For the best possible experience, review these notes before using PingCentral 1.10.
Update OAuth and OIDC template grant types, scopes, and policy contracts and revert to previous versions
If you are an administrator, you can now update the grant types,
scopes, and policy contracts in OAuth and OpenID Connect (OIDC) templates to
further customize them to meet your needs.
The history of these templates is also available to review and
compare with previous versions. You can see which administrator modified the
template configuration or policy contract, when it was modified, and details
regarding these modifications. You can also revert templates to previous
versions, if necessary. See OAuth and OIDC templates for
details.
Update applications with the latest template version available
If an application is based on an outdated template, an
Outdated Template icon now displays next to its name
in the applications list. Edit the template and click the Update
Template button. See Updating applications for
details.
Use SSO to access PingFederate and PingAccess from PingCentral
You can now use SSO to access PingFederate and PingAccess from
PingCentral. For details, see Configuring PingFederate and PingAccess for SSO.
Account lockout mechanisms added to mitigate password guessing
Account lockout mechanisms that prevent users from accessing the
application or API after a specified number of failed sign-on attempts were
added to this release. Specify the number of failed attempts that are allowed
before users are locked out and the lockout period in the
application.yaml file.
Cannot update or revert templates created in version 1.2 or earlier
Templates created in version 1.2 or earlier do not store the
environment ID, so you cannot update their grant types, scopes, or policy
contracts, nor can you revert them to previous versions.
Resolved a potential security vulnerability
Resolved a potential security vulnerability that is described in
security bulletin SECBL022 (requires sign-on).
Configure APC mappings for OIDC applications in PingFederate
PingCentral promotes access
token mappings and authentication policy contracts (APCs) with OIDC
applications, but the APC mappings that link the APCs to the access token
managers are not currently promoted with them. If the APC mappings do not
already exist in the target PingFederate
environments, applications do not function as expected.
When new APCs are promoted in PingCentral, an access token mapping referencing
the APC is created, but the persistent grant mapping is not established, so the
configurations are invalid.
To resolve these issues, configure the APC mappings within
PingFederate.
SP certificates and assertion encryption certificates must be different
When promoting SAML applications, PingFederate does not allow you to use the same
certificate as both a service provider (SP) certificate and an assertion
encryption certificate. Instead of preventing the promotion from continuing, you
receive a message similar to the following:
Environment 'staging': PingFederate. This certificate either
has the same ID or the same content as the certificate with index 0.
To continue the promotion, ensure that the SP certificate and the
assertion encryption certificate are different.
Promoting applications with authentication challenge policies
Customized authentication challenge responses, which support
single-page applications, are available in PingAccess 6.2 or later. Applications with this
type of policy can be added to PingCentral,
but cannot be promoted to another environment unless the authentication
challenge policy, with the same UUID, also exists in the target
environment.
Update truststore path if PingCentral fails to start
After upgrading to 1.8, 1.9, or 1.10, PingCentral fails to start if
${pingcentral.home} is used in the trust store path. To
prevent this from happening, change the home path to be the absolute trust store
path and delete the Certificates table in the database.
Adding SAML applications through the API
If you attempt to add a SAML application to PingCentral from an existing application through
the API, and the connection JSON contains identity attribute names and
placeholders, you receive an error message advising you to nullify the
Names field. However, even if you nullify this field,
you still receive an error message because the JSON contains placeholders.
Remove these placeholders before you proceed.
Managing environments through the API
When creating, updating, or validating an environment through the
API, you receive a server error message if the environment
Name or Password fields are
null or missing. API requests cannot be processed without this information, so
ensure that these fields contain valid values.
You also receive a misleading error message if the
PingAccess Password field is null. Rather than
informing you that the information in this field is invalid, the message states that
you cannot connect to the PingFederate administrative console.
Requests to connect PingAccess to a PingCentral environment cannot be
processed without this information, so ensure that this field contains a valid
value.