New features and improvements in PingCentral 2.0.
Template synchronization now available for SAML and PingAccess applications
Administrators can now synchronize OAuth, OIDC, SAML, and PingAccess templates to ensure that their templates are based on the most up-to-date configurations available. Applications based on out-of-date templates have Outdated Template icons displayed next to them, which inform application owners that newer versions of the templates are available.
Administrators can also now revert SAML SP connections and PingAccess application templates to previous versions. See the Reverting templates to previous versions tab on the SAML 2.0 and PingAccess templates page for details.
Note that when you upgrade to PingCentral 2.0, SAML and PingAccess application templates will have base revisions created for them. OAuth and OIDC templates created prior to version 2.0 cannot be synced with the most recent configurations available. Recreate the template in version 2.0 to use the sync feature going forward.
Application owners can now edit application JSON themselves
To accommodate a wide variety of promotion needs, application owners can now edit the application JSON for their applications when they promote them.
Note that providing application owners with this ability can be risky, so it’s highly recommended that approvals are enabled for the environment. Administrators can review the submitted application JSON and compare it to the original application JSON before approving the promotion request.
- This functionality is not yet available for PingAccess applications.
- Applications cannot be reverted to a promotion that uses JSON editing.
- Be aware that the JSON review window compares against the original application JSON and not the most recently promoted JSON.
Prevent application owners from deleting applications
Hide inactive promotion approvals
Approval expressions drag and drop enhancement
Multi-APC connection synchronization
Previously, PingCentral was unable to handle a service provider (SP) connection with multiple Authentication Policy Contracts (APC) mapped within it. The PingCentral 1.14 release enables users to select from multiple mapped contracts when adding an application as a managed application or a template.
However, due to a known synchronization limitation, if you update an existing single APC SP connection already managed by PingCentral to include a second APC and subsequently synchronize the application, you won't find an option to specify your preferred APC.
To simplify your workflow and mitigate potential challenges, we recommend refraining from using synchronization to modify multi-APC connections. Instead, consider creating a new SP connection that aligns with your desired APC configuration. This approach grants you control over APC selection, ensuring a smoother and more efficient process.
Configure APC mappings for OIDC applications in PingFederate
PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.
When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.
To resolve these issues, configure the APC mappings within PingFederate.
Promoting applications with authentication challenge policies
Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.
SP certificates and assertion encryption certificates must be different
Environment'staging': PingFederate. This certificate either has the same ID or the same content as the certificate with index 0.
To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.
Update truststore path if PingCentral fails to start
After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if
${pingcentral.home}
is used in the trust store
path. To prevent this from happening, change the home path to be the
absolute trust store path and delete the
Certificates table in the database.