PingOne Advanced Services Release Notes
Review release notes for PingOne Advanced Services.
November 2024
Platform version: 1.19.2.0. Updated November 21, 2024.
In this platform version:
- PingAccess deploys with version 8.0.4 instead of 8.0.3. You can find details regarding this release in the PingAccess 8.0.4 release notes.
- PingCentral deploys with version 2.0.2 instead of 2.0.1. You can find details regarding this release in the PingCentral 2.0.2 release notes.
These applications are also included:
The following Amazon EKS platform versions are supported:
- 1.25
- 1.26
- 1.27
- 1.28
- 1.29
- 1.30
Indexed log file retention policy change
Info
With the release of platform version 1.19.0.0, we announced that we’ve replaced Elasticsearch with OpenSearch because OpenSearch provides a larger and more innovative feature set. As part of our continual updates to our Observability platform, starting in version 1.19.2.0, indexed logs will only be available for a rolling 30-day window. Log files older than 30 days will be unavailable and will remain in our internal AWS S3 archive.
Many of you have your own Security Information and Event Management (SIEM) systems and your own ways of storing, indexing, and searching your log files, so you won’t be affected by this change. The same is true if you receive a copy of your logs through a customer endpoint. Your log files can remain on your endpoint systems for the amount of time specified in your retention policies.
Otherwise, this change in policy means that:
- If you’re upgrading to version 1.19.2.0, your Elasticsearch data will not be directly migrated into OpenSearch. Instead, only new logs will be processed after the upgrade and be available in your new OpenSearch dashboard when the upgrade is complete.
- If you’re using platform version 1.19.0.0, this change will occur on February 1, 2025. On that day, you’ll notice that your Kibana or OpenSearch dashboards will only display indexed log files for a rolling 30-day window.
If you want to have indexed log files for more than 30 days, we recommend that you add your own customer-managed endpoint, or use your own SIEM system to store and manage your log files.
To set up a SIEM system or customer endpoint, submit a service request through the Support Portal. Learn more about submitting this type of request in Platform service requests > SIEM integration.
September 2024
Platform version: 1.19.1.0. Updated September 11, 2024.
In this platform version:
- PingFederate deploys with version 11.3.8 instead of 11.3.6. See the PingFederate 11.3.8 release notes for details regarding this release.
- PingAccess deploys with version 8.0.3 instead of 8.0.1. See the PingAccess 8.0.3 release notes for details regarding this release.
- OpenSearch and OpenSearch Dashboards were also upgraded from version 2.8.0 to 2.11.1. See OpenSearch and OpenSearch Dashboards 2.11.1 release notes for additional information.
These applications are also included:
Administrators can self-service their administrator SSO accounts
New
You can now set up and configure connections between environments that will allow your administrators to use single sign-on (SSO) to access the PingOne Advanced Services platform and the appropriate admin consoles. See Configuring connections for SSO for details.
May 2024
Platform version: 1.19.0.0. Updated May 6, 2024.
In this platform version:
- PingAccess deploys with version 8.0.1 instead of 7.0.7. See the PingAccess 8.0.1 release notes for details regarding this release.
- PingDirectory deploys with version 10.0.0.2 instead of 9.2.0.4. See PingDirectory 10.0.0.2 release notes for details regarding this release.
- PingCentral deploys with version 2.0.1 instead of 1.10.1. See PingCentral 2.0.1 release notes for details regarding this release.
These applications are also included:
- PingDataSync 10.0.0.1
Elasticsearch replaced by OpenSearch
Improved
After careful consideration over several years, PingOne Advanced Services has replaced Elasticsearch with OpenSearch, an open source branch of Elasticsearch. OpenSearch provides a much larger and more innovative feature set that enables a better path forward for continuing to provide log indexing, search, alerting, single sign-on (SSO), custom dashboards, and role-based access.
Elasticsearch data will not be directly migrated into OpenSearch. Instead, only new logs will be processed during the upgrade to platform version 1.19.0.0 and will be available in your new OpenSearch dashboards. We retain 13 months' worth of raw log files and, upon request, can reprocess up to 3 months of these files into OpenSearch to allow indexed searches of limited historical data.
This change should not affect logs sent to your SIEM systems, such as Splunk. Log processing pipelines for your endpoints will remain the same, and logs sent to these endpoints will remain in a raw format for you to process.
Kibana Data Views have also been expanded. Each log generated by an app will now have its own data view, which makes it much easier to know where your logs are based on the name of the log file generated by the app. Custom dashboards will need to be exported as JSON files before the upgrade, and after the upgrade, imported into OpenSearch Dashboards and updated to reflect the changes in the new data views. The change to the data views might also require that you update the dashboard panels with the name of the new data view that previously contained the logs of interest.
PingDirectory improvements
Improved
Several improvements were made to PingDirectory:
- You can now enable database cache sharing for deployments with multiple backend databases. See the PingDirectory 10.0.0.0 release notes for details.
- When deployed with multiple backend databases, PingDirectory now performs better than before because preloading has been disabled.
- PingDirectory pod IP availability and propagation to DNS have been improved for multi-region support.
- PingDirectory pod graceful shutdown has been improved and now uses an on-premise software-aligned stop-server script to terminate pods.
OnePingLogin
Improved
SSO for the PingFederate admin console, PingAccess admin console, ArgoCD, and OpenSearch has been improved to reduce the number of multi-factor authentications.
CAP permissions have also been improved to support additional fine-grained controls over user permissions. Now, users sign on using SSO to access their OpenSearch, PingFederate, or PingAccess environments. The tasks they can perform depend on the administrative roles they are assigned. By default, CAP users will not have any PingFederate or PingAccess roles assigned to them and must submit a service request to request the appropriate roles and permissions.
This authentication experience is configured in the PingAccess and PingFederate authentication settings. Changing these settings to use a non-default token provider might delay support because it introduces additional authentication steps for Ping Identity operations resources to review.
PingFederate and PingAccess administrator roles provide fine-grained access to features that allow them to perform specific tasks.
PingFederate administrator roles
- User Admin: Those with this role can add and remove users, change and reset passwords, and install replacement license keys.
- Admin: Those with this role can configure partner connections and most system settings, but they cannot manage local accounts or handle local keys and certificates.
- Expression Admin: Those with this role can map user attributes using Object-Graph Navigation Language (OGNL).
  Only administrators who have both the Admin role and the Expression Admin role can be granted:
  - The User Admin role. This restriction prevents non-Expression Admins from granting themselves the Expression Admin role.
  - Write access to the file system or directory where PingFederate is installed. This restriction prevents a non-Expression Admin user from placing a data.zip file containing expressions into the <pf_install>/pingfederate/server/default/deploy directory, which would introduce expressions into PingFederate.
- Crypto Admin: Those with this role manage local keys and certificates.
- Auditor: Those with this role have view-only privileges.
PingAccess administrator roles
- Administrator: Those with this role can access all features unless someone is assigned the Platform Administrator role. If that role is assigned, the Administrators can’t update authorization, user, or environment settings, but can access everything else.
- Platform Administrator: Those with this role can access everything that an Administrator can access, but they can also update authorization, user, and environment settings and configurations. Use this role in conjunction with the Administrator role to prevent accidental lockouts.
- Auditor: Those with this role have view-only privileges.
March 2024
Platform version: 1.18.2.0. Updated May 23, 2024.
Product versions:
- In this platform version, PingFederate deploys with version 11.3.6 instead of 11.3.5. See the PingFederate 11.3.6 release notes for details regarding this release.
- PingAccess deploys with version 7.0.7 instead of 7.0.5. See PingAccess 7.0.7 release notes for details regarding this release.
These applications are also included:
Platform version: 1.18.1.0. Updated March 27, 2024.
In this platform version, PingFederate deploys with version 11.3.5 instead of 11.3.3. See the PingFederate 11.3.5 release notes for details regarding this release.
These applications are also included:
December 2023
Platform version: 1.18.0.0
In this platform version:
- PingFederate deploys with version 11.3.3 instead of 11.1.8. See the PingFederate 11.3.3 release notes for details regarding the release.
- The PingDirectory suite of products deploys with version 9.2.0.4 instead of 9.2.0.2. See the PingDirectory 9.2.0.4 release notes for details regarding the release.
These applications are also included:
PingDirectory
Improved
Several improvements were made to PingDirectory:
- Backend priming no longer occurs when PingDirectory is started, which decreases PingDirectory startup time.
- PingDirectory restarts have also been enhanced with increased health checking to reduce the chance of data inconsistencies within the cluster.
- Backup and restore now occurs within its own PersistentVolume. See About backing up and restoring data in the PingDirectory Server Administration Guide for details regarding these processes.
PingFederate
Improved
Kerberos authentication will no longer support RC4 encryption due to the use of the new 11.0.21 JDK version (which does not support this weak cipher). Any use of RC4 will need to be replaced with AES256 encryption.
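One way to find RC4 settings that need replacing before this change takes effect, shown as an added example that is not Ping Identity's code. It assumes the Kerberos client settings live in a standard krb5.conf file; the sample file, realm, and function names are constructed for illustration.

```python
import re

# Names krb5.conf accepts for RC4-HMAC, including the "rc4" family alias.
RC4_NAMES = {"rc4", "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
             "rc4-hmac-exp", "arcfour-hmac-exp", "arcfour-hmac-md5-exp"}
# Names that enable an AES256 enctype ("aes" is the family alias).
AES256_NAMES = {"aes", "aes256-cts", "aes256-sha1", "aes256-cts-hmac-sha1-96",
                "aes256-sha2", "aes256-cts-hmac-sha384-192"}
ENCTYPE_KEYS = {"default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"}

# Constructed sample file, not taken from any real deployment.
SAMPLE_KRB5_CONF = """\
# constructed example
[libdefaults]
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac aes256-cts-hmac-sha1-96
    default_tgs_enctypes = arcfour-hmac-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

def audit_krb5_conf(text):
    """Return one finding per enctype setting found in [libdefaults]."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ENCTYPE_KEYS:
            continue
        names = [n.lower() for n in re.split(r"[,\s]+", value) if n]
        # A leading "-" removes an enctype from the list, so it is not a use of RC4.
        enabled = [n for n in names if not n.startswith("-")]
        findings.append({"line": lineno, "key": key,
                         "rc4": [n for n in enabled if n in RC4_NAMES],
                         "has_aes256": any(n in AES256_NAMES for n in enabled)})
    return findings

def needs_change(findings):
    """Settings that still list RC4 and must be edited."""
    return [f for f in findings if f["rc4"]]

if __name__ == "__main__":
    for f in needs_change(audit_krb5_conf(SAMPLE_KRB5_CONF)):
        print(f"line {f['line']}: {f['key']} lists {f['rc4']}, AES256 present: {f['has_aes256']}")
```

A setting flagged with `has_aes256` false has no AES256 enctype listed yet, so removing RC4 alone would leave it without the replacement cipher.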
Parsing improvement
Improved
Multi-line logs generated from server.log (PingFederate) now appear in Kibana as a single document.
Elasticsearch
Improved
A horizontal pod autoscaler was added and Logstash performance has improved. The number of warm nodes available has also been increased, which has improved performance and allows the cluster to survive AZ failures.
Grafana
Improved
User authorization now displays in separate customer and internal teams views. Logging and alert metrics are also now available, but only to internal Ping Identity teams.
Storage class provisioner and EBS volume type changes
Improved
The StorageClass provisioner was changed to CSI, and the EBS volume type was changed to GP3, which will improve performance and stability.
Log file handling
Info
Our legacy logging mode (sending log files to CloudWatch) has been removed, and log files are now sent to our internal ELK (Elasticsearch, Logstash, Kibana) stack or to a customer endpoint.
Kibana (1.18 only)
Info
Kibana logs older than 90 days must be dropped for the migration to the new StorageClass provisioner. However, raw PROD logs from this time period are still available in S3 and can be restored to Kibana via a service request after the upgrade.
When searching indexes, results contain the same fields and data, regardless of which index is chosen. For example, pf-audit* and logstash* return the same results.
October 2023
Platform version: 1.17.3.0.
The PingDirectory suite of products deploys with version 9.2.0.2 instead of 9.2. See the PingDirectory 9.2.0.2 release notes for details regarding the release.
These applications are also included:
September 2023
Platform version: 1.17.2.0.
PingFederate deploys with version 11.1.8 instead of 11.1.7. See the PingFederate 11.1.8 release notes for details regarding the release.
These applications are also included:
July 2023
Platform version: 1.17.1.0.
PingFederate deploys with version 11.1.7 instead of 11.1.5. See the PingFederate 11.1.7 release notes for details regarding the release.
These applications are also included:
March 2023
Platform version: 1.17.0.0.
PingDirectory deploys with version 9.2 instead of 9.0.0.2. See the PingDirectory 9.2 release notes for details regarding the release.
These applications are also included:
Dashboard consolidation
Improved
The PingOne Advanced Services dashboard has been enhanced. Not only does it provide a consolidated view of key indicators, metrics, and data regarding the health of your infrastructure, but you can now access all of your environments from this location instead of using separate URLs.
November 2022
Platform version: 1.16.5.0.
These applications are included:
Provision and deprovision users for SaaS applications
New
Using PingOne Advanced Services, PingFederate administrators can now provision and deprovision users to the following software as a service (SaaS) applications:
- Slack
- Udemy
- Zscaler
- SCIM
- PingOne MFA
In a multi-region deployment, SaaS provisioning is deployed to a single region, which is your primary region, and will not be deployed to your secondary region.
September 2022
Platform version: 1.16.2.0.
PingFederate deploys with version 11.1.5 instead of 11.1.0. See the PingFederate 11.1.5 release notes for details regarding this release.
These applications are also included:
Kerberos gateway is also now supported.
Password policy added for topology administrators
Fixed
Having a password policy specifically for topology administrators prevents them from being affected when password expiration policies are applied to non-administrator accounts.
PingFederate dashboard revisions
Fixed
PingFederate Failed SSO and Failed Authentication dashboards have been revised to adjust to PingFederate 11.1 changes.
- The Failed SSO dashboard will not contain data if the Fail Authentication on Account Lockout option is disabled in PingFederate, which is the default.
- The Failed Authentication dashboard will not distinguish between SSO authentication requests and other types of authentication requests.
Additional time series data now available
Improved
Up to 13 months of Prometheus time series data is now available, so you can compare current performance metrics with historical data to better understand your environments. Contact your Ping Identity representative for additional information about this option.
July 2022
Platform version: 1.16.1.1.
These applications are included:
Use PingCentral to configure PingFederate and PingAccess environments
New
PingCentral is now deployed with PingFederate and PingAccess environments. All of your development environments (development, testing, staging, and production) will be configured for you and accessible from PingCentral.
Use PingFederate Admin API to create password credential validator and LDAP client manager
Fixed
You can now use the PingFederate Admin API to create the PingDirectory password credential validator and the LDAP client manager instead of using static XML. If the credential validator or client manager already exists, it will not be overwritten.
Hot and warm Elasticsearch index tiers added
Improved
Elasticsearch index lifecycle management (ILM) policies have been created, and a hot-warm-cold architecture has been implemented to improve performance and resiliency.
The indexer handles indexed data in a way that ages the data through several states. When the data is first indexed, it’s added to a hot data tier and remains there for 90 days. Data nodes that are not actively written to are moved to a warm data tier, where they remain for 180 days. Data not accessed for more than 180 days is not indexed.
Health check services added
Improved
Health check services, which provide operational status and performance data, were recently added to monitor internal APIs and clusters.
Configurable log-streaming pipeline added
Improved
You can now use a variety of different security analytics services and customize the ways log data is streamed. You can filter streamed data by application, log, and keywords, and modify JSON files. Available security analytics services include:
- Customer S3 bucket
- Customer CloudWatch ingestion
- Syslog
- IBM QRadar
- ArcSight
- Azure Sentinel
May 2022
Platform version: 1.16.1.0.
These applications are included:
Synchronize all of your data sources into one source of truth
New
The PingDataSync Server is now available to synchronize the data from your on-premise and cloud-based data sources into PingDirectory, a high-performance, extensible LDAP directory that serves as the single source of identity truth.
PingOne LDAP gateway connectivity
New
PingOne LDAP gateway connectivity is now supported in the PingOne Advanced Services Simple Network option, which is significantly less time-consuming to deploy than the Advanced Network option that used to be required for LDAP connectivity.
RADIUS ports are now configured by default
Improved
Having these ports configured by default eliminates the need for our partners and professional services teams to manually configure them after deployment.
PingFederate thread usage auto-tuning enhanced
Improved
The PingFederate server thread usage auto-tuning feature has been enhanced to improve the user experience and reduce the need for manual tuning.
March 2022
Platform version: 1.16.0.1.
These applications are included:
Web application firewall offers additional protection
Security
A Signal Sciences Web Application Firewall (WAF) was added to the platform to protect environments against vulnerabilities and mitigate DoS and DDoS attacks.
Log4j and Log4Shell security fixes
Security
This release contains several updates that address and remediate Log4j and Log4Shell vulnerabilities.
Updated Nginx ingress controller
Improved
The Nginx ingress controller was updated to the latest version, which provides access to the latest network security and performance functionality.