PingCentral 1.10 (June 2022) - PingCentral - 1.10

If you are an administrator, you can now update the grant types, scopes, and policy contracts in OAuth and OpenID Connect (OIDC) templates to further customize them to meet your needs.

The history of these templates is also available to review and compare with previous versions. You can see which administrator modified the template configuration or policy contract, when it was modified, and details regarding these modifications. You can also revert templates to previous versions, if necessary. See OAuth and OIDC templates for details.

If an application is based on an outdated template, an Outdated Template icon now displays next to its name in the applications list. Edit the template and click the Update Template button. See Updating applications for details.

You can now use SSO to access PingFederate and PingAccess from PingCentral. For details, see Configuring PingFederate and PingAccess for SSO.

Account lockout mechanisms that prevent users from accessing the application or API after a specified number of failed sign-on attempts were added to this release. Specify the number of failed attempts that are allowed before users are locked out and the lockout period in the application.yaml file.

Templates created in version 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

Resolved a potential security vulnerability that is described in security bulletin SECBL022 (requires sign-on).

PingCentralpromotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral, but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

After upgrading to 1.8, 1.9, or 1.10, PingCentral fails to start if ${pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

If you attempt to add a SAML application to PingCentral from an existing application through the API, and the connection JSON contains identity attribute names and placeholders, you receive an error message advising you to nullify the Names field. However, even if you nullify this field, you still receive an error message because the JSON contains placeholders. Remove these placeholders before you proceed.

When creating, updating, or validating an environment through the API, you receive a server error message if the environment Name or Password fields are null or missing. API requests cannot be processed without this information, so ensure that these fields contain valid values.

You will also receive a misleading error message if the PingAccess Password field is null. Rather than informing you that the information in this field is invalid, it informs you that you cannot connect to the PingFederateadministrative console, which is misleading.

Requests to connect PingAccess to a PingCentral environment cannot be processed without this information, so ensure that this field contains a valid value.