Known issues

Ticket ID Description
PASS-909 If you have only one person with an Administrator role and change that person's role to Application Owner, PingCentral will become impossible to administer.
PASS-1552 When updating a user's role, the Discard Changes button does not currently work.
PASS-1620 Clicking on the View Client Details link that displays in the Promotion History section of the page occasionally causes a blank white screen to display instead of the intended details. If this occurs, select another page within PingCentral and then return to the Applications page.
PASS-1998 When an OAuth/OIDC application is promoted from PingCentral to PingFederate, the secret is captured and saved. If this application is removed from PingCentral and a new application is created with the same name, promotions to PingFederate will use the client secret provided for the original application instead of the new secret that was provided in the new application. There is currently no way to retrieve the secret that was provided for the original promotion.
PASS-2090 If SSO is enabled and PingCentral cannot contact the OpenID provider on startup, PingCentral will fail to start. Either ensure your configuration is correct and the provider is up and running, or disable SSO. Review the application.log file to identify the issue.

PingCentral only accesses the OpenID Provider configuration at startup time. If relevant changes have been made on the provider which affect the configuration, PingCentral must be restarted to recognize them.

PASS-2097 When a user logs into PingCentral for the first time using SSO, a local user is provisioned to associate applications with the user. PingCentral Administrators can update local user information. However, if Administrators update the user name or delete a user name for an SSO user, that user will need to be reprovisioned the next time the user logs in using SSO, which can result in them losing ownership of their applications.
PASS-2122 When modifying an environment, if an identity provider certificate is added or updated, and then the PingFederate admin password is updated, the cursor will jump down to the IDP Certificate Password field each time a key is pressed.

Known limitations

Limitation Workaround
There is no PingCentral installer for Microsoft Windows. Install PingCentral by unzipping the file. Then, run the run.bat script, which is located in the bin folder. Or, run PingCentral as a service using the provided method, which is located in the sbin folder.
You cannot promote applications created in more recent versions of PingFederate to older versions of PingFederate. For example, you cannot promote an application created in PingFederate v9.3 to PingFederate v9.2.

SSO limitation Workaround
Rather than maintain a JWT within a cookie, the authentication state is maintained on the server side within PingCentral. The HTTP session is identified via the PINGCENTRAL_SESSION_ID cookie. Restarting PingCentral will reset this state, as it is not persistent.
PingCentral session settings are ignored when SSO is enabled. The HTTP session cookie, PINGCENTRAL_SESSION_ID, is fixed at this time. The token obtained from the provider is only subject to the expiration defined by the provider. Likewise, key rolling is defined by the provider and it is responsible for maintaining the appropriate keys within its JWKS endpoint.
When SSO is enabled, local PingCentral user access is not possible. This includes the default Administrator user. HTTP basic authentication is not available for PingCentral API access. OAuth 2 bearer tokens must be used.

OAuth/OIDC limitation Workaround
When using OAuth and OIDC, access token mappings are not automatically promoted with the application. Ensure access token mappings are available on the target instance of PingFederate.
When using OAuth and OIDC, authentication policy contracts and the associated mappings are not automatically promoted with the application. Ensure authentication policy contracts and the associated mappings are available on the PingFederate target instance.

SAML limitation Workaround
SP connections require authentication policy contract mappings. Adapter mappings are not supported.
Artifact and SOAP bindings are not supported for SP connections.
Dependent entities, including authentication policy contracts, data stores, etc., are not automatically promoted with the application. Ensure dependent entities are available on the PingFederate target instance.
All connections must specify a primary certificate for signature validation. Multiple connections are not supported.
Assertion encryption is not supported.