Hostname verification for LDAPS
For LDAP type datastores with LDAPS enabled, hostname verification of the certificate is enabled by default for all new datastores beginning with PingFederate 7.3. When upgrading from a previous version of PingFederate, this option is disabled for existing datastores for compatibility reasons. Administrators should consider activating this new option for greater security.
Changes in a database table supporting nested group membership
Outbound provisioning of groups and nested group membership requires an update in the internal datastore. Follow the instructions in Reviewing database changes to add or update the group_membership table.
SSLv3 disabled
To mitigate the POODLE attack, the SSLv3 protocol is disabled by default starting in PingFederate 7.3. It can be re-enabled by modifying the connector configuration in jetty-runtime.xml and jetty-admin.xml found in the <pf_install>/pingfederate/etc directory.
New representation for multivalued attributes in WS-Federation assertions
Starting with PingFederate 7.3, multivalued attributes in WS-Federation assertions are now represented as multiple AttributeValue elements under a single Attribute element. Previously, they were represented as a series of Attribute elements with the same name. The new behavior was implemented for compatibility with ADFS 2.0. To revert to the previous behavior, a setting is available in wstrust-global-settings.xml.
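The two shapes side by side, as an added example that is not PingFederate code. It assumes the assertion is a SAML 1.1 token (the namespace is the real one; the attribute name, claim namespace and group values are constructed) and shows a consumer that reads the same values from either shape, which matters because a relying party that takes only the first AttributeValue per Attribute silently loses values after the change.

```python
import xml.etree.ElementTree as ET

# Added example (not PingFederate code). The SAML 1.1 assertion namespace is
# real; the attribute name, claim namespace URI and values are constructed.
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Pre-7.3 shape: one Attribute element per value, all with the same name.
LEGACY_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML1}">
  <saml:Attribute AttributeName="groups" AttributeNamespace="http://example.com/claims">
    <saml:AttributeValue>admins</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="groups" AttributeNamespace="http://example.com/claims">
    <saml:AttributeValue>auditors</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# 7.3+ shape (ADFS 2.0 compatible): one Attribute, several AttributeValue children.
CURRENT_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML1}">
  <saml:Attribute AttributeName="groups" AttributeNamespace="http://example.com/claims">
    <saml:AttributeValue>admins</saml:AttributeValue>
    <saml:AttributeValue>auditors</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def attribute_element_count(statement_xml: str) -> int:
    """Number of Attribute elements in the statement (2 for legacy, 1 for new)."""
    root = ET.fromstring(statement_xml.strip())
    return len(root.findall("saml:Attribute", NS))


def collect_attributes(statement_xml: str) -> dict:
    """Map AttributeName -> list of values.

    Repeated Attribute elements with the same name are merged and every
    AttributeValue child is read, so both shapes yield the same mapping.
    """
    root = ET.fromstring(statement_xml.strip())
    result = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        result.setdefault(attr.get("AttributeName"), []).extend(values)
    return result
```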
A new index (EXPIRESIDX) in the database table for OAuth persistent grants
PingFederate 7.3 added an index (EXPIRESIDX) for the expires column in the pingfederate_access_grant database table. For information on adding this index to your existing table, see Reviewing database changes.
A new database table for OAuth persistent grant extended attributes
Starting with PingFederate 7.2 R2, a new database table needs to be created to support OAuth's persistent grant extended attributes. The database scripts to create this table can be found in <pf_install>/pingfederate/server/default/conf/access-grant/sql-scripts/access-grant-attribute-<databaseServer>.sql. See Reviewing database changes for more information.
LDAP filter syntax checking
Starting with PingFederate 7.2, LDAP filters only allow spaces in matched-against values.

Examples

(|(sAMAccountName=${username})(employeeID=ID for ${username})) is allowed; spaces in the matched-against value of “ID for ${username}” are valid.

( | (sAMAccountName=${username}) (employeeID=ID for ${username}) ) is not allowed because this filter contains spaces outside of matched-against values.

Invalid filters cause SSO runtime failures. Error messages logged to server.log include:

Caused by: javax.naming.NamingException: [LDAP: error code 87 - Expected a closing parenthesis...
Caused by: javax.naming.NamingException: [LDAP: error code 87 - Unexpected closing parenthesis found...

We recommend reviewing LDAP filters and removing spaces outside of matched-against values after upgrade.
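A pre-upgrade check for the rule above, as an added example that is not PingFederate code: it reports every space that sits outside a matched-against value and produces the filter with only those spaces removed, using the two filters from the text. It assumes values are already LDAP-escaped, so the first ')' after an '=' ends the value.

```python
# Added example (not PingFederate code): find spaces that fall outside a
# matched-against value in an LDAP filter, the condition PingFederate 7.2 and
# later reject with "LDAP: error code 87", and rewrite the filter without them.

def spaces_outside_values(ldap_filter: str) -> list:
    """Return 0-based indexes of spaces that are not inside a value.

    A value starts after the '=' of a simple item "(attr=value)" and runs to
    the ')' that closes that item, so spaces there are legitimate. Spaces in
    any other position (around operators, attribute names or between items)
    are reported. A ')' inside a value must already be LDAP-escaped (\\29),
    so the first ')' reliably ends the value.
    """
    offending = []
    in_value = False
    for index, char in enumerate(ldap_filter):
        if in_value:
            if char == ")":        # end of the item, back to filter syntax
                in_value = False
            continue
        if char == "=":            # also covers >=, <=, ~= and :=
            in_value = True
        elif char == " ":
            offending.append(index)
    return offending


def is_valid_filter(ldap_filter: str) -> bool:
    """True when the filter has no spaces outside matched-against values."""
    return not spaces_outside_values(ldap_filter)


def remove_offending_spaces(ldap_filter: str) -> str:
    """Rewrite the filter with only the offending spaces dropped."""
    offending = set(spaces_outside_values(ldap_filter))
    return "".join(c for i, c in enumerate(ldap_filter) if i not in offending)


# The two filters from the text above.
ALLOWED = "(|(sAMAccountName=${username})(employeeID=ID for ${username}))"
REJECTED = "( | (sAMAccountName=${username}) (employeeID=ID for ${username}) )"

if __name__ == "__main__":
    for f in (ALLOWED, REJECTED):
        print(("ok  " if is_valid_filter(f) else "BAD ") + f)
        if not is_valid_filter(f):
            print("    fixed: " + remove_offending_spaces(f))
```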

HTML Form Adapter enhancement
Starting with version 7.1 R3, PingFederate tracks login attempts in the HTML Form Adapter. When the number of login failures reaches the Challenge Retries threshold defined in the adapter, the user is locked out for one minute. See HTML Form Adapter for more information.
A new index (CLIENTIDIDX) in the database table for OAuth persistent grants
PingFederate 7.1 R3 added an index (CLIENTIDIDX) for the client_id column in the pingfederate_access_grant database table. For information on adding this index to your existing table, see Reviewing database changes.
Requested (formerly SAML) AuthN Context authentication selector process order changed
In releases prior to 7.1 R2, when the Requested AuthN Context Authentication Selector received a list of authentication contexts, it used the last context that it could match, rather than the first. However, both the SAML and OpenID Connect specifications treat an authentication context list as appearing in order of preference. To align the Requested AuthN Context Authentication Selector with these specifications, the selection order was changed in 7.1 R2. With this release, the selector will use the first authentication context it can match, rather than the last.
Multivalued LDAP attributes passed to outbound provisioning OGNL expressions
In releases before version 7.1, if an OGNL expression was used to populate a SaaS-partner field in outbound provisioning, only the first value of a selected multivalued LDAP attribute was used in the OGNL expression. As of PingFederate 7.1, this behavior was changed to use all values in the expression.
Note: If this new behavior conflicts with existing deployments, it can be reverted via the supportMultiValuesFromDirectory property located in the <pf_install>/pingfederate/server/default/data/config-store/com.pingidentity.provisioner.mapping.OgnlFieldMapper.xml file.
OAuth clients reconfiguration

Neither the Upgrade Utility nor the platform-specific installers migrate OAuth clients that were created in PingFederate 6.5 through 7.0. Use any of the following interfaces to reconfigure your OAuth clients:

  • The Clients window (Applications > OAuth > Clients) in the PingFederate administrative console.
  • The /oauth/clients administrative API endpoint.
  • The REST-based web service for OAuth client management at the /pf-ws/rest/oauth/clients and /pf-ws/rest/oauth/clients/id endpoints. This web service requires the client records to be stored in a database.

Note that PingFederate has been storing OAuth clients in XML files since version 7.1; these clients are migrated to the new installation. In addition, if you have configured PingFederate 6.8 (or a more recent version) to store OAuth clients in an external database, the new installation retains that configuration as well.