The following changes may affect existing deployments.
- AWS CloudHSM
- If PingFederate is running on Linux and uses AWS CloudHSM, when administrators upgrade from PingFederate version 10.0 or earlier to PingFederate version 10.0.1 or later, they must also upgrade the CloudHSM client to version 3.0.
- Template html.form.login.template.html
- Starting with PingFederate 10.0, the html.form.login.template.html template no longer includes the $forgotPasswordUrl variable.
- Gemalto SafeNet Luna HSM 6.3
- When integrating with a Gemalto SafeNet Luna Network HSM 6 (hardware security module), PingFederate 9.2 requires firmware version 6.3.0 and client driver version 6.3. For setup information, see Integrating with Gemalto SafeNet Luna Network HSM.
- Access token validation response
- Starting with PingFederate 9.2, the access token validation response no longer includes the username and subject elements by default. Responses include them only if they were mapped in the issuing access token management instance.
- Weaker cipher suites disabled
- Starting with PingFederate 9.1, the weaker cipher suites TLS_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA are disabled in new installations and upgrades. Because the remaining suites can be negotiated only under TLS 1.2, the administrative and runtime servers then support only TLS 1.2. If you must re-enable these cipher suites for legacy clients that cannot negotiate TLS 1.2 (which also re-enables the older protocol versions), see Managing cipher suites.
- LDAP service accounts on PingDirectory
- If PingFederate 9.3.1 or later uses an LDAP connection to PingDirectory, add the config-read privilege to the service account that the connection binds as in PingDirectory. Without it, users do not receive password-expiry notifications. For more information, see Assigning Privileges to Normal Users and Individual Root Users in the PingDirectory documentation.
- Improved validation for AudienceRestriction
- If an IdP connection is configured with multiple virtual server IDs, the AudienceRestriction value in a SAML response must now match the virtual server ID information embedded in the protocol endpoint at which PingFederate receives the message; otherwise, the SSO attempt fails. To override this validation on a per-connection basis, see Configuring validation for the AudienceRestriction element.
- Custom authentication selector
- If you have created a custom authentication selector that returns an IdP adapter instance ID or the connection ID of an IdP connection, you must update the associated descriptor instance. For more information, see Updating the custom authentication selector.
- Provisioning datastore reset
- Upgrading to PingFederate 9.0 or 9.0.1 while using its outbound provisioning capability can result in user records being disabled at SaaS applications. The issue was resolved in version 9.0.2.
If you are upgrading from version 8.4.4 (or earlier) or from version 9.0.2, 9.0.3, or 9.0.4 to version 10.0, the upgrade process automatically resolves this issue. No further action is required.
If you are upgrading from version 9.0 or 9.0.1 to PingFederate 10.0, you must use the provmgr command-line tool to reset the provisioning datastore on the upgraded installation. For more information, see Reviewing database changes.
- Security enhancement in JDBC datastore queries
- A security enhancement has been made in PingFederate 9.0 to safeguard JDBC datastore queries against back-end SQL injection attacks. This protection is enabled for all new installations. For upgrades, see Reviewing database changes.
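The "Weaker cipher suites disabled" item above says that removing the two CBC-SHA suites leaves the servers TLS 1.2-only. The reason is that a suite can be negotiated at TLS 1.0/1.1 only if it uses an HMAC-SHA-1 (or MD5) MAC; the AEAD and SHA-256/384 suites were introduced with TLS 1.2 (RFC 5246, RFC 5288, RFC 5289, RFC 7905) and TLS 1.3 has its own suite family (RFC 8446). The following Python is an added example, not PingFederate code or its default configuration: it classifies enabled suites by the protocol versions they allow, flags the two suites the release disabled, and includes a network probe against a live endpoint (PingFederate's default runtime port is 9031; the `PRE_9_1_SUITES` and `POST_9_1_SUITES` lists are constructed for illustration and are not the product's actual defaults).

```python
import socket
import ssl

# The two suites the page says PingFederate 9.1 disabled.
DISABLED_IN_9_1 = {
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Constructed illustration lists (not the product's real defaults).
PRE_9_1_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
POST_9_1_SUITES = [s for s in PRE_9_1_SUITES if s not in DISABLED_IN_9_1]


def suite_versions(suite: str) -> set:
    """Protocol versions at which an IANA-named suite can be negotiated.
    TLS 1.3 suites carry no key-exchange token (TLS_AES_*, TLS_CHACHA20_*).
    AEAD (GCM/CCM/ChaCha20) and SHA-256/384 MAC suites exist only from TLS 1.2.
    SHA-1/MD5 MAC suites are the ones TLS 1.0 and 1.1 can still use."""
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return {"1.3"}
    if (suite.endswith(("_SHA256", "_SHA384")) or "_GCM_" in suite
            or "_CCM" in suite or "CHACHA20" in suite):
        return {"1.2"}
    if suite.endswith(("_SHA", "_MD5")):
        return {"1.0", "1.1", "1.2"}
    raise ValueError(f"unrecognised suite name: {suite}")


def negotiable_versions(enabled: list) -> set:
    """Union of versions a server with exactly these suites can complete a handshake at."""
    versions = set()
    for suite in enabled:
        versions |= suite_versions(suite)
    return versions


def weak_suites(enabled: list) -> list:
    """Suites from the enabled list that the 9.1 change removed."""
    return sorted(set(enabled) & DISABLED_IN_9_1)


def lacks_forward_secrecy(suite: str) -> bool:
    """Static RSA key exchange: a leaked server key decrypts recorded sessions."""
    return suite.startswith("TLS_RSA_WITH_")


def legacy_tls_accepted(host: str, port: int = 9031, timeout: float = 5.0) -> bool:
    """Offer only TLS 1.0/1.1 to a live server and report whether it completes
    the handshake, i.e. whether legacy suites are still enabled. Needs network;
    certificate checks are off because only protocol negotiation matters here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_1
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL offer legacy suites
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() in ("TLSv1", "TLSv1.1")
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    print("before 9.1:", sorted(negotiable_versions(PRE_9_1_SUITES)), weak_suites(PRE_9_1_SUITES))
    print("after 9.1: ", sorted(negotiable_versions(POST_9_1_SUITES)), weak_suites(POST_9_1_SUITES))
```

Run `legacy_tls_accepted("pf.example.com")` after an upgrade to confirm the runtime listener really refuses TLS 1.0/1.1; if you re-enabled the CBC-SHA suites for a legacy client, expect it to return True unless the protocol versions are also restricted separately.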
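The "Improved validation for AudienceRestriction" item above describes a check that is easy to get subtly wrong: with several virtual server IDs on one connection, accepting an assertion whose Audience is any of the connection's IDs lets a partner replay an assertion issued for one virtual server against the endpoint of another. The Python below is an added example, not PingFederate's implementation: it extracts the Audience values from a SAML 2.0 Response, derives the virtual server ID from the receiving endpoint, and accepts the message only when they match, with a flag that reproduces the looser per-connection override. It assumes the virtual server ID arrives as a `vsid` query parameter on the ACS URL and that the entity IDs, the sample Response, and the endpoint URL are constructed values; signature validation is assumed to have already happened.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP configuration (hypothetical values): the connection's default
# entity ID plus two virtual server IDs, each an alternative entity ID that a
# partner may address.
DEFAULT_ENTITY_ID = "https://sp.example.com"
VIRTUAL_SERVER_IDS = {"https://sp-eu.example.com", "https://sp-us.example.com"}


def audiences(response_xml: str) -> list:
    """Every <saml:Audience> inside the Response's assertion(s).
    Signature validation is assumed to have run first; for untrusted XML
    prefer defusedxml over the stdlib parser."""
    root = ET.fromstring(response_xml)
    path = ".//saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return [a.text.strip() for a in root.findall(path, NS) if a.text]


def virtual_server_id_from_endpoint(endpoint_url: str):
    """Virtual server ID embedded in the endpoint the message arrived at.
    Assumption for this example: it travels as a `vsid` query parameter."""
    values = parse_qs(urlparse(endpoint_url).query).get("vsid", [])
    return values[0] if values else None


def validate_audience(response_xml: str, endpoint_url: str,
                      per_connection_override: bool = False):
    """Return (ok, reason). Strict mode: the audience must equal the virtual
    server ID of the receiving endpoint (or the default entity ID when the
    endpoint carries none). Override mode reproduces the looser behaviour:
    any of the connection's IDs is accepted regardless of endpoint."""
    found = set(audiences(response_xml))
    if not found:
        return False, "assertion carries no AudienceRestriction"

    vsid = virtual_server_id_from_endpoint(endpoint_url)
    if vsid is not None and vsid not in VIRTUAL_SERVER_IDS:
        return False, f"endpoint names unknown virtual server ID {vsid!r}"

    if per_connection_override:
        expected = VIRTUAL_SERVER_IDS | {DEFAULT_ENTITY_ID}
    else:
        expected = {vsid if vsid is not None else DEFAULT_ENTITY_ID}

    matched = expected & found
    if matched:
        return True, f"audience {sorted(matched)[0]} matches the receiving endpoint"
    return False, f"audience {sorted(found)} does not match expected {sorted(expected)}"


def build_response(audience: str) -> str:
    """Constructed, unsigned sample Response used as input for the example."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org</saml:Issuer>
    <saml:Conditions NotBefore="2020-01-01T00:00:00Z" NotOnOrAfter="2020-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{audience}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    eu_acs = "https://sp.example.com/sp/ACS.saml2?vsid=https%3A%2F%2Fsp-eu.example.com"
    print(validate_audience(build_response("https://sp-eu.example.com"), eu_acs))
    print(validate_audience(build_response("https://sp-us.example.com"), eu_acs))
    print(validate_audience(build_response("https://sp-us.example.com"), eu_acs,
                            per_connection_override=True))
```

The second call is the case the release tightened: an assertion for the US virtual server delivered to the EU endpoint now fails, whereas the override (third call) accepts it as older versions did. Use the override only for a partner that genuinely cannot set the audience to the virtual server ID it is addressing.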