Resolved issues

Ticket ID Description

PF-28204

Resolved a problem causing RSASSA-PSS signing algorithms to fail for HSM providers using Java 8u261 or later.

PF-28260

Resolved an issue that prevented the revocation of sessions newly created after registration. This issue occurred when a local identity profile registration created a new session and the associated adapter defined a unique user key attribute, but PingFederate failed to associate the attribute value with the session.

PF-28308

Resolved an issue that caused OAuth requests to fail when an OAuth client has authentication set to None and a client certificate is presented in a request to the /as/token.oauth2 endpoint for that client.

PF-28351

Resolved an issue that prevented PingFederate from starting up post-upgrade when a connection-based override existed for a Reference ID adapter instance.

PF-28423

Resolved an issue that caused the audit log to intermittently record incorrect connection IDs.

PF-28433

To reduce the number of search requests to directory servers during user authentication, PingFederate no longer performs multiple calls to the LDAP Root DSE checking for IntermediateClientRequestControl support. This LDAP control can send servers information about a client and any downstream clients.

PF-28455

When PingFederate is configured to use PingOne for Enterprise as the authentication provider for administrative console login, PingFederate's direct login URL no longer fails.

PF-28464

PingFederate with Bouncy Castle FIPS integration now lets you place the Bouncy Castle provider at the top of the provider list in the java.security file. This ensures that PingFederate uses the Bouncy Castle provider for cryptographic signing operations. Before you change the provider ordering in an existing deployment, see Integrating with Bouncy Castle FIPS provider for more information.

PF-28491

PingFederate's token translator now correctly processes JWT tokens in the formats application/jwk+json and application/jwk-set+json.

PF-28511

When retrieving members of a SCIM group, PingFederate now uses the IdP connection's base DN as the search base instead of deriving it from the root DSE.

PF-28515

Resolved an issue that caused a blank screen to appear during some login attempts. This issue occurred when an OAuth flow going through an authentication policy tree took a fail branch after an IdP connection and the next adapter in the fail branch had an existing session.

PF-28661

Resolved an issue that prevented users from changing their passwords when PingFederate is configured with a context path in the run.properties file.

PF-28683

Updated the Apache Velocity engine with security patches.

PF-28688

Resolved an issue when using a PingFederate cluster with lifetime extension policies to update the expiration time of internally managed tokens.

PF-28715

Resolved a performance issue that affected the OAuth Client Management Service and Dynamic Client Registration when clients are stored in an LDAP directory. This issue could slow the creation and update of OAuth clients in deployments that have many clients defined.

PF-28718

Resolved an issue in which some runtime requests that were queued during initial start-up, while PingFederate's configuration was being updated, used the previous configuration.

PF-28729

Resolved an issue that prevented PingFederate from using the OAuth device authorization grant type when authenticating users with an IdP connection.