Customer IAM
Mandatory email ownership verification
Administrators now have the option to make email ownership verification a requirement in their customer IAM configurations. If configured, PingFederate prompts newly registered users to verify the email address they provided; until they complete the verification process, they cannot SSO to their target applications. This optional capability can improve the data quality of customer identities and unify the end-user experience of the email ownership verification process.
Session Management API
Query and revoke by user identifiers
PingFederate 10.3 allows OAuth applications to query PingFederate authentication sessions based on user identifiers. When multiple session identifiers exist—a user has signed on using multiple browsers, for example—PingFederate groups session information by session identifiers. Equipped with this information, applications can better understand the behavior of their users.
Version 10.3 also allows OAuth applications to revoke all sessions associated with a given user. This bulk revocation capability provides an easy way to close server-side authentication sessions on a per-user basis, perhaps because of changes in employment conditions or security concerns as a result of compromised credentials. This new capability can improve access security because once revoked and without valid credentials, such end-users will not be able to fulfill authentication requirements and access protected resources.
Delete individual session data
When responding to a query, the Session Management API groups session information per authentication source; each session data block comes with its own unique identifier. Version 10.3 allows OAuth applications to remove individual session data based on those unique identifiers. This enhancement allows applications to clean up after themselves without affecting other applications.
OpenID Connect
Virtual issuers
Administrators can now define multiple virtual issuers for OpenID Connect. If configured, when minting ID tokens, PingFederate populates the issuer (iss) claim based on the Virtual Issuers configuration as well as the initial authorization requests. If the relying parties use the private key JWT authentication scheme, the same configurations apply when validating the audience (aud) claim from the inbound JWTs.
ID token signing keys
PingFederate 10.3 allows administrators to create multiple ID token signing key sets, each associated with one or more virtual issuers. When minting an ID token, PingFederate signs the ID token with a key from the applicable key set based on the Token Signing Keys configuration, the Virtual Issuers configuration, and the destination of the initial authorization request.
For customers who participate in Open Banking or need to maintain multiple brands, the Virtual Issuers and Token Signing Keys configurations eliminate the need for separate environments, thus significantly lowering the total cost of ownership.
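To show what the Virtual Issuers and Token Signing Keys configurations amount to at the token level, here is an added Python example written for this page (not PingFederate's code): an issuer-to-key-set map, a mint step that picks the key set from the issuer the request was sent to, and the relying-party validation that pins iss to the expected issuer before choosing a key and then checks aud and exp. The issuer URLs, kid values and keys are constructed, and HMAC (HS256) stands in for the asymmetric key sets a real deployment would use so that the block runs offline.

```python
"""Issuer-aware ID token minting and validation (constructed example, not PingFederate code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration: two virtual issuers, each bound to its own key set.
# Real deployments sign with asymmetric keys; HS256 keeps this example self-contained.
VIRTUAL_ISSUERS = {
    "https://brand-a.example.com": {"kid": "brand-a-2021", "key": b"constructed-secret-for-brand-a"},
    "https://brand-b.example.com": {"kid": "brand-b-2021", "key": b"constructed-secret-for-brand-b"},
}


def _b64url(raw: bytes) -> str:
    """BASE64URL without padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8"))


def mint_id_token(issuer: str, subject: str, client_id: str,
                  now: Optional[int] = None, lifetime: int = 300) -> str:
    """Authorization-server side: the virtual issuer the request was sent to decides
    both the iss claim and which key set signs the token."""
    if issuer not in VIRTUAL_ISSUERS:
        raise ValueError(f"unknown virtual issuer: {issuer}")
    keyset = VIRTUAL_ISSUERS[issuer]
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": keyset["kid"]}
    payload = {"iss": issuer, "sub": subject, "aud": client_id, "iat": now, "exp": now + lifetime}
    signing_input = _json_segment(header) + "." + _json_segment(payload)
    signature = hmac.new(keyset["key"], signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_id_token(token: str, expected_issuer: str, client_id: str,
                      now: Optional[int] = None) -> dict:
    """Relying-party side. The expected issuer is fixed by the client from the
    authorization request it sent; the key is then taken from that issuer's key set,
    never from an unverified kid alone, so a token minted for brand A cannot pass as brand B."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if expected_issuer not in VIRTUAL_ISSUERS or payload.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    keyset = VIRTUAL_ISSUERS[expected_issuer]
    if header.get("kid") != keyset["kid"]:
        raise ValueError("kid is not in the expected issuer's key set")
    expected_sig = hmac.new(keyset["key"], f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    aud = payload.get("aud")
    if not (aud == client_id or (isinstance(aud, list) and client_id in aud)):
        raise ValueError("audience mismatch")
    now = int(time.time()) if now is None else now
    if int(payload.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    token = mint_id_token("https://brand-a.example.com", "user-42", "client-123")
    print(validate_id_token(token, "https://brand-a.example.com", "client-123"))
```

The point of the validation order is that the relying party decides which issuer it expects from the request it made, and only then selects a key; selecting the key from the token's own iss or kid would let any configured issuer's key validate any token.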
Bundled integration kits
We have added more integration kits to our product distribution for the following scenarios:
  • Identity risk scoring (PingOne Protect)
  • Multi-factor authentication (PingOne MFA)
For more information, see Integration Directory.
Security Enhancements
Bouncy Castle FIPS Provider
PingFederate 10.3 now includes the Bouncy Castle FIPS (BCFIPS) Provider as part of the installation. As needed, customers can operate PingFederate using only FIPS-approved algorithms that satisfy cryptographic-related FedRAMP data processing controls.
PKCE relying party support
Both the IdP connections using the OpenID Connect protocol and the SSO-via-OpenID Connect authentication scheme for the administrative console now support the Proof Key for Code Exchange (PKCE) open standard (RFC7636). This enhancement helps mitigate the authorization code interception attack.
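As an added illustration of the RFC 7636 mechanism that this enhancement implements (example code written for this page, not PingFederate's own implementation), the following Python shows the client-side verifier and S256 challenge derivation and the authorization-server-side check that binds the authorization code to the client that requested it. The function names and the stand-in authorization code are assumptions; the test vector in the usage comment is the one from RFC 7636 Appendix B.

```python
"""Proof Key for Code Exchange (RFC 7636): client side and server side (added example)."""
import base64
import hashlib
import hmac
import secrets
import string

# Characters RFC 7636 section 4.1 permits in a code_verifier (the "unreserved" set).
_VERIFIER_ALPHABET = string.ascii_letters + string.digits + "-._~"


def _b64url_no_pad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def generate_code_verifier(length: int = 64) -> str:
    """Client side: high-entropy verifier of 43 to 128 unreserved characters."""
    if not 43 <= length <= 128:
        raise ValueError("code_verifier must be 43 to 128 characters long")
    return "".join(secrets.choice(_VERIFIER_ALPHABET) for _ in range(length))


def is_valid_verifier(verifier: str) -> bool:
    """Length and charset check the server applies before hashing anything."""
    return 43 <= len(verifier) <= 128 and all(c in _VERIFIER_ALPHABET for c in verifier)


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    RFC 7636 Appendix B: 'dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk'
    -> 'E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM'."""
    return _b64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_code_challenge(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Authorization-server side: compare the verifier presented at the token
    endpoint against the challenge stored with the authorization code."""
    if not is_valid_verifier(verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(verifier)
    elif method == "plain":
        expected = verifier  # allowed by the RFC, but gives no protection against code interception
    else:
        return False
    return hmac.compare_digest(expected.encode("ascii"), challenge.encode("ascii"))


def simulate_flow() -> dict:
    """Walk the exchange once. The verifier never travels in the front channel,
    so a code observed in the redirect cannot be redeemed without it."""
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)
    # The authorization request carries code_challenge and code_challenge_method=S256;
    # the server stores both beside the issued code (constructed stand-in record).
    stored = {"code": "constructed-authz-code", "code_challenge": challenge, "method": "S256"}
    legitimate = verify_code_challenge(verifier, stored["code_challenge"], stored["method"])
    # A token request that presents the code with some other verifier is rejected.
    without_verifier = verify_code_challenge(generate_code_verifier(), stored["code_challenge"],
                                             stored["method"])
    return {"legitimate_redeem": legitimate, "redeem_without_verifier": without_verifier}


if __name__ == "__main__":
    print(simulate_flow())
```

When PingFederate acts as the relying party in an IdP connection, it plays the client role here: it generates the verifier, sends only the challenge in the authorization request, and presents the verifier at the OpenID Provider's token endpoint.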
Other improvements
  • The character set used by the Email One-Time Password option, part of the self-service password reset (SSPR) configuration, is now customizable.
  • Email templates are now configurable per HTML Form Adapter instance.
  • Password management and username recovery HTML templates now come with additional variables, such as $adapterId and $client_id, for maximum flexibility in customization and branding.
  • In the context of OIDC authentication for the administrative console, the domain portion of the redirect URL that PingFederate sends to an OpenID Provider is now customizable through a new setting (pf.admin.baseurl) in the run.properties file, most suitable for environments where the network device—a reverse proxy server or a load balancer—fronting the console uses a different hostname, port number, or both.
  • The PingFederate SDK now supports custom storage for persistent authentication sessions. Look for the SessionStorageManager interface in our SDK documentation for more information.
We also updated the following bundled components and third-party dependencies:
  • Apache Commons BeanUtils 1.9.4
  • Apache JSP 8.5.54
  • Apache Taglibs 1.2.5
  • Jackson-Databind 2.11.4
  • Jetty 9.4.40.v20210413
  • jose4j 0.7.8
  • UnboundID LDAP SDK 5.1.3

Resolved issues

Ticket ID Description
PF-24719 The $CurrentPingFedBaseURL variable in the HTML error page template is now correctly set with the virtual hostname.
PF-24720 Resolved an issue where email templates did not use virtual hostnames specified in the request.
PF-26977 The PingFederate Authentication API now supports external password management. A new state has been added to the SDK that can be used by adapters that support redirection to an external password management system.
PF-27822 When PingFederate cannot connect to the Google reCAPTCHA verify service, a debug message is now logged containing the verify service URL.
PF-27918 A reflected cross-site scripting (XSS) issue in the registration functionality of Local Identity Profiles has been resolved.
PF-27946 Increased the security around the Forgot Username functionality in the HTML Form Adapter.
PF-28136 Client JWT Authentication now returns a 400 response code when the sub claim in the client assertion is unknown.
PF-28204 Resolved a problem causing RSASSA-PSS signing algorithms to fail for HSM providers using Java 8u261 or later.
PF-28233 Resolved an issue causing the administrative console to become locked during concurrent console requests involving data sources and plugins.
PF-28254 Dynamic Client Registration Management (DCRM) now handles the context path for the registration_client_uri attribute correctly.
PF-28312 Resolved a problem causing provisioning to fail when querying timestamps in PingDirectory.
PF-28315 Resolved an issue causing null attributes to result in an UnsupportedOperationException in the UserInfo endpoint.
PF-28331 Fixed Authentication API error messages for certain Local Identity Profile registration flows when an account has already been linked.
PF-28350 Using the administrative API to import an adapter that uses a datasource no longer throws a validation error when X-BypassExternalValidation is set to true.
PF-28351 Resolved an issue that prevented PingFederate from starting up post-upgrade when a connection-based override existed for a Reference ID adapter instance.
PF-28459 Twilio exceptions detected by PingFederate when it tries to send an SMS using the Twilio service are now logged accurately rather than erroneously indicating the SMS was sent successfully.
PF-28466 When /idp/userinfo.openid is called with an invalid access token, the endpoint now returns the correct error response in JSON format, and audit.log records a failure status.
PF-28477 Resolved a problem causing provisioning to fail when the timestamp attribute had a null value.
PF-28478 Removed an erroneous warning message that was logged after upgrading Java runtime.
PF-28503 Resolved a problem causing a scheduled metadata update not to finish downloading from an external URL.
PF-28678 Resolved a problem causing a dependency error to display erroneously when Save was clicked on the IdP Adapter page.
PF-28687 Resolved a problem where changes made to the datastore configurations used for OAuth Grants did not take effect until a restart.
PF-28691 Resolved a problem where configuration data could be corrupted in a PingFederate cluster by the replication of partially modified files. This could occur if a configuration change was made through the administrative console or API while replication was in progress.
PF-28720 PasswordValidationException is now logged at DEBUG level rather than WARN level.
PF-28766 jQuery has been updated to 3.5.1.min.js.
PF-28781 Updated PingFederate's mechanism for determining whether to display the current password field in profile management to a more secure alternative.
PF-28807 Resolved a problem causing an OAuth refresh grant request to fail if the request issued a refresh token alongside the access token. This was occurring when PingFederate was configured to use external consent management.
PF-28813 Resolved a problem causing OpenID Connect’s ui_locales parameter not to enforce the specified language on the Forgot Password (or any SSPR) page. On those pages, the language would default back to the default setting.
PF-28825 Resolved a problem causing PingFederate to send a request security token response (RSTR) without the actual security token to Microsoft Office 365 when WS-Trust 1.3 was in use.
PF-28832 Resolved a problem that occurred when a user attempted logging in using the HTML Form Adapter after an administrator had reset their password through PingDirectory. PingFederate redirected the user to the Change Password form without verifying their credentials. The current password was, however, validated at the Change Password form. Now if the user enters an invalid password, PingFederate does not redirect them to the Change Password form.
PF-28845 The java.security.krb5.conf property is no longer set automatically unless one or more Kerberos realms are defined. This ensures that the system-wide krb5.conf takes effect if Kerberos realms are not managed within PingFederate.
PF-28846 Enhanced security by no longer allowing the PingFederate web service to serve the files contained in <pf_install>/pingfederate/server/default/conf/template.
PF-28885 Enhanced security by adding HTML output escaping to the OAuth Default Scope Description.
PF-28915 Resolved an issue where the username was listed as "unknown" in the admin-api.log file when using certificate authentication for the Administrative API.
PF-29026 Resolved a problem causing every authentication selector and authentication policy to be validated when a user navigated to the cluster replication page from the selector page. The validation now runs only when a specific selector is saved.