Page created: 15 Jul 2020 | Page updated: 8 May 2023
Several specific modifications since version 10.0 might affect existing deployments.
- Delayed heartbeat response due to archive import on startup
- Starting with version 10.2, when you place an archive in the <pf_install>/pingfederate/server/default/data/drop-in-deployer directory on startup, the heartbeat endpoint will not return 200 until archive import completes. Depending on how long archive import and configuration loading take, the first successful heartbeat response may be significantly delayed relative to earlier versions. If you have configured a health check or probe that can trigger a restart of the server, crash loop behavior can result. Review the configuration of these checks to ensure time thresholds are set appropriately.
- Microsoft Internet Explorer 11
- Ping Identity commits to deliver the best experience for administrators and users. As we continue to improve our products, we encourage our customers to migrate off of Microsoft Internet Explorer 11. We intend to remove Internet Explorer 11 from our qualification process in December 2021.
- Expression Admin role
- When upgrading to PingFederate 10.1 or higher from a previous version, administrative users who were granted the Admin role in the earlier installation are granted the Expression Admin role automatically. You can achieve the same result by using the /bulk/import administrative API endpoint to bulk-import a configuration that was bulk-exported from PingFederate 10.0.
- Authentication session created after user registration
- As of PingFederate 10.1, an authentication session is automatically created for a user after registration, preventing the user from having to log in again during the next SSO transaction. This feature is enabled by default for all new and existing local identity profiles. However, if needed, you can disable it through the /localIdentity/identityProfiles administrative API endpoint by setting the createAuthnSessionAfterRegistration attribute to false.
- Authorization endpoint
- Before version 10.2, PingFederate did not validate the NumericDate value of exp claims in a signed request object's JWT. To ensure the JWT does not expire too far in the future, PingFederate 10.2 and later do validate the value. PingFederate rejects any JWT that expires more than 720 minutes later. You can change that default value in <pf_install>/pingfederate/server/default/data/config-store/jwt-request-object-options.xml.
- Configuration change necessary for MFA adapters
- As of PingFederate 10.2, when you define policies using multi-factor authentication (MFA) adapters, you must select the User ID Authenticated check box in the Incoming User ID popup to allow users to register as a new MFA user. You should only select this check box if the previous authentication source has verified the Incoming User ID. You should not select the check box if the MFA adapter is part of a policy used for password reset or password change. For more information, see Defining authentication policies. Important: Administrators using the PingID adapter must review existing policies and select this check box if appropriate. Otherwise, the adapter will prevent new user registration.
- AWS CloudHSM
- If PingFederate is running on Linux and uses AWS CloudHSM, when administrators upgrade from PingFederate 10.0 or earlier to PingFederate 10.0.1 or later, they must also upgrade the CloudHSM client to version 3.2.0.
- Template html.form.login.template.html
- Starting with PingFederate 10.0, the html.form.login.template.html template no longer includes the $forgotPasswordUrl variable.
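
The exp check described under "Authorization endpoint" can be reproduced on the client side to find request objects that version 10.2 and later would reject. This is an added example, not PingFederate code: the function names, result strings and sample tokens are constructed for illustration, signature verification is assumed to happen elsewhere, and rejecting a missing or non-numeric exp is a choice of this sketch.

```python
import base64
import json

MAX_LIFETIME_MINUTES = 720  # default stated on this page


def b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample token; the third segment is a dummy."""
    return ".".join([b64url({"alg": "RS256"}), b64url(claims), "c2ln"])


def decode_claims(compact_jws: str) -> dict:
    """Decode the payload segment. Signature verification is assumed done elsewhere."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_exp(claims: dict, now: float, max_minutes: int = MAX_LIFETIME_MINUTES) -> str:
    exp = claims.get("exp")
    # NumericDate is a JSON number; bool is an int subclass in Python, so exclude it.
    # Rejecting a missing or non-numeric exp is this sketch's choice.
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return "reject: exp is not a NumericDate"
    if exp <= now:
        return "reject: expired"
    if exp - now > max_minutes * 60:
        return "reject: exp too far in the future"
    return "accept"


if __name__ == "__main__":
    NOW = 1_700_000_000  # fixed clock so the output is reproducible
    for offset in (600, 720 * 60, 720 * 60 + 1, -1):
        token = make_sample_token({"exp": NOW + offset})
        print(offset, check_exp(decode_claims(token), NOW))
```

Running it against request objects issued by existing clients before an upgrade shows which ones rely on lifetimes longer than the configured maximum.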