Previous PingOne for Enterprises releases

PingFederate Connection

The latest version of PingFederate available for download through PingOne for Enterprise is 10.3.

You can download later versions of PingFederate from the Ping Identity main download site.

PingOne Connector

See Known Issues and Limitations below for important information.

PingOne for Enterprise Directory

Notification emails sent to administrators when new users self-register now include a link to the Users → User Directory → Users menu where you can approve the new user.

For more information, see Approve new directory users.

Azure Conditional Access

Added the MFA_SUBJECT attribute to the Microsoft Azure AD identity repository configuration.

If you’re using PingID for Azure Conditional Access, the MFA_SUBJECT attribute in PingOne for Enterprise can be mapped the same as the username attribute in PingID.

For more information, see Connect to Azure and Configuring PingID MFA for Microsoft Azure AD Conditional Access in the PingID documentation.

Office 365 Connector

Migrated the Office 365 Connector from the Azure AD Graph API 1.6 to the Microsoft Graph API 1.0

See Known Issues and Limitations below.

For more information, see the Office 365 Connector documentation.

SSO Admins

Updated the Account → Administrators page to display all single sign-on (SSO) administrative users.

Previously, SSO admins who were also registered in other PingOne for Enterprise accounts did not display.

For more information, see Assign administrative roles.

Office 365 Connector

PingOne Connector

See Known Issues and Limitations below for important information.

SSO/SLO

Increased the max-age parameter of the strict-transport-security header for the https://sso.connect.pingidentity.com/sso/ endpoint.

The previous max-age was 1 year. The new max-age is 2 years.

PingOne Connector

Custom Application Categories

Added the ability to create custom application categories.

Custom application categories let you organize applications in ways that work best for your organization.

For more information, see Creating a custom application category.

PingOne Connector

See Known Issues and Limitations below for important information.

Single Logout

Added support for the optional idpid parameter to all single logout (SLO) endpoints.

If you specify the idpid value, the SLO operation is restricted only to sessions with the specified idpid value.

For more information, see PingOne for Enterprise and SLO.

SSO Admins

Updated the Account → Administrators page to display all single sign-on (SSO) administrative users.

Previously, SSO admins who were also registered in other PingOne for Enterprise accounts did not display.

For more information, see Assign administrative roles.

PingOne Provisioner

Clearing fields on updates is not supported.

Multivalued attributes, such as emails and addresses, are not supported. Multiple values appear as a single-array value in PingOne.

Custom attributes are set when the user is initially created. They cannot be updated after they are set.

PingOne Provisioner

Added support for custom string attributes.

See Known Issues and Limitations below for important information.

PingOne Provisioner

Clearing fields on updates is not supported.

Multivalued attributes, such as emails and addresses, are not supported. Multiple values appear as a single-array value in PingOne.

Custom attributes are set when the user is initially created. They cannot be updated after they are set.

Admin Portal Banner

Added a feature allowing you to display a banner message in the administrative portal.

For more information, see Adding a logo and banner message.

Single Logout Flow

Added a feature allowing administrators to choose how PingOne for Enterprise handles single logout (SLO) requests.

For more information, see Configure the dock when using PingOne for Enterprise Directory and Configuring the dock when using an identity bridge.

PingID Device Administrator Role

Added a new administrative role to manage user PingID Device settings.

For more information, see Assign administrative roles.

Read-Only Administrative Roles

Added a feature allowing you to assign user groups to read-only versions of administrative roles.

Read-only roles allow administrators to access the areas of the admin portal normally allowed by that role, but not to change settings.

For more information, see Configuring SSO to the PingOne for Enterprise admin portal.

Password Policy

Changed the default password requirements for new accounts.

Previous default settings required a minimum password length of 6 characters, with no requirement for special characters.

New default settings require a minimum password length of 8 characters, and a minimum of one special character.

This change only applies to new accounts.

Single Logout Flow

Single logout from the admin portal does not currently support redirect SLO flow.

If you select Redirect SLO flow for your users, your SSO admins should use the Sign Off button at the top right of the admin portal rather than signing off through the PingOne Dock.

Admin-API Client

Removed the ability to use special characters in the Client Name and Description fields when creating API clients.

Special characters in these fields can present a security risk.

If you have existing API clients that include special characters, you will be forced to remove the characters the next time you edit the client.

For more information, see Creating an Admin-API client.

Password Policy Customization

Added a feature giving PingOne for Enterprise for Managed Service Providers administrators the ability to permit their customer accounts to customize password policies.

For more information, see Configuring customer account service settings.

Admin-API Client

Removed the ability to use special characters in the Client Name and Description fields when creating API clients.

Special characters in these fields can present a security risk.

If you have existing API clients that include special characters, you will be forced to remove the characters the next time you edit the client.

For more information, see Creating an Admin-API client.

Password Policy Customization

Added a feature giving PingOne for Enterprise for Managed Service Providers administrators the ability to permit their customer accounts to customize password policies.

For more information, see Configuring customer account service settings.

OAuth Access Token

Increased the allowed number of trusted origins for OAuth access token Cross-Origin Resource Sharing. The previous limit was 10. The current limit is 100.

For more information, see Configuring your OAuth settings.

PingOne for Customers Provisioner

Added a new provisioner for PingOne for Customers.

This provisioner includes:

For more information see PingOne Integration Kit.

Self-Service Password Reset

Reduced the lifetime of self-service user password reset from the sign on screen.

Previously the password reset link was valid for 3 days. Currently the password reset link is valid for 24 hours.

PingOne for Customers Provisioner

Aquera Provisioner

Added a new provisioner for Aquera Connector. This is the initial release for this provisioner.

This provisioner includes:

For more information, see Overview of the Aquera Connector.

SCIM SaaS Provisioner

Fixed application/JSON headers for SCIM 1.1 requests.

Added logic to avoid sending an empty FormattedName attribute.

For more information, see Overview of the SCIM Connector.

ServiceNow Provisioner

Added support for the Orlando and Paris versions of Service Now.

For more information, see Overview of the ServiceNow Connector.

ServiceNow Provisioner

SCIM SaaS Provisioner

Also, existing attributes on the SaaS might night be removed during an updated, and the desired value might not be correctly set as primary. * SCIM-compliant service providers may implement or interpret the SCIM standards differently. This can result in behavior that is not consistent with the intended use of the SCIM SaaS Provisioner. * The SCIM provisioner will not provision users until the users are updated.

Authentication Policy

Added a feature that allows you to choose whether to authenticate SSO admins using their email or their SSO username.

For more information, see Create or update an authentication policy.

Administrator Settings

Added a feature that allows you to change the certificate expiration notification settings for Global and SaaS administrators.

For more information, see Editing administrative roles, permissions, and notifications and Manage your user profile.

Subscription API

Added a new result status to PingID audit events.

UNSUCCESSFUL_ATTEMPT represents an invalid one-time passcode (OTP) attempt that did not result in failed authentication.

For more information about audit events, see Get the audit events for a Poll subscription.

Single Logout

PingOne for Enterprise’s single logout (SLO) implementation relies on the ability to send cookies within an iframe. Safari now blocks this function by default, which causes SLO to fail in most scenarios.

We are working to accommodate this new behavior.

This issue impacts SLO on the following browsers:

You can solve this problem by enabling third-party cookies in the browser settings.

