PingOne for Enterprise

PingOne for Enterprise Release Notes

New features and improvements in PingOne for Enterprise, PingOne for Enterprise for Managed Service Providers, PingOne SSO for SaaS Apps, PingOne SSO for SaaS Apps with Managed Accounts, and AD Connect.

October 2024

AWS IAM Identity Center Provisioner

Improved PingOne for Enterprise

We added the ability to update the nickname attribute for existing provisioned Amazon Web Services (AWS) single sign-on (SSO) users.

Learn more in Amazon Web Services.

PingOne Connector

Fixed PingOne for Enterprise

We fixed a defect that could cause delays in fetching an updated user schema.

The following known limitations apply:

  • Clearing fields on updates is not supported.

  • Multivalued attributes (e.g. emails or addresses) are not supported. Multiple values appear as a single array value in PingOne.

  • Custom attributes are set when the user is initially created and are never updated.

May 2024

SCIM SaaS Provisioner

Fixed PingOne for Enterprise

Fixed a defect that caused a JSON parsing error when non-standard fields are present in the SCIM 2.0 Enterprise User Schema Extension.

The following known limitations apply:

  • User attributes cannot be cleared after they have been set. They can only be updated.

  • Outbound Group Provisioning and Memberships are not supported.

  • Patch updates to SCIM-enabled target applications are not supported.

  • There is a limit of one value per type (such as home, work, or other) for multivalue attributes such as email, phone, and address.

  • Unexpected behavior may occur if the SaaS does not specify either type and primary information, or both type and primary information for multivalue attribute such as such as email, phone, and address. Also, existing SaaS attributes might not be removed during an Update, and the desired value might not be correctly set as primary.

  • SCIM-compliant service providers can implement or interpret SCIM standards differently, which can result in behavior that is not consistent with the intended use of the SCIM SaaS Provsioner.

PingOne Connector

New PingOne for Enterprise

Added support for the Australia region.

The following known limitations apply:

  • Clearing fields on updates is not supported.

  • Multivalued attributes (e.g. emails or addresses) are not supported. Multiple values appear as a single array value in PingOne.

  • Custom attributes are set when the user is initially created, and are never updated.

March 2024

Country data for SSO report

New PingOne for Enterprise

Added a new column to the SSO report listing the country where the SSO event originated.

November 2023

ServiceNow Connector 2.3

New PingOne for Enterprise

Added support for the Utah and Vancouver versions of ServiceNow.

The following known limitations apply:

  • Outbound Group Provisioning and Memberships are not supported.

  • User attributes cannot be cleared after they have been set. They can only be updated.

  • When provisioning to ServiceNow, all user accounts in ServiceNow must have a username (User ID).

    This is not a required field in ServiceNow, but it is required for provisioning to work due to the provisioner using this field to sync with preexisting users in ServiceNow. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), then the accounts will be linked.

    Currently if users exist in ServiceNow without a username that will cause errors in provisioning, resolve this by ensuring every user has this field populated even if they are not intended to be managed by the provisioner.

  • When provisioning users, the username attribute must only contain URL-safe characters.

  • When synchronizing roles with users, the role attribute must contain only URL-safe characters.

  • If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information in the create.

  • Due to limitations with the ServiceNow API, a role can be added to a user, but not removed. This may cause a user’s role in the source datastore to become out-of-sync with the user’s role in ServiceNow.

    For more information, see Enable User Role Removal.

  • When mapping the roles attribute, multiple additional calls to ServiceNow must be made to sync user role. This may impact provisioning performance.

  • For departments that contain the ^ character in the name, the ServiceNow API causes the creation of multiple departments with the same name.

  • For the department and location parameters, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments or locations in ServiceNow (such as Accounting and accounting), PingFederate provisions the user with an empty department or location attribute and logs an error in provisioner.log.

  • The city attribute mapping is not supported for the local repository.

July 2023

Webex Connector 2.3.0

New PingOne for Enterprise

Updated the SiteID configuration field to be optional.

Zoom Connector 1.3.3

New PingOne for Enterprise

Added support for Server-to-Server OAuth applications. This is an alternative method to create a connection to Zoom due to the deprecation of JSON Web Token (JWT) applications.

May 2023

Manual PingOne for Enterprise connections

Info PingOne SSO for SaaS Apps

It is no longer possible to connect a PingOne for Enterprise tenant and a PingOne SSO for SaaS Apps tenant by manually exchanging metadata. This kind of connection was never supported, and can cause duplicate entity ID errors.

You should always use an invited connection to connect your PingOne SSO for SaaS Apps application to PingOne for Enterprise.

April 2023

Info PingOne for Enterprise

The Users by Service search behavior has changed from returning results that contain the search string to returning results that begin with the username.

For more information, see Monitoring service activity.

