PingFederate 10.2 provides the following enhancements and resolved issues.
Enhancements
- PingOne integration
- We simplified the steps to establish trust with PingOne and provide intuitive user interfaces to manage this trust. With PingFederate 10.2, customers can create a connection between PingOne and PingFederate once and apply this trust model when adopting PingOne services, like PingOne MFA and PingOne Risk.
- Reusable policy fragments
- Administrators can now create reusable policy fragments and apply them in multiple authentication policies. This reusability eases policy management and scalability. For example, you can create a reusable policy fragment with policy components that you frequently use and apply that fragment in multiple policies. When the authentication requirements need adjustments, you can make those changes in the fragment without updating the policies that reference it. Furthermore, you can manage fragments individually through the administrative API, which helps to streamline automation efforts.
- Customer IAM
- Registration workflow
- Customers can now introduce additional tasks into the registration flow; these tasks can be conditional, serial, or a mix of both. For example, you can configure the registration process to prompt the end-users for more information based on the initial data they provided (conditional), followed by an acceptance of the terms of service (serial). Because you capture the registration workflow in a policy fragment, the benefits of fragments apply as well. In other words, administrators can update the registration workflow without modifying the Local Identity Profile configuration.
- Multiple auxiliary object classes
- The Local Identity Profile configuration now supports multiple auxiliary object classes. This new capability addresses the needs of an administrator who wants to store the local identity field values in attributes that fall outside of the primary object class. For example, suppose you plan on using inetOrgPerson as the primary object class because it comes with a set of useful user attributes like givenName and mail. However, you also need to ask for and store the date of birth from your users. In this example, you can add naturalPerson as an auxiliary object class and store your users' birthday information in dateOfBirth, an attribute from the naturalPerson auxiliary object class.
- OAuth 2.0 Pushed Authorization Request
- Version 10.2 adds support for the OAuth 2.0 Pushed Authorization Requests (PAR) draft specification. Customers can allow OAuth clients to push authorization request parameters directly to PingFederate over an authenticated back-channel request and then reference them from the browser with a short-lived request_uri, instead of placing them in the front-channel authorization URL. This keeps authorization request data private that would otherwise have been exposed to the browser, proxies and logs, and it lets PingFederate validate the request before the user is redirected. Use cases where the OAuth client needs to send sensitive data in the authorization request benefit from PAR. PAR is also becoming a requirement for some industry regulations. For instance, both Open Banking in the UK and the Consumer Data Right in Australia adopt this specification.
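The exchange described above, as an added illustration that is not PingFederate's code: an in-memory model of the authorization server's PAR endpoint (accept pushed parameters from an authenticated client, mint a one-time request_uri with an expiry) together with the lookup the authorization endpoint performs, and the client-side URL that is the only thing the browser ever carries. The endpoint paths, client IDs and scopes are placeholders; the checks follow the PAR draft (later RFC 9126): the PAR endpoint rejects a request_uri parameter, the request_uri is bound to the pushing client, expires, and is usable once.

```python
"""Pushed Authorization Requests, both sides, in memory (added illustration, not PingFederate code)."""
import secrets
import time
from urllib.parse import urlencode

REQUEST_URI_PREFIX = "urn:ietf:params:oauth:request_uri:"
# Minimum set of parameters an authorization request must carry to be pushed (assumption for the demo).
REQUIRED = ("response_type", "client_id", "redirect_uri")


class ParError(Exception):
    """Maps onto an OAuth error response (error code plus description)."""

    def __init__(self, error, description):
        super().__init__(f"{error}: {description}")
        self.error = error


class PushedAuthorizationStore:
    """Authorization-server side: the PAR endpoint and the lookup the authorize endpoint does."""

    def __init__(self, ttl_seconds=60):
        self.ttl = ttl_seconds
        self._pending = {}  # request_uri -> (client_id, params, expires_at)

    def push(self, authenticated_client_id, params, now=None):
        """Handle a POST to the PAR endpoint from a client that has already authenticated."""
        now = time.time() if now is None else now
        if "request_uri" in params:
            raise ParError("invalid_request", "request_uri is not allowed at the PAR endpoint")
        missing = [p for p in REQUIRED if p not in params]
        if missing:
            raise ParError("invalid_request", "missing " + ",".join(missing))
        if params["client_id"] != authenticated_client_id:
            raise ParError("invalid_request", "client_id does not match the authenticated client")
        request_uri = REQUEST_URI_PREFIX + secrets.token_urlsafe(32)
        self._pending[request_uri] = (authenticated_client_id, dict(params), now + self.ttl)
        return {"request_uri": request_uri, "expires_in": self.ttl}

    def consume(self, client_id, request_uri, now=None):
        """Resolve the request_uri presented at the authorize endpoint; one-time use."""
        now = time.time() if now is None else now
        entry = self._pending.pop(request_uri, None)  # pop: a replayed request_uri fails
        if entry is None:
            raise ParError("invalid_request", "unknown or already used request_uri")
        owner, params, expires_at = entry
        if owner != client_id:
            raise ParError("invalid_request", "request_uri was pushed by a different client")
        if now >= expires_at:
            raise ParError("invalid_request", "request_uri has expired")
        return params


def build_authorize_url(authorize_endpoint, client_id, request_uri):
    """Client side: the front-channel URL carries only client_id and the opaque reference."""
    return authorize_endpoint + "?" + urlencode({"client_id": client_id, "request_uri": request_uri})


def error_of(call):
    """Return the OAuth error code a callable raises, or None (helper for checks)."""
    try:
        call()
    except ParError as exc:
        return exc.error
    return None


if __name__ == "__main__":
    store = PushedAuthorizationStore()
    pushed = store.push("acme-app", {"response_type": "code", "client_id": "acme-app",
                                     "redirect_uri": "https://app.example/cb",
                                     "scope": "openid accounts", "state": "s-1"})
    print(build_authorize_url("https://sso.example/as/authorization.oauth2", "acme-app", pushed["request_uri"]))
```

Note that scope, state and any sensitive parameters never appear in the browser URL; only the opaque request_uri does, and it is useless to anyone but the client that pushed it, within its short lifetime, once.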
- Authentication policy for change password
- The Change Password capability in the HTML Form Adapter provides a self-service solution for users who know their passwords and want to change them. When enabling this optional feature, administrators can now apply an authentication policy to it. Doing so allows our customers to enforce strong authentication requirements, such as multi-factor authentication through PingID, before letting their users change their passwords. This parallels the policy support that already exists for the Password Reset capability, the self-service solution for the forgotten-password problem. Administrators can reuse the same policy for both change password and password reset if that policy satisfies the security requirements of both flows.
- Session revocation upon password update
- Authentication sessions have been supported in PingFederate for several years. After a user signs on successfully, PingFederate can create a session for the user so that subsequent sign-on requests do not require reauthentication for some time. With version 10.2, administrators can optionally configure PingFederate to revoke authentication sessions upon a password update. If enabled, when a user completes a change password or password reset flow successfully, PingFederate revokes the sessions associated with that user other than the one in the current browser. This mitigates the risk from devices taken over by bad actors: a session established on a compromised device does not survive the password change. This capability is independent of the authentication policies for change password and password reset, but together they provide strong protection against rogue devices.
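The behaviour described above, as an added illustration (not PingFederate's implementation): a session store that records, on each session, the user's password generation at issue time. A password change bumps the generation, which invalidates every session issued before it, and re-stamps only the session that performed the change so that browser stays signed on. The generation check also catches a stale session that escaped deletion, for example one held on a node whose copy of the store was not yet updated. Session IDs, lifetimes and user names are placeholders.

```python
"""Revoke a user's other sessions on password change (added illustration, not PingFederate code)."""
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    pw_generation: int   # user's password generation when this session was issued
    expires_at: float


class SessionStore:
    def __init__(self, lifetime_seconds=8 * 3600):
        self.lifetime = lifetime_seconds
        self._sessions = {}       # session_id -> Session
        self._pw_generation = {}  # user -> int, incremented on every password change or reset

    def create(self, user, now=None):
        """Issue a new authentication session after a successful sign-on."""
        now = time.time() if now is None else now
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user, self._pw_generation.get(user, 0), now + self.lifetime)
        return session_id

    def is_valid(self, session_id, now=None):
        """A session is valid only if it is known, unexpired and issued after the last password change."""
        now = time.time() if now is None else now
        session = self._sessions.get(session_id)
        if session is None or now >= session.expires_at:
            return False
        return session.pw_generation == self._pw_generation.get(session.user, 0)

    def on_password_changed(self, user, current_session_id=None):
        """Called when a change password or password reset flow completes.

        Revokes every session of `user` except `current_session_id` (the browser that made the
        change). Pass None for a reset flow that has no signed-on session; then all are revoked.
        Returns the number of sessions revoked.
        """
        generation = self._pw_generation.get(user, 0) + 1
        self._pw_generation[user] = generation
        revoked = 0
        for session_id, session in list(self._sessions.items()):
            if session.user != user:
                continue
            if session_id == current_session_id:
                session.pw_generation = generation  # keep the current browser signed on
            else:
                del self._sessions[session_id]
                revoked += 1
        return revoked


if __name__ == "__main__":
    store = SessionStore()
    laptop = store.create("alice")
    stolen_phone = store.create("alice")
    print("revoked:", store.on_password_changed("alice", current_session_id=laptop))
    print("laptop still valid:", store.is_valid(laptop), "phone valid:", store.is_valid(stolen_phone))
```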
- Authentication API
- The Authentication API now accepts the authentication and registration action values via the action query parameter in addition to the Content-Type HTTP request header. This added flexibility allows the API interactions to flow through networks that may interrupt requests with vendor-specific Content-Type header values. Using a query parameter, our customers can ensure that the authentication and registration events they need to deliver the desired end-user experience will complete no matter which networks these events may come through.
- Cluster Node Authentication Selector
- We enhanced the Cluster Node Authentication Selector with an additional result-matching option. Previously, an administrator could create one policy path for each configured selector result value. With PingFederate 10.2, an administrator can optionally create a No Match policy path for the scenario where the index or tag does not match any configured selector results.
- Extended Property Authentication Selector
- We also applied the No Match result-matching capability to the Extended Property Authentication Selector. An administrator can optionally branch a policy path for the scenario where the invoking client or connection is not populated with the extended property value that matches the expected selector results. Furthermore, administrators may configure this selector to perform case-insensitive matching.
- Bundled integration kits
- We have added more integration kits to our product distribution for the following integration scenarios:
- Attribute lookups from PingOne
- Credential validations against PingOne
- Provisioning identities into PingOne
- Integrations through the Reference ID IdP or SP Adapter from the Agentless Integration Kit
- Authentication via client certificate through the X.509 Certificate IdP Adapter
- Upgrade of bundled kits
- We have also enhanced the Upgrade Utility to handle various upgrade scenarios in the area of bundled kits. For instance, administrators can select the kits that Upgrade Utility should not upgrade because they prefer to upgrade them manually later. Additionally, when the Upgrade Utility detects that the source installation already contains a newer version of a kit, it retains the more recent version in the target installation. These improvements reduce the time and effort required to keep the bundled integration kits up-to-date.
- Administrative API enhancement
- PingFederate 10.2 extends the administrative API with /pingOneForEnterprise to manage the connectivity between PingOne for Enterprise and PingFederate.
- Other improvements
- Adds an optional OAuth client setting to set the per-client Default Access Token Manager to be the only access token manager that PingFederate can use to issue access tokens.
- Introduces an indicator to determine whether users have already been authenticated in the Incoming User Mapping configuration in authentication policies.
- Adds AES-GCM algorithms for SAML 2.0 XML encryption.
- Introduces an option to always sign SAML artifact responses.
- Preserves the incoming authentication response received via an IdP connection deployed in an authentication policy and makes it available to downstream sources as the value of the #FederationHubIncomingAuthnResponse variable.
- Returns HTTP 400 to OAuth clients when those clients include an nbf value equal to or greater than 60 minutes in their CIBA requests, per the Financial-Grade API specification from the OpenID Foundation (openid.net/specs/openid-financial-api-ciba-wd-02.html#authorization-server).
- Separates the Forgot Username endpoint from the Account Recovery endpoint; the new dedicated Forgot Username endpoint is /ext/idrecovery/Recover.
- Rejects any signed request object's JWT that lasts over 720 minutes by validating the JWT's exp claim. You can change that default value in <pf_install>/pingfederate/server/default/data/config-store/jwt-request-object-options.xml.
- We also updated the following bundled components and third-party dependencies:
- Jackson Databind 2.9.10.7
- OpenToken Adapter 2.6.2
- PingID IdP Adapter 2.8 and PingID RADIUS PCV 2.6
- Spring Framework 4.3.29
- UnboundID LDAP SDK 4.0.13
Resolved issues
Ticket ID | Description |
---|---|
PF-22478 | For metadata update email notifications, changes to single logout (SLO) endpoints are now only included if an SLO profile is enabled on the connection. For IdP connections, changes to single sign-on (SSO) endpoints are only included if SP-initiated SSO is enabled on the connection. Each change item in the email now also includes the endpoint type (SSO or SLO). |
PF-22762 | Resolved an issue that occurred when a user's password had expired, and they tried to authenticate with the HTML Form adapter and PingDirectory. Now if the user enters an invalid password, PingFederate no longer redirects them to the Change Password form. Administrators using PingDirectory 8.2 or later can now control this behavior with the return-password-expiration-controls setting in the PingDirectory password policy. |
PF-25532 | Case sensitivity for adapter and selector IDs is now enforced when using the authentication policy API. |
PF-25865 | PingFederate now returns a 404 Not Found code when calling the Federation Metadata endpoint with a PartnerSpId that is not found in the system. |
PF-26498 | Resolved an issue with administrator session timeout when using single login mode for administrative console. |
PF-26590 | Resolved an issue causing AuthN Context Selector to add or update both "No Match" and "Not in Request" as the authentication context in some cases. |
PF-27067 | Resolved an issue causing the HTML Form Adapter not to display the custom template that is supposed to be displayed when a user clicks Cancel during the password reset flow. |
PF-27077 | Resolved an issue preventing the configurations for OAuth clients created by Dynamic Client Registration to be updated after PingFederate was upgraded. An error was displayed stating, "An updated client secret is required because one of the chosen algorithms relies on a shared symmetric secret." |
PF-27105 | When FIPS approved mode is being used, HMACSHA256 will now be used rather than HMACSHA1. |
PF-27340 | Resolved an issue where extended properties were not available when mapping token exchange attributes to access token manager attributes. |
PF-27363 | When a domain name starts with http(s)://pingfederate…, the base URL is now redirecting correctly rather than being set to an empty string. This issue only affected the administrative console. |
PF-27468 | During change password, the HTML Form Adapter now displays the configured error template upon encountering an unhandled generic exception. Previously, PingFederate handled the PasswordCredentialValidatorAuthnException and rendered a blank page for any other exception. |
PF-27487 | Problems with the PingDirectory schema are now logged at the ERROR level rather than at the DEBUG level. |
PF-27561 | The urn:ietf:params:oauth:grant-type:token-exchange grant type is now included as a supported grant type in the .well-known/openid-configuration endpoint. |
PF-27739 | White spaces that are accidentally added by copying a one-time password from an email are now removed, allowing the password reset to function correctly. |
PF-27908 | When using HSM hybrid mode with Thales Luna Network HSM, PingFederate allows users to select between HSM and the local trust store when importing .p12 keypairs. The keypairs are now correctly saved to HSM or the local trust store based on the user’s selection. Previously, they were only saved to the local trust store. |