PingOne for Enterprise

Previous AD Connect Releases

April 2020 Release: Version 5.0.3

Resolved issues
Ticket ID Issue

SSD-15239

(AD Connect) Fixed an issue where AD Connect could not be installed on a non-Domain Controller sever.

February 2020: Version 5.0.1

Enhancements
Feature Description

TLS Support

AD Connect 5.0.1 supports TLS 1.2 as we prepare to End of Life TLS 1.0. and 1.1. See TLS 1.0 and TLS 1.1 End of Life in PingOne for Enterprise for more information.

New installations and upgrades to AD Connect 5.0.1 require the installation of Microsoft .NET Framework 4.7.2. See Installing AD Connect for more information.

Fall 2019: Version 4.0.10

Enhancements
Feature Description

Active Directory Global Catalog

(AD Connect only) You can now elect to use the Active Directory Global Catalog for lookups. The option to enable the Global Catalog is in the AD Connect Configuration section of the AD Connect setup (Setup → Identity Repository → Connect to an Identity Repository → AD Connect). See AD Connect final setup for more information.

Summer 2019 Release: Version 4.0.65

Enhancements
Feature Description

Branding

(AD Connect) You can now assign branding for the login and password reset pages. See Assign AD Connect branding and designs for more information.

Fall 2018 Release: Version 4.0.5

Resolved issues
Ticket ID Issue

SSD-10054

(AD Connect) Fixed an issue where AD Connect did not allow duplicate values in an Octet String attribute.

August, 2018: Version 4.0.3

Enhancements
Feature Description

TLS 1.1 and 1.2 now supported

We’ve added support for TLS 1.1 and 1.2. (SSD-8913).

March, 2018: Version 4.0.1

Resolved issues
Ticket ID Issue

SSD-6889

(AD Connect) Fixed an issue where AD Connect was prevented from reconnecting to PingOne if an error was encountered while attempting to connect.

October, 2017: Version 3.0.60

Enhancements
Feature Description

(AD Connect) Added logging of authentication method

We updated AD Connect logging to distinguish the method a user employs to authenticate (such as, IWA or Forms-based). (SSD-6103).

Known issues and limitations
Subject Issue/Limitation

ID-1289

If you import more than one signing certificate with the same subject name into the IIS host for AD Connect, you must first remove expired certificates with the same subject name directly through IIS Manager. If this is not done you may experience problems when removing an expired certificate and updating it with a new one.

July, 2017: Version 3.0.50

Enhancements
Feature Description

Invalid credential errors

Invalid credential errors are now logged at the Debug level, rather than the Error level as previously. (SSD-5372, SSD-5501).

Resolved issues
Ticket ID Issue

PINGONESTG-2489, SSD-5501

(AD Connect with IIS only) Fixed an issue where communication issues with the DC were being masked by other error messages.

Known issues and limitations
Subject Issue/Limitation

ID-1289

If you import more than one signing certificate with the same subject name into the IIS host for AD Connect, you must first remove expired certificates with the same subject name directly through IIS Manager. If this is not done you may experience problems when removing an expired certificate and updating it with a new one.

June, 2017: Version 3.0.49

Enhancements
Feature Description

Invalid credential errors

(AD Connect with IIS only) Invalid credential errors are now logged at the Debug level, rather than the Error level as previously. (SSD-5372).

Resolved issues
Ticket ID Issue

PINGONESTG-2447, SSD-5372

(AD Connect with IIS only) Fixed an issue in AD Connect with IIS where look ups for additional user information were sometimes incorrectly based on the user’s email domain instead of the Windows domain, as expected.

PINGONESTG-2455, SSD-5372

Fixed an issue where AD Connect could unintentionally be configured to strip the email domain from the username before trying to look up the user information based on their email (which would always fail). The Strip Email setting is now disabled for email-based lookup.

Known issues and limitations
Subject Issue/Limitation

ID-1289

If you import more than one signing certificate with the same subject name into the IIS host for AD Connect, you must first remove expired certificates with the same subject name directly through IIS Manager. If this is not done you may experience problems when removing an expired certificate and updating it with a new one.

June, 2017: Version 3.0.47

Enhancements
Feature Description

Debug logging

We’ve improved debug logging (PINGONESTG-2292).

Resolved issues
Ticket ID Issue

PINGONESTG-2413

Fixed an issue where a user’s thumbnail photo attribute wasn’t encoded properly.

Known issues and limitations
Subject Issue/Limitation

ID-1289

If you import more than one signing certificate with the same subject name into the IIS host for AD Connect, you must first remove expired certificates with the same subject name directly through IIS Manager. If this is not done you may experience problems when removing an expired certificate and updating it with a new one.