ServiceNow Tokyo

Improved PingOne for Enterprise

Added support for the Tokyo version of ServiceNow.

The following known limitations apply:

  • Outbound Group Provisioning and Memberships are not supported.

  • User attributes cannot be cleared after they have been set. They can only be updated.

  • When provisioning to ServiceNow, all user accounts in ServiceNow must have a username (User ID).

    This is not a required field in ServiceNow, but it is required for provisioning to work due to the provisioner using this field to sync with preexisting users in ServiceNow. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), then the accounts will be linked.

    Currently if users exist in ServiceNow without a username that will cause errors in provisioning, resolve this by ensuring every user has this field populated even if they are not intended to be managed by the provisioner.

  • When provisioning users, the username attribute must only contain URL-safe characters.

  • When synchronizing roles with users, the role attribute must contain only URL-safe characters.

  • If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information in the create.

  • Due to limitations with the ServiceNow API, a role can be added to a user, but not removed. This may cause a user’s role in the source datastore to become out-of-sync with the user’s role in ServiceNow.

    For more information, see Enable User Role Removal.

  • When mapping the roles attribute, multiple additional calls to ServiceNow must be made to sync user role. This may impact provisioning performance.

  • For departments that contain the ^ character in the name, the ServiceNow API causes the creation of multiple departments with the same name.

  • For the department and location parameters, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments or locations in ServiceNow (such as Accounting and accounting), PingFederate provisions the user with an empty department or location attribute and logs an error in provisioner.log.

March 2023

Email communications

Info PingOne for Enterprise, PingOne SSO for SaaS Apps

Updated our email communications to change the product name from "PingOne" to "PingOne for Enterprise".

This change affects both PingOne for Enterprise and PingOne SSO for SaaS Apps licenses, and will include all emails from Ping, including certificate expiration and password expiration messages.

Email templates that you have customized for your customer accounts are not affected by this change.

If you have any email filters in place, update them to reflect this change.

February 2023

PingID license management for customer accounts

New PingOne for Enterprise

Added the ability to manage PingID licensing for your PingOne for Enterprise for Managed Service Providers customer accounts.

This feature is in limited release. To request access to this feature, open a support case.

For more information, see Administer customer accounts.

Google Workspace Connector 3.2.1

Improved PingOne for Enterprise

  • Added support for the addressFormatted user attribute.

    addressFormatted is a full and unstructured postal address. This single-string attribute can include any values like: PO Box, city, state/province, ZIP/postal code, or country/region.

  • Fixed an issue that caused new users not to be provisioned with group membership.

  • Fixed an issue that caused users not to be disabled by a disable deprovision action.

For more information, see the Google Workspace Provisioner documentation.

December 2022

Improved messaging for expired user invitations

Improved PingOne for Enterprise

Updated the messaging for the following PingOne for Enterprise Directory invited user scenarios:

If an invited user clicks on an expired invitation link, they are redirected to the PingOne for Enterprise sign-on page with an error message directing them to request a new invitation from an administrator. For more information, see Add directory users.

If an invited user has not yet been approved, and they try to use the Forgot Password link, they will see an error message that their account is still awaiting approval.

SCIM SaaS Provisioner 1.5

Improved PingOne for Enterprise

Added the homeEmail and otherEmail attributes.

The following known limitations apply:

  • Clearing fields on updates is not supported.

  • Outbound Group Provisioning and Memberships are not supported.

  • Patch updates to SCIM-enabled target applications are not supported.

  • There is a limit of one value per type (such as home, work, or other) for multivalue attributes such as email, phone, and address.

  • Unexpected behavior may occur if the SaaS does not specify either type and primary information, or both type and primary information for multivalue attribute such as such as email, phone, and address. Also, existing SaaS attributes might not be removed during an Update, and the desired value might not be correctly set as primary.

  • SCIM-compliant service providers can implement or interpret SCIM standards differently, which can result in behavior that is not consistent with the intended use of the SCIM SaaS Provsioner.

For more information, see the SCIM Provisioner documentation.

Zoom Connector 1.2

Improved PingOne for Enterprise

We added a feature to restore the user’s Zoom license when the user is re-enabled.

The following known issues apply:

  • The Zoom Provisioner does not support group provisioning.

  • User attributes cannot be cleared once set. They can only be updated.

  • Zoom only allows a single value for the Roles attribute.

  • Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group that is created by the provisioner. We recommend not deleting the administrative user and not managing this user through the provisioner.

  • Zoom does note allow attribute updates for users with a "disabled" status. To update attributes, re-enable the user first.

  • Zoom does not allow users with the admin role to be disabled or deleted. Change the user’s role first.

For more information, see the Zoom Provisioner documentation.

November 2022

Export a report of applications by group access

Improved PingOne for Enterprise

You can now export a .csv report of configured applications and the user groups assigned to access them. This can be useful for filtering purposes if you have a large number of active applications.

