PingOne for Enterprise

Previous PingOne for Enterprise releases

February 2022

Enhancements
Feature Description

PingFederate Connection

The latest version of PingFederate available for download through PingOne for Enterprise is 10.3.

You can download later versions of PingFederate from the Ping Identity main download site.

PingOne Connector

  • Fixed an issue that caused an error when trying to update the population ID attribute.

See Known Issues and Limitations below for important information.

PingOne for Enterprise Directory

Notification emails sent to administrators when new users self-register now include a link to the Users → User Directory → Users menu where you can approve the new user.

For more information, see Approve new directory users.

December 2021

Enhancements
Feature Description

Azure Conditional Access

Added the MFA_SUBJECT attribute to the Microsoft Azure AD identity repository configuration.

If you’re using PingID for Azure Conditional Access, the MFA_SUBJECT attribute in PingOne for Enterprise can be mapped the same as the username attribute in PingID.

For more information, see Connect to Azure and Configuring PingID MFA for Microsoft Azure AD Conditional Access in the PingID documentation.

Office 365 Connector

Migrated the Office 365 Connector from the Azure AD Graph API 1.6 to the Microsoft Graph API 1.0.

See Known Issues and Limitations below.

For more information, see the Office 365 Connector documentation.

SSO Admins

Updated the Account → Administrators page to display all single sign-on (SSO) administrative users.

Previously, SSO admins who were also registered in other PingOne for Enterprise accounts did not display.

For more information, see Assign administrative roles.

Known issues and limitations
Subject Issue/Limitation

Office 365 Connector

  • Opting out of license management for users is not supported. The connector will clear existing licenses even when the attribute is unmapped.

  • Updating the mobile attribute requires that the service principal representing the connector be assigned a role with Company Administrator privileges using PowerShell. See this KB article for more information.

  • Updating the Password attribute is not supported.

  • User updates containing a manager that has not yet been provisioned or updated by the new version will fail. Older version updates will not have the new extended attribute with their distinguished name (DN) from Active Directory.

  • If the DoBase64Conversion field is switched to false, conflicts or failures will likely result on federated domains containing pre-existing users provisioned by dirsync/V1.0.

  • Only outbound provisioning is supported.

  • Group provisioning is not supported.

  • Automatic licensing of users is not supported.

October 2021

Enhancements
Feature Description

PingOne Connector

  • Changed the North America region to North America (US)

  • Added the North America (Canada) region

See Known Issues and Limitations below for important information.

SSO/SLO

Increased the max-age parameter of the strict-transport-security header for the https://sso.connect.pingidentity.com/sso/ endpoint.

The previous max-age was 1 year. The new max-age is 2 years.

Known issues and limitations
Subject Issue/Limitation

PingOne Connector

  • Clearing fields on updates is not supported.

  • Multivalued attributes such as email or address are not supported. Multiple values appear as a single array on PingOne.

  • Custom attributes are set when the user is initially created, and cannot be updated afterward.

September 2021

Enhancements
Feature Description

Custom Application Categories

Added the ability to create custom application categories.

Custom application categories let you organize applications in ways that work best for your organization.

For more information, see Creating a custom application category.

PingOne Connector

  • Added support for group provisioning

  • Added the ability to select a default MFA device during user creation

  • Added voice as an option for offline device pairing

  • Fixed an issue that prevented all of a user’s authentication methods from being provisioned if any of them were invalid.

  • Fixed an issue that allowed duplicate local attributes to be defined when configuring an adapter.

  • Fixed an issue that could cause an attribute containing an array of objects to be returned in the incorrect format.

  • Fixed an issue that caused password validation to fail intermittently when the user’s access token had expired.

See Known Issues and Limitations below for important information.

Single Logout

Added support for the optional idpid parameter to all single logout (SLO) endpoints.

If you specify the idpid value, the SLO operation is restricted only to sessions with the specified idpid value.

For more information, see PingOne for Enterprise and SLO.

SSO Admins

Updated the Account → Administrators page to display all single sign-on (SSO) administrative users.

Previously, SSO admins who were also registered in other PingOne for Enterprise accounts did not display.

For more information, see Assign administrative roles.

Known issues and limitations
Subject Issue/Limitation

PingOne Provisioner

Clearing fields on updates is not supported.

Multivalued attributes, such as emails and addresses, are not supported. Multiple values appear as a single-array value in PingOne.

Custom attributes are set when the user is initially created. They cannot be updated after they are set.

August 2021

Enhancements
Feature Description

PingOne Provisioner

Added support for custom string attributes.

See Known Issues and Limitations below for important information.

Known issues and limitations
Subject Issue/Limitation

PingOne Provisioner

Clearing fields on updates is not supported.

Multivalued attributes, such as emails and addresses, are not supported. Multiple values appear as a single-array value in PingOne.

Custom attributes are set when the user is initially created. They cannot be updated after they are set.

July 2021

Enhancements
Feature Description

Admin Portal Banner

Added a feature allowing you to display a banner message in the administrative portal.

For more information, see Adding a logo and banner message.

June 2021

Enhancements
Feature Description

Single Logout Flow

Added a feature allowing administrators to choose how PingOne for Enterprise handles single logout (SLO) requests.

PingID Device Administrator Role

Added a new administrative role to manage user PingID Device settings.

For more information, see Assign administrative roles.

Read-Only Administrative Roles

Added a feature allowing you to assign user groups to read-only versions of administrative roles.

Read-only roles allow administrators to access the areas of the admin portal normally allowed by that role, but not to change settings.

Password Policy

Changed the default password requirements for new accounts.

Previous default settings required a minimum password length of 6 characters, with no requirement for special characters.

New default settings require a minimum password length of 8 characters, and a minimum of one special character.

This change only applies to new accounts.

Known issues and limitations
Subject Issue/Limitation

Single Logout Flow

Single logout from the admin portal does not currently support redirect SLO flow.

If you select Redirect SLO flow for your users, your SSO admins should use the Sign Off button at the top right of the admin portal rather than signing off through the PingOne Dock.

May 2021

Enhancements
Feature Description

Admin-API Client

Removed the ability to use special characters in the Client Name and Description fields when creating API clients.

Special characters in these fields can present a security risk.

If you have existing API clients that include special characters, you will be forced to remove the characters the next time you edit the client.

For more information, see Creating an Admin-API client.

Password Policy Customization

Added a feature giving PingOne for Enterprise for Managed Service Providers administrators the ability to permit their customer accounts to customize password policies.

April 2021

Enhancements
Feature Description

Admin-API Client

Removed the ability to use special characters in the Client Name and Description fields when creating API clients.

Special characters in these fields can present a security risk.

If you have existing API clients that include special characters, you will be forced to remove the characters the next time you edit the client.

For more information, see Creating an Admin-API client.

Password Policy Customization

Added a feature giving PingOne for Enterprise for Managed Service Providers administrators the ability to permit their customer accounts to customize password policies.

March 2021

Enhancements
Feature Description

OAuth Access Token

Increased the allowed number of trusted origins for OAuth access token Cross-Origin Resource Sharing. The previous limit was 10. The current limit is 100.

For more information, see Configuring your OAuth settings.

PingOne for Customers Provisioner

Added a new provisioner for PingOne for Customers.

This provisioner includes:

  • Authoritative IdP attribute

  • Default nicknames for email and SMS

For more information, see PingOne Integration Kit.

Self-Service Password Reset

Reduced the lifetime of the self-service user password reset link from the sign-on screen.

Previously, the password reset link was valid for 3 days. It is now valid for 24 hours.

Known issues and limitations
Subject Issue/Limitation

PingOne for Customers Provisioner

  • Clearing fields on updates is not supported.

December 2020

Enhancements
Feature Description

Aquera Provisioner

Added a new provisioner for Aquera Connector. This is the initial release for this provisioner.

This provisioner includes:

  • Support for user provisioning

  • Support for SCIM core and enterprise attributes

  • Support for bearer token and HTTP basic authentication

  • Configuration options for deprovisioning actions

For more information, see Overview of the Aquera Connector.

SCIM SaaS Provisioner

Fixed application/JSON headers for SCIM 1.1 requests.

Added logic to avoid sending an empty FormattedName attribute.

For more information, see Overview of the SCIM Connector.

ServiceNow Provisioner

Added support for the Orlando and Paris versions of ServiceNow.

For more information, see Overview of the ServiceNow Connector.

Known issues and limitations
Subject Issue/Limitation

ServiceNow Provisioner

  • Outbound Group Provisioning and Memberships are not supported.

  • Once set, user attributes cannot be cleared, only updated.

  • When provisioning to ServiceNow, all user accounts in ServiceNow must have a UserName (User ID). This is not a required field in ServiceNow, but it is required for provisioning to work due to the provisioner using this field to sync with pre-existing users in ServiceNow. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), then the accounts will be linked. Users in ServiceNow without a UserName will cause errors in provisioning. Resolve this by ensuring every user has this field populated, even if they are not intended to be managed by the provisioner.

  • When provisioning users, the UserName attribute must only contain URL-safe characters.

  • When synchronizing roles with users, the role attribute must contain only URL-safe characters.

  • If a new user is created with the same UserName as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information in the creation.

  • Due to limitations with the ServiceNow API, a role can be added to a user but not removed. This may cause a user’s role in the source datastore to become out-of-sync with the user’s role in ServiceNow. For more information, see Enable User Role Removal.

  • When mapping the roles attribute, multiple additional calls to ServiceNow must be made to sync user role. This may impact provisioning performance.

  • For department names that contain the ^ character, the ServiceNow API causes the creation of multiple departments with the same name.

  • For the department object, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments in ServiceNow (such as Accounting and accounting), PingFederate provisions the user with an empty department attribute and logs an error in provisioner.log.

SCIM SaaS Provisioner

  • Clearing fields on updates is not supported.

  • Outbound Group Provisioning and Memberships are not supported.

  • Patch updates to SCIM-enabled target applications are not supported.

  • Multivalue attributes such as email, phone, and address have a limit of one value per type, such as home, work, or other.

  • For multivalue attributes such as email, phone, and address, if the SaaS does not specify either type and primary information, or both type and primary information, the provisioner may behave in unexpected ways. Also, existing attributes on the SaaS might not be removed during an update, and the desired value might not be correctly set as primary.

  • SCIM-compliant service providers may implement or interpret the SCIM standards differently. This can result in behavior that is not consistent with the intended use of the SCIM SaaS Provisioner.

  • The SCIM provisioner will not provision users until the users are updated.

November 2020

Enhancements
Feature Description

Authentication Policy

Added a feature that allows you to choose whether to authenticate SSO admins using their email or their SSO username.

For more information, see Create or update an authentication policy.

Administrator Settings

Added a feature that allows you to change the certificate expiration notification settings for Global and SaaS administrators.

Subscription API

Added a new result status to PingID audit events.

UNSUCCESSFUL_ATTEMPT represents an invalid one-time passcode (OTP) attempt that did not result in failed authentication.

For more information about audit events, see Get the audit events for a Poll subscription.

Known issues and limitations
Subject Issue/Limitation

Single Logout

PingOne for Enterprise’s single logout (SLO) implementation relies on the ability to send cookies within an iframe. Safari now blocks this function by default, which causes SLO to fail in most scenarios.

We are working to accommodate this new behavior.

This issue impacts SLO on the following browsers:

  • Safari 13.1+ on macOS

  • Safari on iOS and iPadOS 13.4+

  • Any browser where the user has disabled third-party cookies

You can solve this problem by enabling third-party cookies in the browser settings.

October 2020

Enhancements
Feature Description

Admin-API Clients

Added a feature that allows you to create Admin-API clients to access subscription endpoints without the need for additional administrator accounts.

For more information, see Creating an Admin-API client.

AWS Single Sign-On Provisioner

Added a new provisioner for AWS Single Sign-On. This is the initial release for this provisioner.

This provisioner includes:

  • Included support for user provisioning

  • Included configuration for deprovisioning actions

See Known Issues and Limitations below for important information.

PingOne Directory

Added a feature that directs a user to the specified redirect URL if they click on the registration URL after completing the registration process.

For more information about self-registration, see Allow self registration for new directory users.

Signing Certificates

Added a feature that allows administrators to designate a signing certificate as the default certificate for newly added application connections.

Known issues and limitations
Subject Issue/Limitation

AWS Single Sign-On Provisioner

  • This integration does not support group provisioning

  • Once set, user attributes cannot be cleared, only updated

July 2020

Enhancements
Feature Description

PingOne Directory

Added a feature that allows administrators to enable additional directory attributes for use in attribute mapping for IdP, dock, and application configuration.

For more information, see Manage directory attributes.

PingOne Provisioner

  • Changed name from PingOne for Customers Provisioner to PingOne Provisioner

  • Added the ability to manage PingOne MFA Email and SMS devices

Known issues and limitations
Subject Issue/Limitation

PingOne Provisioner

  • Clearing fields on updates is not supported.

  • Outbound Group Provisioning and Memberships are not supported.

  • Patch updates to SCIM-enabled target applications are not supported.

  • There is a limit of one value per type (such as home, work, other) for multivalue attributes (email, phone, address).

  • Unexpected behavior may occur if the SaaS application does not specify either type and primary information, or both type and primary information for multivalue attributes (email, phone, address). Also, existing attributes on the application may not be removed during an update, and the desired value may not be correctly set as primary.

  • SCIM-compliant service providers may implement or interpret the SCIM standards differently. This can result in behavior that is not consistent with the intended use of the SCIM SaaS provisioner.

July 2020

Enhancements
Feature Description

Concur 1.0.1

  • Fixed an issue that prevented users from being updated in Concur.

  • See Concur Connector Guide for more information.

June 2020

Enhancements
Feature Description

Atlassian Cloud Provisioner

  • Initial release

  • Includes SAML 2.0 support for IdP- and SP-initiated SSO

  • Included support for user provisioning

  • Included configuration for deprovisioning actions

  • See Overview of the Atlassian Cloud Connector for more information.

ServiceNow Connector 2.2

  • Added the ServiceNow URL field and removed the ServiceNow Instance Name field

  • Fixed an issue that caused an error when assigning a role that was not also assigned to the provisioning user account

  • Added support for the Orlando version of ServiceNow

  • See Overview of the ServiceNow Connector for more information

Known issues and limitations
Subject Issue/Limitation

Atlassian Cloud Provisioner

  • Clearing fields on updates is not supported

  • This integration does not support group provisioning

  • Once set, user attributes can only be updated, not cleared

May 2020

Enhancements
Feature Description

Code42 Provisioner

Zscaler Private Access Provisioner

  • Initial release.

  • Included support for user provisioning.

  • Included configuration for deprovisioning actions.

  • See Overview of Zscaler integrations for more information.

Known issues and limitations
Subject Issue/Limitation

Code42 Provisioner

  • User attributes cannot be cleared once set. They can only be updated.

  • This integration does not support group provisioning.

  • Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group that is created by the provisioner. We recommend not deleting the administrative user and not managing this user through the provisioner.

Zscaler Private Access Provisioner

  • This integration does not support group provisioning.

  • Once set, user attributes can only be updated, not cleared.

  • Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group that is created by the provisioner. We recommend not deleting the administrative user and not managing this user through the provisioner.

April 2020

Enhancements
Feature Description

AD Connect agent management

Metadata Download URL

Session Idle Timeout

  • Added a setting to the Setup → Dock menu allowing administrators to set the time that a user session can be idle before the session is automatically signed out.

Slack Connector

  • Added support for handling rate-limiting responses from Slack.

Zoom Connector 1.0

  • Initial release.

  • Included support for user provisioning.

  • Included support for Zoom attributes.

  • Included support for API key and secret authentication.

  • Included configuration options for deprovisioning actions.

  • See Overview of the Zoom Connector for more information.

Known issues and limitations
Subject Issue/Limitation

Zoom Connector 1.0

  • This integration does not support group provisioning.

  • Once set, user attributes can only be updated, not cleared.

  • Zoom only allows a single value for the Roles attribute.

  • Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group created by the provisioner. We recommend not deleting the administrative user and not managing the user through the provisioner.

  • Due to a limitation in Zoom, if a user’s attributes change at the same time they are enabled or disabled, only the disabled status is updated in Zoom. The attributes are updated the next time a change is made to that user.

  • Zoom does not allow users with the admin role to be disabled or deleted. Change the user’s role first.

March 2020

Enhancements
Feature Description

SCIM Provisioner

  • Added support for the application/scim+json HTTP header type

  • Improved the SCIM URL field in the connection configuration to work either with or without a trailing slash (/) in the URL

Zscaler ZIA Provisioner 1.1

  • Renamed the integration to "Zscaler Internet Access" to match official branding

  • Added the ability to update the username attribute in Zscaler

  • Improved error handling and reporting when encountering a user that does not have an ID

Known issues and limitations
Subject Issue/Limitation

Zscaler ZIA Provisioner 1.1

The following limitations apply:

  • Clearing fields on updates is not supported.

  • Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group that is created by the provisioner. We recommend not deleting the administrative user and not managing this user through the provisioner.

January 2020

Enhancements
Feature Description

Branding

We’ve expanded the branding options for the PingOne dock as well as the AD Connect and PingOne Directory login screens. We have also added new branding options for intermediate SSO screens, including error, SLO, and IdP Discovery screens. Finally, we have reorganized the branding screens in the PingOne admin portal. See Assign branding and design for more information.

Resolved issues
Ticket ID Issue

SSD-12791

Fixed an issue to allow non-HTTPS URI redirects in OIDC mobile applications.

November 2019

Enhancements
Feature Description

OAuth refresh tokens

We’ve added support for OAuth refresh tokens with OpenID Connect applications. See Configuring your OAuth settings and Adding or updating an OIDC application for more information.

Updated provisioner for ServiceNow

We’ve updated the provisioner for ServiceNow. The update to this provisioner includes:

  • Added support for the London, Madrid, and New York versions of ServiceNow.

  • Added support for mapping users to departments in ServiceNow.

  • Improved user ID validation when updating and deleting users.

  • Removed support for the Jakarta and Istanbul versions of ServiceNow.

This is an update to the existing ServiceNow provisioner (Kingston, Jakarta, Istanbul). It has also been rebranded from "ServiceNow (Kingston, Jakarta, Istanbul)" to "ServiceNow".

See Known Issues and Limitations for important information.

Delegated administration of applications

We’ve added an Application Administrator role and the ability for you to delegate administration of applications to an Application Administrator. See Assign Application Administrator applications for more information.

SLO for OpenID Connect applications

We’ve added single logout (SLO) support for OpenID Connect (OIDC) applications. See the Logout URI when adding an OIDC application, or Adding or updating an OIDC application for more information.

Disable inactive users in PingOne directory

We’ve added the ability for you to disable users who’ve been inactive for an extended period of time. See Disable directory users for more information.

Resolved issues
Ticket ID Issue

IO-5615

(Slack provisioner) Fixed an issue that caused the connector to update the wrong phone number attribute as a result of a change in the Slack API.

SSD-12509

Fixed an issue in Google Chrome where a SameSite=none setting in cookies was affecting SSO.

SSD-12579

Fixed an issue where PingOne directory error messages weren’t displaying single quotes.

Known issues and limitations
Subject Issue/Limitation

ServiceNow provisioner

The following limitations apply:

  • For departments that contain the "^" (caret) character in the name, the ServiceNow API causes the creation of multiple departments with the same name.

  • For the department object, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments in ServiceNow (such as Accounting and accounting), PingOne provisions the user with an empty department attribute and logs an error in the Dashboard Report.

  • Outbound Group Provisioning and Memberships are not supported.

  • User attributes cannot be cleared once set. They can only be updated.

  • When provisioning to ServiceNow, all user accounts in ServiceNow must have an assigned username (User ID) value. This is not a required field in ServiceNow. However, because the provisioner must use this field to sync with pre-existing users in ServiceNow, it is required for provisioning to function. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), the accounts will be linked. Currently, if users exist in ServiceNow without an assigned UserName value, this will cause errors in provisioning. In this case, you can resolve the issue by ensuring every user has an assigned UserName, even if they are not intended to be managed by the provisioner.

  • When provisioning users, the username attribute must contain only URL-safe characters.

  • When synchronizing roles with users, the role attribute must contain only URL-safe characters.

  • If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information assigned.

  • Due to limitations with the ServiceNow API, a role can be added to a user but not removed, which may cause a user’s role in the source data store to become out of sync with the user’s role in ServiceNow. For more information, see Adding the Ping Identity provisioning role in ServiceNow.

  • When mapping the roles attribute, multiple calls to ServiceNow must be made to sync the user role information. This may impact provisioning performance.

September 2019

Enhancements
Feature Description

Adding OIDC applications

We’ve updated the selection and configuration of OIDC applications, streamlining this process based on the type of OIDC application connection you want to add. See Adding or updating an OIDC application for more information.

Encryption certificates

We’ve added management of encryption certificates to the certificate management page (Setup → Certificates). You can choose the encryption certificate used for an application. See Update an encryption certificate for more information.

Administrators and SSO

We’ve updated the Administrators page so that when an assigned administrator first signs on (SSO) to the admin portal, they’re automatically added to the list of administrators displayed on the Account → Administrators page. See Assign administrative roles for more information.

Browser extension updated

The browser extension (used for Basic SSO password vaulting) has been updated to version 2.54.9. This update included a fix for an unexpected prompt to restart the browser extension.

Updated provisioner for Salesforce

We’ve updated the provisioner for Salesforce. The update to this provisioner includes support for:

  • Provisioning to Salesforce Community Cloud (customer, partner, and custom communities).

  • Provisioning to custom Salesforce domains.

  • Version 46.0 of the Salesforce REST API.

  • Configuring options to manage permission sets by merging or overwriting.

  • Additional Salesforce attributes.

  • Improved error handling and reporting for cases where users in the target application do not have an ID.

  • Improved error handling and reporting for cases where groups are updated or deleted but do not exist in the target application.

See Known Issues and Limitations for important information.

Resolved issues
Ticket ID Issue

(Browser extension) Staging-8549

Fixed an issue where users were unexpectedly prompted to restart the browser extension.

IO-5467

Fixed an issue that prevented users with certain special characters from being provisioned to Salesforce.

SSD-12043

Fixed an issue where the SAML_SUBJECT attribute was not appearing in the attributes dropdown list in Advanced Attribute Mapping mode.

Known issues and limitations
Subject Issue/Limitation

Salesforce provisioner

The following limitations apply:

  • The provisioner cannot clear user attributes once they have been set.

  • This provisioner does not support custom attributes.

  • The Salesforce provisioner does not support hard deleting users in Salesforce. When users are enabled/disabled or deleted in your user store, the user will only be soft deleted (enabled/disabled) accordingly in Salesforce.

  • The username attribute must be in an email format.

  • The alias attribute can be no more than 8 characters.

  • Group provisioning is not supported.

  • Deprovisioning:

    • When deprovisioning a Salesforce customer or partner user, the provisioning connector does not unlink the user from the associated contact.

    • If a customer or partner user is unlinked in Salesforce from the associated contact, any changes to the user in the data store will cause the provisioner to create a new user in Salesforce and link it to the existing contact.

    • Guest users in Salesforce cannot be frozen. If Freeze users instead of Disable is selected in your provisioning options, the guest user will not be disabled or frozen.

  • Salesforce Communities:

    • The provisioner can link users to "customer" and "partner" business accounts, but not to "person" accounts. See Accounts in the Salesforce documentation.

July 2019

Enhancements
Feature Description

PingOne directory user passwords

We’ve updated the PingOne directory user password process for new users. Now after you create a new user, the user must change their assigned password when they first sign on. See Add directory users for more information.

Updated provisioner for WebEx®

We’ve updated the provisioner for WebEx. The update to this provisioner includes:

  • Fixed an issue that prevented users with special characters from being provisioned to WebEx.

  • Improved error handling and reporting for cases where users in the target application do not have an ID.

  • Improved error logging security.

  • Fixed an issue that caused a user to be recreated when the provisioning engine tried to delete or disable a user that was already deleted in WebEx.

See Known Issues and Limitations for important information.

Updated provisioner for Amazon Web Services

We’ve updated the provisioner for Amazon Web Services (AWS). The update to this provisioner includes:

  • Support for the AWS 2.0 API.

  • Support for the Password and PasswordResetRequired attributes.

  • Support for updating the UserName attribute.

  • Improved error-handling and reporting behavior.

See Known Issues and Limitations for important information.

PingFederate Bridge

PingFederate Bridge is now the default PingFederate identity bridge for PingOne. It’s a light-weight version of PingFederate designed for quick and easy configuration with PingOne. See Introduction to PingFederate Bridge and Connect to PingFederate for more information.

Admin portal SSO for multiple groups

You can now assign multiple groups to administrative roles for the purpose of SSO to the PingOne admin portal from the PingOne dock. We’ve also created a new page for this assignment: Setup → Dock → Admin Portal SSO. See Configure SSO from the dock to the admin portal for more information.

Ping directory branding

We’ve added the ability for you to brand PingOne directory pages for your organization. See Assign directory branding and designs for more information.

SSO reports

You can now apply filtering to SSO reports based on specific applications. See Run a predefined report or Run a custom report for more information.

Supported languages

PingOne UI components now support the use of more languages. See PingOne for Enterprise language support for more information.

Known issues and limitations
Subject Issue/Limitation

WebEx provisioner

The following limitations apply:

  • The provisioner cannot re-enable user meeting types that have been disabled through the Webex administration console. If the provisioner tries to update the user’s meeting types in this scenario, it can cause all meeting types for that user to be disabled.

  • The WebEx ID attribute is not updateable in PingOne.

  • The MeetingType attribute is limited to one value in PingOne (not a multivalued attribute).

  • Due to API Limitations, WebEx doesn’t allow a user to be created in a suspended state. WebEx will automatically activate the user after it is created.

Amazon Web Services provisioner

The following limitations apply:

  • Group Provisioning is not supported.

  • Deprovisioning:

    • AWS does not support disabled users. These users are deleted instead.

  • Attributes:

    • When a user is created with a passwordResetRequired value other than "true" or "TRUE", the provisioning connector sets the value to "false" in AWS.

    • Clearing fields on updates is not supported.

June, 2019

Enhancements
Feature Description

PingFederate Bridge

PingFederate Bridge is now the default PingFederate identity bridge for PingOne. It’s a light-weight version of PingFederate designed for quick and easy configuration with PingOne. See Introduction to PingFederate Bridge and Connect to PingFederate for more information.

Admin portal SSO for multiple groups

You can now assign multiple groups to administrative roles for the purpose of SSO to the PingOne admin portal from the PingOne dock. We’ve also created a new page for this assignment: Setup → Dock → Admin Portal SSO. See Configure SSO from the dock to the admin portal for more information.

Ping directory branding

We’ve added the ability for you to brand PingOne directory pages for your organization. See Assign directory branding and designs for more information.

SSO reports

You can now apply filtering to SSO reports based on specific applications. See Run a predefined report or Run a custom report for more information.

Supported languages

PingOne UI components now support the use of more languages. See PingOne for Enterprise language support for more information.

Basic SSO option

We’ve added an option for you to enable Basic SSO on the Setup → Dock → Configurations page in the admin portal. When enabled, you’ll use the browser extension to add apps for Basic SSO. See Basic SSO (password vaulting) for more information.

Basic SSO browser extension new field available

We’ve updated the browser extension used for Basic SSO apps to support an additional field for use when training the browser extension to sign on to a Basic SSO app. The additional (third) field is optional and is supplied for those apps that require sign-on information in addition to the user name and password fields.

Resolved issues
Ticket ID Issue

IO-5262

(Provisioning) Fixed an issue where disabling users in the user source without a synchronized user in a target SaaS could result in a new user being created in the SaaS. The affected PingOne apps are:

  • Amazon Web Services

  • Box

  • Concur

  • Dropbox

  • Egnyte

  • Github

  • Google

  • Lucidchart

  • Office 365

  • Ping IDaaS Directory Provisioner

  • PingOne for Customers Provisioner

  • Ping IDaaS Generic Scim Provisioner

  • Salesforce

  • ServiceNow Jakarta

  • Slack

  • WebEx

  • Workplace by Facebook

  • Zendesk

  • Zscaler

SSD-11699

Fixed an issue in PingOne directory where a user having the same email address could not be recreated after being deleted.

May, 2019

Enhancements
Feature Description

Basic SSO option

We’ve added an option for you to enable Basic SSO on the Setup → Dock → Configurations page in the admin portal. When enabled, you’ll use the browser extension to add apps for Basic SSO. See Basic SSO (password vaulting) for more information.

Basic SSO browser extension new field available

We’ve updated the browser extension used for Basic SSO apps to support an additional field for use when training the browser extension to sign on to a Basic SSO app. The additional (third) field is optional and is supplied for those apps that require sign-on information in addition to the user name and password fields.

Updated provisioner for PingOne for Customers

We’ve updated the provisioner for PingOne for Customers. This provisioner is intended for existing PingOne for Enterprise accounts using either PingOne directory or AD Connect who want to migrate their users to PingOne for Customers. The update to this provisioner includes:

  • Fixed an issue that prevented users with empty attributes from being provisioned to PingOne for Customers.

  • Removed support for obsolete scopes from the provisioner.

See Known Issues and Limitations for important information.

Resolved issues
Ticket ID Issue

BE-2752

(Browser extension) Fixed an issue where the browser extension wasn’t properly replaying an app in Chrome resulting in the Login button not functioning.

SSD-11636

Fixed an issue where a CSR response could not be uploaded to PingOne.

SSD-11595

Fixed an issue where the PingOne attribute mapping for PingFederate defaulted to sub instead of SAML_SUBJECT as expected.

SSD-11570

Fixed an issue where the activation key for a PingOne 30 day trial account was not accepted by PingFederate.

SSD-11351

Fixed an issue where a routing for a PingFederate connection was being retained to a Ping data center that was no longer being used.

Known issues and limitations
Subject Issue/Limitation

PingOne for Customers provisioner

The following limitations apply:

  • Clearing fields on updates is not supported.

  • Outbound Group Provisioning and Memberships is not supported.

  • Patch updates to SCIM-enabled target applications are not supported.

  • There is a limit of one value per type (such as, home, work, other) for multivalue attributes (email, phone, address).

  • Unexpected behavior may occur if the SaaS application does not specify either type and primary information, or both type and primary information for multivalue attributes (email, phone, address). Also, existing attributes on the application may not be removed during an update, and the desired value may not be correctly set as primary.

  • SCIM-compliant service providers may implement or interpret the SCIM standards differently. This can result in behaviour that is not consistent with the intended use of the SCIM SaaS provisioner.

April, 2019

Enhancements
Feature Description

PingOne registration page

We’ve updated the UI for the registration page, administrator login, and password recovery. Most importantly, we’ve added the selection of the PingOne data center to use for the new account. See Registering a PingOne for Enterprise account for more information.

Identity repository setup

We’ve updated the UI for identity repository setup and added an attribute mapping option enabling you to configure the attribute mapping from the identity provider to the standard set of PingOne SSO attributes.

Microsoft Azure identity bridge

We’ve added an identity bridge for Azure, with the option to synchronize groups from your Azure tenant to PingOne for Enterprise. See Connect to Azure for more information.

Microsoft ADFS identity bridge

We’ve added an identity bridge for Active Directory Federation Services (ADFS). See Connect to ADFS for more information.

Group assignment

You can now authorize groups for application access as part of the application setup for SAML, OIDC, or Application Catalog applications.

PingOne directory self-registration

If you’re using PingOne directory as your identity repository, you can now assign the email domains that can be used for self-registration. If you choose not to assign the email domains, then all domains can be used for self-registration. See Allow self registration for new directory users for more information.

Cross-origin resource sharing (CORS) for OpenID Connect

If you’re integrating OpenID Connect (OIDC) applications with PingOne, you can now configure one or more trusted origins to enable cross-origin resource sharing (CORS). See Configuring your OAuth settings for more information.

SAML response signing

If you’re integrating SAML applications with PingOne, you can now configure whether PingOne for Enterprise signs the SAML assertion or the SAML response that is sent to the application during SSO. See Adding or updating a SAML application for more information.

Resolved issues
Ticket ID Issue

SSD-10739

(Ping directory) Fixed an issue where a user was invited and confirmed the email activation, but the user wasn’t provisioned to Ping directory until another user was created or invited.

SSD-11230

Fixed an issue where the SAML response signing selection for existing connections defaults to signing the assertion.

March, 2019

Enhancements
Feature Description

SCIM SaaS provisioner

We’ve updated the provisioner for SCIM SaaS applications. This provisioner includes:

  • Configuration options for the Unique User Identifier (userName or workEmail) which is used to search for users in the target application.

See Known Issues and Limitations for important information.

Known issues and limitations
Subject Issue/Limitation

PingOne for Customers provisioner

The following limitations apply:

  • Clearing fields on updates is not supported.

  • Outbound Group Provisioning and Memberships is not supported.

  • Patch updates to SCIM-enabled target applications are not supported.

  • There is a limit of one value per type (such as, home, work, other) for multivalue attributes (email, phone, address).

  • Unexpected behavior may occur if the SaaS application does not specify either type and primary information, or both type and primary information for multivalue attributes (email, phone, address). Also, existing attributes on the application may not be removed during an update, and the desired value may not be correctly set as primary.

  • SCIM-compliant service providers may implement or interpret the SCIM standards differently. This can result in behaviour that is not consistent with the intended use of the SCIM SaaS provisioner.

February, 2019

Enhancements
Feature Description

New provisioner for PingOne for Customers

We’ve added a new provisioner for PingOne for Customers. This provisioner is intended for existing PingOne for Enterprise accounts using either PingOne directory or AD Connect who want to migrate their users to PingOne for Customers. This provisioner includes:

  • Support for user provisioning.

  • Support for user attributes: Username, Email, Population ID, Account ID, City, Country, External ID, First Name, Force Change Password, Full Name, Honorific Prefix, Honorific Suffix, Job Title, Last Name, Locale, Middle Name, Mobile Phone, Nickname, Password, Preferred Language, Primary Phone, Profile Image, State/Region, Street Address, Timezone, User Type and ZIP Code.

See Known Issues and Limitations for important information.

Resolved issues
Ticket ID Issue

SSD-10517

Fixed an issue where user provisioning to PingOne directory failed when switching to the PingOne directory from either a PingFederate or AD Connect identity bridge.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Known issues and limitations
Subject Issue/Limitation

PingOne for Customers provisioner

The following limitations apply:

  • Clearing fields on updates is not supported.

January, 2018

Enhancements
Feature Description

OpenID Connect custom scopes

We’ve added OAuth configuration settings for OpenID Connect applications to enable you to define custom scopes or to modify existing scopes with custom or standard claims. For more information, see Configure the access token.

PingOne redirect URI

We’ve updated the PingOne redirect URI to include a verification code unique to your account. The redirect URI used by your OpenID Connect provider for PingOne must include the verification code for SSO to be successful. For more information, see Connect to OpenID Connect.

Audit & Report administrator

We’ve added a dedicated administrator role for working with the audit event streaming and polling capabilities. The Audit & Report administrator is restricted to accessing the PingOne Dashboard and the Reporting and Subscriptions pages. The Audit & Report administrator can also access the API for polling audit events when audit subscriptions are configured as polling subscriptions. For more information, see Assign administrative roles and Managing reports and subscriptions.

SSO reporting

We’ve added new report types and predefined reports for SSO transactions. For more information, see Report types and Report event information.

Resolved issues
Ticket ID Issue

SSD-10353

Fixed an issue where access to the PingOne admin portal generated an error when the PingOne authentication policy applied multi-factor authentication for SSO to the admin portal.

SSD-10402

Fixed an issue that occurred while adding a new SAML application. The signing certificate selected during the configuration process was not being used for the signing certificate download link displayed on the summary page at the end of the configuration process. Instead, the download link used the default signing certificate.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

December, 2018

Enhancements
Feature Description

OpenID Connect custom scopes

We’ve added OAuth configuration settings for OpenID Connect applications to enable you to define custom scopes or to modify existing scopes with custom or standard claims. For more information, see Configure the access token.

PingOne redirect URI

We’ve updated the PingOne redirect URI to include a verification code unique to your account. The redirect URI used by your OpenID Connect provider for PingOne must include the verification code for SSO to be successful. For more information, see Connect to OpenID Connect.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

November, 2018

Enhancements
Feature Description

OpenID Connect query parameters

We’ve updated the OpenID Connect repository configuration to enable you to specify additional query parameters for the authentication request PingOne sends to the OpenID Connect provider. For more information, see Connect to OpenID Connect.

PingOne dock and SSO session lifetimes

We’ve updated the PingOne dock to use the same session lifetime as the SSO session. The PingOne dock and SSO session can now be set to as low as 15 minutes. For more information, see Configure the dock when using an identity bridge.

Turkish language support

We’ve updated the PingOne user interface to include support for Turkish. For more information, see PingOne language support.

Resolved issues
Ticket ID Issue

SSD-9795

Fixed an issue where users who are members of a large number of groups were unable to use SafeNet for multi-factor authentication.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

October, 2018

Enhancements
Feature Description

Github provisioner

We’ve added a new provisioner for Github applications. This provisioner includes:

  • Added support for user provisioning.

  • Added support for user attributes: Username, Email, First Name, Last Name and External ID.

See Known Issues and Limitations for important information.

Administrative auditing (reports and subscriptions)

Administrative auditing is now available for PingOne for Enterprise, PingID and PingOne SSO for SaaS Apps. You can utilize the administrative audit events through both the Reports and the Subscriptions facilities.

PKCE support for OpenID Connect (OIDC)

We’ve added support for Proof Key for Code Exchange (PKCE) to secure OIDC clients that cannot or choose not to use a client secret. We have therefore relaxed the requirement that a client secret must be specified when configuring an OIDC application with the authorization code flow. For more information, see Integrate an OIDC application, PKCE parameters.

SLO for OIDC identity providers

We’ve added single logout (SLO) support for PingOne for Enterprise OIDC identity providers (IdPs). You can specify the end-session URL through the well-known metadata of the OpenID Connect provider (end_session_endpoint), or when you configure the PingOne connection for the OIDC IdP. When SLO is triggered, PingOne redirects the user logout process to the end-session URL for the OIDC IdP.

Automatic IdP Discovery

We’ve added automatic IdP discovery for all PingOne for Enterprise managed applications (applications managed by your account, rather than a service provider). For these applications, we no longer require that you specify the idpid for SP-initiated (SAML) requests or OIDC authorization requests.

SAML assertion available in reports

For SAML applications, we’ve added an enhancement to reports for you to display the SAML assertion for a failed SSO audit event included in a report. You can click on the failure code to display a popup containing the SAML assertion.

PingOne directory enhancements

We’ve added features to PingOne directory allowing you to:

  • Configure the reply-to email address used for PingOne Directory user invitations. For more information, see Allow self registration for new directory users.

  • Enable or disable the password expiry and password lockout notification emails sent to PingOne Directory users. For more information, see Allow self registration for new directory users.

Workplace by Facebook provisioner

We’ve updated the provisioner for Workplace by Facebook applications. This provisioner includes:

  • Improved error handling and reporting when Workplace by Facebook users contain no ID.

  • Improved check connection call by not retrieving a list of users.

See Known Issues and Limitations for important information.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Known issues and limitations
Subject Issue/Limitation

Github provisioner

The following limitations apply:

  • Clearing fields on updates is not supported.

  • Enabling a previously deleted user in GitHub will trigger a create operation.

  • When a user is deleted from GitHub they are removed from the organization. The user will still have a GitHub account but no access to the organization’s resources.

  • Due to GitHub API limitations, provisioning with multiple threads or making more than 5000 requests per hour may trigger GitHub’s abuse detection mechanism, rate-limiting, or both. This will prevent requests from being completed. For more information, see Github rate-limiting.

Workplace by Facebook provisioner

The following limitations apply:

  • Clearing fields on updates is not supported.

  • Due to API limitations with matching a user’s manager using the display name, if multiple matches occur the first match will be used. This could be an issue if multiple employees in the Workplace by Facebook account have the same first and last names. To avoid conflicts, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

  • Due to LDAP limitations, when you update a manager’s name it does not update their Distinguished Name (DN). The provisioner uses the distinguished name to match a manager in Workplace by Facebook and may not find the correct match. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

  • Due to SaaS API limitations, adding a manager may require a search of all Workplace by Facebook users. This will impact provisioning performance. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

September, 2018

Enhancements
Feature Description

PKCE support for OpenID Connect (OIDC)

We’ve added support for Proof Key for Code Exchange (PKCE) to secure OIDC clients that cannot or choose not to use a client secret. We have therefore relaxed the requirement that a client secret must be specified when configuring an OIDC application with the authorization code flow. For more information, see Integrate an OIDC application, PKCE parameters.

SLO for OIDC identity providers

We’ve added single logout (SLO) support for PingOne for Enterprise OIDC identity providers (IdPs). You can specify the end-session URL through the well-known metadata of the OpenID Connect provider (end_session_endpoint), or when you configure the PingOne connection for the OIDC IdP. When SLO is triggered, PingOne redirects the user logout process to the end-session URL for the OIDC IdP.

Automatic IdP Discovery

We’ve added automatic IdP discovery for all PingOne for Enterprise managed applications (applications managed by your account, rather than a service provider). For these applications, we no longer require that you specify the idpid for SP-initiated (SAML) requests or OIDC authorization requests.

PingOne directory enhancements

We’ve added features to PingOne directory allowing you to:

  • Configure the reply-to email address used for PingOne Directory user invitations. For more information, see Allow self registration for new directory users.

  • Enable or disable the password expiry and password lockout notification emails sent to PingOne Directory users. For more information, see Allow self registration for new directory users.

Workplace by Facebook provisioner

We’ve updated the provisioner for Workplace by Facebook applications. This provisioner includes:

  • Improved error handling and reporting when Workplace by Facebook users contain no ID.

  • Improved check connection call by not retrieving a list of users.

See Known Issues and Limitations for important information.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Known issues and limitations
Subject Issue/Limitation

Workplace by Facebook provisioner

The following limitations apply:

  • Clearing fields on updates is not supported.

  • Due to API limitations with matching a user’s manager using the display name, if multiple matches occur the first match will be used. This could be an issue if multiple employees in the Workplace by Facebook account have the same first and last names. To avoid conflicts, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

  • Due to LDAP limitations, when you update a manager’s name it does not update their Distinguished Name (DN). The provisioner uses the distinguished name to match a manager in Workplace by Facebook and may not find the correct match. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

  • Due to SaaS API limitations, adding a manager may require a search of all Workplace by Facebook users. This will impact provisioning performance. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

August, 2018

Enhancements
Feature Description

Users by Service

We’ve added support for first and last name values for provisioned users on the Users → Users By Service page.

PingOne directory user registrations

We’ve added the ability for you to specify a reply-to email address for user registrations on the Setup → Directory → Registration page.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

July, 2018

Enhancements
Feature Description

OpenID Connect applications

PingOne for Enterprise and PingOne SSO for SaaS Apps now support the OpenID Connect (OIDC) protocol for application integration using code, implicit or hybrid flows. You can customize access tokens for your account or per application. Client authentication is done using client secrets.

For PingOne for Enterprise, you can make PingOne OIDC applications available on the PingOne dock. The applications are also selectable in access and authentication policies.

Updated provisioner for Evernote®

We have updated the provisioner for Evernote applications. The update includes:

  • Support for user attributes: Display Name and External ID.

  • Support for the Evernote SCIM 2.0 API.

  • Removed support for hard delete (feature deprecated by Evernote).

  • Removed support for reactivating a disabled user (feature deprecated by Evernote).

See Known Issues and Limitations for important information.

Updated SCIM SaaS provisioner

We have updated the provisioner for SCIM SaaS applications. The updates include:

  • Fixed issue where SCIM v2 requests included SCIM v1.1 schema URNs.

  • Fixed issue where the NO_CONTENT HTTP response code was not being handled.

  • Fixed issue where the SERVER_ERROR HTTP response code was not being handled.

  • Fixed issue where the user’s active status was not updated correctly on update requests.

  • Fixed issue where SCIM v2 error descriptions were not logged correctly.

  • Fixed issue where an empty return body on a user PUT operation caused a JSON parsing exception.

See Known Issues and Limitations for important information.

New provisioner for Lucidchart®

We have added a new provisioner for the Lucidchart applications. This provisioner includes:

  • Support for user provisioning.

  • Support for these user attributes: Username, Display Name, Email, External ID, First Name, Last Name and Roles.

See Known Issues and Limitations for important information.

Updated provisioner for Office 365™

We have updated the provisioner for Office 365 applications. The update includes:

  • Support for hard-deleting users.

See Known Issues and Limitations for important information.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Known issues and limitations
Subject Issue/Limitation

Evernote provisioner

The following limitations apply:

  • Clearing fields on updates is not supported.

  • Provisioning disabled users from an LDAP user repository to Evernote is not supported.

  • Due to Evernote API limitations, a deactivated user cannot be reactivated using SCIM.

  • Due to Evernote API limitations, new users cannot be created with the same username as a previously deactivated user.

SCIM SaaS provisioner

The following limitations apply:

* Clearing fields on updates is not supported.
* Outbound Group Provisioning and Memberships is not supported.
* Patch updates to SCIM-enabled target applications are not supported.
* There is a limit of one value per type (such as home, work, other) for multivalue attributes (email, phone, address).
* Unexpected behavior may occur if the SaaS application does not specify either type and primary information, or both type and primary information for multivalue attributes (email, phone, address). Also, existing attributes on the application may not be removed during an update, and the desired value may not be correctly set as primary.
* SCIM-compliant service providers may implement or interpret the SCIM standards differently. This can result in behaviour that is not consistent with the intended use of the SCIM SaaS provisioner.

Lucidchart provisioner

The following limitations apply:

* Clearing fields on updates is not supported.
* Due to Lucidchart API limitations, there will be a performance impact to creating users when mapping External ID or Roles. Both External ID and Role may fail to be added to a user on the initial create. If this happens, an error will be logged and the update to External ID and Roles will be retried up to three times.
* Due to Lucidchart API limitations, attempting to update a user immediately after creating them may result in user not found exceptions. This is due to a delay in Lucidchart between creating a user and being able to modify the user. Failed attempts to update the user will be re-attempted up to three times.

Office 365 provisioner

The following limitations apply:

* Opting out of license management for users is not supported. The provisioner will clear existing licenses even when the attribute is unmapped.
* Updating the mobile attribute requires that the service principal representing the provisioner (where the user gets the client key and secret) be assigned a role with Company Administrator privileges (using PowerShell). See this KB article for more information.
* Updating the Password attribute is not supported.
* User updates containing a manager that has not yet been provisioned or updated by the new version will fail, because the manager will not have the new extended attribute holding their distinguished name from Active Directory.
* If the DoBase64Conversion field is switched to “false”, expect conflicts or failures on federated domains containing pre-existing users provisioned by dirsync or V1.0.
* Only outbound provisioning is supported.
* Group provisioning is not supported.
* Automatic licensing of users is not supported.

June, 2018

Enhancements
Feature Description

New provisioner for Zscaler®

We have added a new provisioner for the Zscaler applications. This provisioner includes:

* Support for user provisioning.
* Support for these user attributes: Username, Display Name, Department, Email, External ID, First Name and Last Name.

See Known Issues and Limitations for important information.

Audit subscriptions

We have added UI for you to configure subscriptions to audit events. You can now display a list of your audit subscriptions, create new Push or Poll subscriptions, and edit or delete existing subscriptions.

See Reports and subscriptions for more information.

Service provider SAML encryption

We have added an option for you to configure encryption of the assertion in the outbound SAML response sent from PingOne to the service provider (SP). This functionality is available only for non-multiplexed SAML applications. You can assign the encryption algorithm to use. You can also upload your own certificate to use for encryption. NOTE: For enhanced security we will sign the SAML response rather than the assertion in the SAML response when encryption is enabled.

See Add and configure a new SAML application for more information.

Service provider SAML encryption

We have added an option for you to configure encryption of the assertion in the outbound SAML response sent from PingOne for an application. You can assign the encryption algorithm to use. You can also upload your own certificate to use for encryption. NOTE: For enhanced security we will sign the SAML response rather than the assertion in the SAML response when encryption is enabled.

See Add or update a SAML-enabled application for more information.

Updated navigation design

We have updated the design of the top-level navigation for the PingOne admin portal. There is no functional or behavioural impact. This is solely a style change.

Resolved issues
Ticket ID Issue

SSD-8111

Fixed an issue where the Target Resource URL was limited to 128 characters.

SSD-8413

Fixed an issue where changing the PingOne for Enterprise Target Resource URL for an application supplied by a service provider (SP) to the same Target Resource value as set by the SP resulted in the setting change failing.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Known issues and limitations
Subject Issue/Limitation

Zscaler provisioner

The following limitations apply:

* Clearing fields on updates is not supported.
* Due to a Zscaler limitation, a user’s username cannot be updated.
* Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group that is created by the provisioner. We recommend that this administrative user is not managed through the provisioner and is not deleted.

May, 2018

Enhancements
Feature Description

ServiceNow provisioner (Kingston, Jakarta, Istanbul)

We’ve added new capabilities for the ServiceNow applications:

  • Configuration options for the create/read/update/delete (CRUD) capabilities.

  • Configuration options for provisioning disabled users.

  • Support for Istanbul, Jakarta, and Kingston.

See Known Issues and Limitations for important information. This is a new ServiceNow provisioner. We’ve rebranded the existing provisioner from ServiceNow to "ServiceNow (Fuji)".

Box provisioner

We’ve added new capabilities for the Box applications:

  • An option to create personal folders on user creates.

  • An option to force delete users with managed content.

See Known Issues and Limitations for important information.

If you have an existing Box application, to take advantage of the new features you will need to click through to the last page and save the application.

Resolved issues
Ticket ID Issue

SSD-7486

Fixed an issue when adding a new SAML application where changes to the signing algorithm were not being retained after saving the changes.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Known issues and limitations
Subject Issue/Limitation

ServiceNow provisioner (Kingston, Jakarta, Istanbul)

The following limitations apply:

  • Outbound Group Provisioning and Memberships are not supported.

  • User attributes cannot be cleared once set. They can only be updated.

  • When provisioning to ServiceNow, all user accounts in ServiceNow must have an assigned username (User ID) value. This is not a required field in ServiceNow. However, because the provisioner must use this field to sync with pre-existing users in ServiceNow, it is required for provisioning to function. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), the accounts will be linked. Currently, if users exist in ServiceNow without an assigned UserName value, this will cause errors in provisioning. In this case, you can resolve the issue by ensuring every user has an assigned UserName, even if they are not intended to be managed by the provisioner.

  • When provisioning users, the username attribute must contain only URL-safe characters.

  • When synchronizing roles with users, the role attribute must contain only URL-safe characters.

  • If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information assigned.

  • Due to limitations with the ServiceNow API, a role can be added to a user but not removed, which may cause a user’s role in the source data store to become out of sync with the user’s role in ServiceNow. For more information, see Enable User Role Removal.

  • When mapping the roles attribute, multiple calls to ServiceNow must be made to sync the user role information. This may impact provisioning performance.

Box provisioner

The following limitations apply:

  • Clearing fields on updates is not supported.

  • The login attribute cannot be updated through provisioning.

  • The Inactive Status Default user attribute has no effect if the Box connector is configured to delete (hard-delete) users instead of disable (soft-delete) users when de-provisioning. Additionally, deleting a user in an LDAP repository will always set the status for the user as "inactive" in the Box application.

  • Outbound Group Provisioning and Memberships are not supported.

  • A Box API limitation prevents login credentials from being updated by the provisioner when the character case differs. For example, "USER@TEST.COM", cannot be updated to "user@test.com". When the case differs, the Box API omits the login from the API operation. So, in an update operation, when the case differs, the login is omitted, but any other attributes that may have changed are provisioned and updated.

  • Due to Box API requirements, only primary, validated email addresses can be used to sync users.

  • Enabling Personal Folder functionality will diminish initial synchronization provisioning performance.

April, 2018

Enhancements
Feature Description

OpenID Connect identity repository

We’ve added support for OpenID Connect identity repositories. You can now authenticate users through any OpenID provider. See Connect to OpenID Connect for more information.

Force MFA option

If you have an authentication policy in place for your PingOne account, when you add an application to PingOne, you now have the option to require that each time a user accesses the application, they must use multi-factor authentication (MFA).

New attribute mapping settings

When you add an application to PingOne and use advanced attribute mapping to map your identity provider attributes to service provider attributes, you will now find settings for random and hash functions. The hash function takes a literal string or attribute value. The random function generates a random string of a specified length. Both functions optionally hash the string using the selected algorithm (MD5, SHA-1, SHA-256) and encode the string using the selected encoder (hex, base64).
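A model of the hash and random mapping functions described above, with a check that flags asserted values whose digest length matches MD5 or SHA-1. This is an added example, not PingOne code; UTF-8 input, the alphanumeric random alphabet, and the names `map_hash`, `map_random`, `identify` and `weak_mappings` are assumptions.

```python
import base64
import binascii
import hashlib
import secrets
import string

# Algorithms and encoders named in the release note.
ALGORITHMS = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1, "SHA-256": hashlib.sha256}
WEAK = {"MD5", "SHA-1"}
DIGEST_BYTES = {16: "MD5", 20: "SHA-1", 32: "SHA-256"}


def _encode(data, encoder):
    if encoder == "hex":
        return data.hex()
    if encoder == "base64":
        return base64.b64encode(data).decode("ascii")
    raise ValueError(f"unknown encoder {encoder!r}")


def map_hash(value, algorithm=None, encoder=None):
    """Literal or attribute value in, optionally hashed and encoded string out."""
    data = value.encode("utf-8")  # assumption: input is encoded as UTF-8
    if algorithm is not None:
        data = ALGORITHMS[algorithm](data).digest()
        if encoder is None:
            # Choice made by this sketch: raw digest bytes are never returned.
            raise ValueError("digest bytes need an encoder")
    return value if encoder is None else _encode(data, encoder)


def map_random(length, algorithm=None, encoder=None):
    """Random string of the requested length, then the same optional steps."""
    alphabet = string.ascii_letters + string.digits  # assumption: alphanumerics
    value = "".join(secrets.choice(alphabet) for _ in range(length))
    return map_hash(value, algorithm, encoder)


def identify(mapped):
    """Guess (algorithm, encoder) from the shape of a value, or return None."""
    text = mapped.strip()
    candidates = []
    try:
        candidates.append((bytes.fromhex(text), "hex"))
    except ValueError:
        pass
    try:
        candidates.append((base64.b64decode(text, validate=True), "base64"))
    except (binascii.Error, ValueError):
        pass
    for raw, encoder in candidates:
        algorithm = DIGEST_BYTES.get(len(raw))
        if algorithm:
            return algorithm, encoder
    return None


def weak_mappings(attributes):
    """Names of asserted attributes whose value looks like an MD5 or SHA-1 digest."""
    flagged = []
    for name, value in attributes.items():
        guess = identify(value)
        if guess and guess[0] in WEAK:
            flagged.append(name)
    return sorted(flagged)


# Constructed attribute set, as a service provider might receive it.
SAMPLE_ATTRIBUTES = {
    "pseudonym": map_hash("jdoe@example.com", "SHA-256", "base64"),
    "legacyId": map_hash("jdoe@example.com", "MD5", "hex"),
    "costCentre": map_hash("CC-1042", "SHA-1", "base64"),
    "email": "jdoe@example.com",
}

if __name__ == "__main__":
    for name, value in SAMPLE_ATTRIBUTES.items():
        print(f"{name:11} {identify(value)!s:22} {value}")
    print("review:", weak_mappings(SAMPLE_ATTRIBUTES))
```

Hashing the same source value always yields the same output, so a hashed mapping gives a stable identifier, while the random function yields a new value on each call.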

Resolved issues
Ticket ID Issue

SSD-6937

Fixed an issue where the signing algorithm for a non-multiplexed application wasn’t updating the signing algorithm for the connection.

SSD-6763

Fixed an issue where administrative SSO to the PingOne admin portal for newly assigned administrators was failing when multi-factor authentication (MFA) for the admin portal was required in the authentication policy.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

March, 2018

Resolved issues
Ticket ID Issue

SSD-6751

Fixed an issue where the restAuthUsername value wasn’t always set when the integration page was loaded.

SSD-6627

Fixed an issue where Basic SSO apps were being counted towards the application limit even though the setting to allow Basic SSO was disabled (the default).

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

January - February, 2018

Enhancements
Feature Description

Workplace by Facebook provisioner

We’ve updated the Workplace by Facebook provisioner to add support for additional user attributes. See Known Issues and Limitations for important information. NOTE: If you’ve been using the Workplace by Facebook application (formerly known as Facebook at Work), you will need to edit the application by clicking through to the last page and saving the application. You will then be able to take advantage of the new provisioner features.

Resolved issues
Ticket ID Issue

SSD-6604

Fixed an issue where you were unable to edit or delete duplicate groups.

SSD-6599

Fixed an issue where PingOne was using the NA region authenticator for multi-factor authentication, rather than the proper regional authenticator for the PingOne account.

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Known issues and limitations
Subject Issue/Limitation

Workplace by Facebook provisioner

The following limitations apply:

  • Clearing fields on updates is not supported.

  • Due to API limitations with matching a user’s manager using the display name, if multiple matches occur, the first match will be used. This may be an issue if multiple employees in the Workplace by Facebook account have the same first and last names. To avoid conflicts, you can use a custom attribute mapping to link the Manager attribute to a manager’s email address.

  • Due to LDAP limitations, when you update a manager’s name it does not update their Distinguished Name (DN). The provisioner uses the DN to match a manager name in Workplace by Facebook, so may not find the correct match. To avoid this, you can use a custom attribute mapping to link the Manager attribute to a manager’s email address.

  • Due to SaaS API limitations, adding a manager may require a search of all Workplace by Facebook users. This will impact provisioning performance. To avoid this, you can use a custom attribute mapping to link the Manager attribute to a manager’s email address.

December, 2017

Enhancements
Feature Description

Multi-factor authentication for the PingOne admin portal

We’ve added a feature on the Authentication Policy page in the admin portal to enable and require PingID multi-factor authentication (MFA) for PingOne administrators who access the PingOne admin portal. Included is an option to specify an administrator who can access the admin portal without requiring MFA.

SAML signature signing algorithm for SSO

We’ve added the ability for you to configure the signature signing algorithm for all authentication requests, assertion signing and single logout (SLO) between PingOne and SAML identity providers and between PingOne and SAML service providers. PingOne will continue to support the SHA-1 algorithm, but now allows you to select SHA-256, SHA-384 and SHA-512. New SAML connections default to SHA-256. See Connect to PingFederate for more information.

If you’re using PingFederate version 8.0 or greater, you will be automatically updated to use SHA-256 for authentication requests at a future date, with no interruption to SSO.

SAML signature signing algorithm

We’ve added the ability for you to configure the signature signing algorithm for all assertion signing to PingOne. PingOne will continue to support the SHA-1 algorithm, but now allows you to select SHA-256, SHA-384 and SHA-512. New SAML connections default to SHA-256. See Adding or updating a SAML-enabled application for more information.

Session revocation for PingOne directory

We’ve implemented a session revocation service for the PingOne directory workflows: user deletion, user disablement and password reset. When you perform these workflows for a PingOne Directory user, the session revocation service will now terminate the PingOne session associated with that user and prevent them from performing new SSO requests through PingOne. See Delete directory users for a description. NOTE: The session revocation service does not perform SLO to SaaS applications that the user may have in an active session.

PingFederate summary information

We’ve added configuration summary information on the Identity Repository Settings page for identity repositories using PingFederate 8.0 or greater.

New provisioner for Jive®

We’ve added a new provisioner for Jive applications. This provisioner includes:

  • Added support for user provisioning.

  • Added support for the user attributes: userName, givenName, familyName, workEmail, password, locale, timeZone, workPhone, externalContributor, federated and location.

See Known Issues and Limitations for important information.
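The sketch below inspects a SAML response for the two settings these notes describe: the signature algorithm (SHA-1 through SHA-512, December 2017) and where the signature sits when the assertion is encrypted (June 2018). It is an added example, not Ping Identity code; the sample responses are constructed, the function names are assumptions, and it reports structure only without verifying any signature.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA384 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384"
RSA_SHA512 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"
# RSA signature methods only; extend the table for other key types.
SIG_ALGS = {RSA_SHA1: "SHA-1", RSA_SHA256: "SHA-256",
            RSA_SHA384: "SHA-384", RSA_SHA512: "SHA-512"}


def signature_method(parent):
    """SignatureMethod URI of a ds:Signature that is a direct child, else None."""
    sig = parent.find("ds:Signature", NS)
    if sig is None:
        return None
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm", "") if method is not None else ""


def audit_response(xml_text):
    """Report where a samlp:Response is signed and with which digest."""
    # Run on captures from your own tenant; for untrusted XML use a hardened
    # parser such as defusedxml.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    resp_alg = signature_method(root)
    asrt_alg = signature_method(assertion) if assertion is not None else None
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    report = {
        "response_signed": resp_alg is not None,
        "assertion_signed": asrt_alg is not None,
        "assertion_encrypted": encrypted,
        "algorithms": [],
        "findings": [],
    }
    for where, uri in (("Response", resp_alg), ("Assertion", asrt_alg)):
        if uri is None:
            continue
        name = SIG_ALGS.get(uri)
        if name is None:
            report["findings"].append(f"{where}: unrecognised SignatureMethod {uri!r}")
            continue
        report["algorithms"].append(name)
        if name == "SHA-1":
            report["findings"].append(f"{where}: signed with SHA-1; select SHA-256 or stronger")
    if encrypted and resp_alg is None:
        # With encryption enabled the notes say the response itself is signed.
        report["findings"].append("EncryptedAssertion without a Response-level signature")
    if resp_alg is None and asrt_alg is None and not encrypted:
        report["findings"].append("neither Response nor Assertion carries a signature")
    return report


def _signature(alg_uri):
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
            f'<ds:SignatureMethod Algorithm="{alg_uri}"/></ds:SignedInfo>'
            '<ds:SignatureValue>CONSTRUCTED</ds:SignatureValue></ds:Signature>')


def sample_response(response_alg=None, assertion_alg=None, encrypted=False):
    """Build a constructed, minimal samlp:Response (not a real capture)."""
    parts = [f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
             f'xmlns:saml="{NS["saml"]}" ID="_constructed">',
             '<saml:Issuer>https://idp.example.invalid</saml:Issuer>']
    if response_alg:
        parts.append(_signature(response_alg))
    if encrypted:
        parts.append('<saml:EncryptedAssertion/>')
    else:
        parts.append('<saml:Assertion ID="_a1">')
        if assertion_alg:
            parts.append(_signature(assertion_alg))
        parts.append('</saml:Assertion>')
    parts.append('</samlp:Response>')
    return "".join(parts)


if __name__ == "__main__":
    for label, xml_text in (
        ("encrypted, response signed", sample_response(RSA_SHA256, encrypted=True)),
        ("legacy assertion signature", sample_response(assertion_alg=RSA_SHA1)),
        ("encrypted, no outer signature", sample_response(encrypted=True)),
    ):
        print(label, audit_response(xml_text))
```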

Deprecated features
Feature Description

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Known issues and limitations
Subject Issue/Limitation

Jive provisioner

The following limitations apply:

  • Clearing fields on updates is not supported.

  • Outbound Group Provisioning and Memberships is not supported.

  • Due to a Jive limitation, a user’s username cannot be updated.

  • Due to a Jive limitation, the externalContributor attribute cannot be updated.

  • Due to a Jive limitation, when a user is created their email address must be unique. However, after creation their email address can be updated to match that of an existing user.

  • Deleting the administrative user that is set up for provisioning can lead to undesired consequences, because the provisioner makes the admin user the owner and member of each group that is created by the provisioner. We recommend that this admin user is not managed through the provisioner and is not deleted.

November, 2017

October, 2017

Enhancements
Feature Description

Slack provisioner

We’ve added support for additional user attributes. See Known issues and limitations for important information. NOTE: Existing customers must edit their existing Slack application, click through to the end page and save to take advantage of the new features.

SCIM SaaS provisioner

We’ve added a new provisioner for SCIM SaaS applications. This provisioner includes:

  • Support for SCIM 1.1 and 2.0

  • Support for user provisioning

  • SCIM core and enterprise attributes

  • Support for Basic Authentication, OAuth 2 Bearer Token and OAuth 2 Client Credentials Authentication

  • SCIM Overrides (Filter Expression, Authorization Header Type, Users API Path)

See Known issues and limitations for important information.

Ping IDaaS Directory provisioner

We’ve added a new provisioner for Ping IDaaS Directory.

See Known issues and limitations for important information.

Resolved issues
Ticket ID Issue

SSD-6063

Fixed an issue where you were unable to preview the PingOne dock.

SSD-5879

Fixed an issue where the number of connections displayed on the My Applications page for applications was incorrect when an application was disabled.

SSD-3780

Fixed an issue where no warning or confirmation prompt was displayed when saving an Attribute Policy that had no associated connection.

SSD-3838

Fixed an issue where the dropdown list on the search bar automatically displayed when opening the PingOne dock using Internet Explorer 10.

SSD-3838

Fixed an issue when using Internet Explorer and clicking the search bar, where an application description wasn’t being displayed after clicking the down arrow.

Known issues and limitations

Subject Issue/Limitation

Slack provisioner

  • Clearing fields on updates is not supported.

  • Outbound Group Provisioning and Memberships is not supported.

  • Due to an API limitation, a user name cannot be updated.

  • Due to an API limitation, users cannot be created in a deactivated state. For example, if a user is disabled in your user store it will not be created in Slack by the provisioner.

  • For more information on Slack provisioning limitations, see the Slack API documentation.

SCIM SaaS provisioner

  • Clearing fields on updates is not supported.

  • Outbound Group Provisioning and Memberships is not supported.

  • Patch updates to SCIM enabled target applications are not supported.

  • There is a limit of one value per type (such as home, work, other) for multivalue attributes (email, phone, address).

  • Unexpected behavior may occur if the SaaS does not specify either type and primary information, or both type and primary information for multivalue attributes (email, phone, address). Also, existing attributes on the SaaS may not be removed during an Update, and the desired value may not be correctly set as primary.

  • SCIM-compliant service providers may implement or interpret the SCIM standards differently which can result in behaviour that is not consistent with the intended use of the SCIM SaaS Provisioner.

Ping IDaaS Directory provisioner

  • Clearing fields on updates is not supported.

  • Outbound Group Provisioning and Memberships is not supported.

  • The password, external id, profilePhotoUrl, profileThumbnailUrl, role, certificates and entitlements attributes cannot be mapped from the source. A default literal value can be used for setting values in the target PingOne tenant.

Multiplexing and manual connections

When configuring a manual connection to an application, it is currently possible to select that multiplexing not be used for a non-SAML application. However, multiplexing is used for all non-SAML applications.

September, 2017

Enhancements
Feature Description

Deleting a customer account

We’ve added a confirmation dialog box when you choose to delete a customer account. (SSD-5867)

Resolved issues
Ticket ID Issue

SSD-5735

Fixed an issue where changing the application category for a PingOne for Enterprise managed application did not update the application category on the PingOne dock.

SSD-5603, 5604

Updated Ping logo, icon and favicon.

August, 2017

Enhancements
Feature Description

Microsoft Edge support

You can now use the Microsoft Edge browser (minimum EdgeHTML version: 15.15063) with the PingOne dock and the PingOne browser extension.

PingOne directory phoneNumbers attribute

We’ve expanded the phoneNumbers multivalued attribute to include more subattributes. See PingOne for Enterprise Directory attributes for the list of subattributes you can use.

PingID Standalone upgrade supported

Customers with an existing PingID Standalone account can now upgrade to a PingOne for Enterprise account (SSD-5464).

Resolved issues
Ticket ID Issue

SSD-5536

Fixed an issue where the legacy UI was being displayed for Service User administrators.

SSD-5297, SSD-3839

(PingOne directory) Fixed an issue where the UI wasn’t operating as expected when entering email addresses to share a certificate (Setup → Certificates, expand the details for a certificate and click Share).

SSD-5345

Fixed an issue where the dropdown lists for setting attribute mappings in the Dock → Configuration page weren’t being displayed.

SSD-5633

Fixed an issue when configuring a new custom SAML application where the list of attributes available for attribute mapping wasn’t loading properly until you saved and refreshed the page.

July, 2017

Enhancements
Feature Description

Administrators page

We’ve redesigned the Account → Administrators page for clarity and ease of use.

Users By Service Bypass option

We’ve removed the Unlimited Time setting for the Bypass option for Users By Service for all administrators except Global Administrators. You must now be a Global Administrator to enable the Bypass option for a user for an unlimited time. (SSD-4983)

Microsoft Edge support

You can now use the Microsoft Edge browser (version 40) to access the PingOne admin portal.

Resolved issues
Ticket ID Issue

SSD-5358

Fixed an issue on the My Applications page in the admin portal where the "Request Ping Identity add a new application to the application catalog" selection did not reference the proper URL.

SSD-5307

Fixed an issue when adding a new private SAML application where the setting for the Force Re-authentication option wasn’t being saved correctly.

BE-2344

(Browser extension) Fixed an issue where the locale setting for the browser extension didn’t match the locale setting for the PingOne dock.

June, 2017

Enhancements
Feature Description

PingOne universal certificate

A new PingOne universal certificate is now available. You need to update to the new PingOne universal certificate if you’re using either PingFederate or a Third-Party SAML provider as your identity bridge and your configuration requires either:

  • Signed AuthN requests.

  • SAML single logout (SLO), either IdP-initiated or SP-initiated.

You do not need to update the PingOne universal certificate if you’re using an identity repository other than PingFederate or Third-Party SAML.

PingOne encryption certificate

We now include the PingOne encryption certificate in the PingOne metadata available when you’re configuring a PingFederate or Third-Party SAML identity bridge. We’ve also added the option to separately download the PingOne encryption certificate if you intend to manually configure the IdP settings (rather than using the PingOne metadata).

Custom entity IDs

When configuring a PingFederate or Third-Party SAML identity bridge, you can now select to enable account-specific entity IDs and specify a custom entity ID for your account. We will validate the ID to ensure that it is unique across all PingOne accounts.

Google Apps for Work provisioner

We’ve updated the Google Apps for Work provisioner as follows:

  • Improved exception handling and reporting

  • Added support for Google Admin SDK v1.22.0

  • Updates to the password and includeInGlobalAddressList attributes

Zendesk provisioner

We’ve updated the Zendesk provisioner as follows:

  • Added support for updating user emails

PingOne universal certificate

A new PingOne universal certificate is now available. If you’re using multiplexing, or using manually configured customer connections, you’re using the PingOne universal certificate. In this case, it is imperative that you edit the application configuration to update the PingOne universal certificate. See Update the PingOne SSO for SaaS Apps universal certificate for instructions.

PingOne encryption certificate

When you’re adding a customer connection manually, we’ve added the option to separately download the PingOne encryption certificate.

IdP discovery

When you edit a customer connection, you need only specify the domain or domains used for customer email addresses and we will use this information to discover the IdP for the connection. We’ve added the option to set the current connection as the default IdP connection used for all of your applications.

We’ve also updated the IdP Discovery popup window to display the application logo and your corporate logo (if you’ve configured this).

Testing application integration

For security reasons, we’ve disabled connections to the PingOne Test IdP by default. This connection is enabled only when you select to test your application. We also ensure that you can disable the connection when you’re done testing.

Resolved issues
Ticket ID Issue

SSD-4485

Fixed an issue where selecting to use the PingOne universal certificate for a Third-Party SAML identity bridge configuration, then changing to use the PingOne directory as the identity repository, caused the Renewal Certificate to be selected for use rather than the PingOne universal certificate.

SSD-4450

Fixed an issue that resulted in configuration updates not being used during SSO.

SSD-4298

Fixed an issue where the Upload link was being displayed on top of the company logo icon when registering for a new account.

SSD-3777

Fixed an issue where the Signoff button was being displayed after closing the browser tab for an impersonated session, then going to the PingOne admin portal (the impersonated session) from the PingOne dock.

SSD-3721

Fixed an issue on the My Devices page where pressing the Enter key did not correspond to clicking the Save button.

April-May, 2017

Enhancements
Feature Description

Box and WebEx provisioners

We’ve improved handling of look-up by Secondary ID, for instances when look-up by Primary ID fails to return a user.

Corporate branding

We’ve added an Account → Branding page for you to assign branding to be used for your organization’s account.

Corporate branding

We’ve removed the Setup → General page and moved the account branding setting to a new Account → Branding page. On this page, you can assign branding to be used for your organization’s account.

User support message

The user support message setting that appeared on the (now removed) Setup → General page is displayed as one of the settings on the Setup → Dock page.

The user support message is displayed to your users when they click the Need Help? link in the dock.

Resolved issues
Ticket ID Issue

SSD-4300

Fixed an error message that was displaying repeatedly.

SSD-4659

Fixed an error message displayed when attempting to SSO to an application without the appropriate permissions.

SSD-4671

Fixed an issue where Application Catalog icons weren’t being displayed consistently.

SSD-3167

Fixed an issue where Support Admins (Read-Only) were unable to view the Users tab when impersonating an account using PingOne directory as the identity repository.

SSD-4661

Fixed an issue where the QR code wasn’t being displayed when selecting to add a new device in the PingOne dock.

SSD-4511

Removed the (non-editable) corporate logo field from the Account → Company page. The corporate logo assignment is on the Account → Branding page.

SSD-4687

Fixed an issue where selecting "Other" as the country on the Company page resulted in an error.

SSD-4806

Fixed an issue where an error was thrown when mapping an advanced attribute using "As Literal", entering data, then clicking Save before the preview field updated.

SSD-4844

Fixed an issue where the expiry date for the PingOne universal certificate shown after setting up an identity repository was different (by one day) from the expiry date shown for the certificate in the list on the Setup → Certificates page.

SSD-4915

Fixed an issue on the Company page when the country is France. The dropdown list for State/Province/Region displayed a second entry for "Limousin", rather than an entry for "Lorraine".

SSD-4425

Fixed an issue where the Company ID value was no longer displayed in the PingOne dock. The Company ID value is now displayed on the bottom of the navigation pane in the dock.

SSD-5064, 5065

Fixed an issue where attempting to SSO to the admin portal from the PingOne dock fails when the prior SSO request was from the dock to PingFederate.

SSD-3773

Fixed an issue where a customer password reset was not also triggering the display of the license agreement if the license agreement had been updated.

BE-2192

Fixed an issue where an error wasn’t being displayed when attempting to launch a Basic SSO application in the PingOne dock (without refreshing the page) after the application had been removed from the My Applications list.

BE-2228

Fixed an issue where the PingOne browser extension training wizard wasn’t able to complete for the Cloudpay Community application.

BE-2228

Fixed issues where the PingOne browser extension training wizard wasn’t able to complete for a number of applications.

BE-2268

Fixed an issue where the PingOne browser extension for Internet Explorer was affecting the ability to load intranet sites.

March, 2017

Enhancements
Feature Description

Directory settings permissions

We’ve expanded Identity Repository administrators' permissions to include access to view and modify the directory settings when the identity repository is PingOne directory.

API Provisioning

As of March 4th 2017, Salesforce no longer supports the TLS 1.0 protocol. PingOne has been updated to support OAuth for Provisioning communication to accommodate this change. See How to Migrate the Salesforce Provisioner for instructions.

JIT Provisioning (just-in-time) is not impacted by this change.

Resolved issues
Ticket ID Issue

SSD-3822

Fixed an error message displayed when uploading an IdP metadata file that is missing necessary information for SP-initiated SSO.

SSD-3695

Fixed an issue where the phone number wasn’t being passed to the authentication provider (PingID).

February, 2017

Enhancements
Feature Description

PingOne reporting

We’ve added a new SSO summary report to the list of predefined reports included in the PingOne admin portal reporting. This report shows the number of unique users that are actively using PingOne, and which applications they are logging in to. It also shows the total number of SSO events for each application.

Password change

We’ve enhanced security to ensure that if a user fails to enter the correct password three times when changing their password on the User Profile page, they are automatically logged out.

Salesforce provisioner

We’ve updated the Salesforce provisioner with the following changes and enhancements:

  • Support for approximately 150 additional user attributes.

  • Support for Salesforce REST v37.0 API.

  • Support for OAuth Authentication with the OAuth Configuration Service (OCS).

  • Support for custom subdomains.

  • You now have the option to freeze user accounts, rather than deactivating them.

  • Improved exception handling and reporting.

  • Support for Salesforce disabling TLS 1.0.

Resolved issues
Ticket ID Issue

SSD-4473

Fixed an issue that was preventing an MSP administrator from impersonating an account to which only disabled administrators have access.

BE-2130

Fixed an issue that was preventing the browser extension welcome message from displaying correctly in some browsers.

SSD-4316

Fixed an issue that was prompting a user to activate OAuth when creating a connection for which provisioning was not selected.

SSD-4289

Fixed a security issue with an MSP administrator’s ability to impersonate customer accounts.

SSD-4282

Fixed an issue that was preventing error message popups from closing correctly in the PingOne admin portal.

BE-2080/BE-1940

Fixed an issue that was preventing characters from displaying correctly when training an app, if the language is not English.

IO-2027

We’ve improved the handling of different letter case logins and aliases for the Box provisioner.

IO-2243

Fixed an issue with the Microsoft Office 365 provisioner that was causing an error when trying to retrieve a user during provisioning.

IO-2242

Fixed an issue with the WebEx provisioner’s handling of timezones not listed in WebEx’s timezone encoding list.

Known issues and limitations
Subject Issue/Limitation

Salesforce provisioner

  • User attributes cannot be cleared once they have been set.

  • You cannot delete permission set assignments.

  • Custom attributes are not supported.

  • If you enable/disable or delete a user in your user store, the Salesforce provisioner can only disable the corresponding user in Salesforce as it cannot perform a hard delete of the user entry in Salesforce.

  • Username attribute must be entered in email format only.

  • Alias attribute entries can be a maximum of 8 characters in length.

January, 2017

Enhancements
Feature Description

Certificate Management

PingOne will now inform you if a verification certificate that has been configured on a connection is invalid when the connection is being edited.

Reporting

We’ve added the ability to navigate back to the Users by Service page if you clicked on the Latest Activity link for a user on the Users by Service page.

Resolved issues
Ticket ID Issue

SSD-4040

Fixed an issue when filtering dashboard metrics, where filtering by "today" would return 0 results. Also fixed an issue with the mouse over popup on chart data that spanned a DST boundary where the time reported was offset by +1/-1 hour.

SSD-4064

Fixed an issue where viewing latest activity for a user on the Users by Service page was redirecting to the old report logging UI.

SSD-4144

Fixed an issue that was preventing the first and last name from being displayed in the PingOne dock when using PingOne directory.

SSD-4116

Fixed an issue that was preventing an administrator from accessing report entries if they occurred in a timezone and at a time that was considered the next day for the local timezone. Administrators can now select up to one day in the future for the end date of a report filter.

SSD-4071

Fixed an issue that was preventing the propagation of SLO settings changed on an application in a PingOne for SaaS Apps account from being applied to all connections to that application.

SSD-4078

Fixed an issue that was limiting the value that can be entered in each field on the Password Policy page to three digit numbers (i.e. a maximum value of 999). This limit is now removed.

SSD-4037

Fixed an issue that was not clearing the filter criteria from the previous report, when running a predefined report in the Reporting tab.

SSD-3718

The dropdown box used to select fields when running a report has been fixed so that it now displays field names alphabetically.

SSD-3794/SSD-3784

Fixed an issue when impersonating an account via the PingOne dock that was causing the navigation window to resize incorrectly.

ID-5209

Fixed an issue that was marking the SAML_SUBJECT as an optional field when creating an application connection, rather than mandatory.

BE-2050

The browser extension can now handle language-based variations of the Eventzilla URL.

BE-1943

Fixed an issue that was preventing the browser extension from detecting the Password and Sign In button for the Office 365 app.

BE-1883

Fixed an issue displaying French language text when signing on to the browser extension.

BE-2003/BE-2005/BE-1995

Fixed an issue that was preventing the browser extension from loading correctly after changing the privacy key on a different browser or machine.

December, 2016: Minor Release

Enhancements
Feature Description

PingOne admin portal

We’ve made the following enhancements to the PingOne admin portal:

  • You can now use any Top Level Domain (TLD) URL as a connection configuration URL, in addition to those that are defined by Internet Assigned Numbers Authority (IANA).

  • We’ve increased the number of records you can download from the report log, and added a progress bar to the Reports tab. You can now download up to 500,000 records to a .csv file.

Application catalog

We’ve added support for the StartMeeting cloud application.

Reporting

The report log has been updated and enhanced.

  • You can now run detailed reports from the PingOne admin portal. PingOne provides a number of predefined reports, and also gives you the ability to run your own custom ad hoc report. You can view the results directly in the PingOne admin portal, or export the results in .csv format.

  • We’ve also added the ability to view SSO activity per application, via the API.

Resolved issues
Ticket ID Issue

BE-2003/BE-1995

Fixed an issue that was preventing the browser extension from loading correctly after changing the privacy key on a different browser or machine.

BE-1994

Fixed an issue that was preventing the sign in popup from being displayed in the PingOne dock following a browser refresh.

SSD-3630

Fixed an issue that was preventing the system from saving the correct value for the Account Specific Entity ID field and the Sign AuthRequest field when uploading metadata for a third party SAML identity repository configuration.

ID-5966

Fixed an issue when checking whether the Entity ID is unique during identity repository configuration.

ID-6344

Fixed an issue that was categorizing identity provider connections associated with a signing certificate incorrectly.

SSD-3572

Fixed an issue that was preventing the removal of the Identity Bridge Logout URL value assigned in PingOne.

SSD-3543

Fixed an issue where during configuration of an Invited PingOne SSO account, attempting to download a metadata file or a signing certificate generated an error.

November, 2016: Minor Release

Enhancements
Feature Description

Administrator capabilities

A global or support administrator impersonating a customer account can now delete the last administrator on the account.

PingOne admin portal

We’ve added the ability for a Managed Service Provider (MSP) to delete a custom email template in the PingOne admin portal.

PingOne admin portal

We’ve reduced the idle timeout for an admin session to 15 minutes.

Certificate Management

We’ve made the following enhancements:

  • We’ve provided admins the ability to remove a verification certificate from a PingOne application connection.

  • We’ve added the ability to promote a secondary verification certificate to a primary verification certificate when editing an application connection or a third party SAML identity repository.

  • Primary and secondary certificates now display the common name and expiry date for the certificate.

Workplace by Facebook™

We’ve renamed this feature (formerly known as Facebook at Work), and removed the suppressEmail attribute.

Box Provisioner

We’ve added support for updating user emails in Box Provisioner. NOTE: Existing customers must remove their existing Box applications and then add the application connection to take advantage of the new feature.

Resolved issues
Ticket ID Issue

SSD-3501

Fixed an issue that was preventing a customer from creating an account when receiving an email invitation from a Managed Service Provider (MSP) administrator in PingOne.

SSD-3497/SSD-3394

Fixed an issue that was preventing the use of "?" and "/" characters in advanced attribute mapping.

SSD-3480

Fixed an issue that was preventing the validation error message from appearing when importing invalid metadata into PingOne.

SSD-3464

Fixed an issue that was causing an exception error when trying to save an application with an invalid ACS URL in PingOne.

SSD-3441

Fixed an issue that was displaying the administrator role incorrectly when sending an invitation to a new administrator to become the administrator of an existing PingOne account.

ID-5882

Fixed an issue that was causing PingOne to automatically insert default values into optional attribute mapping fields that were purposefully left blank.

BE-1892

Fixed issues with the following apps, and enabled them in the Application Catalog:

  • Glassdoor

  • Wells Fargo CEO portal

  • 8x8 Virtual Office

  • 8x8 Account Manager

ID-6039

We’ve hidden the ability to add primary and secondary verification certificates when creating an SAML 1.1 application connection, as verification certificates are not supported in SAML v1.1.

ID-6266

Fixed an issue that was preventing a newly created certificate from appearing in the Certificate List when using Internet Explorer v10 and v11.

ID-5714

The Single Logout Endpoint, Single Logout Response Endpoint, and Single Logout Binding Type fields have been removed from SAML v1.1 managed applications. SAML v1.1 does not support Single Logout Endpoints.

SSD-3421

Fixed an issue that was causing the admin account to be locked, if resetting a password in the PingOne admin portal using a password that does not meet the PingOne directory policy.

SSD-3418

Fixed an issue when resetting a password from the PingOne admin portal.

SSD-3294

Fixed an issue when loading content from PingOne admin portal using Internet Explorer 10.

October, 2016: Minor Release

Enhancements
Feature Description

Certificate management

We’ve now added email notifications to inform you when the primary verification certificate or secondary verification certificate associated with a connection or identity bridge is expiring. Email notifications are sent two months before expiry, a week before expiry, and at the time of expiry.

Admin roles

We’ve renamed the Directory Administrator role to Identity Repository Administrator, for clarity. The Identity Repository Administrator refers to an administrator who is responsible for the identity repository, regardless of whether it is PingFederate, AD Connect, a Third Party repository, or PingOne Directory.

Dashboard

We’ve enhanced the layout of data in the graphs displayed on the dashboard.

MSP administrator

We’ve enhanced the Managed Service Provider (MSP) admin account capabilities. Now if an MSP account owns a PingOne SSO for SaaS Apps account and invites a customer or partner to create a connection to an application under that PingOne SSO for SaaS Apps account by registering an "Invited PingOne SSO" account, the Invited PingOne SSO account is now listed in the MSP’s customer list page.

PingOne user accounts

For any new identity provider that you set up, the lifetime of any user session is now set to 2 hours by default. You can change the duration from PingOne, if you need to do so.

Attribute mapping

We’ve added the phone number attribute to the list of dock attribute mapping options for PingFederate, AD Connect, and third party SAML identity repositories.

Resolved issues
Ticket ID Issue

SSD-3356

Restored the setting of application logos on applications created in PingOne SSO for SaaS Apps accounts, as they were being removed incorrectly. The logos were removed when this capability was removed for PingOne for Enterprise when using the new PingOne for Enterprise dock.

BE-1812

Fixed an issue that was preventing the Go to PingOne and Sign Off buttons from showing in the browser extension.

ID-5976

Fixed an error handling issue on the PingOne for Enterprise password reset page.

ID-5993

Fixed an issue that was preventing users from changing the default signing certificate assigned to their managed application.

ID-6171

Fixed an issue with the delete certificate feature.

SSD-3288

Fixed an issue that was preventing a user from entering an email address that includes the '+' character, when inviting a customer from a Managed Service Provider (MSP) account in PingOne for Enterprise.

SSD-3331

Fixed an error displayed when adding Google Drive as a Basic SSO application in PingOne for Enterprise.

SSD-3259

Implemented a fix to make transaction processing more resilient to service configuration problems.

SSD-3169

Fixed a security issue with MSP Support Admin (read-only) roles.

SSD-3108

Fixed an issue updating login failures on the dashboard.

September, 2016: Minor Release

Enhancements
Feature Description

Admin log reporting

We’ve added a new Administrator Login category to the reports log. The new report shows all login attempts by a PingOne administrator, the method of login used (username and password, or SSO) and whether the login attempt was successful.

SSO to PingOne Admin portal

We’ve added the ability for administrators having Identity Repository administrator or SaaS administrator roles to SSO directly to the PingOne admin portal. In previous versions this was only available for the Global administrator and the Service User administrator roles. This option is only available when using PingFederate, AD Connect, or Third Party SAML as your identity repository.

PingOne API

We’ve added support for PKCS7 formatted certificates.

Certificate Management

We’ve reorganized the layout of the connections that are listed in the certificate Connections tab. Connections are now listed by category (identity bridge or application). Identity bridge connections are listed by type (such as PingFederate, or Third Party SAML). The applications header shows the number of application connections associated with the certificate.

Resolved issues
Ticket ID Issue

SSD-3020

Verification certificate tool tip text updated.

SSD-3129

Fixed an issue that was permitting users to upload expired or invalid certificates for third party SAML Identity Providers.

SSD-3112

Fixed an issue when accessing the attribute mapping page for a SAML 2.0 connection. When exiting the page and then uploading metadata with a different attribute set, the attributes were not being updated correctly.

SSD-3161

Fixed an issue with caching when trying to SSO with an account that was suspended and then re-enabled.

SSD-3168

Fixed a security issue with Managed Service Provider (MSP) admin capabilities in PingOne.

August 30, 2016: Minor Release

Enhancements
Feature Description

Certificate management

Certificates that do not have a CN defined now show the first 20 characters of the Subject DN as the certificate name.

Performance enhancements were applied to the Certificate Management page.

Certificate expiry dates are now displayed in a 4 digit format.

Resolved issues
Ticket ID Issue

ID-5718

Fixed an issue when adding SAML v1.1 applications from the application catalog, where certificate management was not being supported.

ID-5717

Fixed an issue that was preventing a user from being able to add a multiplexed SAML app from the Application Catalog.

ID-5679

Fixed an issue with the appearance of the Select Image button for the Application logo and icon. The appearance is now sized correctly and consistently in the UI.

ID-5671

Fixed an issue when clicking the Active Download link in Safari that was causing it to be displayed, rather than downloaded.

ID-5846

Fixed a bug that was causing an infinite loop when attempting to access the Devices page before completing first factor authentication using PingOne.

SSD-3136

The option to define an application logo has been removed when creating or editing an application connection for users that have upgraded to the new dock. The option remains for users that are using legacy dock.

SSD-2993

SSD-3121

Fixed a bug when uploading metadata that included mappings that were already in the connection, and was causing these mappings to be lost.

SSD-3036

Fixed an issue that was causing an exception when loading the Certificate Management page if invalid certificates were present.

SSD-3017

Fixed a bug where binary certificates that were uploaded were not saved correctly.

August 9, 2016: Minor Release

Enhancements
Feature Description

My Applications search

We’ve enhanced the ability to search the My Applications list. You can now search by the:

  • Entity ID.

  • Application description or part of the description.

  • Application name.

In previous versions it was only possible to search by the application name.

PingOne certificate management

We’ve added the ability to view the SHA1 and SHA256 fingerprint in the certificate Properties tab.

PingOne passwords

When changing the administrator password in the PingOne admin portal, the administrator is now required to enter their current password, as well as their new password. If the administrator enters the wrong password three times, the account is temporarily locked.

Resolved issues
Ticket ID Issue

ID-5685

Fixed a broken link in the Invite IdP page.

ID-5549

Properties and connections associated with a verification certificate are now displayed in separate tabs. This matches the way this information is presented for signing certificates.

ID-4585

Fixed an issue that was preventing the secondary instance of a certificate from being deleted when replacing a primary certificate with a secondary certificate.

ID-5428

When configuring a managed connection, the text for the Application Icon has been changed to 'For use on the dock'. As the Application Logo is not used on the new PingOne dock, the text for this field has been changed to 'For use on the previous version of the dock'.

BE-1642

Fixed an issue that was making the browser extension unresponsive when clicking the username and then clicking Learn when training an app.

BE-1601

Fixed an issue when training an app that was causing a loop when clicking the Login button.

ID-5712

Fixed an issue when editing an application that was preventing changes to the SLO or SLO Response Endpoint from being saved.

ID-5689

Fixed an issue in the Certificate Management page that was preventing the Download and Export buttons from working in some browsers.

ID-5691

Fixed an issue on the Certificate Management page where applications sharing a connection (a multiplexed connection) were being displayed as disabled.

July 19, 2016: Minor Release

Enhancements
Feature Description

Certificate management

We’ve added a new centralized certificate management UI. The new UI enables you to:

  • Create new signing certificates.

  • Migrate individual connections to different signing certificates.

  • Add certificate expiration notifications.

  • Verify certification for failover and migration.

  • Share certificates.

Additional language support for end user components

The following languages are now supported for all PingOne user subsystems (PingOne dock, transaction processing, browser extension, and authentication):

Chinese, Dutch, English, French, German, Italian, Japanese, Korean, Portuguese, Russian, Spanish, and Thai.

Resolved issues
Ticket ID Issue

ID-5544

Fixed an issue where the PingOne signing certificate wasn’t showing up in the list of results when typing "Ping" in the certificate search field.

ID-5502

Fixed an issue when setting up a connection to an application, that meant the PingOne default certificate was always selected even when a different signing certificate was chosen.

ID-5481

Fixed an issue that caused the PingOne provided signing certificate to be downloaded for an application connection, even if a different signing certificate was selected for the connection.

ID-5486

Renamed the Connection Summary "Certificate" label to "Signing Certificate".

ID-5485

Fixed an issue when promoting a secondary verification certificate to the primary verification certificate. The instance of the secondary verification certificate wasn’t being automatically deleted.

ID-5482

Fixed an issue where the certificate properties Issuer DN and Expiration Date fields were not updating accordingly when uploading a response to a certificate signing request (CSR).

ID-5343

Fixed an issue importing the PingOne metadata file via a URL when setting up a Third-Party SAML identity bridge.

ID-5329

Fixed an issue that was affecting the proper display of text when verifying AD Connect as an identity bridge.

BE-1569

Fixed an issue for trained apps in PingOne browser extension v2.22.0 that was preventing the browser extension from signing in users automatically.

ID-5585

Fixed a bug that was causing formatting issues in the PingOne dock search.

ID-5543

Changed the name of the link used to change an identity repository from "Change User Store Type" to "Change Identity Repository".

ID-5508

Fixed an issue that was preventing some users from editing an application.

June 28, 2016: Minor Release

Enhancements
Feature Description

New Application Catalog categories

We’ve added the following categories to the application catalog: benefits, training, and travel.

Resolved issues
Ticket ID Issue

ID-5444

Fixed an issue where, when attempting to erase the identity bridge URL, the field was not updating correctly.

ID-5385

Fixed formatting of the applications listed in the application catalog.

ID-5342

Fixed an issue with editing an application, where Chrome and Firefox browsers were auto-populating the first two application configuration fields with autosaved username and password data.

ID-4503

Fixed a missing link that enables a user to log back in to the admin web portal after they have successfully logged out.

BE-1493

Fixed an issue when training a basic SSO app, that caused training to pause when clicking on the Login field.

ID-5462

Fixed an error when setting up a Third Party SAML identity bridge that prevented the list of connection information from being displayed.

ID-5363

Fixed an issue where custom app icons were not being displayed in the My Applications page, unless the entry was expanded. Custom app icons now appear in the My Applications page, and when deleting an application.

ID-5356

The browser extension install option now only appears if there is at least one Basic SSO application installed.

ID-5361

Fixed a security vulnerability associated with the application name on the legacy dock.

ID-5415

Fixed a security vulnerability associated with the browser extension.

SSD-2817

Fixed an issue that was causing a mismatch between the total number of logins displayed in the Dashboard maps and the number of logins recorded in the Logins field.

June 15, 2016: Minor Release

Resolved issues

Ticket ID Issue

ID-5268

Performance enhancements, to address customer issues when performing a search of Users by Service.

ID-4656

Fixed a potential security vulnerability.

ID-5342

Fixed an issue with editing an application, where Chrome and Firefox browsers were auto-populating the first two application configuration fields with autosaved username and password data.

ID-5334

Fixed an issue that was causing an error when adding an application.

ID-5274

Fixed an issue where clicking a Configuration page link was landing on the Dashboard.

ID-1671

Fixed an issue on the Company Settings page where, when viewing the company description, the characters were not displaying correctly.

ID-5332

Fixed an issue where an application which had been updated to show a new icon displayed the old icon when trying to delete the application.

June 1, 2016: Major Release

Enhancements
Feature Description

New PingOne dock

We’ve totally redesigned the PingOne dock:

  • There’s a new user interface, with application categories, frequently used applications and quick access to account information.

  • A new search bar to help you find applications and install new ones.

  • More options for you to customize and brand the interface. This includes use of company logos, custom background images, definitions of application categories, and colors of navigation panes, fonts and the search bar.

  • And improved display quality of application icons.

Facebook at Work provisioning

We’ve updated Facebook at Work provisioning to support provisioning user manager details.

See Known Limitations for more information.

Known issues and limitations

Subject Issue/Limitation

Facebook at Work provisioning

  • Clearing fields on updates is not supported.

  • Due to API limitations with matching a user’s manager using the display name, if multiple matches occur the first match will be used. This could be an issue if multiple employees in the Facebook at Work account have the same first and last names. To avoid conflicts, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

  • Due to LDAP limitations, when you update a manager’s name it does not update their Distinguished Name (DN). The provisioner uses the distinguished name to match a manager in Facebook At Work and may not find the correct match. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

  • Due to SaaS API limitations, adding a manager may require a search of all Facebook At Work users. This will impact provisioning performance. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

May 17, 2016: Minor Release

Enhancements

Feature Description

WebEx Provisioning

We’ve updated WebEx provisioning to support:

  • Additional user attributes.

  • WebEx API v10.0 SP3.

  • Improvements to error handling and logging.

See Known Limitations for more information.

Resolved issues

Ticket ID Issue

ID-4842

Fixed an issue on the PingID Configuration page where choosing to discard changes when attempting to exit this page didn’t exit the page.

ID-5135

Fixed an issue where a new token wasn’t being generated when a PingOne for Enterprise administrator clicked the Invite SaaS Admin link to send an email to the PingOne for SaaS Apps application administrator.

ID-5128

Fixed an issue where some users were not being removed from the PingID service when selecting Remove on the Users by Service page.

ID-5020

Fixed an issue with removing customers from the customers listing. The last customer displayed in the listing wasn’t being removed.

BE-1300

(Browser extension) Fixed an issue causing an Internet Explorer installation error (1603) when attempting to install the browser extension.

Deprecated features

Feature Description

PingID Standalone account

The registration option for a PingID Standalone account has been removed. All of the functionality offered by this account is now included in a PingOne for Enterprise account.

Known issues and limitations

Subject Issue/Limitation

WebEx provisioning

  • The WebEx ID attribute is not updateable in PingOne.

  • The MeetingType attribute is limited to one value in PingOne (not a multivalued attribute).

  • Due to API Limitations, WebEx doesn’t allow a user to be created in a suspended state. WebEx will automatically activate the user after it is created.

April 26, 2016: Minor Release

Resolved issues

Ticket ID Issue

ID-4842

Fixed an issue where a Managed Service Provider (MSP) was unable to log in to an Invited PingOne SSO account as a Directory Admin.

ID-3881

Fixed an issue where downloading the PingOne metadata file for a Third-Party SAML identity bridge wasn’t working properly in Safari.

ID-5134

Fixed an issue where users were unable to add applications to their personal dock.

SSD-2627

Fixed a security issue with an error message.

BE-1084

(Browser extension) Fixed an issue when using Internet Explorer version 11 where the browser extension wasn’t capturing and supplying user credentials properly.

BE-1222

(Browser extension) Fixed an issue where Basic SSO wasn’t working properly when using Internet Explorer for some applications not in the Application Catalog.

BE-1279

(Browser extension) Fixed an issue in Internet Explorer 11 when signing on to a Basic SSO application from the PingOne dock.

Deprecated features

Feature Description

PingID Standalone account

The registration option for a PingID Standalone account has been removed. All of the functionality offered by this account is now included in a PingOne for Enterprise account.

April 19, 2016: Minor Release

Enhancements

Feature Description

Box Provisioning

We’ve updated Box provisioning to support:

  • Additional user attributes.

  • Improvements to error handling and logging.

See Known Limitations for more information.

Resolved issues

Ticket ID Issue

None

(None to report for this release.)

Known issues and limitations

Subject Issue/Limitation

Box provisioning

  • Once set, you cannot clear user attributes.

  • The login attribute cannot be updated through provisioning.

  • The Inactive Status Default user attribute has no effect if the Box connector is configured to delete (hard-delete) users instead of disable (soft-delete) users when de-provisioning. Additionally, deleting a user in an LDAP repository will always set the status for the user as "inactive" in Box.

April 5, 2016: Minor Release

Enhancements

Feature Description

None

(None to report for this release.)

Resolved issues

Ticket ID Issue

None

(None to report for this release.)

SSD-2572

Added new application categories for Benefits, Training and Travel.

ID-4819

Fixed an issue where an error occurred when you attempted to change your password using AD Connect with the Password Change option enabled and the IWA option disabled.

ID-4839

Fixed an issue where Basic SSO transactions weren’t being logged.

Known issues and limitations

Subject Issue/Limitation

Browser extension installation in Mozilla Firefox®

After installing the PingOne browser extension in Firefox, you need to refresh the page. Otherwise, the browser extension installation will begin again. Ticket ID: ID-4248.

March 15, 2016: Minor Release

Enhancements

Feature Description

None

(None to report for this release.)

Resolved issues

Ticket ID Issue

None

(None to report for this release.)

ID-4658

Fixed an issue where the number of applications displayed in the Dashboard page didn’t match the number of applications displayed in the My Applications page.

ID-4650

Fixed an issue where provisioning for AD Connect was failing.

ID-4422

Fixed an issue where the PingID settings file had an extraneous escape character.

BE-1142

(Browser extension) Fixed an issue where the PingOne browser extension was interfering with display rendering in Internet Explorer version 10 or 11 when using Oracle Business Intelligence Enterprise Edition.

Known issues and limitations

Subject Issue/Limitation

Dropbox provisioning

  • Clearing fields on updates is not supported.

  • Due to API limitations, a user’s email cannot be updated until the user has activated their account.

  • Due to API limitations, a user cannot be suspended or unsuspended until the user has activated their account.

  • Due to API limitations, if a user’s given name or surname fails to update due to the new value containing unsupported characters (* | : " < > ?), an error may not be reported in the provisioning logs.

Browser extension installation in Mozilla Firefox®

After installing the PingOne browser extension in Firefox, you need to refresh the page. Otherwise, the browser extension installation will begin again. Ticket ID: ID-4248.

February 23, 2016: Minor Release

Enhancements

Feature Description

Dropbox Provisioning

We’ve updated Dropbox provisioning to support additional user attributes. See Known Limitations for more information.

Invited PingOne SSO Accounts

We’ve added an Administrators page to the PingOne admin portal for Invited PingOne SSO accounts. You can now assign multiple administrators for your account.

Resolved issues

Ticket ID Issue

None

(None to report for this release.)

SSD-2267

Fixed an issue for multi-factor authentication with SafeNet where users needed to authenticate a second time when logging in to SafeNet.

ID-4278

Fixed an issue in the Reports page display where the Category values were removed whenever the report results were expanded.

ID-1682

Fixed an issue on the User Groups page where the Deprovision all users checkbox wasn’t displayed when you cleared a selected checkbox next to the application name.

BE-976

(Browser extension) Fixed an issue where the Save Learning popup wasn’t displaying properly for Internet Explorer version 9.

Known issues and limitations

Subject Issue/Limitation

Dropbox provisioning

  • Clearing fields on updates is not supported.

  • Due to API limitations, a user’s email cannot be updated until the user has activated their account.

  • Due to API limitations, a user cannot be suspended or unsuspended until the user has activated their account.

  • Due to API limitations, if a user’s given name or surname fails to update due to the new value containing unsupported characters (* | : " < > ?), an error may not be reported in the provisioning logs.

Browser extension installation in Mozilla Firefox®

After installing the PingOne browser extension in Firefox, you need to refresh the page. Otherwise, the browser extension installation will begin again. Ticket ID: ID-4248.

February 2, 2016: Minor Release

Resolved issues

Ticket ID Issue

ID-4216

Fixed an issue where the Save button wasn’t working in the application credentials dialog box for Basic SSO applications.

ID-4213

Fixed an issue where the step to configure provisioning for a PingFederate identity bridge displayed in the existing tab/window rather than a new tab/window.

ID-4145

Fixed an issue where the browser extension wasn’t automatically signing in after you install your first Basic SSO application.

ID-3883

Fixed an issue where errors weren’t being displayed properly when installing an identity bridge.

ID-3398

Fixed an issue for PingID Standalone accounts, where an extraneous warning was being displayed when clicking the Setup tab.

ID-3031

Fixed an issue where you were unable to upload a JPG image file for your profile picture.

ID-3030

Fixed an issue where invited PingOne directory users were unable to upload a JPG image file for their profile picture during the registration process.

BE-12

(Browser extension) Fixed an issue where the browser extension wasn’t working properly when login fields displayed in an iFrame.

BE-747

(Browser extension) Fixed an issue where sign on for Basic SSO applications wasn’t working properly when the application login required text input.

BE-623

(Browser extension) Fixed an issue where the browser extension wasn’t working properly when the PingOne dock tab wasn’t the current tab.

ID-1656

Fixed an issue where the instruction steps for creating or editing an application displayed HTML tags and encoded characters.

ID-4214

Fixed an issue where the SSO endpoint was being truncated. Now extended to 2048 characters.

Known issues and limitations

Subject Issue/Limitation

Browser extension installation in Mozilla Firefox®

After installing the PingOne browser extension in Firefox, you need to refresh the page. Otherwise, the browser extension installation will begin again. Ticket ID: ID-4248.

January 26, 2016: Facebook at Work Provisioning

Enhancements

Feature Description

Facebook at Work Provisioning

We’ve updated Facebook at Work provisioning to support additional user attributes.

Known issues and limitations

Subject Issue/Limitation

Known limitations for this release:

  • Making attributes create-only isn’t supported.

  • Clearing fields on updates isn’t supported.

  • The roles field supports only a single value.

January 19, 2016: Office 365 Provisioning

Enhancements

Feature Description

Office 365 Provisioning

We’ve updated Office 365 provisioning to support:

  • Provisioning additional user attributes.

  • Azure Active Directory Graph API v1.6 (updated from version v1.5).

  • Clearing of licenses on updates.

  • Improved exception handling and reporting.

Known issues and limitations

Subject Issue/Limitation

Known limitations for this release:

  • Opting out of license management for users is not supported. The provisioner will clear existing licenses even when the attribute is unmapped.

  • User delete is not supported. However, you can disable users.

  • Users cannot be created in a disabled state. They must first be created in an active state and then disabled.

  • Updating the mobile attribute requires that the service principal representing the provisioner (the place the user gets the Client ID and Secret) be assigned a role with Company Administrator privileges (using PowerShell). See this Ping Knowledge Base article for more information.

  • Updating the ImmutableID and Password attributes is not supported.

  • User updates containing a manager that has not yet been provisioned or updated by the new version will fail because the manager will not have the new extended attribute holding their Active Directory distinguished name.

  • If the DoBase64Conversion field is set to “false”, expect conflicts or failures on federated domains containing pre-existing users provisioned by Dirsync or a Ping product.

  • Only outbound provisioning is supported.

  • Automatic licensing of users is not supported.

January 12, 2016: Minor Release

Resolved issues

Ticket ID Issue

ID-3828

Fixed a misleading error message.

ID-3758

Fixed an issue regarding a lapse in synchronization between PingOne directory administrators and directory users.

SSD-1956

Fixed an issue where meaningful information wasn’t being displayed in the Logout Confirmation screen.

ID-3904

Fixed an issue where some pages were displaying an error saying the domain wasn’t set, when the domain had already been set for the PingOne session.

ID-3504

Fixed an issue where you were unable to remove validation certificates assigned to Third-Party SAML identity bridges.

ID-1656

Fixed an issue where the instruction steps for creating or editing an application displayed HTML tags and encoded characters.

BE-656

(Browser extension) Fixed an issue when adding an application where the prompt to sign in normally for the application site was being displayed a second time after you’d already successfully signed in.

BE-623

(Browser extension) Fixed an issue where the Save popup wasn’t being displayed when adding the Netflix application in Internet Explorer 10.