Admin-API Clients

Added a feature that allows you to create Admin-API clients to access subscription endpoints without the need for additional administrator accounts.

For more information, see Creating an Admin-API client

AWS Single Sign-On Provisioner

Added a new provisioner for AWS Single Sign-On. This is the initial release for this provisioner.

This provisioner includes:

See Known Issues and Limitations below for important information.

For more information, see Overview of the AWS Single Sign-On Connector.

PingOne Directory

Added a feature that directs a user to the specified redirect URL if they click on the registration URL after completing the registration process.

For more information about self-registration, see Allow self registration for new directory users.

Signing Certificates

Added a feature that allows administrators to designate a signing certificate as the default certificate for newly added application connections.

For more information, see Create a signing certificate and View certificate details.

AWS Single Sign-On Provisioner

PingOne Directory

Added a feature that allows administrators to enable additional directory attributes for use in attribute mapping for IdP, dock, and application configuration.

For more information, see Manage directory attributes.

PingOne Provisioner

PingOne Provisioner

Concur 1.0.1

Atlassian Cloud Provisioner

ServiceNow Connector 2.2

Atlassian Cloud Provisioner

Code42 Provisioner

ZScaler Private Access Provisioner

Code42 Provisioner

Zscaler Private Access Provisioner

AD Connect agent management

Metadata Download URL

Session Idle Timeout

Slack Connecter

Zoom Connector 1.0

Zoom Connector 1.0

SCIM Provisioner

Zscaler ZIA Provisioner 1.1

Branding

We’ve expanded the branding options for the PingOne dock as well as the AD Connect and PingOne Directory login screens. We have also added new branding options for intermediate SSO screens including error, SLO, and IdP Discovery screens. Finally we have reorganized the branding screens in the PingOne admin portal. See Assign branding and design for more information.

OAuth refresh tokens

We’ve added support for OAuth refresh tokens with OpenID Connect applications. See Configuring your OAuth settings and Adding or updating an OIDC application for more information.

Updated provisioner for ServiceNow

We’ve updated the provisioner for Salesforce. The update to this provisioner includes support for:

See Known Issues and Limitations for important information.

Delegated administration of applications

We’ve added an Application Administrator role and the ability for you to delegate administration of applications to an Application Administrator. See Assign Application Administrator applications for more information.

SLO for OpenID Connect applications

We’ve added single logout (SLO) support for OpenID Connect (OIDC) applications. See the Logout URI when adding an OIDC application, or Adding or updating an OIDC application for more information.

Disable inactive users in PingOne directory

We’ve added the ability for you to disable users who’ve been inactive for an extended period of time. See Disable directory users for more information.

ServiceNow provisioner

The following limitations apply:

Adding OIDC applications

We’ve updated the selection and configuration of OIDC applications, streamlining this process based on the type of OIDC application connection you want to add. See Adding or updating an OIDC application for more information.

Encryption certificates

We’ve added management of encryption certificates to the certificate management page (Setup → Certificates). You can choose the encryption certificate used for an application. See Update an encryption certificate for more information.

Administrators and SSO

We’ve updated the Administrators page so that when an assigned administrator first signs on (SSO) to the admin portal, they’re automatically added to the list of administrators displayed on the Account → Administrators page. See Assign administrative roles for more information.

Browser extension updated

The browser extension (used for Basic SSO password vaulting) has been updated to version 2.54.9. This update included a fix for an unexpected prompt to restart the browser extension.

Updated provisioner for Salesforce

We’ve updated the provisioner for Salesforce. The update to this provisioner includes support for:

Salesforce provisioner

The following limitations apply:

PingOne directory user passwords

We’ve updated the PingOne directory user password process for new users. Now after you create a new user, the user must change their assigned password when they first sign on. See Add directory users for more information.

Updated provisioner for WebEx^®

We’ve updated the provisioner for WebEx. The update to this provisioner includes:

Updated provisioner for Amazon Web Services

We’ve updated the provisioner for Amazon Web Services (AWS). The update to this provisioner includes:

PingFederate Bridge

PingFederate Bridge is now the default PingFederate identity bridge for PingOne. It’s a light-weight version of PingFederate designed for quick and easy configuration with PingOne. See .pingidentity.com/pingfederatebridge/pf93///[Introduction to PingFederate Bridge] and Connect to PingFederate for more information.

Admin portal SSO for multiple groups

You can now assign multiple groups to administrative roles for the purpose of SSO to the PingOne admin portal from the PingOne dock. We’ve also created a new page for this assignment: Setup → Dock → Admin Portal SSO. See Configure SSO from the dock to the admin portal for more information.

Ping directory branding

We’ve added the ability for you to brand PingOne directory pages for your organization. See Assign directory branding and designs for more information.

SSO reports

You can now apply filtering to SSO reports based on specific applications. See Run a predefined report or Run a custom report for more information.

Supported languages

PingOne UI components now support the use of more languages. See PingOne for Enterprise language support for more information.

WebEx provisioner

The following limitations apply:

Amazon Web Services provisioner

The following limitations apply:

PingFederate Bridge

PingFederate Bridge is now the default PingFederate identity bridge for PingOne. It’s a light-weight version of PingFederate designed for quick and easy configuration with PingOne. See .pingidentity.com/pingfederatebridge/pf93///[Introduction to PingFederate Bridge] and Connect to PingFederate for more information.

Admin portal SSO for multiple groups

You can now assign multiple groups to administrative roles for the purpose of SSO to the PingOne admin portal from the PingOne dock. We’ve also created a new page for this assignment: Setup → Dock → Admin Portal SSO. See Configure SSO from the dock to the admin portal for more information.

Ping directory branding

We’ve added the ability for you to brand PingOne directory pages for your organization. See Assign directory branding and designs for more information.

SSO reports

You can now apply filtering to SSO reports based on specific applications. See Run a predefined report or Run a custom report for more information.

Supported languages

PingOne UI components now support the use of more languages. See PingOne for Enterprise language support for more information.

Basic SSO option

We’ve added an option for you to enable Basic SSO on the Setup → Dock → Configurations page in the admin portal. When enabled, you’ll use the browser extension to add apps for Basic SSO. See Basic SSO (password vaulting) for more information.

Basic SSO browser extension new field available

We’ve updated the browser extension used for Basic SSO apps to support an additional field for use when training the browser extension to sign on to a Basic SSO app. The additional (third) field is optional and is supplied for those apps that require sign-on information in addition to the user name and password fields.

IO-5262

(Provisioning) Fixed an issue where disabling users in the user source without a synchronized user in a target SaaS could result in a new user being created in the SaaS. The affected PingOne apps are:

SSD-11699

Fixed an issue in PingOne directory where a user having the same email address could not be recreated being deleted.

Basic SSO option

We’ve added an option for you to enable Basic SSO on the Setup → Dock → Configurations page in the admin portal. When enabled, you’ll use the browser extension to add apps for Basic SSO. See Basic SSO (password vaulting) for more information.

Basic SSO browser extension new field available

We’ve updated the browser extension used for Basic SSO apps to support an additional field for use when training the browser extension to sign on to a Basic SSO app. The additional (third) field is optional and is supplied for those apps that require sign-on information in addition to the user name and password fields.

