Previous PingOne SSO for SaaS Apps releases

Manual Connection IdPID

Removed the ability to change the idpid value for an existing manual customer connection.

The idpid value acts as the identifier for an IdP connection, and changing it can cause unexpected behavior.

If you need to change the idpid value, you can create a new manual connection.

For more information, see What is an idpId?.

SSO/SLO

Increased the max-age parameter of the strict-transport-security header for the https://sso.connect.pingidentity.com/sso/ endpoint.

The previous max-age was 1 year. The new max-age is 2 years.

Custom Entity ID

Added the ability to define a custom entity ID for applications that are enabled through PingOne.

If a custom entity ID is in use by a non-multiplexed connection, it cannot be changed.

For more information, see Add or update other applications.

SSO Summary Report

Added a new SSO User Count report type.

The SSO User Count report counts the total number of unique users for a customer during the specified period. You can run the report either by customer name or IdP ID.

For more information, see PingOne for Enterprise report types.

Customer Connection API

Added a feature allowing you to delete customer connections and application connections using the customer connection API.

For more information, see PingOne SSO for SaaS Apps Customer Connection API.

Admin Portal Banner

Added a feature allowing you to display a banner message in the administrative portal.

For more information, see Assign branding and design.

Read-Only Administrative Roles

Added a feature allowing you to assign user groups to read-only versions of administrative roles.

Read-only roles allow administrators to access the areas of the admin portal normally allowed by that role, but not to change settings.

For more information, see Configure SSO to the admin portal.

Verbose Reporting

Added a feature allowing more detailed reports and subscriptions for partner accounts with OIDC identity providers.

For more information, see Creating and administering a partner account.

Account ID

Added a feature allowing administrative users to look up their unique account ID.

To find your account ID, go to Account → Properties.

Invited Connection Contact Email

Added a feature allowing administrators to change the contact email for invited accounts.

For more information, see Edit an invited customer connection.

Customer Connections REST API

Added request parameters to the Customer Connection Rest API. These optional parameters give you the same control over application connections using the API that you would have using the admin console.

For more information, see PingOne SSO for SaaS Apps Customer Connection API

OAuth Access Token

Increased the allowed number of trusted origins for OAuth access token Cross-Origin Resource Sharing. The previous limit was 10. The current limit is 100.

For more information, see Configuring your OAuth settings.

Admin Console SSO

Added the ability to configure your IdP connection to allow administrative users to SSO into the admin console.

See Known issues and limitations below for important limitations to this feature.

For more information, see Configure SSO to the admin portal

PingOne Token Lifetime

Reduced the lifetime of the PingOne user token from ten minutes to five minutes.

For more information, see Process the PingOne SSO for SaaS Apps token exchange.

Single Logout

PingOne’s single logout (SLO) implementation relies on the ability to send cookies within an iframe. Some browsers now block this ability by default, which causes problems with SLO.

SLO does not function on browsers where third-party cookies are disabled.

This issue impacts SLO on the following browsers:

IdP-initiated SLO does not terminate the admin portal session in browsers that enforce SameSite.

We are working to accommodate this new behavior.

Administrator Settings

Added a feature that allows you to change the certificate expiration notification settings for Global and SaaS administrators.

For more information, see Editing administrative roles, permissions, and notifications and Manage your user profile.

Customer Connections

Added a feature that allows you to filter the list of existing customer connections by status or type.

For more information, see Edit an invited customer connection and Edit a managed customer connection.

Certificate management

We’ve added a new certificate management UI. The new UI enables you to:

See Certificate management for more information.

Adding OIDC applications

We’ve updated the selection and configuration of OIDC applications, streamlining this process based on the type of OIDC application connection you want to add. See Adding or updating an OIDC application for more information.

OpenID Connect login_hint parameter

We’ve added the ability for you to pass the idpid or email domain in the OpenID Connect (OIDC) login_hint parameter when adding an OIDC application. See the Default User Profile Attribute Contract settings in Adding or updating an OIDC application for more information.

Customer connection email invitation

You can now select the PingOne data center region for invited customers. See Creating an invited SSO connection for more information.

Cross-origin resource sharing (CORS) for OpenID Connect

If you’re integrating OpenID Connect (OIDC) applications with PingOne, you can now configure one or more trusted origins to enable cross-origin resource sharing (CORS). See Configuring your OAuth settings for more information.

SSO reporting

We’ve added new report types and predefined reports for SSO transactions. For more information, see .pingidentity.com/pingone/saasSsoAdminGuide/index.shtml//[Report types] and .pingidentity.com/pingone/saasSsoAdminGuide/index.shtml//[Report event information].

Turkish language support

We’ve updated the PingOne user interface to include support for Turkish. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[PingOne language support].

Administrative auditing (reports and subscriptions)

Administrative auditing is now available PingOne for Enterprise, PingID and PingOne SSO for SaaS Apps. You can utilize the administrative audit events through both the Reports and the Subscriptions facilities.

