PingFederate has some known issues and limitations.
Known issues
- Administrative API
  - /sp/idpConnections
    - For IdP connections, the administrative API connection support is limited to Browser SSO, WS-Trust STS, and OAuth Assertion Grant connections. As a result, when updating an IdP connection using the administrative API, it is possible to lose inbound provisioning settings previously configured using the administrative console.
  - /bulk
    - Only resource types currently supported by the administrative API are included in the exported data. Resources not yet supported include:
      - Identity Store Provisioners
      - Inbound provisioning settings from IdP connections
      - SMS Provider settings
      - WS-Trust STS settings
Known limitations
- Updating Java 8 to 11
  - Updating Java version 8 to version 11 results in an error when PingFederate is already installed and running. To work around this issue, uninstall and reinstall the PingFederate Windows service by running the UninstallPingFederateService.bat and InstallPingFederateService.bat files located in <pf_install>/pingfederate/sbin/wrapper.
- Administrative console and administrative API
  - Previously, the administrative API did not accurately reflect a Persistent Grant Max Lifetime setting of 29 days (or shorter) with the selection of the Grants Do Not Timeout Due To Inactivity option. As a result, if you have configured such OAuth authorization server settings and have generated a bulk export in version 10.0 through 10.0.2, we recommend that you re-generate a new bulk export after upgrading to version 10.0.3 (or a more recent version). The newly exported data does not contain the aforementioned flaw, and you can safely import it to version 10.0.3 (or a more recent version).
  - When enabling mutual TLS certificate-based authentication, administrators often configure a list of acceptable client certificate issuers. When an administrator uses a browser to access the console or the administrative API documentation, PingFederate returns to the browser the list of acceptable issuers as part of the TLS handshake. If the browser's client certificate store contains multiple client certificates, the browser often presents to the user only the certificates whose issuer matches one of the acceptable issuers. However, when PingFederate runs in a Java 11 environment, Chrome presents to the administrator all its configured client certificates, regardless of whether the issuer matches one of the acceptable issuers or not.
  - Prior to toggling the status of a connection with the administrative API, an administrator must ensure that any expired certificates or no longer available attributes are replaced with valid certificates or attributes; otherwise, the update request fails.
  - When creating or updating a child instance of a hierarchical plugin, the administrative API retains objects with an "inherited": false name/value pair (or without such a name/value pair altogether), ignores those with a value of true, and returns a 200 HTTP status code. No error messages are returned for the ignored objects.
  - Using the browser's navigation mechanisms (for example, the Back button) causes inconsistent behavior in the administrative console. Use the navigation buttons provided at the bottom of windows in the PingFederate console.
  - Using the PingFederate console in multiple tabs on one browser might cause inconsistent behavior which could corrupt its configuration.
  - If authenticated to the PingFederate administrative console using certificate authentication, a session that has timed out might not appear to behave as expected. Normally (when using password authentication), when a session has timed out and a user attempts some action in the console, the browser is redirected to the login page, and then back to the administrative console after authentication is complete. Similar behavior applies for certificate authentication, in principle. However, because the browser might automatically resubmit the certificate for authentication, the browser might redirect to the administrative console and not the login page.
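Because the administrative API answers 200 even when it drops every object marked "inherited": true on a child instance, a silent configuration loss is easy to miss. The following pre-flight check is an added example (not PingFederate's own code or API client): it walks a child-instance payload and lists the objects the server will ignore, and builds the effective payload that will actually be stored. It assumes the plugin configuration shape of the admin API (a "configuration" object with "fields" and "tables", rows of fields, each optionally carrying "inherited"); the instance, descriptor and field names in the sample are constructed placeholders.

```python
"""Pre-flight a child instance of a hierarchical plugin before PUT/POST.

Added example, not PingFederate's own code. Assumed payload shape:
  configuration.fields[]        -> {"name", "value", "inherited"?}
  configuration.tables[]        -> {"name", "inherited"?, "rows": [{"fields": [...]}]}
Objects with "inherited": true are ignored by the server with HTTP 200 and
no error, so we report them up front instead of discovering the loss later.
"""
import copy

# Constructed sample; ids, descriptor and field names are placeholders.
SAMPLE_CHILD_INSTANCE = {
    "id": "childInstance",
    "name": "Child Instance",
    "parentRef": {"id": "parentInstance"},
    "pluginDescriptorRef": {"id": "example.plugin.Descriptor"},
    "configuration": {
        "fields": [
            {"name": "Field A", "value": "parent-value", "inherited": True},
            {"name": "Field B", "value": "child-value", "inherited": False},
            {"name": "Field C", "value": "child-value-2"},  # no flag: retained
        ],
        "tables": [
            {"name": "Table X", "inherited": True,
             "rows": [{"fields": [{"name": "Col 1", "value": "v"}]}]},
            {"name": "Table Y",
             "rows": [
                 {"fields": [{"name": "Col 1", "value": "v1", "inherited": True}]},
                 {"fields": [{"name": "Col 1", "value": "v2", "inherited": False}]},
             ]},
        ],
    },
}


def find_ignored_objects(config: dict) -> list[str]:
    """Return a path for every object carrying "inherited": true.
    Objects with "inherited": false or without the key are kept by the
    server and therefore not listed."""
    ignored = []
    for f in config.get("fields", []):
        if f.get("inherited") is True:
            ignored.append(f"fields[{f['name']}]")
    for t in config.get("tables", []):
        if t.get("inherited") is True:
            ignored.append(f"tables[{t['name']}]")
            continue  # whole table is ignored; no need to walk its rows
        for i, row in enumerate(t.get("rows", [])):
            for f in row.get("fields", []):
                if f.get("inherited") is True:
                    ignored.append(f"tables[{t['name']}].rows[{i}].fields[{f['name']}]")
    return ignored


def effective_configuration(config: dict) -> dict:
    """Return a copy of the configuration with every "inherited": true
    object removed, i.e. what the server will actually store."""
    result = copy.deepcopy(config)
    result["fields"] = [f for f in result.get("fields", []) if f.get("inherited") is not True]
    kept_tables = []
    for t in result.get("tables", []):
        if t.get("inherited") is True:
            continue
        for row in t.get("rows", []):
            row["fields"] = [f for f in row.get("fields", []) if f.get("inherited") is not True]
        kept_tables.append(t)
    result["tables"] = kept_tables
    return result


def check_child_update(instance: dict) -> dict:
    """Report what a PUT/POST of this child instance would silently drop,
    and return the effective instance alongside it."""
    config = instance.get("configuration", {})
    effective = copy.deepcopy(instance)
    effective["configuration"] = effective_configuration(config)
    return {"dropped": find_ignored_objects(config), "effective": effective}


if __name__ == "__main__":
    report = check_child_update(SAMPLE_CHILD_INSTANCE)
    for path in report["dropped"]:
        print("would be ignored with HTTP 200 and no error:", path)
```

Run the check against the exact JSON you are about to send; if "dropped" is non-empty and those objects were meant to be child-specific, set their "inherited" flag to false (or remove it) before the request.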
- Hardware security modules (HSM)
  - PingFederate must be deployed with Oracle Server JRE (Java SE Runtime Environment) 8, or Amazon Corretto 8.
  - When using PingFederate with an HSM from Thales or Entrust, it is not possible to use an elliptic curve (EC) certificate as an SSL server certificate.
  - When using PingFederate with an HSM from Thales, it is not possible to generate a self-signed elliptic curve (EC) certificate.
  - When using PingFederate with an HSM from Thales, it is not possible to use an elliptic curve (EC) certificate as a signing certificate.
- SSO and SLO
  - When consuming SAML metadata, PingFederate does not report an error when neither the validUntil nor the cacheDuration attribute is included in the metadata. Note that PingFederate does reject expired SAML metadata as indicated by the validUntil attribute value, if it is provided.
  - The anchored-certificate trust model cannot be used with the SLO redirect binding because the certificate cannot be included with the logout request.
  - If an IdP connection is configured for multiple virtual server IDs, PingFederate will always use the default virtual server ID for IdP Discovery during an SP-initiated SSO event.
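Since PingFederate stays silent when SAML metadata carries neither validUntil nor cacheDuration, metadata that is never refreshed can remain trusted indefinitely. The script below is an added example (not PingFederate's own code) for inspecting a metadata document before loading it: it flags the missing-both case, rejects a validUntil that has already passed (matching the behaviour described above), and computes when a cacheDuration says the document should be re-fetched. The entity descriptor it parses is constructed; the duration parser covers the day/time part of xs:duration only, since year and month components have no fixed length.

```python
"""Check SAML metadata freshness attributes before importing it.

Added example, not PingFederate's own code. The sample metadata is
constructed; the entityID and locations are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample: an IdP descriptor with both freshness attributes set.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}"
    entityID="https://idp.example.test/saml"
    validUntil="2030-01-01T00:00:00Z"
    cacheDuration="PT24H">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Day/time part of xs:duration, e.g. P1D, PT24H, PT1H30M, P2DT12H.
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+(?:\.\d+)?)S)?)?$"
)


def parse_duration(value: str) -> timedelta:
    """Parse an xs:duration without year/month components into a timedelta."""
    m = _DURATION.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"unsupported cacheDuration: {value!r}")
    return timedelta(days=int(m["d"] or 0), hours=int(m["h"] or 0),
                     minutes=int(m["m"] or 0), seconds=float(m["s"] or 0))


def parse_xs_datetime(value: str) -> datetime:
    """xs:dateTime -> timezone-aware datetime (UTC assumed when no offset)."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def check_metadata(xml_text: str, now: Optional[datetime] = None) -> dict:
    """Report validUntil/cacheDuration state of a metadata document."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag not in (f"{{{MD_NS}}}EntityDescriptor", f"{{{MD_NS}}}EntitiesDescriptor"):
        raise ValueError(f"not a SAML metadata root element: {root.tag}")
    valid_until = root.get("validUntil")
    cache_duration = root.get("cacheDuration")
    findings = []
    if valid_until is None and cache_duration is None:
        # The case PingFederate accepts without any warning.
        findings.append("neither validUntil nor cacheDuration is set; metadata never expires")
    expired = False
    if valid_until is not None:
        expired = parse_xs_datetime(valid_until) <= now
        if expired:
            findings.append(f"validUntil {valid_until} has passed; PingFederate rejects expired metadata")
    refresh_by = now + parse_duration(cache_duration) if cache_duration is not None else None
    return {
        "entityID": root.get("entityID"),
        "validUntil": valid_until,
        "cacheDuration": cache_duration,
        "expired": expired,
        "refresh_by": refresh_by,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in check_metadata(SAMPLE_METADATA)["findings"]:
        print("finding:", line)
```

A metadata document that yields the "neither ... is set" finding is worth treating as a manual-refresh item, because nothing in PingFederate will prompt for it later.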
- Composite Adapter configuration
  - SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.
- Self-service password reset
  - Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.
- OAuth
  - PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.
- Customer identity and access management
  - Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.
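For the OAuth limitation listed above (client IDs are not case-sensitive when client records live in a directory server), the following added example (not PingFederate's own code) finds existing client IDs that only differ by case and tells you which existing ID would block a proposed new one. It assumes the input is the list of client records as the admin API's /oauth/clients resource returns them, each carrying a "clientId" key; the sample records are constructed. Running it over an export before moving client storage to a directory server surfaces the collisions that storage will no longer tolerate.

```python
"""Detect OAuth client IDs that collide under case-insensitive comparison.

Added example, not PingFederate's own code. Assumes client records as
returned by the admin API's /oauth/clients resource ({"clientId": ...}).
str.casefold() is used as a conservative stand-in for the directory's
case-ignoring match: if it reports a collision, the directory will too.
"""
from collections import defaultdict
from typing import Iterable, Optional

# Constructed sample client records; names are placeholders.
SAMPLE_CLIENTS = [
    {"clientId": "sampleClient", "name": "Sample client"},
    {"clientId": "SampleClient", "name": "Sample client (copy)"},
    {"clientId": "reporting-app", "name": "Reporting"},
    {"clientId": "REPORTING-APP", "name": "Reporting (legacy)"},
    {"clientId": "mobile", "name": "Mobile app"},
]


def find_case_collisions(client_ids: Iterable[str]) -> dict[str, list[str]]:
    """Group IDs by their case-folded form; keep only groups with 2+ members."""
    groups: dict[str, list[str]] = defaultdict(list)
    for cid in client_ids:
        groups[cid.casefold()].append(cid)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def conflicting_id(proposed: str, existing: Iterable[str]) -> Optional[str]:
    """Return the existing ID that would block creating `proposed`, if any."""
    wanted = proposed.casefold()
    for cid in existing:
        if cid.casefold() == wanted:
            return cid
    return None


def audit_clients(clients: list[dict]) -> dict[str, list[str]]:
    """Convenience wrapper over a list of admin API client records."""
    return find_case_collisions(c["clientId"] for c in clients)


if __name__ == "__main__":
    for key, ids in audit_clients(SAMPLE_CLIENTS).items():
        print(f"collision on {key!r}: {ids}")
    blocker = conflicting_id("MOBILE", (c["clientId"] for c in SAMPLE_CLIENTS))
    print("creating 'MOBILE' would be blocked by:", blocker)
```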
- Provisioning
  - LDAP referrals return an error and cause provisioning to fail if the user or group objects are defined at the DC level, and not within an OU or within the Users CN.
  - The totalResults value in SCIM responses indicates the number of results returned in the current response, not the total number of estimated results on the LDAP server.
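A SCIM client that derives "how many pages remain" from totalResults will stop after the first page against this server, because totalResults equals the size of that page. The walker below is an added example (not PingFederate's own code) that pages on startIndex and count alone and stops only when a page comes back short or empty, shown next to the naive client that trusts totalResults. The page fetcher is a constructed in-memory stand-in for an HTTP GET against the inbound provisioning endpoint (assumed to be /pf-scim/v1/Users); in real use you would replace it with an authenticated HTTP call returning the parsed JSON body.

```python
"""Page through SCIM list responses without relying on totalResults.

Added example, not PingFederate's own code. fake_scim_get is a constructed
stand-in for GET /pf-scim/v1/Users?startIndex=N&count=M (assumed path) that
reproduces the documented behaviour: totalResults == size of this page.
"""
from typing import Callable

# Constructed directory of 7 users standing in for the LDAP-backed store.
FAKE_USERS = [{"id": f"user{i}", "userName": f"user{i}@example.test"} for i in range(1, 8)]


def fake_scim_get(start_index: int, count: int) -> dict:
    """Mimic the server: 1-based startIndex, totalResults counts this page only."""
    page = FAKE_USERS[start_index - 1:start_index - 1 + count]
    return {
        "schemas": ["urn:scim:schemas:core:1.0"],
        "totalResults": len(page),  # per-page count, not the directory total
        "itemsPerPage": len(page),
        "startIndex": start_index,
        "Resources": page,
    }


PageFetcher = Callable[[int, int], dict]


def fetch_all(get_page: PageFetcher, page_size: int = 3) -> list[dict]:
    """Collect every resource: keep advancing startIndex until a page is
    shorter than page_size (or empty). totalResults is never consulted."""
    resources: list[dict] = []
    start = 1
    while True:
        body = get_page(start, page_size)
        page = body.get("Resources", [])
        resources.extend(page)
        if len(page) < page_size:
            return resources
        start += len(page)


def fetch_trusting_total(get_page: PageFetcher, page_size: int = 3) -> list[dict]:
    """The client this limitation breaks: it believes totalResults is the
    directory total, so after one full page it thinks it already has all of them."""
    first = get_page(1, page_size)
    total = first["totalResults"]
    resources = list(first["Resources"])
    start = 1 + len(resources)
    while len(resources) < total:  # immediately false: total == len(first page)
        body = get_page(start, page_size)
        page = body.get("Resources", [])
        if not page:
            break
        resources.extend(page)
        start += len(page)
    return resources


if __name__ == "__main__":
    print("paging on short page:", len(fetch_all(fake_scim_get)), "users")
    print("trusting totalResults:", len(fetch_trusting_total(fake_scim_get)), "users")
```

The same stop rule (short or empty page) is also the safe choice when the directory total changes between requests, which totalResults could not signal even if it were accurate.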
- Logging
  - If a source attribute has been configured for masking in an IdP adapter or IdP connection and the source attribute is mapped to OAuth's persistent grant USER_KEY attribute, the USER_KEY attribute will not be masked in the server logs. Other persistent grant attributes will be masked.
- Database logging
  - If PingFederate cannot establish a Java Database Connectivity (JDBC) connection at startup, PingFederate will continue to write log messages to the failover log file, despite the failover and resume configuration. When the JDBC connectivity issue is resolved, restart PingFederate. On restart, PingFederate will start writing log messages to the database.
- RADIUS NAS-IP-Address
  - The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address property is set to an IPv4 address. IPv6 is not supported.