New features

Ticket ID Description


Application owners can use OGNL expressions to fine-tune the attribute values used to authenticate their SAML application users. Administrators manage these expressions in PingCentral and determine which applications and templates have access to them.

Known issues

Ticket ID Description


If PostgreSQL is set up without a database, PingCentral fails to start. To prevent this from happening, add the database to the server before starting PingCentral.


If a certificate is added to a SAML application and a SAML metadata file is subsequently provided that contains a certificate, additional changes to the application cannot be saved. If this occurs, exit the edit page and then access it again.


PingCentral promotes access token mappings and authentication policy contracts (APCs) with OpenID Connect (OIDC) applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, an access token mapping referencing the APC is created, but the persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.


When application owners use single sign-on (SSO) to access PingCentral, administrators cannot assign applications to them before the application owners access PingCentral.

After application owners sign on to PingCentral, administrators can access their account information and assign applications to them.


When using templates to add Web + API applications to PingCentral, you can drag rules between Web and API policies, which might cause the page to go blank. If this occurs, refresh the browser window.


When an environment is deleted, applications that were promoted to that environment retain the promotion details from the deleted environment. PingCentral does not remove this information from applications when an environment is no longer available.


Customized authentication challenge responses, which support single-page applications, are also available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral, but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.


When using PingCentral, you might occasionally receive a reflective access warning message. You can safely ignore this message.


When creating, updating, or validating an environment through the API, you receive a server error message if the environment Name or Password fields are null or missing. API requests cannot be processed without this information, so ensure that these fields contain valid values.


When creating or validating an environment through the API, you receive a misleading error message if the PingAccess Password field is null. Rather than informing you that the information in this field is invalid, the message states that you cannot connect to the PingFederate admin console.

Requests to connect PingAccess to a PingCentral environment cannot be processed without this information, so ensure that this field contains a valid value.


If you attempt to add a SAML application to PingCentral from an existing application through the API, and the connection JSON contains identity attribute names and placeholders, you receive an error message advising you to nullify the Names field. However, even if you nullify this field, you still receive an error message because the JSON contains placeholders. Remove these placeholders before you proceed.


When application owners add and update their applications, they can provide metadata exported from service provider (SP) connections, which might include entity IDs, ACS URLs, and certificates, but they cannot provide metadata exported from identity provider (IdP) connections.


When promoting SAML applications, PingFederate does not allow you to use the same certificate as both an SP certificate and an assertion encryption certificate. Instead of preventing the promotion from continuing, you receive a message similar to the following:

Environment 'staging': PingFederate. This certificate either has the same ID or the same content as the certificate with index 0.

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.


If you delete several trusted certificate authority (CA) certificates less than a minute apart, PingCentral correctly revokes trust for the first certificate, but does not revoke trust for the other certificates subsequently deleted.


After upgrading to 1.8 or 1.9, PingCentral fails to start if ${pingcentral.home} is used in the truststore path. To prevent this from happening, change the home path to be the absolute truststore path and delete the Certificates table in the database.