PingCentral 1.11 (March 2023) - PingCentral - 1.11

When creating a new client, PingCentral now generates OAuth client secrets compatible with PingFederate. For more information, see Promoting OAuth and OIDC applications.

You can now configure multiple Assertion Consumer Service (ACS) URLs during SAML application creation. This new feature simplifies application development since the same application can use different URLs simultaneously. For more information, see Using SAML 2.0 templates.

When promoting an application between environments, you can now configure an application name for OAuth and OpenID Connect (OIDC) clients, SAML connections, and PingAccess applications. For more information, see Promoting applications.

You can now choose to delete applications from PingFederate or PingAccess in addition to PingCentral. This feature is flexible because you can select which environments to delete the application from. For more information, see Managing applications.

Instead of using administrator credentials for basic authentication, you can now configure PingCentral to use OAuth client credentials to connect to PingFederate or PingAccess. PingCentral will request an access_token to use whenever it connects to PingFederate or PingAccess. For more information, see Configuring PingFederate and PingAccess for SSO.

Along with other dependencies (libraries), we've upgraded the H2 database from v1 to v2. For more information, see Upgrading PingCentral.

PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:

Environment'staging': PingFederate. This certificate either has the same ID or the same content as the certificate with index 0.

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if ${pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Templates created in 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

If the installation path has any spaces in the existing or new instance, the H2 database is not migrated during upgrade. Upon removing the spaces from the file path, the migration is successful.