Known issues

Ticket ID Description
PASS-909 If you have only one person with an Administrator role and change that person's role to Application Owner, PingCentral will become impossible to administer.
PASS-1552 When updating a user's role, the Discard Changes button does not currently work.
PASS-1620 Clicking on the View Client Details link that displays in the Promotion History section of the page occasionally causes a blank white screen to display instead of the intended details. If this occurs, select another page within PingCentral and return to the Applications page.
PASS-1998 When an OAuth/OIDC application is promoted from PingCentral to PingFederate, the secret is captured and saved. If this application is removed from PingCentral and a new application is created with the same name, promotions to PingFederate will use the client secret provided for the original application instead of the new secret that was provided in the new application. There is currently no way to retrieve the secret that was provided for the original promotion.
PASS-2090 If SSO is configured for PingCentral and PingFederate is unavailable, PingCentral will fail to start. If this occurs, determine why PingFederate is unavailable, resolve the issue, and restart PingCentral.
PASS-2097 When SSO is enabled, an administrator is able to update and add users to PingCentral via the User Management page, even though it has no effect.
PASS-2122 When modifying an environment, if an identity provider certificate is added or updated, and then the PingFederate admin password is updated, the cursor will jump down to the IDP Certificate Password field each time a key is pressed.
PASS-2276

PASS-2131

Having the Username field empty during the login process results in a server error.
PASS-2296 The PingCentral download location in the Red Hat Enterprise Linux installer is incorrect.

Known limitations

Limitation Workaround
There is no PingCentral installer for Microsoft Windows. Install PingCentral by unzipping the ping-central-1.0.0.zip file. Then, run.bat script, which is located in the bin folder. Or, run PingCentral as a service using the provided method, which is located in the sbin folder.
You cannot promote applications created in more recent versions of PingFederate to older versions of PingFederate. For example, you cannot promote an application created in PingFederate version 9.3 to PingFederate version 9.2.
SSO limitation Workaround
Rather than maintain a JWT within a cookie, the authentication state is maintained on the server side within PingCentral. The HTTP session is identified via the PINGCENTRAL_SESSION_ID cookie. Restarting PingCentral will reset this state, as it is not persistent.
PingCentral session settings are ignored when SSO is enabled. The HTTP session cookie, PINGCENTRAL_SESSION_ID, is fixed at this time. The token obtained from the provider is only subject to the expiration defined by the provider. Likewise, key rolling is defined by the provider and it is responsible for maintaining the appropriate keys within its JWKS endpoint.
When SSO is enabled, local PingCentral user access is not possible. This includes the default Administrator user. HTTP basic authentication is not available for PingCentral API access. OAuth 2 bearer tokens must be used.
OAuth/OIDC limitation Workaround
When using OAuth and OIDC, access token mappings are not automatically promoted with the application. Ensure access token mapping are available on the target instance of PingFederate.
When using OAuth and OIDC, authentication policy contracts and the associated mappings are not automatically promoted with the application. Ensure authentication policy contracts and the associated mappings are available on the PingFederate target instance.
SAML limitation Workaround
SP connections require authentication policy contract mappings. Adapter mappings are not supported.
Artifact and SOAP bindings are not supported for SP connections.
Dependent entities, including authentication policy contracts, data stores, etc., are not automatically promoted with the application. Ensure dependent entities are available on the PingFederate target instance.
All connections must specify a primary certificate for signature validation. Multiple connections are not supported.
Assertion encryption is not supported.