PingOne for Enterprise

Previous PingOne SSO for SaaS Apps releases

February 2022

Enhancements
Feature Description

Manual Connection IdPID

Removed the ability to change the idpid value for an existing manual customer connection.

The idpid value acts as the identifier for an IdP connection, and changing it can cause unexpected behavior.

If you need to change the idpid value, you can create a new manual connection.

For more information, see What is an idpId?.

October 2021

Enhancements
Feature Description

SSO/SLO

Increased the max-age parameter of the strict-transport-security header for the https://sso.connect.pingidentity.com/sso/ endpoint.

The previous max-age was 1 year. The new max-age is 2 years.

September 2021

Enhancements
Feature Description

Custom Entity ID

Added the ability to define a custom entity ID for applications that are enabled through PingOne.

If a custom entity ID is in use by a non-multiplexed connection, it cannot be changed.

For more information, see Add or update other applications.

SSO Summary Report

Added a new SSO User Count report type.

The SSO User Count report counts the total number of unique users for a customer during the specified period. You can run the report either by customer name or IdP ID.

For more information, see PingOne for Enterprise report types.

Resolved issues
Ticket ID Issue

SSD-16877

Fixed an issue where updating a customer connection without specifying the signingCertFingerprint parameter reassigned the signing certificate to the default signing certificate.

July 2021

Enhancements
Feature Description

Customer Connection API

Added a feature allowing you to delete customer connections and application connections using the customer connection API.

Admin Portal Banner

Added a feature allowing you to display a banner message in the administrative portal.

For more information, see Assign branding and design.

June 2021

Enhancements
Feature Description

Read-Only Administrative Roles

Added a feature allowing you to assign user groups to read-only versions of administrative roles.

Read-only roles allow administrators to access the areas of the admin portal normally allowed by that role, but not to change settings.

For more information, see Configure SSO to the admin portal.

Verbose Reporting

Added a feature allowing more detailed reports and subscriptions for partner accounts with OIDC identity providers.

May 2021

Enhancements
Feature Description

Account ID

Added a feature allowing administrative users to look up their unique account ID.

To find your account ID, go to Account → Properties.

April 2021

Enhancements
Feature Description

Invited Connection Contact Email

Added a feature allowing administrators to change the contact email for invited accounts.

For more information, see Edit an invited customer connection.

March 2021

Enhancements
Feature Description

Customer Connections REST API

Added request parameters to the Customer Connection REST API. These optional parameters give you the same control over application connections through the API that you have in the admin console.

OAuth Access Token

Increased the allowed number of trusted origins for OAuth access token Cross-Origin Resource Sharing. The previous limit was 10. The current limit is 100.

For more information, see Configuring your OAuth settings.

January 2021

Enhancements
Feature Description

Admin Console SSO

Added the ability to configure your IdP connection to allow administrative users to SSO into the admin console.

See Known issues and limitations below for important limitations to this feature.

For more information, see Configure SSO to the admin portal.

PingOne Token Lifetime

Reduced the lifetime of the PingOne user token from ten minutes to five minutes.

Known issues and limitations
Subject Issue/Limitation

Single Logout

PingOne’s single logout (SLO) implementation relies on the ability to send cookies within an iframe. Some browsers now block this ability by default, which causes problems with SLO.

SLO does not function on browsers where third-party cookies are disabled.

This issue impacts SLO on the following browsers:

  • Safari 13.1+ on macOS

  • Safari on iOS and iPadOS 13.4+

  • Any browser where the user has disabled third-party cookies

IdP-initiated SLO does not terminate the admin portal session in browsers that enforce SameSite.

We are working to accommodate this new behavior.

November 2020

Enhancements
Feature Description

Administrator Settings

Added a feature that allows you to change the certificate expiration notification settings for Global and SaaS administrators.

October 2020

Enhancements
Feature Description

Customer Connections

Added a feature that allows you to filter the list of existing customer connections by status or type.

April 2020

Enhancements
Feature Description

Certificate management

We’ve added a new certificate management UI. The new UI enables you to:

  • Create new signing certificates

  • View usage of configured certificates

  • Migrate individual applications and identity providers to different signing certificates, or change the configured verification certificate

  • Automatically receive email notifications when certificates are expiring or have expired

See Certificate management for more information.

September-November 2019

Enhancements
Feature Description

Adding OIDC applications

We’ve updated the selection and configuration of OIDC applications, streamlining this process based on the type of OIDC application connection you want to add. See Adding or updating an OIDC application for more information.

OpenID Connect login_hint parameter

We’ve added the ability for you to pass the idpid or email domain in the OpenID Connect (OIDC) login_hint parameter when adding an OIDC application. See the Default User Profile Attribute Contract settings in Adding or updating an OIDC application for more information.

June, 2019

Enhancements
Feature Description

Customer connection email invitation

You can now select the PingOne data center region for invited customers. See Creating an invited SSO connection for more information.

April, 2019

Enhancements
Feature Description

Cross-origin resource sharing (CORS) for OpenID Connect

If you’re integrating OpenID Connect (OIDC) applications with PingOne, you can now configure one or more trusted origins to enable cross-origin resource sharing (CORS). See Configuring your OAuth settings for more information.

January, 2019

Enhancements
Feature Description

SSO reporting

We’ve added new report types and predefined reports for SSO transactions. For more information, see Report types and Report event information.

November, 2018

Enhancements
Feature Description

Turkish language support

We’ve updated the PingOne user interface to include support for Turkish. For more information, see PingOne language support.