Updated provisioner for PingOne for Customers

We’ve updated the provisioner for PingOne for Customers. This provisioner is intended for existing PingOne for Enterprise accounts using either PingOne directory or AD Connect who want to migrate their users to PingOne for Customers. The update to this provisioner includes:

SCIM SaaS provisioner

We’ve updated the provisioner for SCIM SaaS applications. This provisioner includes:

PingOne for Customers provisioner

The following limitations apply:

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

PingOne for Customers provisioner

The following limitations apply:

OpenID Connect custom scopes

We’ve added OAuth configuration settings for OpenID Connect applications to enable you to define custom scopes or to modify existing scopes with custom or standard claims. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Configure the access token].

PingOne redirect URI

We’ve updated the PingOne redirect URI to include a verification code unique to your account. The redirect URI used by your OpenID Connect provider for PingOne must include the verification code for SSO to be successful. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Connect to OpenID Connect].

Audit & Report administrator

We’ve added a dedicated administrator role for working with the audit event streaming and polling capabilities. The Audit & Report administrator is restricted to accessing the PingOne Dashboard and the Reporting and Subscriptions pages. The Audit & Report administrator can also access the API for polling audit events when audit subscriptions are configured as polling subscriptions. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Assign administrative roles] and .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Managing reports and subscriptions].

SSO reporting

We’ve added new report types and predefined reports for SSO transactions. For more information, see .pingidentity.com/pingone/saasSsoAdminGuide/index.shtml//[Report types] and .pingidentity.com/pingone/saasSsoAdminGuide/index.shtml//[Report event information].

SSD-10353

Fixed an issue where access to the PingOne admin portal generated an error when the PingOne authentication policy applied multi-factor authentication for SSO to the admin portal.

SSD-10402

Fixed an issue that occurred while adding a new SAML application. The signing certificate selected during the configuration process was not being used for the signing certificate download link displayed on the summary page at the end of the configuration process. Instead, the download link used the default signing certificate.

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

OpenID Connect custom scopes

We’ve added OAuth configuration settings for OpenID Connect applications to enable you to define custom scopes or to modify existing scopes with custom or standard claims. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Configure the access token].

PingOne redirect URI

We’ve updated the PingOne redirect URI to include a verification code unique to your account. The redirect URI used by your OpenID Connect provider for PingOne must include the verification code for SSO to be successful. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Connect to OpenID Connect].

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

OpenID Connect query parameters

We’ve updated the OpenID Connect repository configuration to enable you to specify additional query parameters for the authentication request PingOne sends to the OpenID Connect provider. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Connect to OpenID Connect].

PingOne dock and SSO session lifetimes

We’ve updated the PingOne dock to use the same session lifetime as the SSO session. The PingOne dock and SSO session can now be set to as low as 15 minutes. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Configure the dock when using an identity bridge].

Turkish language support

We’ve updated the PingOne user interface to include support for Turkish. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[PingOne language support].

SSD-9795

Fixed an issue where users who are members of a large number of groups were unable to use SafeNet for multi-factor authentication.

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

include::partial$p14e_p1refs_github.adoc[tags=Github]provisioner

We’ve a new provisioner for Github applications. This provisioner includes:

Administrative auditing (reports and subscriptions)

Administrative auditing is now available PingOne for Enterprise, PingID and PingOne SSO for SaaS Apps. You can utilize the administrative audit events through both the Reports and the Subscriptions facilities .

PKCE support for OpenID Connect (OIDC)

We’ve added support for Proof Key for Code Exchange (PKCE) to secure OIDC clients that cannot or choose not to use a client secret. We have therefore relaxed the requirement that a client secret must be specified when configuring an OIDC application with the authorization code flow. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Integrate an OIDC application, PKCE parameters]

For more information, see .pingidentity.com/pingone/saasSsoAdminGuide/index.shtml//[Integrate an OIDC application, PKCE parameters].

SLO for OIDC identity providers

We’ve added single logout (SLO) support for PingOne for Enterprise OIDC identity providers (IdPs). You can specify the end-session URL through the well-known metadata of the OpenID Connect provider (end_session_endpoint), or when you configure the PingOne connection for the OIDC IdP. When SLO is triggered, PingOne redirects the user logout process to the end-session URL for the OIDC IdP.

Automatic IdP Discovery

We’ve added automatic IdP discovery for all PingOne for Enterprise managed applications (applications managed by your account, rather than a service provider). For these applications, we no longer require that you specify the idpid for SP-initiated (SAML) requests or OIDC authorization requests.

SAML assertion available in reports

For SAML applications, we’ve added an enhancement to reports for you to display the SAML assertion for a failed SSO audit event included in a report. You can click on the failure code to display a popup containing the SAML assertion.

PingOne directory enhancements

We’ve added features to PingOne directory allowing you to:

include::partial$p14e_p1refs_faw.adoc[tags=faw]provisioner

We’ve updated the provisioner for Workplace by Facebook applications. This provisioner includes:

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Github provisioner

The following limitations apply:

Workplace by Facebook provisioner

The following limitations apply:

PKCE support for OpenID Connect (OIDC)

We’ve added support for Proof Key for Code Exchange (PKCE) to secure OIDC clients that cannot or choose not to use a client secret. We have therefore relaxed the requirement that a client secret must be specified when configuring an OIDC application with the authorization code flow. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Integrate an OIDC application, PKCE parameters] For more information, see .pingidentity.com/pingone/saasSsoAdminGuide/index.shtml//[Integrate an OIDC application, PKCE parameters].

SLO for OIDC identity providers

We’ve added single logout (SLO) support for PingOne for Enterprise OIDC identity providers (IdPs). You can specify the end-session URL through the well-known metadata of the OpenID Connect provider (end_session_endpoint), or when you configure the PingOne connection for the OIDC IdP. When SLO is triggered, PingOne redirects the user logout process to the end-session URL for the OIDC IdP.

Automatic IdP Discovery

We’ve added automatic IdP discovery for all PingOne for Enterprise managed applications (applications managed by your account, rather than a service provider). For these applications, we no longer require that you specify the idpid for SP-initiated (SAML) requests or OIDC authorization requests.

PingOne directory enhancements

We’ve added features to PingOne directory allowing you to:

include::partial$p14e_p1refs_faw.adoc[tags=faw]provisioner

We’ve updated the provisioner for Workplace by Facebook applications. This provisioner includes:

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Workplace by Facebook provisioner

The following limitations apply:

Users by Service

We’ve added support for first and last name values for provisioned users on the Users → Users By Service page.

PingOne directory user registrations

We’ve added the ability for you to specify a reply-to email address for user registrations on the Setup → Directory → Registration page.

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

ServiceNow provisioner (Kingston, Jakarta, Istanbul)

We’ve added new capabilities for the ServiceNow applications:

See Known Issues and Limitations for important information. This is a new ServiceNow provisioner. We’ve rebranded the existing provisioner from ServiceNow to "ServiceNow (Fuji)".

Box provisioner

We’ve added new capabilities for the Box applications:

See Known Issues and Limitations for important information.

SSD-7486

Fixed an issue when adding a new SAML application where changes to the signing algorithm were not being retained after saving the changes.

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

ServiceNow provisioner (Kingston, Jakarta, Istanbul)

The following limitations apply:

Box provisioner

The following limitations apply:

OpenID Connect identity repository

We’ve added support for OpenID Connect identity repositories. You can now authenticate users through any OpenID provider. See Connect to OpenID Connect for more information.