For more information, see Exporting a report of applications by group.

September 2022

Managed accounts certificate notifications

Improved PingOne for Enterprise, PingOne SSO for SaaS Apps

If you have a PingOne for Enterprise for Managed Service Providers or PingOne SSO for SaaS Apps with Managed Accounts license, you can now enable your administrators to receive email notifications when your customer accounts have certificates that are about to expire or have expired.

August 2022

Custom application and customer connection secrets

New PingOne SSO for SaaS Apps

You can now generate client secret values for each application and customer connection API connection.

This ability improves security over using a single set of client credentials for all connections.

This feature is currently in limited release. To request access to this feature, open a support case.

PingOne for Enterprise Directory self-registration

Improved PingOne for Enterprise

You can now configure how long the email invitation remains valid for new self-registering PingOne for Enterprise Directory users.

You can set the duration between 1 hour and 168 hours. The default duration is 24 hours.

Custom Entity ID

Info PingOne SSO for SaaS Apps

The ability to define a custom entity ID for applications that are enabled through PingOne SSO for SaaS Apps is now available to all customers.

If a custom entity ID is in use by a non-multiplexed connection, it cannot be changed.

For more information, see Add or update other applications.

July 2022

ServiceNow Connector 2.3

Improved PingOne for Enterprise

Added support for the Rome and San Diego versions of ServiceNow.

The following known issues apply:

  • Outbound Group Provisioning and Memberships are not supported.

  • User attributes cannot be cleared once set. They can only be updated.

  • When provisioning to ServiceNow, all user accounts in ServiceNow must have a username (User ID). This is not a required field in ServiceNow, but it is required for provisioning to work due to the provisioner using this field to sync with pre-existing users in ServiceNow. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), then the accounts will be linked. Currently, if users exist in ServiceNow without a username that will cause errors in provisioning. You can resolve this by ensuring every user has the username field populated even if they are not intended to be managed by the provisioner.

  • When provisioning users, the username attribute must only contain URL-safe characters.

  • When synchronizing roles with users, the role attribute must contain only URL-safe charcters.

  • If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information in the create.

  • Due to limitations with the ServiceNow API, a role can be added to a user, but not removed, which may cause a user’s role in the source datastore to become out-of-sync with the user’s role in ServiceNow. For more information, see Adding the Ping Identity provisioning role in ServiceNow.

  • When mapping the roles attribute multiple additional calls to ServiceNow must be made to sync user role. This may impact provisioning performance.

  • For departments that contain the ^ character in the name, the ServiceNow API causes the creation of multiple departments with the same name.

  • For the department and location objects, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments or locations in ServiceNow (such as Accounting and accounting), PingFederate provisions the user with an empty department or location attribute and logs an error in provisioner.log.

March 2022

PingID admins multi-factor authentication (MFA) bypass

New PingOne for Enterprise

Added an optional permission to allow PingID Device Administrators to grant temporary MFA bypass to users.

To enable this permission, go to Account → Administrators → Permissions and select Allow Bypass.

For more information, see Administrative roles.

Google Workspace Provisioner improvements

Improved PingOne for Enterprise

Added the following improvements to the Google Workspace Provisioner:

  • Added the ability to disable and delete users

  • Added the ability to provision disabled users

  • Added the ability to remove user actions

  • Added support for Google Admin SDK 1.32.1

The following known issues apply:

  • User attributes cannot be cleared once set.

  • Google does not properly handle creating users with an invalid addressCountry value.

  • The Provisioner sends the value of work for the Organization type. However Google does not retain this value. and as a result the Organization type has no value.

  • Google treats certain user attributes as complex data sets:

    • Address (address* attributes)

    • Organization (org* attributes)

    • Phone (work* attributes)

    Any unmapped or empty fields within a complex data set will be cleared in the corresponding Google account.

New report type

New PingOne for Enterprise

Added a new report type for PingOne for Enterprise for Managed Service Providers accounts.

The SSO Summary by Customer report displays unique users and SSO transactions for each of your customer accounts.

For more information, see PingOne for Enterprise report types.

New report type

New PingOne for Enterprise

The SSO User Summary report displays a list of all unique users who have used SSO during the defined period.

This feature is currently in limited release. To request access to this feature, open a support case.

For more information, see PingOne for Enterprise report types.

Application integration testing change

Info PingOne SSO for SaaS Apps

Changed the tenant used to generate test users from PingFederate to PingOne for Enterprise Directory.

Test user IDs and passwords will no longer automatically populate on the test IdP login site. You can find a complete list of test user IDs and their passwords in the documentation.

REST application customization

New PingOne SSO for SaaS Apps

Added an option to allow your customers to customize the Default Application URL and Error URL when they configure your REST application from the application catalog.

For more information, see Add or update other applications.