New features

Ticket ID Description


Administrators can create templates from PingAccess applications. For more information, see Creating PingAccess application templates.


Application owners can apply PingAccess templates to their applications and promote them to PingAccess environments. For more information, see Using PingAccess templates and Promoting PingAccess applications.

Resolved issues

Ticket ID Description


When updating a user's role, the Discard Changes button works as expected.


Previously, when PingCentral was configured to authenticate users through single sign-on (SSO) and it was not able to connect to PingFederate, the token provider, PingCentral would fail to start.

This issue has been resolved. Now, if PingCentral cannot connect to PingFederate, PingCentral starts and users receive an error message indicating that a connectivity issue is preventing them from signing in.


If you attempt to create applications without a signing key pair, you will receive the following message: "Application signing settings not found. PingCentral currently only supports connections with signing settings."


If administrators add PingFederate environments to PingCentral that are missing dependencies, such as an authentication policy or access token management (ATM) information, they receive an error message that more accurately describes the issue.


Previously, when adding SAML metadata files or URLs to applications on the edit page, you could inadvertently save applications without any attribute mappings, including the SAML_SUBJECT attribute that is required for promotion. This issue was resolved, and you cannot promote applications until the SAML_SUBJECT attribute is assigned a value.


If the only environment in PingCentral is deleted, users can see the applications created from and promoted to that environment on the Applications page.


Previously, attribute scopes within an OpenID Connect policy had to be defined already within the target environment, or the policy could not be promoted.


Previously, you could not promote a PingAccess application to an environment where an application with the same name, but different destination type (site or agent), already existed. This issue is resolved.


If a PingFederate application was created from a template in a PingFederate version later than the version to which it is being promoted, the promotion fails. For example, if the template was created from a PingFederate 10.1 application, and you promote it to a PingFederate 9.3 environment, the promotion fails.

Previously, when this occurred, users received an unclear error message. Now, users receive an error message stating that promotions to previous versions of Ping Identity products are not currently supported.


PingCentral token provider validation succeeds if the PingFederate base URL matches the PingAccess issuer URL. The default HTTPS port number 443 is no longer required to be explicitly indicated.


Previously, if you promoted a PingAccess application and renamed it in PingCentral, you could not promote it again without reverting the name change. This issue is resolved.

Known issues

Ticket ID Description


When SSO is enabled, custom session settings are modifiable, but are not honored.


When SSO is enabled, administrators can add and update users in PingCentral through the User Management page, even though it has no effect.


When modifying an environment, if an identity provider certificate is added or updated, and then the PingFederate admin password is updated, the cursor will jump down to the IDP Certificate Password field each time a key is pressed.


Administrators cannot update information for users not associated with a PingCentral environment, template, or application.


If PostgreSQL is set up without a database, PingCentral will fail to start. To prevent this from happening, add the database to the server prior to starting PingCentral.


If an OAuth application is added from an environment that does not use a client secret to authenticate, the Client Secret field displays, but is ignored. This display could cause confusion, as users can add and generate client secrets for their applications, but the secrets are not saved as expected.


If you enter an invalid application name when updating a SAML application, you will not receive an error message.


If a certificate is added to a SAML application and a SAML metadata file is subsequently provided that contains a certificate, additional changes to the application cannot be saved. If this occurs, exit the edit page and then access it again.


PingCentral promotes access token mappings and APCs (Authentication Policy Contracts) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PF environments, applications will not function as expected.

When new APCs are promoted in PingCentral, an access token mapping referencing the APC is created, but the persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.


If you promote a SAML application with an assertion encryption certificate and then attempt to edit the application, the Save and Discard Changes buttons display on the edit page before you make any changes, which could be misleading.

Ignore this irregularity and click the Save button, or click the Discard Changes button to exit the edit page.


If applications and environments have long names, you might not be able to see the entire list of available environments when you attempt to promote applications.

To select an environment not immediately visible from the list, continue scrolling. The entire list will eventually display, but environment names toward the bottom of the list might appear distorted.


When application owners use SSO to access PingCentral, administrators cannot assign applications to them prior to the application owners ever accessing PingCentral.

However, after they sign on to PingCentral, administrators can access their account information and assign applications to them.


If the Promote button is clicked more than once when a SAML application is promoted, the application could be unintentionally promoted to an environment multiple times. To prevent this from happening, press the Enter key during the promotion process.


When adding and updating SAML applications, you receive an error message if you provide a service provider metadata file that does not contain certificate information. If this occurs, ignore the message and continue to add or update the application.


If you update SAML attributes while updating other application information, the attribute information will not be saved. To prevent this from happening, update the attributes and save your changes. Then, you can update additional application information.


If owner or promotion configuration information is updated for a PingAccess application, or a PingAccess application is promoted, the modified timestamp does not update as it should, which could be deceiving if the list of applications is sorted by modified date. However, if you update the name, description, context root, resources, or policy, the timestamp is also updated.


If you add an application to PingCentral from the Applications page, unmanaged applications that you cannot manage might display.


If you filter for PingAccess applications, add a PingAccess application by using the Add to PingCentral button, and return to the Applications page, the filter might appear to be on and you might not be able to view the details for another unmanaged PingAccess application. If this occurs, refresh your browser window.


If PingCentral is installed as a service, installation files are stored in a local directory, such as /usr/local/pingcentral-1-1.4.0/. When using the command line to upgrade to 1.5.0, ensure that the existing parameter points to the direct path of the previous installation, and not to the softlink path, which appears first. Selecting the softlink path results in the installation failing even though a success message displays.


Administrators can change environment short codes to codes that already exist. If this occurs, and users promote an application to two different environments with the same short code, only one environment status icon displays, which could be misleading. To prevent this from happening, ensure each environment short code is unique.


If PingCentral was installed as a Linux service by one user, and the upgrade is performed by another, the service might no longer start. To resolve this issue, run the following command to update the installation files to match the existing ownership:

chown -R [user]:[group] [INSTALL_DIR]

Where the user and group match the existing installation. For example:

chown -R pingcentral:pingcentral /usr/local/pingcentral-1
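
The two upgrade issues above (the softlink path and mismatched installation ownership) can be checked before and after an upgrade. The following script is an added example, not part of the original release notes or of Ping Identity's tooling; its function names are hypothetical, and it assumes a POSIX shell with find, ls, and awk.

```shell
#!/bin/sh
# Added example (not Ping Identity code): pre-upgrade checks for a PingCentral
# service installation. All function names are hypothetical.

# Succeeds if the given path is itself a symbolic link (the "softlink path").
is_softlink() {
    [ -L "${1%/}" ]
}

# Prints the direct, symlink-free path of an installation directory.
resolve_install_dir() {
    ( cd -P -- "$1" 2>/dev/null && pwd -P )
}

# Prints the numeric "uid:gid" that owns the installation directory itself.
install_owner() {
    ls -ldn -- "$1" | awk '{ print $3 ":" $4 }'
}

# Prints how many entries under DIR are not owned by USER and GROUP.
# Returns 2 if find fails (unknown user or group, unreadable directory).
count_ownership_mismatches() {
    cm_list=$(find "$1" \( ! -user "$2" -o ! -group "$3" \) -print) || return 2
    if [ -z "$cm_list" ]; then echo 0
    else printf '%s\n' "$cm_list" | wc -l | tr -d ' '; fi
}

# Usage: preflight PATH USER GROUP
# Prints the direct path to give to the upgrade. Returns 1 if ownership under
# it does not match USER:GROUP, 2 if the check could not be completed.
preflight() {
    pf_real=$(resolve_install_dir "$1") || { echo "no such directory: $1" >&2; return 2; }
    if is_softlink "$1"; then
        echo "note: $1 is a softlink; use the direct path instead" >&2
    fi
    echo "$pf_real"
    pf_bad=$(count_ownership_mismatches "$pf_real" "$2" "$3") || {
        echo "cannot check ownership for $2:$3" >&2; return 2; }
    if [ "$pf_bad" -gt 0 ]; then
        echo "$pf_bad entries not owned by $2:$3; run: chown -R $2:$3 $pf_real" >&2
        return 1
    fi
    return 0
}

# Example call, using the path and account from the text above:
#   preflight /usr/local/pingcentral-1 pingcentral pingcentral
```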


When you start PingCentral 1.5, you might see warning messages related to illegal reflective access by org.springframework.util.ReflectionUtils. These messages can be safely ignored.


If a password is entered for a PKCS12 (P12) file when updating the TLS key pair, you might receive a misleading error indicating that the alias is not found. To prevent this from happening, leave the key password blank for PKCS12 key pair files.


When editing PingAccess applications, pressing the Enter key after making changes to the context root does not always save the changes to the context root. When these applications are promoted, they contain an incorrect context root. To prevent this from happening, click Save rather than pressing Enter.


If you change a template associated with a PingAccess application and click Cancel, the newly selected template displays on the edit page. If this occurs, refresh the page to see that the original template is still associated with the application.


If unsupported PingCentral APIs are used to update a PingAccess application and the JSON is saved incorrectly, the Application page might become unresponsive. If this occurs, ensure the application JSON is valid and reload the page.


When an assertion encryption certificate has been used to promote an application, or when a certificate is added to an application, the certificate does not display when the application is promoted or when subsequent updates are made. To ensure that the correct certificate is applied, reselect the certificate when you promote the application.


When using templates to add Web + API applications to PingCentral, you can drag rules between Web and API policies, which might cause the page to go blank. If this occurs, refresh the browser window.


Entering a context root that begins with the reserved context root in PingAccess (typically /pa) displays a generic "Save Failed" error message instead of a more descriptive one.

For example, if /pa is a reserved context root in PingAccess and you enter /papapizza as a context root, you receive this message.


If a template was created from a PingAccess application, and that application is deleted from PingAccess, you can no longer add applications to PingCentral using that template.


If administrators attempt to add a PingAccess application to PingCentral while PingAccess is unavailable and they click the Refresh Now link, the Application page might not display any applications. To prevent this from happening, they should select the Skip Verification option for the PingAccess environment to skip the validation process until it becomes available.


If you are using a Postgres database with PingCentral and you attempt to sort applications by name when filters are applied, you might receive a server error message. To work around this issue, either remove the filters to sort all applications by name, or retain the filters with applications sorted by modification date.