Force MFA option

If you have an authentication policy in place for your PingOne account, when you add an application to PingOne, you now have the option to require that each time a user accesses the application, they must use multi-factor authentication (MFA).

New attribute mapping settings

When you add an application to PingOne and use advanced attribute mapping to map your identity provider attributes to service provider attributes, you will now find settings for random and hash functions. The hash function takes a literal string or attribute value. The random function generates a random string of a specified length. Both functions optionally hash the string using the selected algorithm (MD5, SHA-1, SHA-256) and encode the string using the selected encoder (hex, base64).

SSD-6937

Fixed an issue where the signing algorithm for a non-multiplexed application wasn’t updating the signing algorithm for the connection.

SSD-6763

Fixed an issue where administrative SSO to the PingOne admin portal for newly assigned administrators was failing when multi-factor authentication (MFA) for the admin portal was required in the authentication policy.

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

SSD-6751

Fixed an issue where the restAuthUsername value wasn’t always set when the integration page was loaded.

SSD-6627

Fixed an issue where Basic SSO apps were being counted towards the application limit even though the setting to allow Basic SSO was disabled (the default).

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

include::partial$p14e_p1refs_faw.adoc[tags=faw]provisioner

We’ve updated the Workplace by Facebook provisioner to add support for additional user attributes. See Known Issues and Limitations for important information. NOTE: If you’ve been using the Workplace by Facebook application (formerly known as Facebook at Work), you will need to edit the application by clicking through to the last page and saving the application. You will then be able to take advantage of the new provisioner features.

SSD-6604

Fixed an issue where you were unable to edit or delete duplicate groups.

SSD-6599

Fixed an issue where the PingOne was using the NA region authenticator for multi-factor authentication, rather than the proper regional authenticator for the PingOne account.

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Workplace by Facebook provisioner

The following limitations apply:

Multi-factor authentication for the PingOne admin portal

We’ve added a feature on the Authentication Policy page in the admin portal to enable and require PingID multi-factor authentication (MFA) for PingOne administrators who access the PingOne admin portal. Included is an option to specify an administrator who can access the admin portal without requiring MFA.

See SSO to the PingOne for Enterprise admin portal with multi-factor authentication for more information.

SAML signature signing algorithm for SSO

We’ve added the ability for you to configure the signature signing algorithm for all authentication requests, assertion signing and single logout (SLO) between PingOne and SAML identity providers and between PingOne and SAML service providers. PingOne will continue to support the SHA-1 algorithm, but now allows you to select SHA-256, SHA-384 and SHA-512. New SAML connections default to SHA-256. See Connect to PingFederate for more information.

SAML signature signing algorithm

We’ve added the ability for you to configure the signature signing algorithm for all assertion signing to PingOne. PingOne will continue to support the SHA-1 algorithm, but now allows you to select SHA-256, SHA-384 and SHA-512. New SAML connections default to SHA-256. See Adding or updating a SAML-enabled application for more information.

Session revocation for PingOne directory

We’ve implemented a session revocation service for the PingOne directory workflows: user deletion, user disablement and password reset. When you perform these workflows for a PingOne Directory user, the session revocation service will now terminate the PingOne session associated with that user and prevent them from performing new SSO requests through PingOne. See Delete directory users for a description. NOTE: The session revocation service does not perform SLO to SaaS applications that the user may have in an active session.

PingFederate summary information

We’ve added configuration summary information on the Identity Repository Settings page for identity repositories using PingFederate 8.0 or greater.

New provisioner for Jive^®

We’ve added a new provisioner for Jive applications. This provisioner includes:

See Known Issues and Limitations for important information.

Basic SSO and the browser extension

Basic SSO and the PingOne browser extension are no longer offered for new PingOne accounts. Accounts that are currently utilizing Basic SSO or the browser extension can continue using these facilities without interruption. For accounts not currently using Basic SSO or the browser extension, availability of these facilities is no longer displayed.

Jive provisioner

The following limitations apply:

include::partial$p14e_p1refs_slack.adoc[tags=Slack]provisioner

We’ve have added support for additional user attributes. See Known issues and limitations for important information. NOTE: Existing customers must edit their existing Slack application, click through to the end page and save to take advantage of the new features

SCIM SaaS provisioner

We’ve added a new provisioner for SCIM SaaS applications. This provisioner includes:

See Known issues and limitations for important information.

Ping IDaaS Directory provisioner

We’ve added a new provisioner for Ping IDaaS Directory.

See Known issues and limitations for important information.

SSD-6063

Fixed an issue where you were unable to preview the PingOne dock.

SSD-5879

Fixed an issue where the number of connections displayed on the My Applications page for applications was incorrect when an application was disabled.

SSD-3780

Fixed an issue where no warning or confirmation prompt was displayed when saving an Attribute Policy that had no associated connection.

SSD-3838

Fixed an issue where the dropdown list on the search bar automatically displayed when opening the PingOne dock using include::pingone_for_enterprise:partial$p14e_p1refs_ie.adoc[tags=IE]10.

SSD-3838

Fixed an issue when using include::pingone_for_enterprise:partial$p14e_p1refs_ie.adoc[tags=IE]and clicking the search bar, where an application description wasn’t being displayed after clicking the down arrow.

Slack provisioner

SCIM SaaS provisioner

Ping IDaaS Directory provisioner

Multiplexing and manual connections

When configuring a manual connection to an application, currently it is possible to select for multiplexing not to be used for non-SAML applications. Multiplexing is used for all non-SAML applications.

Deleting a customer account

We’ve added a confirmation dialog box when you choose to delete a customer account. (SSD-5867)

SSD-5735

Fixed an issue where changing the application category for a PingOne for Enterprise managed application did not update the application category on the PingOne dock.

SSD-5603, 5604

Updated Ping logo, icon and favicon.

Administrators page

We’ve redesigned the Account → Administrators page for clarity and ease of use.

Users By Service Bypass option

We’ve removed the Unlimited Time setting for the Bypass option for Users By Service for all administrators except Global Administrators. You must now be a Global Administrator to enable the Bypass option for a user for an unlimited time. (SSD-4983)

include::partial$p14e_p1refs_msedge.adoc[tags=MsEdge]support

You can now use the Microsoft Edge browser (version 40) to access the PingOne admin portal.

SSD-5358

Fixed an issue on the My Applications page in the admin portal where the Request Ping Identity add a new application to the application catalog selection did not reference the proper URL.

SSD-5307

Fixed an issue when adding a new private SAML application where the setting for the Force Re-authentication option wasn’t being saved correctly.

BE-2344

(Browser extension) Fixed an issue where the locale setting for the browser extension didn’t match the locale setting for the PingOne dock.

PingOne universal certificate

A new PingOne universal certificate is now available. You need to update to the new PingOne universal certificate if you’re using either PingFederate or a Third-Party SAML provider as your identity bridge and your configuration requires either:

See Check whether you need to update the PingOne for Enterprise universal certificate for more instructions.

PingOne encryption certificate

We now include the PingOne encryption certificate in the PingOne metadata available when you’re configuring a PingFederate or Third-Party SAML identity bridge. We’ve also added the option to separately download the PingOne encryption certificate if you intend to manually configure the IdP settings (rather than using the PingOne metadata).

