Known issues

Administrative API
For IdP connections, the administrative API connection support is limited to Browser SSO, WS-Trust STS, and OAuth Assertion Grant connections. As a result, when updating an IdP connection using the administrative API, it is possible to lose inbound provisioning settings previously configured using the administrative console.
Only resource types currently supported by the administrative API are included in the exported data. Resources not yet supported include:
  • Identity Store Provisioners
  • Inbound provisioning settings from IdP connections
  • PingOne for Enterprise settings
  • SMS Provider settings
  • WS-Trust STS settings
Cloud HSM
You cannot do the following using a Cloud HSM private key:
  • Decrypt JWT access tokens
  • Decrypt OpenID Connect ID tokens in OpenID Connect Relying Party (RP) connections

Known limitations

SameSite cookie handling in Chrome

To implement this change, you must be running PingFederate 9.3.1 or above.

In Chrome release 80, the default behavior of cookies that do not have a SameSite specifier is expected to change. Cookies without a SameSite value specified are expected to have SameSite=Lax set by default.

Enabling the Lax value makes cookies available to third parties through HTTP GET requests, but not through other methods, such as POST. This capability can also be enabled in other browsers, such as Firefox, through a user setting.

When the Lax value is enabled, cookies without the SameSite specifier are restricted to the same site the user is browsing. The impact to PingFederate users, when this setting is enabled, is that they will need to re-authenticate existing SSO sessions.

If cookies need to be available in a third-party context, you must configure the SameSite=None setting. You can do this by uncommenting the <Set name="sameSiteSpecifier">None</Set> line in the <pf_install>/pingfederate/etc/jetty-runtime.xml file.
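The following check is an added example, not part of the PingFederate documentation: it classifies Set-Cookie header values by how a browser with the Lax default treats them on a cross-site GET and POST. The SESSION cookie name and the sample headers are constructed, and the model also applies Chrome 80's rule that a SameSite=None cookie must carry Secure.

```python
# Added example: models SameSite handling for cross-site, top-level requests.
# It ignores any browser-specific grace periods.

def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, {lowercased attr: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def effective_samesite(attrs):
    """SameSite mode the browser applies once unspecified defaults to Lax."""
    mode = attrs.get("samesite", "").lower()
    if mode == "none":
        # Chrome 80 rejects SameSite=None cookies that lack the Secure flag.
        return "none" if "secure" in attrs else "rejected"
    if mode in ("lax", "strict"):
        return mode
    return "lax"  # no recognised SameSite value: Lax by default

def sent_cross_site(header, method):
    """True if the cookie accompanies a cross-site request using `method`."""
    mode = effective_samesite(parse_set_cookie(header)[1])
    if mode == "none":
        return True
    if mode == "lax":
        return method.upper() == "GET"  # POST does not carry the cookie
    return False  # strict, or rejected outright

# Constructed sample headers (cookie name and values are placeholders).
SAMPLE_HEADERS = [
    "SESSION=abc123; Path=/; Secure; HttpOnly",
    "SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "SESSION=abc123; Path=/; HttpOnly; SameSite=None",
]

def audit(headers):
    """Return (effective mode, sent on GET, sent on POST) for each header."""
    return [(effective_samesite(parse_set_cookie(h)[1]),
             sent_cross_site(h, "GET"), sent_cross_site(h, "POST"))
            for h in headers]

if __name__ == "__main__":
    for header, row in zip(SAMPLE_HEADERS, audit(SAMPLE_HEADERS)):
        print(row, "<-", header)
```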

Administrative console and administrative API
  • Previously, the administrative API did not accurately reflect a Persistent Grant Max Lifetime setting of 29 days (or shorter) with the selection of the Grants Do Not Timeout Due To Inactivity option. As a result, if you have configured such OAuth authorization server settings and have generated a bulk export in version 10.0 through 10.0.2, we recommend that you re-generate a new bulk export after upgrading to version 10.0.3 (or a more recent version). The newly exported data does not contain the aforementioned flaw, and you can safely import it to version 10.0.3 (or a more recent version).
  • When enabling mutual TLS certificate-based authentication, administrators often configure a list of acceptable client certificate issuers. When an administrator uses a browser to access the console or the administrative API documentation, PingFederate returns to the browser the list of acceptable issuers as part of the TLS handshake. If the browser's client certificate store contains multiple client certificates, the browser often presents to the user only the certificates whose issuer matches one of the acceptable issuers. However, when PingFederate runs in a Java 11 environment, Chrome presents to the administrator all its configured client certificates, regardless of whether the issuer matches one of the acceptable issuers.
  • Prior to toggling the status of a connection via the administrative API, an administrator must ensure that any expired certificates or attributes that are no longer available are replaced with valid certificates or attributes; otherwise, the update request fails.
  • When creating or updating a child instance of a hierarchical plugin, the administrative API retains objects with an "inherited": false name/value pair (or without such name/value pair altogether), ignores those with a value of true, and returns a 200 HTTP status code. No error messages are returned for the ignored objects.
  • Using the browser's navigation mechanisms (for example, the Back button) causes inconsistent behavior in the administrative console. Use the navigation buttons provided at the bottom of screens in the PingFederate console.
  • If authenticated to the PingFederate administrative console using certificate authentication, a session that has timed out may not appear to behave as expected. Normally (when using password authentication), when a session has timed out and a user attempts some action in the console, the browser is redirected to the login page, and then back to the administrative console once authentication is complete. Similar behavior applies for certificate authentication, in principle. However, because the browser may automatically resubmit the certificate for authentication, the browser may redirect to the administrative console and not the login page.
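Because the administrative API returns a 200 status code even when it ignores objects marked "inherited": true, automation cannot rely on the response to confirm that every object was stored. The pre-flight check below is an added example, not PingFederate code: it lists the JSON paths of objects that would be ignored before the request is sent. The sample payload and its field names are constructed; only the "inherited" key comes from the text above.

```python
import json

def find_ignored(node, path="$"):
    """Yield JSON paths of objects carrying "inherited": true."""
    if isinstance(node, dict):
        if node.get("inherited") is True:
            yield path  # the whole object is ignored; do not descend further
            return
        for key, value in node.items():
            yield from find_ignored(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_ignored(value, f"{path}[{index}]")

def preflight(payload):
    """Fail loudly instead of trusting a 200 that hides ignored objects."""
    ignored = list(find_ignored(payload))
    if ignored:
        raise ValueError("objects the API will ignore: " + ", ".join(ignored))
    return payload

# Constructed child-instance payload; names and values are hypothetical.
SAMPLE = json.loads("""
{
  "id": "childAdapter",
  "parentRef": {"id": "parentAdapter"},
  "configuration": {
    "fields": [
      {"name": "Session Timeout", "value": "30", "inherited": false},
      {"name": "Cookie Domain", "value": "example.com", "inherited": true},
      {"name": "Login Template", "value": "login.html"}
    ]
  }
}
""")

if __name__ == "__main__":
    for ignored_path in find_ignored(SAMPLE):
        print("will be ignored:", ignored_path)
```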
Hardware security modules (HSM)
  • When using PingFederate with an HSM from Gemalto or nCipher, it is not possible to use an elliptic curve (EC) certificate as an SSL server certificate.
  • PingFederate must be deployed with Oracle Server JRE (Java SE Runtime Environment) 8.
  • When consuming SAML metadata, PingFederate does not report an error when neither the validUntil nor the cacheDuration attribute is included in the metadata. Note that PingFederate does reject expired SAML metadata as indicated by the validUntil attribute value, if it is provided.
  • The anchored-certificate trust model cannot be used with the SLO redirect binding because the certificate cannot be included with the logout request.
  • If an IdP connection is configured for multiple virtual server IDs, PingFederate will always use the default virtual server ID for IdP Discovery during an SP-initiated SSO event.
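Since PingFederate does not report an error for SAML metadata that carries neither validUntil nor cacheDuration, a check before import can flag it. The script below is an added example, not PingFederate code: it reports each EntityDescriptor as ok, expired, or no-expiry, and treats attributes on an enclosing EntitiesDescriptor as applying to its children. The entity IDs and dates are constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

def _parse_dt(value):
    """Parse an xs:dateTime value; timezone-less values are assumed UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def check_metadata(xml_text, now=None):
    """Return {entityID: 'ok' | 'expired' | 'no-expiry'}."""
    now = now or datetime.now(timezone.utc)
    results = {}

    def walk(elem, valid_until, cache_duration):
        # Attributes on this element override those of the enclosing element.
        valid_until = elem.get("validUntil", valid_until)
        cache_duration = elem.get("cacheDuration", cache_duration)
        if elem.tag == MD + "EntityDescriptor":
            if valid_until is None and cache_duration is None:
                status = "no-expiry"  # accepted without an error being reported
            elif valid_until is not None and _parse_dt(valid_until) <= now:
                status = "expired"    # rejected on the validUntil value
            else:
                status = "ok"
            results[elem.get("entityID")] = status
        elif elem.tag == MD + "EntitiesDescriptor":
            for child in elem:
                walk(child, valid_until, cache_duration)

    # For metadata from untrusted sources, consider a hardened XML parser.
    walk(ET.fromstring(xml_text), None, None)
    return results

# Constructed sample metadata.
SAMPLE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://idp-a.example" validUntil="2030-01-01T00:00:00Z"/>
  <md:EntityDescriptor entityID="https://idp-b.example" validUntil="2019-01-01T00:00:00Z"/>
  <md:EntityDescriptor entityID="https://idp-c.example"/>
</md:EntitiesDescriptor>"""

if __name__ == "__main__":
    for entity_id, status in check_metadata(SAMPLE).items():
        print(f"{status:10} {entity_id}")
```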
Composite Adapter configuration
  • SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.
Self-service password reset
Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.
PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.
It is worth noting that while it is possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage (if implemented), we recommend that you do not do so, to avoid record migration issues if it is decided later that client records should be stored in a directory server.
Customer identity and access management
Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.
  • LDAP referrals return an error and cause provisioning to fail if the user or group objects are defined at the DC level, and not within an OU or within the Users CN.
  • The totalResults value in SCIM responses indicates the number of results returned in the current response, not the total number of estimated results on the LDAP server.
If a source attribute has been configured for masking in an IdP adapter or IdP connection and the source attribute is mapped to OAuth's persistent grant USER_KEY attribute, then the USER_KEY attribute will not be masked in the server logs. Other persistent grant attributes will be masked.
Database logging
If PingFederate cannot establish a JDBC connection at startup, PingFederate will continue to write log messages to the failover log file, despite the failover and resume configuration. When the JDBC connectivity issue is resolved, restart PingFederate. On restart, PingFederate will start writing log messages to the database.
Note that if PingFederate is able to establish a JDBC connection at startup, PingFederate will be able to write log messages to the failover log when it encounters a JDBC connectivity issue and resume writing log messages to the database when it re-establishes the JDBC connection.
The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.
  • When the configcopy tool is used to copy all connections, channels, data sources, adapters, or token translators, overridden properties are applied to all instances. Care must be taken when applying overrides for copy-all operations.
  • The configcopy tool supports copying only a single reference for each of the following configuration items that are defined for a given connection: adapter, data source, Assertion Consumer Service URL, Single Logout Service URL, and Artifact Resolution Service URL. When multiple adapters, data stores, or any of the aforementioned service URLs are associated with a given connection, only the first reference to each is copied.
  • The configcopy tool does not support creation of configuration data that does not exist in the source. If an override parameter for a parameter that does not exist in the source configuration is set, the behavior of the target system is not guaranteed.
  • The configcopy tool, when used for copying plugin configurations (including adapters, token translators, and other data stores), does not currently support overrides of complex data structures, including tables, extended contract attributes, and masked fields.
  • When the configcopy tool is used to copy connection data, any SOAP SLO endpoints defined in the source are not copied to the target, even if the SOAP SLO endpoint is the only SLO endpoint defined at the source. These must be manually added to the target.