June, 2017: Version 3.0.44

Resolved issues
Ticket ID Issue

PINGONESTG-2377

Fixed an issue where the photo attribute wasn’t encoded properly.

Known issues and limitations
Subject Issue/Limitation

ID-1289

If you import more than one signing certificate with the same subject name into the IIS host for AD Connect, you must first remove expired certificates with the same subject name directly through IIS Manager. If this is not done you may experience problems when removing an expired certificate and updating it with a new one.

May, 2017: Version 3.0.43

Resolved issues
Ticket ID Issue

SSD-4726

Fixed an issue when using Filter as the lookup method with "Strip mail" disabled. AD Connect was appending the domain name if the user didn’t include it.

SSD-5013

Fixed an issue where, under certain conditions, errors were being displayed without the proper styling.

PINGONESTG-2341

Fixed issue where static resources weren’t loaded correctly on some pages.

Known issues and limitations
Subject Issue/Limitation

ID-1289

If you import more than one signing certificate with the same subject name into the IIS host for AD Connect, you must first remove expired certificates with the same subject name directly through IIS Manager. If this is not done you may experience problems when removing an expired certificate and updating it with a new one.

April, 2017: Version 3.0.42

Resolved issues
Ticket ID Issue

PINGONESTG-2251

Fixed an issue with filter-based authentication where disabling the Strip Email resulted in appending the Windows domain to usernames during the lookup.

Known issues and limitations
Subject Issue/Limitation

ID-1289

If you import more than one signing certificate with the same subject name into the IIS host for AD Connect, you must first remove expired certificates with the same subject name directly through IIS Manager. If this is not done you may experience problems when removing an expired certificate and updating it with a new one.

March, 2017: Version 3.0.38

Enhancements

Support for TLS v1.1 & v1.0 following Salesforce removal of TLS v1.0 support

From March 4, 2017, Salesforce is no longer supporting TLS v1.0. To minimize impact for PingOne customers that use PingOne to connect to Salesforce via delegated authentication for AD Connect with IIS, we’ve put together information and instructions. These show you how to ensure your IIS deployment running AD Connect for IIS supports the updated version of TLS (TLS v1.1 or v1.2).

Resolved issues
Ticket ID Issue

SSD-4121

(AD Connect) Fixed an issue where concurrent SSO requests using IWA were resulting in network collisions.

ID-1357

Fixed an issue that was causing some users to get an HTTP Error 400 when attempting to SSO to ZScalar from AD Connect.

Known issues and limitations
Subject Issue/Limitation

ID-1289

If you import more than one signing certificate with the same subject name into the IIS host for AD Connect, you must first remove expired certificates with the same subject name directly through IIS Manager. If this is not done you may experience problems when removing an expired certificate and updating it with a new one.

January 2017: Version 3.0.37

Known issues and limitations
Subject Issue/Limitation

SSD-3870

If you import more than one signing certificate with the same subject name into the IIS host for AD Connect, you must first remove expired certificates with the same subject name directly through IIS Manager. If this is not done you may experience problems when removing an expired certificate and updating it with a new one.

SSD-4139

Fixed an issue where a user’s middle name attribute could not be used in a SAML assertion.

August 16, 2016: Version 3.0.31

Resolved issues
Ticket ID Issue

ID-5623

Fixed an issue where AD Connect was providing PingOne with the computer name, rather than the fully qualified domain name (FQDN).

August 30, 2016: Version 3.0.32

Resolved issues
Ticket ID Issue

ID-5826

Fixed an issue where the connection to PingOne can intermittently be lost under certain conditions.

ID-5838

When you use a custom theme.zip with AD Connect with IIS, the favicon is placed in the root directory. This prevents the custom theming from handling the state properly.

August 9, 2016: Version 3.0.22-→

Enhancements

AD Connect installer

We’ve added the ability to define a verification certificate as part of the AD Connect installation process. During installation, you have the option to:

  • Create a new self-signed certificate.

  • Select an existing certificate.

  • Upload a certificate file.The options available vary depending on whether you are performing a new installation or an upgrade.

May 17, 2016: Version 3.0.22

Enhancements

New configuration parameter for AD Connect

We’ve add the Subject Attribute parameter to the AD Connect Configuration section when installing or reconfiguring AD Connect. Use this parameter to choose the value to use for SAML_SUBJECT. The possible values are sAMAccountName and userPrincipalName.

Resolved issues
Ticket ID Issue

ID-361

Fixed an issue where AD Connect wasn’t sending the address attributes in the SCIM User object if the StreetAddress attribute wasn’t set.