Custom entity IDs

When configuring a PingFederate or Third-Party SAML identity bridge, you can now select to enable account-specific entity IDs and specify a custom entity ID for your account. We will validate the ID to ensure that it is unique across all PingOne accounts.

include::pingone_for_enterprise:partial$p14e_p1refs_gapps.adoc[tags=GApps]provisioner

We’ve updated the Google Apps for Work provisioner as follows:

include::partial$p14e_p1refs_zendesk.adoc[tags=Zendesk]provisioner

We’ve updated the Zendesk provisioner as follows:

PingOne universal certificate

A new PingOne universal certificate is now available. If you’re using multiplexing, or using manually configured customer connections, you’re using the PingOne universal certificate. In this case, it is imperative that you edit the application configuration to update the PingOne universal certificate. See Update the PingOne SSO for SaaS Apps universal certificate for instructions.

PingOne encryption certificate

When you’re adding a customer connection manually, we’ve added the option to separately download the PingOne encryption certificate.

IdP discovery

When you edit a customer connection, you need only specify the domain or domains used for customer email addresses and we will use this information to discover the IdP for the connection. We’ve added the option to set the current connection as the default IdP connection used for all of your applications.

We’ve also updated the IdP Discovery popup window to display the application logo and your corporate logo (if you’ve configured this).

Testing application integration

For security reasons, we’ve disabled connections to the PingOne Test IdP by default. This connection is enabled only when you select to test your application. We also ensure that you can disable the connection when you’re done testing.

SSD-4485

Fixed an issue where selecting to use the PingOne universal certificate for a Third-Party SAML identity bridge configuration, then changing to use the PingOne directory as the identity repository, caused the Renewal Certificate to be selected for use rather than the PingOne universal certificate.

SSD-4450

Fixed an issue that resulted in configuration updates not being used during SSO.

SSD-4298

Fixed an issue where the Upload link was being displayed on top of the company logo icon when registering for a new account.

SSD-3777

Fixed an issue where the Signoff button was being displayed after closing the browser tab for an impersonated session, then going to the PingOne admin portal (the impersonated session) from the PingOne dock.

SSD-3721

Fixed an issue on the My Devices page where pressing the Enter key did not correspond to clicking the Save button.

include::partial$p14e_p1refs_box.adoc[tags=Box]and include::partial$p14e_p1refs_webex.adoc[tags=WebEx]provisioners

We’ve improved handling of look-up by Secondary ID, for instances when look-up by Primary ID fails to return a user.

Corporate branding

We’ve added an Account → Branding page for you to assign branding to be used for your organization’s account.

Corporate branding

We’ve removed the Setup → General page and moved the account branding setting to a new Account → Branding page. On this page, you can assign branding to be used for your organization’s account.

User support message

The user support message setting that appeared on the (now removed) Setup → General page is displayed as one of the settings on the Setup → Dock page.

The user support message is displayed to your users when they click the Need Help? link in the dock.

SSD-4300

Fixed an error message that was displaying repeatedly.

SSD-4659

Fixed an error message displayed when attempting to SSO to an application without the appropriate permissions.

SSD-4671

Fixed an issue where Application Catalog icons weren’t being displayed consistently.

SSD-3167

Fixed an issue where Support Admins (Read-Only) were unable to view the Users tab when impersonating an account using PingOne directory as the identity repository.

SSD-4661

Fixed an issue where the QR code wasn’t being displayed when selecting to add a new device in the PingOne dock.

SSD-4511

Removed the (non-editable) corporate logo field from the Account → Company page. The corporate logo assignment is on the Account → Branding page.

SSD-4687

Fixed an issue where selecting "Other" as the country on the Company page resulted in an error.

SSD-4806

Fixed an issue where an error was thrown when mapping an advanced attribute using "As Literal", entering data, then clicking Save before the preview field updated.

SSD-4844

Fixed an issue where the expiry date for the PingOne universal certificate shown after setting up an identity repository was different (by one day) from the expiry date shown in for the certificate in the list on the Setup → Certificates page.

SSD-4915

Fixed an issue on the Company page when the country is France. The dropdown list for State/Province/Region displayed a second entry for "Limousin", rather than an entry for "Lorraine".

SSD-4425

Fixed an issue where the Company ID value was no longer displayed in the PingOne dock. The Company ID value is now displayed on the bottom of the navigation pane in the dock.

SSD-5064, 5065

Fixed an issue where attempting to SSO to the admin portal from the PingOne dock fails when the prior SSO request was from the dock to PingFederate.

SSD-3773

Fixed an issue where a customer password reset was not also triggering the display of the license agreement if the license agreement had been updated.

BE-2192

Fixed an issue where an error wasn’t being displayed when attempting to launch a Basic SSO application in the PingOne dock (without refreshing the page) after the application had been removed from the My Applications list.

BE-2228

Fixed an issue where the PingOne browser extension training wizard wasn’t able to complete for the Cloudpay Community application.

BE-2228

Fixed issues where the PingOne browser extension training wizard wasn’t able to complete for a number of applications.

BE-2268

Fixed an issue where the PingOne browser extension for include::pingone_for_enterprise:partial$p14e_p1refs_ie.adoc[tags=IE]was affecting the ability to load intranet sites.

Directory settings permissions

We’ve expanded Identity Repository administrators permissions to include access to view and modify the directory settings when the identity repository is PingOne directory.

API Provisioning

From March 4th 2017 Salesforce is no longer supporting TLS 1.0 protocol. PingOne has been updated to support OAuth for Provisioning communication to accommodate this change. See How to Migrate the Salesforce Provisioner for instructions.

JIT Provisioning (just-in-time) is not impacted by this change.

SSD-3822

Fixed an error message displayed when uploading an IdP metadata file that is missing necessary information for SP-initiated SSO.

SSD-3695

Fixed an issue where the phone number wasn’t being passed to the authentication provider (PingID).

PingOne reporting

We’ve added a new SSO summary report to the list of predefined reports included in the PingOne admin portal reporting. This report shows the number of unique users that are actively using PingOne, and which applications they are logging in to. It also shows the total number of SSO events for each application.

Password change

We’ve enhanced security to ensure that if a user fails to enter the correct password three times when changing their password on the User Profile page, they are automatically logged out.

Salesforce provisioner

We’ve updated the Salesforce provisioner with the following changes and enhancements:

SSD-4473

Fixed an issue that was preventing an MSP administrator from impersonating an account to which only disabled administrators has access.

BE-2130

Fixed an issue that was preventing the browser extension welcome message from displaying correctly in some browsers.

SSD-4316

Fixed an issue that was prompting a user to activate OAuth when creating a connection for which provisioning was not selected.

SSD-4289

Fixed a security issue with an MSP administrator’s ability to impersonate customer accounts.

SSD-4282

Fixed an issue that was preventing error message popups from closing correctly in the PingOne admin portal.

BE-2080/BE-1940

Fixed an issue that was preventing characters from displaying correctly when training an app, if the language is not English.

IO-2027

We’ve improved the handling of different letter case logins and aliases for the Box provisioner.

IO-2243

Fixed an issue with the Microsoft Office 365 provisioner that was causing an error when trying to retrieve a user during provisioning.

IO-2242

Fixed an issue with the WebEx provisioner’s handling of the timezones not listed in WebEx’s timezone encoding list.

Salesforce provisioner

Certificate Management

PingOne will now inform you if a verification certificate that has been configured on a connection is invalid when the connection is being edited.