October, 2018

Enhancements
Feature Description

Administrative auditing (reports and subscriptions)

Administrative auditing is now available for PingOne for Enterprise, PingID, and PingOne SSO for SaaS Apps. You can use the administrative audit events through both the Reports and the Subscriptions facilities.

PKCE support for OpenID Connect (OIDC)

We’ve added support for Proof Key for Code Exchange (PKCE) to secure OIDC clients that cannot or choose not to use a client secret. We have therefore relaxed the requirement that a client secret must be specified when configuring an OIDC application with the authorization code flow.

September, 2018

Enhancements
Feature Description

PKCE support for OpenID Connect (OIDC)

We’ve added support for Proof Key for Code Exchange (PKCE) to secure OIDC clients that cannot or choose not to use a client secret. We have therefore relaxed the requirement that a client secret must be specified when configuring an OIDC application with the authorization code flow. For more information, see Integrate an OIDC application, PKCE parameters.

July, 2018

Enhancements
Feature Description

OpenID Connect applications

PingOne for Enterprise and PingOne SSO for SaaS Apps now support the OpenID Connect (OIDC) protocol for application integration using code, implicit or hybrid flows. You can customize access tokens for your account or per application. Client authentication is done using client secrets.

For PingOne for Enterprise, you can make PingOne OIDC applications available on the PingOne dock. The applications are also selectable in access and authentication policies.

June, 2018

Enhancements
Feature Description

Service provider SAML encryption

We have added an option for you to configure encryption of the assertion in the outbound SAML response sent from PingOne for an application. You can assign the encryption algorithm to use. You can also upload your own certificate to use for encryption. NOTE: For enhanced security we will sign the SAML response rather than the assertion in the SAML response when encryption is enabled.

See Add or update a SAML-enabled application for more information.

Updated navigation design

We have updated the design of the top-level navigation for the PingOne admin portal. There is no functional or behavioural impact. This is solely a style change.

March, 2018

Resolved issues
Ticket ID Issue

SSD-6751

Fixed an issue where the restAuthUsername value wasn’t always set when the integration page was loaded.

December, 2017

Enhancements
Feature Description

SAML signature signing algorithm

We’ve added the ability for you to configure the signature signing algorithm for all assertion signing to PingOne. PingOne will continue to support the SHA-1 algorithm, but now allows you to select SHA-256, SHA-384 and SHA-512. New SAML connections default to SHA-256. See Adding or updating a SAML-enabled application for more information.

November, 2017

Known issues and limitations
Subject Issue/Limitation

Multiplexing and manual connections

When configuring a manual connection to an application, it is currently possible to choose not to use multiplexing for non-SAML applications. However, multiplexing is used for all non-SAML applications.

October, 2017

Resolved issues
Ticket ID Issue

SSD-5879

Fixed an issue where the number of connections displayed on the My Applications page for applications was incorrect when an application was disabled.

SSD-3780

Fixed an issue where no warning or confirmation prompt was displayed when saving an Attribute Policy that had no associated connection.

Known issues and limitations
Subject Issue/Limitation

Multiplexing and manual connections

When configuring a manual connection to an application, it is currently possible to choose not to use multiplexing for non-SAML applications. However, multiplexing is used for all non-SAML applications.

June, 2017

Enhancements
Feature Description

PingOne universal certificate

A new PingOne universal certificate is now available. If you’re using multiplexing, or using manually configured customer connections, you’re using the PingOne universal certificate. In this case, it is imperative that you edit the application configuration to update the PingOne universal certificate. See Update the PingOne SSO for SaaS Apps universal certificate for instructions.

PingOne encryption certificate

When you’re adding a customer connection manually, we’ve added the option to separately download the PingOne encryption certificate.

IdP discovery

When you edit a customer connection, you need only specify the domain or domains used for customer email addresses and we will use this information to discover the IdP for the connection. We’ve added the option to set the current connection as the default IdP connection used for all of your applications.

We’ve also updated the IdP Discovery popup window to display the application logo and your corporate logo (if you’ve configured this).

Testing application integration

For security reasons, we’ve disabled connections to the PingOne Test IdP by default. This connection is enabled only when you select to test your application. We also ensure that you can disable the connection when you’re done testing.

April-May, 2017

Enhancements
Feature Description

Corporate branding

We’ve added an Account → Branding page for you to assign branding to be used for your organization’s account.

February, 2017

Enhancements
Feature Description

Salesforce provisioner

We’ve updated the Salesforce provisioner with the following changes and enhancements:

  • Support for approximately 150 additional user attributes.

  • Support for Salesforce REST v37.0 API.

  • Support for OAuth Authentication with the OAuth Configuration Service (OCS).

  • Support for custom subdomains.

  • You now have the option to freeze user accounts, rather than deactivating them.

  • Improved exception handling and reporting.

  • Support for Salesforce disabling TLS 1.0.

Resolved issues
Ticket ID Issue

SSD-4316

Fixed an issue that was prompting a user to activate OAuth when creating a connection for which provisioning was not selected.

IO-2027

We’ve improved the handling of different letter case logins and aliases for the Box provisioner.

IO-2243

Fixed an issue with the Microsoft Office 365 provisioner that was causing an error when trying to retrieve a user during provisioning.

IO-2242

Fixed an issue with the WebEx provisioner’s handling of time zones not listed in WebEx’s time zone encoding list.

January, 2017

Resolved issues
Ticket ID Issue

SSD-4040

Fixed an issue where filtering dashboard metrics by "today" returned 0 results. Also fixed an issue where the mouse-over popup on chart data that spanned a DST boundary reported a time offset by +1/-1 hour.

SSD-4071

Fixed an issue that prevented SLO settings changed on an application in a PingOne for SaaS Apps account from being propagated to all connections to that application.