheus time series data is now available for you to compare current performance metrics with historical data to better understand their environments. Contact your Ping Identity representative for additional information about this option.

Improved

The number of active users in each environment now displays on Grafana dashboards.

New

PingCentral is now deployed with PingFederate and PingAccess environments. All of your development environments, (development, testing, staging, and production) will be configured for you and accessible from PingCentral.

Fixed

You can now use the PingFederate Admin API to create the PingDirectory password credential validator and the LDAP client manager instead of using static XML. If the credential validator or client manager already exists, they will not be overwritten.

Improved

Elasticsearch index lifecycle management (ILM) policies have been created, and a hot-warm-cold architecture has been implemented to improve performance and resiliency.

The indexer handles indexed data in a way that ages the data through several states. When the data is first indexed, it’s added to a hot data tier and remains there for 90 days. Data nodes that are not actively written to are moved to a warm data tier, where they remain for 180 days. Data not accessed for more than 180 days is not indexed.

Improved

Health check services, which provide operational status and performance data, were recently added to monitor internal APIs and clusters.

Improved

You can now use a variety of different security analytics services and customize the ways log data is streamed. You can filter streamed data by application, log, and keywords, and modify JSON files. Available security analytics services include:

New

The PingDataSync Server is now available to synchronize the data from your on-premise and cloud-based data sources into PingDirectory, a high-performance, extensible LDAP directory that serves as the single source of identity truth.

New

PingOne LDAP gateway connectivity is now supported in the PingOne Advanced Services Simple Network option, which is significantly less time-consuming to deploy than the Advanced Network option that used to be required for LDAP connectivity.

Improved

Having these ports configured by default eliminates the need for our partners and professional services teams to manually configure them after deployment.

Improved

The PingFederate server thread usage auto-tuning feature has been enhanced to improve the user experience and reduce the need for manual tuning.

Improved

Now, not only can you request custom password policies through a service request form, but you can also request them through the admin portal.

Improved

The PingFederate and PingAccess tenant dashboards now display Java Virtual Machine (JVM) metrics, which you can use to optimize system performance.

Security

A Signal Sciences Web Application Firewall (WAF) was added to the platform to protect environments against vulnerabilities and mitigate DoS and DDoS attacks.

Security

This release contains several updates that address and remediate Log4j and Log4Shell vulnerabilities.

Improved

The Nginx ingress controller was updated to the latest version, which provides access to the latest network security and performance functionality.

Improved

NewRelic agent, Kibana, ElasticSearch, Logstash were updated to the latest versions available.

New

The OpenToken Adapter Kit was added to the PingFederate default profile.