Reporting

We’ve added the ability to navigate back to the Users by Service page if you clicked on the Latest Activity link for a user on the Users by Service page.

SSD-4040

Fixed an issue when filtering dashboard metrics, where filtering by "today" would return 0 results. Also fixed an issue with the mouse over popup on chart data that spanned a DST boundary where the time reported was offset by +1/-1 hour.

SSD-4064

Fixed an issue where viewing latest activity for a user on the Users by Service page was redirecting to the old report logging UI.

SSD-4144

Fixed an issue that was preventing the first and last name from being displayed in the PingOne dock when using PingOne directory.

SSD-4116

Fixed an issue that was preventing an administrator from accessing report entries if they occurred in a timezone and at a time that was considered the next day for the local timezone. Administrators can now select up to one day in the future for the end date of a report filter.

SSD-4071

Fixed an issue that was preventing the propagation of SLO settings changed on an application in a PingOne for SaaS Apps account from being applied to all connections to that application.

SSD-4078

Fixed an issue that was limiting the value that can be entered in each field on the Password Policy page to three digit numbers (i.e. a maximum value of 999). This limit is now removed.

SSD-4037

Fixed an issue that was not clearing the filter criteria from the previous report, when running a predefined report in the Reporting tab.

SSD-3718

The dropdown box used to select fields when running a report has been fixed so that it now displays field names alphabetically.

SSD-3794/SSD-3784

Fixed an issue when impersonating an account via the PingOne dock that was causing the navigation window to resize incorrectly.

ID-5209

Fixed an issue that was marking the SAML_SUBJECT as an optional field when creating an application connection, rather than mandatory.

BE-2050

The browser extension can now handle language-based variations of the Eventzilla URL.

BE-1943

Fixed an issue that was preventing the browser extension from detecting the Password and Sign In button for the Office 365 app.

BE-1883

Fixed an issue displaying French language text when signing on to the browser extension.

BE-2003/BE-2005/BE-1995

Fixed an issue that was preventing the browser extension from loading correctly after changing the privacy key on a different browser or machine.

PingOne admin portal

We’ve made the following enhancements to the PingOne admin portal:

Application catalog

We’ve added support for the StartMeeting cloud application.

Reporting

The report log has been updated and enhanced.

BE-2003/BE-1995

Fixed an issue that was preventing the browser extension from loading correctly after changing the privacy key on a different browser or machine.

BE-1994

Fixed an issue that was preventing the sign in popup from being displayed in the PingOne dock following a browser refresh.

SSD-3630

Fixed an issue that was preventing the system from saving the correct value for the Account Specific Entity ID field and the Sign AuthRequest field when uploading metadata for a third party SAML identity repository configuration.

ID-5966

Fixed an issue when checking whether the Entity ID is unique during identity repository configuration.

ID-6344

Fixed an issue that was categorizing identity provider connections associated with a signing certificate incorrectly.

SSD-3572

Fixed an issue that was preventing the removal of the Identity Bridge Logout URL value assigned in PingOne.

SSD-3543

Fixed an issue where during configuration of an Invited PingOne SSO account, attempting to download a metadata file or a signing certificate generated an error.

Administrator capabilities

A global or support administrator impersonating a customer account can now delete the last administrator on the account.

PingOne admin portal

We’ve added the ability for a Managed Service Provider (MSP) to delete a custom email template in the PingOne admin portal.

PingOne admin portal

We’ve reduced the idle timeout for an admin session to 15 minutes.

We’ve added the ability for a Managed Service Provider (MSP) to delete a custom email template in the PingOne admin portal.

Certificate Management

We’ve made the following enhancements:

Workplace by Facebook™

We’ve renamed this feature (formerly known as Facebook at Work), and removed the suppressEmail attribute.

Box Provisioner

We’ve added support for updating user emails in Box Provisioner. NOTE: Existing customers must remove their existing Box applications and then add the application connection to take advantage of the new feature.

SSD-3501

Fixed an issue that was preventing a customer from creating an account when receiving an email invitation from a Managed Service Provider (MSP) administrator in PingOne.

SSD-3497/SSD-3394

Fixed an issue that was preventing the use of "?" and "/" characters in advanced attribute mapping.

SSD-3480

Fixed an issue that was preventing the validation error message from appearing when importing invalid metadata into the PingOne.

SSD-3464

Fixed an issue that was causing an exception error when trying to save an application with an invalid ACS URL in PingOne.

SSD-3441

Fixed an issue that was displaying the administrator role incorrectly when sending an invitation to a new administrator to become the administrator of an existing PingOne account.

ID-5882

Fixed an issue that was causing PingOne to automatically insert default values into optional attribute mapping fields that were purposefully left blank.

BE-1892

Fixed issues with the following apps, and enabled them in the Application Catalog:

ID-6039

We’ve hidden the ability to add primary and secondary verification certificates when creating an SAML 1.1 application connection, as verification certificates are not supported in SAML v1.1.

ID-6266

Fixed an issue that was preventing a newly created certificate from appearing in the Certificate List when using Internet Explorer v10 and v11.

ID-5714

The Single Logout Endpoint, Single Logout Response Endpoint, and Single Logout Binding Type fields have been removed from SAML v1.1 managed applications. SAML v1.1 does not support Single Logout Endpoints.

SSD-3421

Fixed an issue that was causing the admin account to be locked, if resetting a password in the PingOne admin portal using a password that does not meet the PingOne directory policy.

SSD-3418

Fixed an issue when resetting a password from the PingOne admin portal.

SSD-3294

Fixed an issue when loading content from PingOne admin portal using Internet Explorer 10.

Certificate management

We’ve now added email notifications to inform you when the primary verification certificate or secondary verification certificate associated with a conniction or identity bridge is expiring. Email notifications are sent two months before expiry, a week before expiry, and at the time of expiry.

Admin roles

We’ve renamed the Directory Administrator role to Identity Repository Administrator, for clarity. The Identity Repository Administrator refers to an administrator who is responsible for the identity repository, regardless of whether it is PingFederate, AD Connect, a Third Party repository, or PingOne Directory.

Dashboard

We’ve enhanced the layout of data in the graphs displayed on the dashboard.

MSP administrator

We’ve enhanced the Managed Service Provider (MSP) admin account capabilities. Now if an MSP account owns a PingOne SSO for SaaS Apps account and invites a customer or partner to create a connection to an application under that PingOne SSO for SaaS Apps account by registering an "Invited PingOne SSO" account, the Invited PingOne SSO account is now listed in the MSP’s customer list page.

PingOne user accounts

For any new identity provider that you set up, the lifetime of any user session is now set to 2 hours by default. You can change the duration from PingOne, if you need to do so.

Attribute mapping

We’ve added the phone number attribute to the list of dock attribute mapping options for PingFederate, AD Connect, and third party SAML identity repositories.

SSD-3356

Restored the setting application logos on applications created in PingOne SSO for SaaS Apps accounts, as they were being removed incorrectly. The logos were removed when this capability was removed for PingOne for Enterprise when using the new PingOne for Enterprisedock.

BE-1812

Fixed an issue that was preventing the Go to PingOneand Sign Offbuttons from showing in the browser extension.

ID-5976

Fixed an error handling issue on the PingOne for Enterprise password reset page.

ID-5993

Fixed an issue that was preventing users changing the default signing certificate assigned to their managed application.