PKCE support for OpenID Connect (OIDC)

We’ve added support for Proof Key for Code Exchange (PKCE) to secure OIDC clients that cannot or choose not to use a client secret. We have therefore relaxed the requirement that a client secret must be specified when configuring an OIDC application with the authorization code flow.

PKCE support for OpenID Connect (OIDC)

We’ve added support for Proof Key for Code Exchange (PKCE) to secure OIDC clients that cannot or choose not to use a client secret. We have therefore relaxed the requirement that a client secret must be specified when configuring an OIDC application with the authorization code flow. For more information, see .pingidentity.com/pingone/employeeSsoAdminGuide/index.shtml//[Integrate an OIDC application, PKCE parameters] For more information, see .pingidentity.com/pingone/saasSsoAdminGuide/index.shtml//[Integrate an OIDC application, PKCE parameters].

OpenID Connect applications

PingOne for Enterprise and PingOne SSO for SaaS Apps now support the OpenID Connect (OIDC) protocol for application integration using code, implicit or hybrid flows. You can customize access tokens for your account or per application. Client authentication is done using client secrets.

For PingOne for Enterprise, you can make PingOne OIDC applications available on the PingOne dock. The applications are also selectable in access and authentication policies.

Service provider SAML encryption

We have added an option for you to configure encryption of the assertion in the outbound SAML response sent from PingOne for an application. You can assign the encryption algorithm to use. You can also upload your own certificate to use for encryption. NOTE: For enhanced security we will sign the SAML response rather than the assertion in the SAML response when encryption is enabled.

See Add or update a SAML-enabled application for more information.

Updated navigation design

We have updated the design of the top-level navigation for the PingOne admin portal. There is no functional or behavioural impact. This is solely a style change.

SSD-6751

Fixed an issue where the restAuthUsername value wasn’t always set when the integration page was loaded.

SAML signature signing algorithm

We’ve added the ability for you to configure the signature signing algorithm for all assertion signing to PingOne. PingOne will continue to support the SHA-1 algorithm, but now allows you to select SHA-256, SHA-384 and SHA-512. New SAML connections default to SHA-256. See Adding or updating a SAML-enabled application for more information.

Multiplexing and manual connections

When configuring a manual connection to an application, currently it is possible to select for multiplexing not to be used for non-SAML applications. Multiplexing is used for all non-SAML applications.

SSD-5879

Fixed an issue where the number of connections displayed on the My Applications page for applications was incorrect when an application was disabled.

SSD-3780

Fixed an issue where no warning or confirmation prompt was displayed when saving an Attribute Policy that had no associated connection.

Multiplexing and manual connections

When configuring a manual connection to an application, currently it is possible to select for multiplexing not to be used for non-SAML applications. Multiplexing is used for all non-SAML applications.

PingOne universal certificate

A new PingOne universal certificate is now available. If you’re using multiplexing, or using manually configured customer connections, you’re using the PingOne universal certificate. In this case, it is imperative that you edit the application configuration to update the PingOne universal certificate. See Update the PingOne SSO for SaaS Apps universal certificate for instructions.

PingOne encryption certificate

When you’re adding a customer connection manually, we’ve added the option to separately download the PingOne encryption certificate.

IdP discovery

When you edit a customer connection, you need only specify the domain or domains used for customer email addresses and we will use this information to discover the IdP for the connection. We’ve added the option to set the current connection as the default IdP connection used for all of your applications.

We’ve also updated the IdP Discovery popup window to display the application logo and your corporate logo (if you’ve configured this).

Testing application integration

For security reasons, we’ve disabled connections to the PingOne Test IdP by default. This connection is enabled only when you select to test your application. We also ensure that you can disable the connection when you’re done testing.

Corporate branding

We’ve added an Account → Branding page for you to assign branding to be used for your organization’s account.

Salesforce provisioner

We’ve updated the Salesforce provisioner with the following changes and enhancements:

SSD-4316

Fixed an issue that was prompting a user to activate OAuth when creating a connection for which provisioning was not selected.

IO-2027

We’ve improved the handling of different letter case logins and aliases for the Box provisioner.

IO-2243

Fixed an issue with the Microsoft Office 365 provisioner that was causing an error when trying to retrieve a user during provisioning.

IO-2242

Fixed an issue with the WebEx provisioner’s handling of the timezones not listed in WebEx’s timezone encoding list.

SSD-4040

Fixed an issue when filtering dashboard metrics, where filtering by "today" would return 0 results. Also fixed an issue with the mouse over popup on chart data that spanned a DST boundary where the time reported was offset by +1/-1 hour.

SSD-4071

Fixed an issue that was preventing the propagation of SLO settings changed on an application in a PingOne for SaaS Apps account from being applied to all connections to that application.