Known issues and limitations
Subject Issue/Limitation

Provisioning

For a single PingOne account, if you have two AD domains with two provisioners, do not modify groups on one domain while the other domain’s provisioner is restarting. This can cause unpredictable behaviour to occur. Ticket ID: IX-315.

April 26, 2016: Version 3.0.20

Enhancements

New configuration parameter for AD Connect

We’ve add the Subject Attribute parameter to the AD Connect Configuration section when installing or reconfiguring AD Connect. Use this parameter to choose the value to use for SAML_SUBJECT. The possible values are sAMAccountName and userPrincipalName.

Resolved issues
Ticket ID Issue

ID-5012

Fixed an issue where users had no access to applications until the AD Connect Configuration service was restarted.

ID-4705

Fixed an issue where PingID needed to be re-enabled after upgrading AD Connect.

Known issues and limitations
Subject Issue/Limitation

Provisioning

For a single PingOne account, if you have two AD domains with two provisioners, do not modify groups on one domain while the other domain’s provisioner is restarting. This can cause unpredictable behaviour to occur. Ticket ID: IX-315.

March 15, 2016: Version 3.0.14

Enhancements

None

(None to report for this release.)

Resolved issues
Ticket ID Issue

ID-4668

Fixed an issue where the AD Connect for IIS installation wasn’t finding the required .NET version, although it was installed.

ID-4650

Fixed an issue where provisioning for AD Connect was failing.

Known issues and limitations

Subject Issue/Limitation

Provisioning

For a single PingOne account, if you have two AD domains with two provisioners, do not modify groups on one domain while the other domain’s provisioner is restarting. This can cause unpredictable behaviour to occur. Ticket ID: IX-315.

January 22, 2016: Version 3.0.12

Enhancements

None

(None to report for this release.)

Resolved issues
Ticket ID Issue

ID-4010

Fixed an issue where SSO wasn’t working unless you restarted the AD Connect Configuration Service.

Known issues and limitations

Subject Issue/Limitation

Provisioning

For a single PingOne account, if you have two AD domains with two provisioners, do not modify groups on one domain while the other domain’s provisioner is restarting. This can cause unpredictable behaviour to occur. Ticket ID: IX-315.

January 12, 2016: Version 3.0.10

Enhancements

None

(None to report for this release.)

Resolved issues
Ticket ID Issue

ID-3995

Fixed an issue where you weren’t able to select the Provisioner Only option using a mouse or trackpad.

Known issues and limitations

Subject Issue/Limitation

Provisioning

For a single PingOne account, if you have two AD domains with two provisioners, do not modify groups on one domain while the other domain’s provisioner is restarting. This can cause unpredictable behaviour to occur. Ticket ID: IX-315.

October 15, 2015: Version 3.0.8

Enhancements

None

(None to report for this release.)

Resolved issues
Ticket ID Issue

ID-3613

Fixed an issue where the installation instructions in the header of the screen to select the installation type weren’t being displayed properly.

ID-3501

Fixed the naming of the AD Connect with IIS selection on the installation type screen.

September 16, 2015: Version 3.0

Enhancements

Group Hierarchy Support

We’ve added a configuration option to enable support for nested Active Directory groups. When this option is enabled, the nested groups will inherit the SSO permissions of their parent group or groups. See Installing AD Connect for instructions.

Auto-Update Changes

You can now use auto-update if your current installation is version 3.0 or higher. All prior versions of AD Connect require a manual update. See Updating AD Connect for instructions.

.NET Requirements

Microsoft Net 4.5.2 Framework is now required. The framework installation file is packaged with the AD Connect and AD Connect with IIS distributions.

Resolved issues
Ticket ID Issue

ID-2277

Fixed issue where the option to require a password on an initial login wasn’t enabled by default.

ID-2222

Fixed display of popup window to authorize an AD Connect update.

ID-2117

Fixed error when configuring IdP using a new account.

ID-2074

Fixed error when switching to edit mode from the settings summary page after previously exiting edit mode without making any changes.

Known issues and limitations

Subject Issue/Limitation

AD Connect application requests redirected to the PingOne dock (ID-1441)

If you are using AD Connect and experiencing an issue where your application requests are being redirected to the PingOne dock when you aren’t using the dock, enable the stateless option for AD Connect:

  1. Ensure that you’re using AD Connect version 2.1.14 or higher. See Updating AD Connect for upgrade instructions.

  2. Open the installation_pathPing Identity\AdConnect\SSO\web.config file in a text editor.

  3. Under the <appSettings> section, add the following entry:

    <add key="stateless" value="true" />
  4. Save the web.config file. Your changes will take affect immediately.