ID-6171

Fixed an issue with the delete certificate feature.

SSD-3288

Fixed an issue that was preventing a user from entering an email address that includes the '+' character, when inviting a customer from a Managed Service Provider (MSP) account in PingOne for Enterprise.

SSD-3331

Fixed an error displayed when adding Google Drive as a Basic SSO application in PingOne for Enterprise.

SSD-3259

Implemented a fix to make transaction processing more resilient to service configuration problems.

SSD-3169

Fixed a security issue with MSP Support Admin (read-only) roles.

SSD-3108

Fixed an issue updating login failures on the dashboard.

Admin log reporting

We’ve added a new Administrator Login category to the reports log. The new report shows all login attempts by a PingOne administrator, the method of login used (username and password, or SSO) and whether the login attempt was successful.

SSO to PingOne Admin portal

We’ve added the ability for administrators having Identity Repository administrator or SaaS administrator roles to SSO directly to the PingOne admin portal. In previous versions this was only available for the Global administrator and the Service User administrator roles. This option is only available when using PingFederate, AD Connect, or Third Party SAML as your identity repository.

PingOne API

We’ve added support for PKCS7 formatted certificates.

Certificate Management

We’ve reorganized the layout of the connections that are listed in the certificate Connections tab. Connections are now listed by category (identity bridge or application). Identity bridge connections are listed by type (such as PingFederate, or Third Party SAML). The applications header shows the number of application connections associated with the certificate. .

SSD-3020

Verification certificate tool tip text updated.

SSD-3129

Fixed an issue that was permitting users to upload expired or invalid certificates for third party SAML Identity Providers.

SSD-3112

Fixed an issue when accessing the attribute mapping page for a SAML 2.0 connection. When exiting the page and then uploading metadata with a different attribute set, the attributes were not being updated correctly.

SSD-3161

Fixed an issue with caching when trying to SSO with an account that was suspended and then re-enabled.

SSD-3168

Fixed a security issue with Managed Service Provider (MSP) admin capabilities in PingOne.

Certificate management

Certificates that do not have a CN defined, now show the first 20 characters of the Subject DN as the certificate name.

Performance enhancements were applied to the Certificate Management page.

Certificate expiry dates are now displayed in a 4 digit format.

ID-5718

Fixed an issue when adding SAML v1.1 applications from the application catalog, where certificate management was not being supported.

ID-5717

Fixed an issue that was preventing a user from being able to add a multiplexed SAML app from the Application Catalog.

ID-5679

Fixed an issue with the appearance of the Select Imagebutton for the Application logo and icon. The appearance is now sized correctly and consistently in the UI.

ID-5671

Fixed a issue when clicking the Active Downloadlink in Safari, that was causing it to be displayed, rather than downloaded.

ID-5846

Fixed a bug that was causing an infinite loop when attempting to access the Devices page before completing first factor authentication using PingOne.

SSD-3136

The option to define an application logo has been removed when creating or editing an application connection for users that have upgraded to the new dock. The option remains for users that are using legacy dock.

SSD-2993

SSD-3121

Fixed a bug when uploading metadata that included mappings that were already in the connection, and was causing these mappings to be lost.

SSD-3036

Fixed an issue that was causing an exception when loading the Certificate Management page if invalid certificates were present.

SSD-3017

Fixed a bug where binary certificates that were uploaded were not saved correctly.

My Applications search

We’ve enhanced the ability to search the My Applications list. You can now search by the:

In previous versions it was only possible to search by the application name.

PingOne certificate management

We’ve added the ability to view the SHA1 and SHA256 fingerprint in the certificate Properties tab.

PingOne passwords

When changing the administrator password in the PingOne admin portal, the administrator is now required to enter their current password, as well as their new password. If the administrator enters the wrong password three times, the account is temporarily locked.

ID-5685

Fixed a broken link in the Invite IdP page.

ID-5549

Properties and connections associated with a verification certificate are now displayed in separate tabs. This matches the way this information is presented for signing certificates.

ID-4585

Fixed an issue that was preventing the secondary instance of a certificate from being deleted when replacing a primary certificate with a secondary certificate.

ID-5428

When configuring a managed connection, the text for the Application Icon has been changed to 'For use on the dock'. As the Application Logo is not used on the new PingOne dock, the text for this field has been changed to 'For use on the previous version of the dock'.

BE-1642

Fixed an issue that was making the browser extension unresponsive when clicking the username and then clicking Learn when training an app.

BE-1601

Fixed an issue when training an app that was causing a loop when clicking the Login button.

ID-5712

Fixed an issue when editing an application that was preventing changes to the SLO or SLO Response Endpoint from being saved.

ID-5689

Fixed an issue in the Certificate Management page that was preventing the Download and Export buttons from working in some browsers.

ID-5691

Fixed an issue on the Certificate Management page where applications sharing a connection (a multiplexed connection) were being displayed as disabled.

Certificate management

We’ve added a new centralized certificate management UI. The new UI enables you to:

See Overview of signing and verification certificates for more information.

Additional language support for end user components

The following languages are now supported for all PingOne user subsystems (PingOne dock, transaction processing, browser extension, and authentication):

Chinese, Dutch, English, French, German, Italian, Japanese, Korean, Portuguese, Russian, Spanish, and Thai.

ID-5544

Fixed an issue where the PingOne signing certificate wasn’t showing up in the list of results when typing "Ping" in the certificate search field.

ID-5502

Fixed an issue when setting up a connection to an application, that meant the PingOne default certificate was always selected even when a different signing certificate was chosen.

ID-5481

Fixed an issue that caused the PingOne provided signing certificate to be downloaded for an application connection, even if a different singing certificate was selected for the connection.

ID-5486

Renamed the Connection Summary "Certificate" label to "Signing Certificate".

ID-5485

Fixed an issue when promoting a secondary verification certificate to the primary verification certificate. The instance of the secondary verification certificate wasn’t being automatically deleted.

ID-5482

Fixed an issue that the certificate properties Issuer DN and Expiration Date fields were not updating accordingly when uploading a response to a certificate signing request (CSR).

ID-5343

Fixed an issue importing the PingOne metadata file via a URL when setting up a Third-Party SAML identity bridge.

ID-5329

Fixed an issue that was affecting the proper display of text when verifying AD Connect as an identity bridge.

BE-1569

Fixed an issue for trained apps in PingOne browser extension v2.22.0 that was preventing the browser extension from signing in users automatically.

ID-5585

Fixed a bug that was causing formatting issues in the PingOne dock search.

ID-5543

Change the name of the link used to change an identity repository from "Change User Store Type" to "Change Identity Repository".

ID-5508

Fixed an issue that was preventing some users from editing an application.

New Application Catalog categories

We’ve added the following categories to the application catalog: benefits, training, and travel.

ID-5444

Fixed an issue when attempting to erase the identity bridge URL, the field was not updating correctly.

ID-5385

Fixed formatting of the applications listed in the application catalog.

ID-5342

Fixed an issue with editing an application, where Chrome and Firefox browsers were auto-populating the first two application configuration fields with autosaved username and password data.

ID-4503

Fixed missing link that enables a user to log back into the admin web portal after they successfully logged out.

BE-1493

Fixed an issue when training a basic SSO app, that caused training to pause when clicking on the Login field.

