Resolved issues

Ticket ID Description


Resolved a problem causing RSASSA-PSS signing algorithms to fail for HSM providers using Java 8u261 or later.


Resolved an issue that prevented the revocation of sessions newly created after registration. This issue occurred when a local identity profile registration created a new session and the associated adapter defined a unique user key attribute, but PingFederate failed to associate the attribute value with the session.


Resolved an issue that caused OAuth requests to fail when an OAuth client has authentication set to None and a client certificate is presented in a request to the /as/token.oauth2 endpoint for that client.


Resolved an issue that prevented PingFederate from starting up post-upgrade when a connection-based override existed for a Reference ID adapter instance.


Resolved an issue that caused the audit log to intermittently record incorrect connection IDs.


To reduce the number of search requests to directory servers during user authentication, PingFederate no longer performs multiple calls to the LDAP Root DSE checking for IntermediateClientRequestControl support. This LDAP control can send servers information about a client and any downstream clients.


When PingFederate is configured to use PingOne for Enterprise as the authentication provider for administrative console login, PingFederate's direct login URL no longer fails.


PingFederate with Bouncy Castle FIPS integration now lets you place the Bouncy Castle provider at the top of the provider list in the file. This ensures that PingFederate uses the Bouncy Castle provider for cryptographic signing operations. Before you change the provider ordering in an existing deployment, see Integrating with Bouncy Castle FIPS provider for more information.


PingFederate's token translator now correctly processes JWT tokens in the formats application/jwk+json and application/jwk-set+json.


When retrieving members of a SCIM group, PingFederate now uses the IdP connection's base DN as the search base instead of deriving it from the root DSE.


Resolved an issue that caused a blank screen to appear during some login attempts. This issue occurred when an OAuth flow going through an authentication policy tree took a fail branch after an IdP connection and the next adapter in the fail branch had an existing session.


Resolved an issue that prevented users from changing their passwords when PingFederate is configured with a context path in the file.


Updated the Apache Velocity engine with security patches.


Resolved an issue that occurred when using a PingFederate cluster with lifetime extension policies to update the expiration time of internally managed tokens.


Resolved a performance issue that affected the OAuth Client Management Service and Dynamic Client Registration when clients are stored in an LDAP directory. This issue could slow the creation and update of OAuth clients in deployments that have many clients defined.


Resolved an issue that caused some runtime requests, which had queued on initial start-up while PingFederate's configuration was being updated, to use the previous configuration.


Resolved an issue that prevented PingFederate from using the OAuth device authorization grant type when authenticating users with an IdP connection.