August 21, 2015: Version 2.1.17

Enhancements

None

(None to report for this release).

Resolved issues
Ticket ID Issue

ID-2277

Fixed issue where the option to require a password on an initial login wasn’t enabled by default.

ID-2222

Fixed display of popup window to authorize an AD Connect update.

ID-2117

Fixed error when configuring IdP using a new account.

ID-2074

Fixed error when switching to edit mode from the settings summary page after previously exiting edit mode without making any changes.

Known issues and limitations

Subject Issue/Limitation

AD Connect application requests redirected to the PingOne dock (ID-1441)

If you are using AD Connect and experiencing an issue where your application requests are being redirected to the PingOne dock when you aren’t using the dock, enable the stateless option for AD Connect:

  1. Ensure that you’re using AD Connect version 2.1.14 or higher. See Updating AD Connect for upgrade instructions.

  2. Open the installation_pathPing Identity\AdConnect\SSO\web.config file in a text editor.

  3. Under the <appSettings> section, add the following entry:

    <add key="stateless" value="true" />
  4. Save the web.config file. Your changes will take affect immediately.

July 21, 2015: Version 2.1.15

Enhancements

None

(None to report for this release).

Resolved issues
Ticket ID Issue

ID-1306

Fixed a misleading error message when attempting to communicate with PingOne.

Known issues and limitations

Subject Issue/Limitation

AD Connect application requests redirected to the PingOne dock (ID-1441)

If you are using AD Connect and experiencing an issue where your application requests are being redirected to the PingOne dock when you aren’t using the dock, enable the stateless option for AD Connect:

  1. Ensure that you’re using AD Connect version 2.1.14 or higher. See Updating AD Connect for upgrade instructions.

  2. Open the installation_pathPing Identity\AdConnect\SSO\web.config file in a text editor.

  3. Under the <appSettings> section, add the following entry:

    <add key="stateless" value="true" />
  4. Save the web.config file. Your changes will take affect immediately.

March 16, 2015: Version 2.1.10

Enhancements

None

(None to report for this release).

Resolved issues
Ticket ID Issue

ID-246

Fixed an issue where the distinguishedName include::pingone_for_enterprise:partial$p14e_p1refs_ad.adoc[tags=AD]attribute wasn’t being sent for provisioning.

ID-242

Fixed an issue where the attribute were being converted to all lowercase.

February 25, 2015: Version 2.1.9

Enhancements

ID-53

We’ve added immutableId to the SCIM user object map in AD Connect outbound provisioning.

Resolved issues

Ticket ID Issue

None

(None to report for this release.)

January 10, 2015: Version 2.1.4

Enhancements

include::pingone_for_enterprise:partial$p14e_p1refs_365.adoc[tags=365]Active Profiles

We’ve added support for Office 365 active profiles.

Password Functionality

We’ve added the ability to reset passwords for AD Connect.

Resolved issues

Ticket ID Issue

None

(None to report for this release.)

October 28, 2014: Version 2.0.45

Enhancements

None

(None to report for this release.)

Resolved issues

Ticket ID Issue

PINT-524

Fixed exception when selecting CA signed certificate during installation.

October 7, 2014: Version 2.0.44

Enhancements

None

(None to report for this release.)

Resolved issues

Ticket ID Issue

Various

Minor fixes.

August 26, 2014: Version 2.0.42

Enhancements

Resolved issues

Ticket ID Issue

PINT-277

Fix an issue where the subject is missing when the user principal name (UPN) isn’t specified for the user.

July 17, 2014: Version 2.0.39

Enhancements

Authentication Lookup Parameters

We’ve added support for configuration of authentication lookup parameters (such as attribute name and filter).

June 24, 2014: Version 2.0.34

Enhancements

New AD Connect

AD Connect is now available without an IIS dependency. You now have the option to install "AD Connect" or "AD Connect with IIS".

IWA Support

We’ve added the option to use Integrated Windows Authentication (IWA) with AD Connect.

SAML_SUBJECT Value Changed

The SAML_SUBJECT value is changed to userPrincipalName rather than sAMAccountName as in previous AD Connect versions. You need to update your application attribute mappings if SAML_SUBJECT is a source value for any of your application connections.

SCIM Events

We’ve added support for resending of user SCIM events on group monitoring changes.

SCIM Attributes

We now send only required SCIM attributes during provisioning.

PingOne URL

The new PingOne configuration URLs are now used.

Certificate DN Parsing

We’ve improved certificate DN parsing for AD Connect with IIS.

Auto-Update

We’ve improved the workflows for auto-update.