ID-5462

Fixed an error when setting up a Third Party SAML identity bridge that prevented the list of connection information from being displayed.

ID-5363

Fixed an issue that custom app icons were not being displayed in the My Applications page, unless the entry was expanded. Custom app icons now app in the My Applications page, and when deleting an application.

ID-5356

The browser extension install option now only appears if there is at least one Basic SSO application installed.

ID-5361

Fixed a security vulnerability associated with the application name on the legacy dock.

ID-5415

Fixed a security vulnerability associated with the browser extension.

SSD-2817

Fixed an issue that was causing a mismatch between the total number of logins displayed in the Dashboard maps and the number of logins recorded in the Logins field.

ID-5268

Performance enhancements, to address customer issues when performing a search of Users by Service.

ID-4656

Fixed a potential security vulnerability.

ID-5342

Fixed an issue with editing an application, where Chrome and Firefox browsers were auto-populating the first two application configuration fields with autosaved username and password data.

ID-5334

Fixed an issue that was causing an error when adding an application.

ID-5274

Fixed an issue when clicking a Configuration page link it was landing on the Dashboard.

ID-1671

Fixed an issue on the Company Settings page when viewing company description the characters were not displaying correctly.

ID-5332

Fixed and issue that an application which had been updated to show a new icon displayed the old icon when trying to delete the application.

New PingOne dock

We’ve totally redesigned the PingOne dock:

See Introducing the PingOne for Enterprise dock for more information.

include::partial$p14e_p1refs_faw.adoc[tags=faw]provisioning

We’ve updated Facebook at Work provisioning to support provisioning user manager details.

See Known Limitations for more information.

Facebook at Work provisioning

include::partial$p14e_p1refs_box.adoc[tags=Box]Provisioning

We’ve updated Box provisioning to support:

See Known Limitations for more information.

None

(None to report for this release.)

Box provisioning

None

(None to report for this release.)

None

(None to report for this release.)

SSD-2572

Added new application categories for Benefits, Training and Travel.

ID-4819

Fixed an issue where an error occurred when you attempted to change your password using AD Connect with the Password Change option enabled and the IWA option disabled.

ID-4839

Fixed an issue where Basic SSO transactions weren’t being logged.

Browser extension installation in Mozilla Firefox^®

After installing the PingOne browser extension in Firefox, you need to refresh the page. Otherwise, the browser extension installation will begin again. Ticket ID: ID-4248.

None

(None to report for this release.)

None

(None to report for this release.)

ID-4658

Fixed an issue where the number of applications displayed in the Dashboard page didn’t match the number of applications displayed in the My Applications page.

ID-4650

Fixed an issue where provisioning for AD Connect was failing.

ID-4422

Fixed an issue where the PingID settings file had an extraneous escape character.

BE-1142

(Browser extension) Fixed an issue where the PingOne browser extension was interfering with display rendering in include::pingone_for_enterprise:partial$p14e_p1refs_ie.adoc[tags=IE]version 10 or 11 when using include::partial$p14e_p1refs_oracle.adoc[tags=Oracle]Business Intelligence Enterprise Edition.

Dropbox provisioning

Browser extension installation in Mozilla Firefox^®

After installing the PingOne browser extension in Firefox, you need to refresh the page. Otherwise, the browser extension installation will begin again. Ticket ID: ID-4248.

include::partial$p14e_p1refs_dropbox.adoc[tags=Dropbox]Provisioning

We’ve updated Dropbox provisioning to support additional user attributes. See Known Limitations for more information.

Invited PingOne SSO Accounts

We’ve add an Administrators page to the PingOne admin portal for Invited PingOne SSO accounts. You can now assign multiple administrators for your account.

None

(None to report for this release.)

SSD-2267

Fixed an issue for multi-factor authentication with include::partial$p14e_p1refs_safenet.adoc[tags=SafeNet]where users needed to authenticate a second time when logging in to Safenet.

ID-4278

Fixed an issue in the Reports page display where the Category values was removed whenever the report results were expanded.

ID-1682

Fixed an issue on the User Groups page where the Deprovision all users checkbox wasn’t displayed when you cleared a selected checkbox next to the application name.

BE-976

(Browser extension) Fixed an issue where the Save Learning popup wasn’t displaying properly for include::pingone_for_enterprise:partial$p14e_p1refs_ie.adoc[tags=IE]version 9.

Dropbox provisioning

Browser extension installation in Mozilla Firefox^®

After installing the PingOne browser extension in Firefox, you need to refresh the page. Otherwise, the browser extension installation will begin again. Ticket ID: ID-4248.

ID-4216

Fixed an issue where the Save button wasn’t working in the application credentials dialog box for Basic SSO applications.

ID-4213

Fixed an issue where the step to configure provisioning for a PingFederate identity bridge displayed in the existing tab/window rather than a new tab/window.

ID-4145

Fixed an issue where the browser extension wasn’t automatically signing in after you install your first Basic SSO application.

ID-3883

Fixed an issue where errors weren’t being displayed properly when installing an identity bridge.

ID-3398

Fixed an issue for PingID Standalone accounts, where an extraneous warning was being displayed when clicking the Setup tab.

ID-3031

Fixed an issue where you were unable to upload a JPG image file for your profile picture.

ID-3030

Fixed an issue where invited PingOne directory users were unable to upload a JPG image file for their profile picture during the registration process.

BE-12

(Browser extension) Fixed an issue where the browser extension wasn’t working properly when login fields displayed in an iFrame.

BE-747

(Browser extension) Fixed an issue where sign on for Basic SSO applications wasn’t working properly when the application login required text input.

BE-623

(Browser extension) Fixed an issue where browser extension wasn’t working properly when the PingOne dock tab wasn’t the current tab.

ID-1656

Fixed an issue where the instruction steps for creating or editing an application displayed HTML tags and encoded characters.

ID-4214

Fixed an issue where the SSO endpoint was being truncated. Now extended to 2048 characters.

Browser extension installation in Mozilla Firefox^®

After installing the PingOne browser extension in Firefox, you need to refresh the page. Otherwise, the browser extension installation will begin again. Ticket ID: ID-4248.

Facebook at Work Provisioning

We’ve updated Facebook at Work provisioning to support additional user attributes.

Known limitations for this release:

Office 365 Provisioning

We’ve updated Office 365 provisioning to support:

Known limitations for this release:

ID-3828

Fixed a misleading error message.

ID-3758

Fixed an issue regarding lapse of synchronization between PingOne directory administrators and directory users.

SSD-1956

Fixed an issue where meaningful information wasn’t being displayed in the Logout Confirmation screen.

ID-3904

Fixed an issue where some pages were displaying an error saying the domains wasn’t set, when the domain had already been set for the PingOne session.

ID-3504

Fixed an issue where you were unable to remove validation certificates assigned to Third-Party SAML identity bridges.

ID-1656

Fixed an issue where the instruction steps for creating or editing an application displayed HTML tags and encoded characters.

BE-656

(Browser extension) Fixed an issue during adding an application where the prompt to sign in normally for the application site was being displayed a second time after you’d already successfully signed in.

BE-623

(Browser extension) Fixed an issue where the Save popup wasn’t being displayed when adding the include::partial$p14e_p1refs_netflix.adoc[tags=netflix]application in include::pingone_for_enterprise:partial$p14e_p1refs_ie.adoc[tags=IE]10.