PingFederate 10.3 provides the following enhancements and resolved issues.
Enhancements
- Customer IAM
  - Mandatory email ownership verification: Administrators now have the option to make email ownership verification a requirement in their customer IAM configurations. If configured, PingFederate prompts newly registered users to verify the email address they provided, and until the users complete the verification process, they cannot SSO to their target applications. This optional capability can improve the data quality of customer identities and unify the end-user experience of email ownership verification.
- Session Management API
  - Query and revoke by user identifiers: PingFederate 10.3 allows OAuth applications to query PingFederate authentication sessions based on user identifiers. When multiple session identifiers exist—a user has signed on using multiple browsers, for example—PingFederate groups session information by session identifier. Equipped with this information, applications can better understand the behavior of their users.
  - Delete individual session data: When responding to a query, the Session Management API groups session information per authentication source; each session data block comes with its own unique identifier. Version 10.3 allows OAuth applications to remove individual session data based on those unique identifiers. This enhancement allows applications to clean up after themselves without affecting other applications.
- OpenID Connect
  - Virtual issuers: Administrators can now define multiple virtual issuers for OpenID Connect. If configured, when minting ID tokens, PingFederate populates the issuer (iss) claim based on the Virtual Issuers configuration and the initial authorization request. If the relying parties use the private key JWT authentication scheme, the same configuration applies when validating the audience (aud) claim of the inbound JWTs.
  - ID token signing keys: PingFederate 10.3 allows administrators to create multiple ID token signing key sets, each associated with one or more virtual issuers. When minting an ID token, PingFederate signs it with a key from the applicable key set, selected based on the Token Signing Keys configuration, the Virtual Issuers configuration, and the destination of the initial authorization request.
- Bundled integration kits: We have added more integration kits to our product distribution for the following scenarios:
  - Identity risk scoring (PingOne Protect)
  - Multi-factor authentication (PingOne MFA)
- Security Enhancements
  - Bouncy Castle FIPS Provider: PingFederate 10.3 now includes the Bouncy Castle FIPS (BCFIPS) Provider as part of the installation. As needed, customers can operate PingFederate using only FIPS-approved algorithms that satisfy cryptography-related FedRAMP data processing controls.
  - PKCE relying party support: Both IdP connections using the OpenID Connect protocol and the SSO-via-OpenID Connect authentication scheme for the administrative console now support the Proof Key for Code Exchange (PKCE) open standard (RFC 7636). This enhancement helps mitigate the authorization code interception attack.
- Other improvements
  - The character set used by the Email One-Time Password option, part of the self-service password reset (SSPR) configuration, is now customizable.
  - Email templates are now configurable per HTML Form Adapter instance.
  - Password management and username recovery HTML templates now come with additional variables, such as $adapterId and $client_id, for maximum flexibility in customization and branding.
  - In the context of OIDC authentication for the administrative console, the domain portion of the redirect URL that PingFederate sends to an OpenID Provider is now customizable through a new setting (pf.admin.baseurl) in the run.properties file. This is most suitable for environments where the network device—a reverse proxy server or a load balancer—fronting the console uses a different hostname, port number, or both.
  - The PingFederate SDK now supports custom storage for persistent authentication sessions. Look for the SessionStorageManager interface in our SDK documentation for more information.
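As an added illustration of the PKCE mitigation noted under Security Enhancements (example code written here, not PingFederate's implementation), the following shows what a relying party derives for the authorization request and what an authorization server checks at the token endpoint per RFC 7636; all function names are assumptions, and the sample values are the RFC 7636 Appendix B test vector.

```python
"""PKCE (RFC 7636) verifier/challenge handling: relying-party side and
authorization-server side. Added example, not PingFederate code."""
import base64
import hashlib
import hmac
import re
import secrets

# Unreserved characters permitted in a code_verifier (RFC 7636 section 4.1).
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def b64url_nopad(data: bytes) -> str:
    """base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Relying party: high-entropy secret kept until the token request.
    32 random bytes encode to 43 characters, the RFC minimum length."""
    return b64url_nopad(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Relying party: S256 challenge sent with the authorization request
    (code_challenge=..., code_challenge_method=S256)."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, presented_verifier: str,
                method: str = "S256") -> bool:
    """Authorization server: the challenge was stored with the authorization
    code when it was issued; the verifier arrives with the token request.
    An attacker who only intercepted the code cannot produce the verifier."""
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    if method == "S256":
        expected = make_code_challenge(presented_verifier)
    elif method == "plain":  # allowed by the RFC but weaker; S256 preferred
        expected = presented_verifier
    else:
        return False
    # Constant-time comparison avoids leaking the stored challenge.
    return hmac.compare_digest(expected, stored_challenge)


if __name__ == "__main__":
    v = make_code_verifier()
    c = make_code_challenge(v)
    print("verifier:", v, "\nchallenge:", c, "\nvalid:", verify_pkce(c, v))
```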
Resolved issues
Ticket ID | Description |
---|---|
PF-24719 | The $CurrentPingFedBaseURL variable in the HTML error page template is now correctly set with the virtual hostname. |
PF-24720 | Resolved an issue where email templates did not use virtual hostnames specified in the request. |
PF-26977 | The PingFederate Authentication API now supports external password management. A new state has been added to the SDK that can be used by adapters that support redirection to an external password management system. |
PF-27822 | When PingFederate cannot connect to the Google reCAPTCHA verify service, a debug message is now logged containing the verify service URL. |
PF-27918 | A reflected cross-site scripting (XSS) issue in the registration functionality of Local Identity Profiles has been resolved. |
PF-27946 | Increased the security around the Forgot Username functionality in the HTML Form Adapter. |
PF-28136 | Client JWT Authentication now returns a 400 response code when the sub claim in the client assertion is unknown. |
PF-28204 | Resolved a problem causing RSASSA-PSS signing algorithms to fail for HSM providers using Java 8u261 or later. |
PF-28233 | Resolved an issue causing the administrative console to become locked during concurrent console requests involving data sources and plugins. |
PF-28254 | Dynamic Client Registration Management (DCRM) now handles the context path for the registration_client_uri attribute correctly. |
PF-28312 | Resolved a problem causing provisioning to fail when querying timestamps in PingDirectory. |
PF-28315 | Resolved an issue causing null attributes to result in an UnsupportedOperationException in the UserInfo endpoint. |
PF-28331 | Fixed Authentication API error messages for certain Local Identity Profile registration flows when an account has already been linked. |
PF-28350 | Using the administrative API to import an adapter that uses a datasource no longer throws a validation error when X-BypassExternalValidation is set to true. |
PF-28351 | Resolved an issue that prevented PingFederate from starting up post-upgrade when a connection-based override existed for a Reference ID adapter instance. |
PF-28459 | Twilio exceptions detected by PingFederate when it tries to send an SMS using the Twilio service are now logged accurately rather than erroneously indicating the SMS was sent successfully. |
PF-28466 | When /idp/userinfo.openid is called with an invalid access token, the endpoint now returns the correct error response in JSON format, and audit.log records a failure status. |
PF-28477 | Resolved a problem causing provisioning to fail when the timestamp attribute had a null value. |
PF-28478 | Removed an erroneous warning message that was logged after upgrading Java runtime. |
PF-28503 | Resolved a problem causing a scheduled metadata update not to finish downloading from an external URL. |
PF-28678 | Resolved a problem causing a dependency error to display erroneously when Save was clicked on the IdP Adapter page. |
PF-28687 | Resolved a problem where changes made to the datastore configurations used for OAuth grants did not take effect until restart. |
PF-28691 | Resolved a problem where configuration data could be corrupted in a PingFederate cluster by the replication of partially modified files. This could occur if a configuration change was made through the administrative console or API while replication was in progress. |
PF-28720 | PasswordValidationException is now logged at DEBUG level rather than WARN level. |
PF-28766 | jQuery has been updated to 3.5.1.min.js. |
PF-28781 | Updated PingFederate's mechanism for determining whether to display the current password field in profile management to a more secure alternative. |
PF-28807 | Resolved a problem causing an OAuth refresh grant request to fail if the request issued a refresh token alongside the access token. This was occurring when PingFederate was configured to use external consent management. |
PF-28813 | Resolved a problem causing OpenID Connect’s ui_locales parameter not to enforce the specified language on the Forgot Password (or any SSPR) page. On those pages, the language would default back to the default setting. |
PF-28825 | Resolved a problem causing PingFederate to send a request security token response (RSTR) without the actual security token to Microsoft Office 365 when WS-Trust 1.3 was in use. |
PF-28832 | Resolved a problem that occurred when a user attempted logging in using the HTML Form Adapter after an administrator had reset their password through PingDirectory. PingFederate redirected the user to the Change Password form without verifying their credentials. The current password was, however, validated at the Change Password form. Now if the user enters an invalid password, PingFederate does not redirect them to the Change Password form. |
PF-28845 | The java.security.krb5.conf property is no longer set automatically unless one or more Kerberos realms is defined. This ensures that the system-wide krb5.conf will take effect if Kerberos realms are not managed within PingFederate. |
PF-28846 | Enhanced security by no longer allowing the PingFederate web service to serve the files contained in <pf_install>/pingfederate/server/default/conf/template. |
PF-28885 | Enhanced security by adding HTML output escaping to the OAuth Default Scope Description. |
PF-28915 | Resolved an issue where username was listed as "unknown" in the admin-api.log file when using certificate authentication for Administrative API. |
PF-29026 | Resolved a problem causing every authentication selector and authentication policy to be validated when a user navigated to the cluster replication page from the selector page. The validation now runs only when a specific selector is saved. |