Known issues

Administrative API
/sp/idpConnections
For IdP connections, the administrative API connection support is limited to Browser SSO, WS-Trust STS, and OAuth Assertion Grant connections. As a result, when updating an IdP connection using the administrative API, it is possible to lose inbound provisioning settings previously configured using the administrative console.
/bulk
Only resource types currently supported by the administrative API are included in the exported data. Resources not yet supported include:
  • Identity Store Provisioners
  • Inbound provisioning settings from IdP connections
  • SMS Provider settings
  • WS-Trust STS settings

Known limitations

Updating Java 8 to 11
Updating Java version 8 to version 11 results in an error when PingFederate is already installed and running. To work around this issue, uninstall and reinstall the PingFederate Windows service by running the UninstallPingFederateService.bat and InstallPingFederateService.bat files located in <pf_install>/pingfederate/sbin/wrapper.
Administrative console and administrative API
  • Previously, the administrative API did not accurately reflect a Persistent Grant Max Lifetime setting of 29 days (or shorter) with the selection of the Grants Do Not Timeout Due To Inactivity option. As a result, if you have configured such OAuth authorization server settings and have generated a bulk export in version 10.0 through 10.0.2, we recommend that you re-generate a new bulk export after upgrading to version 10.0.3 (or a more recent version). The newly exported data does not contain the aforementioned flaw, and you can safely import it to version 10.0.3 (or a more recent version).
  • When enabling mutual TLS certificate-based authentication, administrators often configure a list of acceptable client certificate issuers. When an administrator uses a browser to access the console or the administrative API documentation, PingFederate returns to the browser the list of acceptable issuers as part of the TLS handshake. If the browser's client certificate store contains multiple client certificates, the browser often presents to the user only the certificates whose issuer matches one of the acceptable issuers. However, when PingFederate runs in a Java 11 environment, Chrome presents to the administrator all its configured client certificates, regardless of whether the issuer matches one of the acceptable issuers or not.
  • Prior to toggling the status of a connection with the administrative API, an administrator must ensure that any expired certificates or no longer available attributes are replaced with valid certificates or attributes; otherwise, the update request fails.
  • When creating or updating a child instance of a hierarchical plugin, the administrative API retains objects with an "inherited": false name/value pair (or without such name/value pair altogether), ignores those with a value of true, and returns a 200 HTTP status code. No error messages are returned for the ignored objects.
  • Using the browser's navigation mechanisms (for example, the Back button) causes inconsistent behavior in the administrative console. Use the navigation buttons provided at the bottom of windows in the PingFederate console.
  • If authenticated to the PingFederate administrative console using certificate authentication, a session that has timed out might not appear to behave as expected. Normally (when using password authentication), when a session has timed out and a user attempts some action in the console, the browser is redirected to the login page, and then back to the administrative console once authentication is complete. Similar behavior applies for certificate authentication, in principle. However, because the browser might automatically resubmit the certificate for authentication, the browser might redirect to the administrative console and not the login page.
Hardware security modules (HSM)
  • PingFederate must be deployed with Oracle Server JRE (Java SE Runtime Environment) 8, or Amazon Corretto 8.
  • When using PingFederate with an HSM from Thales or Entrust, it is not possible to use an elliptic curve (EC) certificate as an SSL server certificate.
  • When using PingFederate with an HSM from Thales, it is not possible to generate a self-signed elliptic curve (EC) certificate.
  • When using PingFederate with an HSM from Thales, it is not possible to use an elliptic curve (EC) certificate as a signing certificate.
SSO and SLO
  • When consuming SAML metadata, PingFederate does not report an error when neither the validUntil nor the cacheDuration attribute is included in the metadata. Note that PingFederate does reject expired SAML metadata as indicated by the validUntil attribute value, if it is provided.
  • The anchored-certificate trust model cannot be used with the SLO redirect binding because the certificate cannot be included with the logout request.
  • If an IdP connection is configured for multiple virtual server IDs, PingFederate will always use the default virtual server ID for IdP Discovery during an SP-initiated SSO event.
Composite Adapter configuration
  • SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.
Self-service password reset
Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.
OAuth
PingFederate does not support case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.
It is worth noting that while it is possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage (if implemented), we recommend not doing so to avoid potential record migration issues.
Customer identity and access management
Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.
Provisioning
  • LDAP referrals return an error and cause provisioning to fail if the user or group objects are defined at the DC level, and not within an OU or within the Users CN.
  • The totalResults value in SCIM responses indicates the number of results returned in the current response, not the total number of estimated results on the LDAP server.
Logging
If a source attribute has been configured for masking in an IdP adapter or IdP connection and the source attribute is mapped to OAuth's persistent grant USER_KEY attribute, the USER_KEY attribute will not be masked in the server logs. Other persistent grant attributes will be masked.
Even if a source attribute has been configured for masking in an IdP adapter and the source attribute is mapped as the adapter's unique user key, the user key attribute is not masked in the server or audit logs.
Database logging
If PingFederate cannot establish a Java Database Connectivity (JDBC) connection at startup, PingFederate will continue to write log messages to the failover log file, despite the failover and resume configuration. When the JDBC connectivity issue is resolved, restart PingFederate. On restart, PingFederate will start writing log messages to the database.
If PingFederate is able to establish a JDBC connection at startup, PingFederate will be able to write log messages to the failover log when it encounters a JDBC connectivity issue and resume writing log messages to the database when it re-establishes the JDBC connection.
RADIUS NAS-IP-Address
The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.
Configcopy
Note:

As of PingFederate 10.2, the configcopy tool has been deprecated and will be removed in a future release.

  • When the configcopy tool is used to copy all connections, channels, data sources, adapters, or token translators, the overridden properties are applied to all instances. Proceed cautiously when applying overrides for copy-all operations.
  • The configcopy tool supports copying only a single reference for each of the following configuration items that are defined for a given connection: adapter, data source, Assertion Consumer Service URL, Single Logout Service URL, and Artifact Resolution Service URL. When multiple items are associated with a given connection, only the first reference to each is copied.
  • The configcopy tool does not support creation of configuration data that does not exist in the source. If an override parameter is set for a parameter that does not exist in the source configuration, the behavior of the target system is not guaranteed.
  • The configcopy tool, when used for copying plugin configurations (including adapters, token translators, and other data stores), does not currently support overrides of complex data structures, including tables, extended contract attributes, and masked fields.
  • When the configcopy tool is used to copy connection data, any SOAP Single logout (SLO) endpoints defined in the source are not copied to the target, even if the SOAP SLO endpoint is the only SLO endpoint defined at the source. These must be manually added to the target.
Microsoft Internet Explorer 11
The Dashboard > Cluster pane does not align the spokes of nodes in the center. Instead, it displays them left-aligned.
Apple Safari 14.0.1 and 14.0.2 on Mojave 10.14.6
During the initial setup of PingFederate after a fresh installation, the Choose File button on the License tab does not display the dialog that allows you to select a file.