PingOne integration
We simplified the steps to establish trust with PingOne and provided intuitive user interfaces to manage this trust. With PingFederate 10.2, customers can create a connection between PingOne and PingFederate once and apply this trust model when adopting PingOne services, like PingOne MFA and PingOne Risk.
Reusable policy fragments
Administrators can now create reusable policy fragments and apply them in multiple authentication policies. This reusability eases policy management and scalability. For example, you can create a reusable policy fragment with policy components that you frequently use and apply that fragment in multiple policies. When the authentication requirements need adjustments, you can make those changes in the fragment without updating the policies that reference it. Furthermore, you can manage fragments individually through the administrative API, which helps to streamline automation efforts.
Customer IAM
Registration workflow
Customers can now introduce additional tasks into the registration flow; these tasks can be conditional, serial, or a mix of both. For example, you can configure the registration process to prompt the end-users for more information based on the initial data they provided (conditional), followed by an acceptance of the terms of service (serial). Because you capture the registration workflow in a policy fragment, the benefits of fragments apply as well. In other words, administrators can update the registration workflow without modifying the Local Identity Profile configuration.
Multiple auxiliary object classes
The Local Identity Profile configuration now supports multiple auxiliary object classes. This new capability addresses the needs of an administrator who wants to store the local identity field values in attributes that fall outside of the primary object class. For example, suppose you plan on using inetOrgPerson as the primary object class because it comes with a set of useful user attributes like givenName and mail. However, you also need to ask for and store the date of birth from your users. In this example, you can add naturalPerson as an auxiliary object class and store your users’ birthday information in dateOfBirth, an attribute from the naturalPerson auxiliary object class.
OAuth 2.0 Pushed Authorization Request
Version 10.2 adds support for the OAuth 2.0 Pushed Authorization Requests (PAR) draft specification. Customers can allow OAuth clients to send authorization request parameters directly to PingFederate. PAR maintains the privacy of authorization request data that would otherwise have been transmitted via the browser. Use cases where the OAuth client needs to send sensitive data in the authorization request will benefit from PAR. PAR is also becoming a requirement for some industry regulations. For instance, both Open Banking in the UK and the Consumer Data Right in Australia adopt this specification.
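The PAR exchange described above, modelled as an added example in Python (not PingFederate code): the client pushes its full authorization parameters to the server over a back channel, receives a short-lived single-use request_uri, and only client_id and request_uri travel through the browser. The endpoint URL, client identifier and request parameters are constructed for the example.

```python
"""Minimal model of the OAuth 2.0 Pushed Authorization Request (PAR) exchange."""
import secrets
import time
from urllib.parse import urlencode

# Constructed values for the example; the endpoint path is an assumption, not PingFederate's.
AUTHZ_ENDPOINT = "https://as.example.com/as/authorization.oauth2"
REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"


class ParServer:
    """Authorization-server side: stores pushed parameters and hands back a request_uri."""

    def __init__(self, lifetime_s=60, registered_clients=("demo-client",)):
        self.lifetime_s = lifetime_s
        self.registered_clients = set(registered_clients)
        self._store = {}  # request_uri -> (params, expiry timestamp)

    def push(self, client_id, params):
        # The client authenticates to the PAR endpoint; unknown clients, a nested
        # request_uri, or a client_id mismatch are rejected before anything is stored.
        if client_id not in self.registered_clients:
            raise PermissionError("unauthorized_client")
        if "request_uri" in params or params.get("client_id", client_id) != client_id:
            raise ValueError("invalid_request")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._store[request_uri] = (dict(params, client_id=client_id), time.time() + self.lifetime_s)
        return {"request_uri": request_uri, "expires_in": self.lifetime_s}

    def resolve(self, client_id, request_uri):
        # Called when the browser reaches the authorization endpoint: the request_uri is
        # single-use (popped), must not be expired, and must belong to the same client.
        entry = self._store.pop(request_uri, None)
        if entry is None:
            raise ValueError("invalid_request_uri")
        params, expiry = entry
        if time.time() > expiry or params["client_id"] != client_id:
            raise ValueError("invalid_request_uri")
        return params


def build_authorization_url(client_id, request_uri):
    """Client side: the front-channel redirect carries only client_id and request_uri."""
    return AUTHZ_ENDPOINT + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})
```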
Authentication policy for change password
The Change Password capability in the HTML Form Adapter provides a self-service solution for users who know their passwords and want to change them. When enabling this optional feature, administrators can now apply an authentication policy to it. Doing so allows our customers to enforce strong authentication requirements, such as multi-factor authentication through PingID, before letting their users change their passwords. This enhancement mirrors the capability that already exists for the Password Reset feature, a self-service solution to recover from a forgotten password. Administrators can reuse the same policy for both change password and password reset if that policy satisfies the security requirements.
Session revocation upon password update
Authentication sessions have been supported in PingFederate for several years now. Simply put, after a user signs on successfully, PingFederate can create a session for the user. When the user initiates subsequent sign-on requests, the user does not need to reauthenticate for some time. With version 10.2, administrators can optionally configure PingFederate to revoke the authentication sessions upon a password update. If enabled, when a user completes a change password or password reset flow successfully, PingFederate revokes the sessions associated with that user outside of the current browser. This new capability mitigates the risk associated with devices taken over by bad actors. While this capability is independent of the authentication policies for the change password and password reset features, together they provide strong protection against rogue devices.
Authentication API
The Authentication API now accepts the authentication and registration action values via the action query parameter in addition to the Content-Type HTTP request header. This added flexibility allows the API interactions to flow through networks that may interrupt requests with vendor-specific Content-Type header values. Using a query parameter, our customers can ensure that the authentication and registration events they need to deliver the desired end-user experience will complete no matter which networks these events may come through.
Cluster Node Authentication Selector
We enhanced the Cluster Node Authentication Selector with an additional result-matching option. Previously, an administrator could create one policy path for each configured selector result value. With PingFederate 10.2, an administrator can optionally create a No Match policy path for the scenario where the index or tag does not match any configured selector results.
Extended Property Authentication Selector
We also applied the No Match result-matching capability to the Extended Property Authentication Selector. An administrator can optionally branch a policy path for the scenario where the invoking client or connection is not populated with the extended property value that matches the expected selector results. Furthermore, administrators may configure this selector to perform case-insensitive matching.
Bundled integration kits
We have added more integration kits to our product distribution for the following integration scenarios:
  • Attribute lookups from PingOne
  • Credential validations against PingOne
  • Provisioning identities into PingOne
  • Integrations through the Reference ID IdP or SP Adapter from the Agentless Integration Kit
  • Authentication via client certificate through the X.509 Certificate IdP Adapter
These additions eliminate the need to download and install them separately.
Upgrade of bundled kits
We have also enhanced the Upgrade Utility to handle various upgrade scenarios in the area of bundled kits. For instance, administrators can select the kits that the Upgrade Utility should not upgrade because they prefer to upgrade them manually later. Additionally, when the Upgrade Utility detects that the source installation already contains a newer version of a kit, it retains the more recent version in the target installation. These improvements reduce the time and effort required to keep the bundled integration kits up-to-date.
Administrative API enhancement
PingFederate 10.2 extends the administrative API with /pingOneForEnterprise to manage the connectivity between PingOne for Enterprise and PingFederate.
Other improvements
  • Adds an optional OAuth client setting to set the per-client Default Access Token Manager to be the only access token manager that PingFederate can use to issue access tokens.
  • Introduces an indicator to determine whether users have already been authenticated in the Incoming User Mapping configuration in authentication policies.
  • Adds AES-GCM algorithms for SAML 2.0 XML encryption.
  • Introduces an option to always sign SAML artifact responses.
  • Preserves the incoming authentication response received via an IdP connection deployed in an authentication policy and makes it available to downstream sources as the value of the #FederationHubIncomingAuthnResponse variable.
  • Returns HTTP 400 to OAuth clients when those clients include an nbf value equal to or greater than 60 minutes in their CIBA requests, per the Financial-Grade API specification from OpenID Foundation (openid.net/specs/openid-financial-api-ciba-wd-02.html#authorization-server).
  • Separates the Forgot Username endpoint from the Account Recovery endpoint; the new dedicated Forgot Username endpoint is /ext/idrecovery/Recover.
  • Rejects any signed request object's JWT that lasts over 720 minutes by validating the JWT's exp claim. You can change that default value in <pf_install>/pingfederate/server/default/data/config-store/jwt-request-object-options.xml.
  • We also updated the following bundled components and third-party dependencies:
    • Jackson Databind
    • OpenToken Adapter 2.6.2
    • PingID IdP Adapter 2.8 and PingID RADIUS PCV 2.6
    • Spring Framework 4.3.29
    • UnboundID LDAP SDK 4.0.13

Resolved issues

Ticket ID Description
PF-22478 For metadata update email notifications, changes to single logout (SLO) endpoints are now only included if an SLO profile is enabled on the connection. For IdP connections, changes to single sign-on (SSO) endpoints are only included if SP-initiated SSO is enabled on the connection. Each change item in the email now also includes the endpoint type (SSO or SLO).
PF-22762 Resolved an issue that occurred when a user's password had expired, and they tried to authenticate with the HTML Form adapter and PingDirectory. Now if the user enters an invalid password, PingFederate no longer redirects them to the Change Password form. Administrators using PingDirectory 8.2 or later can now control this behavior with the return-password-expiration-controls setting in the PingDirectory password policy.
PF-25532 Case sensitivity for adapter and selector IDs is now enforced when using the authentication policy API.
PF-25865 PingFederate now returns a 404 Not Found code when calling the Federation Metadata endpoint with a PartnerSpId that is not found in the system.
PF-26498 Resolved an issue with administrator session timeout when using single login mode for the administrative console.
PF-26590 Resolved an issue causing AuthN Context Selector to add or update both "No Match" and "Not in Request" as the authentication context in some cases.
PF-27067 Resolved an issue causing the HTML Form Adapter not to display the custom template that is supposed to be displayed when a user clicks Cancel during the password reset flow.
PF-27077 Resolved an issue preventing the configurations for OAuth clients created by Dynamic Client Registration from being updated after PingFederate was upgraded. An error was displayed stating, "An updated client secret is required because one of the chosen algorithms relies on a shared symmetric secret."
PF-27105 When FIPS-approved mode is in use, HMACSHA256 is now used rather than HMACSHA1.
PF-27340 Resolved an issue where extended properties were not available when mapping token exchange attributes to access token manager attributes.
PF-27363 When a domain name starts with http(s)://pingfederate…, the base URL now redirects correctly rather than being set to an empty string. This issue only affected the administrative console.
PF-27468 During change password, the HTML Form Adapter now displays the configured error template upon encountering an unhandled generic exception. Previously, PingFederate handled the PasswordCredentialValidatorAuthnException and used to render a blank page for any other exceptions.
PF-27487 Problems with the PingDirectory schema are now logged at the ERROR level rather than at the DEBUG level.
PF-27561 The urn:ietf:params:oauth:grant-type:token-exchange grant type is now included as a supported grant type in the .well-known/openid-configuration endpoint.
PF-27739 White spaces that are accidentally added by copying a one-time password from an email are now removed, allowing the password reset to function correctly.
PF-27908 When using HSM hybrid mode with Thales Luna Network HSM, PingFederate allows users to select between HSM and the local trust store when importing .p12 keypairs. The keypairs are now correctly saved to HSM or the local trust store based on the user’s selection. Previously, they were only saved to the local trust store.