Dynamic discovery settings
Previously, administrators could only define the dynamic discovery settings used to discover cluster membership in the server/default/conf/tcp.xml file. Version 11 provides a new configuration file for these settings, jgroups.properties, in the bin directory. This new approach streamlines future upgrades. For new installations, we recommend defining dynamic discovery settings in the jgroups.properties file. Upgraded environments will continue to read dynamic discovery settings from the tcp.xml file, but we recommend performing a one-time migration to ease future upgrades. For more information, see Migrating cluster discovery settings.
Velocity HTML templates
If any of the default Velocity HTML templates for user-facing windows were modified, the upgrade utility migrates them to the new installation and renames the corresponding default templates in the new installation with the following format: <template_name>-default-<PF-version>.<ext>. For more information, see User-facing windows.
Kerberos authentication
When the new Retain Previous Keys on Password Change check box on the Manage Domain/Realm window is selected, PingFederate saves the encryption keys associated with the password of the current Kerberos service account. The check box is selected by default. However, PingFederate will not save the encryption keys until you re-save the configuration of the domain or realm. To facilitate seamless rotation of the service account password for existing domains, click Save on the Manage Domain/Realm window before you update the password in the domain controller. For more information, see Adding domains.
IWA IdP adapter
PingFederate no longer supports the integrated Windows authentication (IWA) IdP adapter. The IWA integration kit for Kerberos has been replaced with a PingFederate adapter for Kerberos. See Migrating from the Integrated Windows Authentication Integration Kit to the PingFederate Kerberos adapter.
Private key JSON web token authentication
When authenticating an OAuth client that uses the private key JSON web token (JWT) authentication scheme, PingFederate now validates that the issuer and subject claims in the JWT have the same value.
The following administrative API endpoint exposes the validation on/off switch:
https://{{pf_base_host_port}}/pf-admin-api/v1/configStore/oauth-credentials-validator/issuerMustBeEqualToClientId
To disable validation, send an HTTP POST request with the following body to the endpoint:
{
  "id": "issuerMustBeEqualToClientId",
  "stringValue": "false",
  "type": "STRING"
}
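Before upgrading, it helps to know which OAuth clients send assertions that the new check would reject. The following Python code is an added example, not PingFederate code and not part of the original documentation: it decodes the claims of constructed sample assertions and reports those whose iss and sub claims differ or are missing. The function names, client labels and sample values are assumptions, and signature verification is out of scope here.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode the claims segment of a compact JWT (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("claims segment is not a JSON object")
    return claims


def issuer_subject_finding(token: str):
    """Return None when iss equals sub, otherwise a reason string."""
    try:
        claims = jwt_claims(token)
    except ValueError as exc:  # also covers base64 and JSON decoding errors
        return f"unparseable assertion: {exc}"
    iss, sub = claims.get("iss"), claims.get("sub")
    if not isinstance(iss, str) or not isinstance(sub, str):
        return "iss or sub missing or not a string"
    if iss != sub:
        return f"iss {iss!r} differs from sub {sub!r}"
    return None


def make_sample(claims: dict) -> str:
    """Build a constructed token; the signature segment is a dummy value."""
    segments = (json.dumps({"alg": "RS256", "typ": "JWT"}).encode(),
                json.dumps(claims).encode(), b"constructed-signature")
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode() for s in segments)


# Constructed sample assertions keyed by a hypothetical client label.
SAMPLES = {
    "client-a": make_sample({"iss": "client-a", "sub": "client-a"}),
    "client-b": make_sample({"iss": "https://issuer.example.com", "sub": "client-b"}),
    "client-c": make_sample({"sub": "client-c"}),
}


def audit(samples: dict) -> dict:
    """Map each failing client label to its finding; passing clients are omitted."""
    return {name: finding for name, token in samples.items()
            if (finding := issuer_subject_finding(token))}
```

Any client that audit() reports sends iss and sub values that do not match, which is the condition the new validation rejects.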
Authentication API applications
The new Restrict Access to Redirectless Mode check box on the Authentication API Applications window now lets you restrict which authentication API applications can use redirectless mode. To avoid impacting existing deployments, this check box is not selected on upgrade. However, we strongly recommend that you enable this setting. For more information, see Managing authentication applications.
Jetty agent
If your PingFederate server is running on a Java version prior to 8u252, you must modify your run.sh, run.bat, or PingFederateService.conf script to include the new Jetty agent in PingFederate 11.0.
Add the following Java argument to the script:
-javaagent:/server/default/lib/jetty-alpn-agent.jar
Example for run.sh:
"$JAVA" $JAVA_OPTS \
$ERROR_FILE \
$HEAP_DUMP \
${GC_FILE:+$GC_FLAG"$GC_FILE"$GC_OPTIONS} \
$ENDORSED_DIRS_FLAG \
-javaagent:$PF_HOME/server/default/lib/jetty-alpn-agent.jar \
-Dlog4j2.AsyncQueueFullPolicy=Discard \
Example for run.bat:
"%JAVA%" %PF_JAVA_OPTS% %JAVA_OPTS% %GC_OPTION% -javaagent:%PF_HOME%/server/default/lib/jetty-alpn-agent.jar -Dlog4j2.AsyncQueueFullPolicy=Discard
Example for PingFederateService.conf (note the extra ../ because this is located in pingfederate/sbin/wrapper):
# Java Additional Parameters
wrapper.java.additional.1=-Dlog4j.configurationFile=../../server/default/conf/log4j2.xml

...... (omitted lines 2-13 to save space) ......

wrapper.java.additional.14=-javaagent:../../server/default/lib/jetty-alpn-agent.jar
Specifying a maximum size for inbound runtime requests
If you have previously specified a value for maxFormContextSize in jetty-runtime.xml, you should now use pf.runtime.http.maxRequestSize in the run.properties file to control the maximum size for inbound runtime requests. For more information, see Configuring PingFederate properties.
Java 8
As we continue to improve our products and HSM integrations, we encourage our customers to migrate off of Java 8. We intend to remove Java 8 support from our qualification process in May 2023. For more information, including Java 11 support, see System requirements.
Third-party integrations

As we continue to improve PingFederate, we intend to remove the following product releases from our qualification process after the release of PingFederate 11.3 in June 2023:

  • Oracle Linux 7.9 (Red Hat-compatible Kernel)
  • Red Hat Enterprise Linux 7.9
  • Microsoft SQL Server 2016 SP2
  • Oracle Database 12c Release 2
  • Microsoft Windows Server 2012 R2
  • Microsoft Active Directory 2012 R2

We encourage you to upgrade these products to more recent versions, such as:

  • Oracle Linux 8.5 (Red Hat-compatible Kernel)
  • Red Hat Enterprise Linux 8.5
  • Microsoft SQL Server 2017
  • Oracle Database 19c
  • Microsoft Windows Server 2016
  • Microsoft Active Directory 2016

For a more complete list of qualified third-party solutions, see System requirements.