PingOne Advanced Services

May 2024

Platform version: 1.19.0.0. Updated May 6, 2024.

In this platform version:

These applications are also included:

Elasticsearch replaced by OpenSearch

Improved

After careful consideration over several years, PingOne Advanced Services has replaced Elasticsearch with OpenSearch, an open source branch of Elasticsearch. OpenSearch provides a much larger and more innovative feature set, which gives a better path forward for continuing to provide log indexing, search, alerting, single sign-on (SSO), custom dashboards, and role-based access.

Elasticsearch data will not be directly migrated into OpenSearch. Instead, only new logs will be processed during the upgrade to platform version 1.19.0.0 and will be available in your new OpenSearch dashboards. We retain 13 months' worth of raw log files and, upon request, can reprocess up to 3 months of these files into OpenSearch to allow indexed searches of limited historical data.

This change should not affect logs sent to your SIEM systems, such as Splunk. Log processing pipelines for your endpoints will remain the same, and logs sent to these endpoints will remain in a raw format for you to process.

Kibana Data Views have also been expanded. Each log generated by an app will now have its own data view, which makes it much easier to know where your logs are based on the name of the log file generated by the app. Custom dashboards will need to be exported as JSON files before the upgrade, and after the upgrade, imported into OpenSearch Dashboards and updated to reflect the changes in the new data views. The change to the data views might also require that you update the dashboard panels with the name of the new data view that previously contained the logs of interest.

PingDirectory improvements

Improved

Several improvements were made to PingDirectory:

  • You can now enable database cache sharing for deployments with multiple backend databases. You can find details in the PingDirectory 10.0.0.0 release notes.

  • When deployed with multiple backend databases, PingDirectory now performs better than before because preloading has been disabled.

  • The availability of PingDirectory pod IPs and their propagation to DNS have been improved for multi-region support.

  • Graceful shutdown of PingDirectory pods has been improved and now uses an on-premise software-aligned stop-server script to terminate pods.

OnePingLogin

Improved

SSO for the PingFederate admin console, PingAccess admin console, ArgoCD, and OpenSearch has been improved to reduce the number of multi-factor authentications.

CAP permissions have also been improved to support additional fine-grained controls over user permissions. Now, users sign on using SSO to access their OpenSearch, PingFederate, or PingAccess environments. The tasks they can perform depend on the administrative roles they are assigned. By default, CAP users will not have any PingFederate or PingAccess roles assigned to them and must submit a service request to request the appropriate roles and permissions.

This authentication experience is configured in the PingAccess and PingFederate authentication settings. Changing these settings to use a non-default token provider might delay support because it introduces additional authentication steps for Ping Identity operations resources to review.

PingFederate and PingAccess administrator roles give administrators fine-grained access to the features they need to perform specific tasks.

PingFederate administrator roles

  • User Admin: Those with this role can add and remove users, change and reset passwords, and install replacement license keys.

  • Admin: Those with this role can configure partner connections and most system settings, but they cannot manage local accounts or handle local keys and certificates.

  • Expression Admin: Those with this role can map user attributes using Object-Graph Navigation Language (OGNL).

    Only administrators who have both the Admin role and the Expression Admin role can be granted:

    • The User Admin role. This restriction prevents non-Expression Admins from granting themselves the Expression Admin role.

    • Write access to the file system or directory where PingFederate is installed. This restriction prevents a non-Expression Admin user from placing a data.zip file containing expressions into the <pf_install>/pingfederate/server/default/deploy directory, which would introduce expressions into PingFederate.

  • Crypto Admin: Those with this role manage local keys and certificates.

  • Auditor: Those with this role have view-only privileges.
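
The Expression Admin restriction above can be checked against a list of role assignments. The following is an added example, not part of the Ping Identity documentation: the `Account` structure, the `fs_write` flag, and the sample accounts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

ADMIN, EXPRESSION_ADMIN, USER_ADMIN = "Admin", "Expression Admin", "User Admin"
PREREQUISITES = frozenset({ADMIN, EXPRESSION_ADMIN})


@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset
    # Hypothetical flag: account can write to the PingFederate install directory.
    fs_write: bool = False


def audit(accounts):
    """Return (account, grant, missing_roles) for each grant that breaks the rule."""
    findings = []
    for acct in accounts:
        missing = tuple(sorted(PREREQUISITES - acct.roles))
        if not missing:
            continue  # holds both Admin and Expression Admin: either grant is allowed
        if USER_ADMIN in acct.roles:
            # Could grant itself Expression Admin through user management.
            findings.append((acct.name, "User Admin role", missing))
        if acct.fs_write:
            # Could place a data.zip with expressions into the deploy directory.
            findings.append((acct.name, "install directory write access", missing))
    return findings


# Constructed sample assignments, not taken from any real environment.
SAMPLE = [
    Account("alice", frozenset({ADMIN, EXPRESSION_ADMIN, USER_ADMIN}), fs_write=True),
    Account("bob", frozenset({ADMIN, USER_ADMIN})),
    Account("carol", frozenset({"Crypto Admin"}), fs_write=True),
    Account("dave", frozenset({"Auditor"})),
]

if __name__ == "__main__":
    for name, grant, missing in audit(SAMPLE):
        print(f"{name}: {grant} held without {', '.join(missing)}")
```
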

PingAccess administrator roles

  • Administrator: Those with this role can access all features unless someone is assigned the Platform Administrator role. If that role is assigned, the Administrators can’t update authorization, user, or environment settings, but can access everything else.

  • Platform Administrator: Those with this role can access everything that an Administrator can access, but they can also update authorization, user, and environment settings and configurations. Use this role in conjunction with the Administrator role to prevent accidental lockouts.

  • Auditor: Those with this role have view-only privileges.