New features

Ticket ID Description
PASS-933 Access token mapping information is now stored when applications are added to PingCentral and transferred into the target PingFederate instances when applications are promoted.
PASS-1528 PingCentral now supports the PostgreSQL open source relational database system.
PASS-1128 Application owners can now revert applications to previously promoted versions. The reverted version of the application will not exist outside of PingCentral until it is promoted again, at which point it will also be available in PingFederate.
PASS-2015 When using SAML templates, application owners can now provide an .xml file that could contain an Entity ID, ACS URL, certificates, attribute information, or all of this information, from a similar SAML application. Or, they can continue providing the Entity ID, ACS URL and certificates during the promotion process.
PASS-2202 After a SAML application has been promoted to an environment, the connection metadata is exported and stored as part of that application. This metadata is now available to download as an .xml file, which you can use to promote other SAML applications.
PASS-2414 You can now use Docker to deploy PingCentral. Preconfigured Docker images are available in Docker containers, which provide complete working instances of applications that are immediately available to use after they are deployed.
PASS-2839 PingCentral now promotes the first Authentication Policy Contract (APC) configured for service provider connections. In prior releases, the APC, with the same ID, was expected to already exist in the target environment for the connection promotion to succeed.
PASS-3177 Application owners can now encrypt a SAML assertion if encryption is enabled for the connection.
PASS-3262 Application owners can now customize the scopes they apply to their OAuth and OIDC applications.

Resolved issues

Ticket ID Description

Protected environment text on the Environments page no longer incorrectly refers to "production" if the protected environment is not a production environment.


Unverified environments no longer display when templates and applications are added to PingCentral, and when applications are promoted.


Using special characters when searching on the Environments, Templates, and Users pages no longer results in a server error.


The sorting feature is no longer case sensitive for applications managed within PingCentral.


When updating SAML applications, PingCentral now correctly indicates whether certificates are optional.


After creating an environment, the user wizard can now be accessed without errors.

PASS-2925 PingFederates that have long passwords will no longer receive data integrity violation errors.

New known issues

Ticket ID Description

If you add a PingFederate environment to PingCentral that is missing a dependency and refresh your cache, the Add Application page will become unusable and you will receive an error message, which falsely informs you that your PingFederate administrator credentials are incorrect.

To resolve the issue, either add the missing dependencies or remove the environment from PingCentral.


When adding SAML metadata files or URLs to applications in the edit screen, you can inadvertently save applications without any attribute mappings, including the SAML_SUBJECT attribute that is required for promotion. If you attempt to promote those applications, you will receive an error message informing you that the SAML_SUBJECT attribute is missing from the attribute contract fulfillment.

To resolve this issue, access the edit screen for the application, assign the SAML_SUBJECT attribute a value, and attempt to promote the application again.



If an SP certificate is added to a SAML application and a SAML metadata file is subsequently provided that contains a certificate, additional changes to the application cannot be saved.

If this occurs, exit the edit screen and then access it again.


PingCentral now promotes access token mappings and APCs (Authentication Policy Contracts) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PF environments, applications will not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.


If you promote a SAML application with an assertion encryption certificate and then attempt to edit the application, the Save and Discard Changes buttons display on the edit screen before you make any changes, which could be misleading.

Ignore this irregularity and click the Save button, or click the Discard Changes button to exit the edit screen.


If applications and environments have long names, you might not be able to see the entire list of available environments when you attempt to promote applications.

To select an environment not immediately visible from the list, continue scrolling. The entire list will eventually display, but environment names toward the bottom of the list might appear distorted.


When application owners use SSO to access PingCentral, administrators cannot assign applications to them prior to the application owners ever accessing PingCentral.

However, after they sign on to PingCentral, administrators can access their account information and assign applications to them.


OAuth and OIDC applications created from templates in PingCentral version 1.0.1 used the application name as the Client ID during promotion. Starting with PingCentral version 1.2, the application ID is used as the Client ID.

So, if an OAuth or OIDC application is created from a PingCentral version 1.0.1 template and promoted, a new client ID will be created for the application and the old client ID will no longer be used.


If the Promote button is clicked more than once when a SAML application is promoted, the application could be unintentially promoted to an environment multiple times.

To prevent this from happening, press the Enter key during the promotion process.


If a PingFederate environment is added to PingCentral and becomes unavailable for any reason, no applications will display on the Applications page.

To resolve this issue, an administrator can remove the environment from PingCentral, set PingCentral to skip verification on the environment, or resolve the issues making the environment unavailable.

PASS-3645 When adding and updating SAML applications, you will receive an error message if you provide a service provider metadata file that does not contain certificate information.

If this occurs, ignore the message and continue to add or update the application.

PASS-3646 The names of scopes added to applications cannot contain spaces, nor can the Scopes field contain spaces before or after the scope name. If spaces exist, applications cannot be successfully promoted.
PASS-3648 When updating SAML applications, you can provide a new metadata file to replace an older version. If the new file does not contain a certificate, the certificate associated with the older version might still display.

If this occurs, click Cancel and select the .xml file again. The page will reflect the absence of a certificate after it is refreshed.

PASS-3659 When promoting SAML applications with multiple authentication policy contracts that were directly imported into PingCentral, the first contract on the list should be used. However, all contracts in the list are currently being used, which results in promotions failing if the destination environments do not contain authentication policy contracts with matching IDs.
PASS-3663 When creating templates or adding existing OAuth or OIDC applications to PingCentral, information regarding the client displays. When scopes are not restricted, the Scopes field displays None, when it should display the following message: This application uses all common scopes provided by the target environment.