Enhancements and resolved issues in PingFederate 11.2.5
When upgrading to PingFederate 11.2.5, before you start the PingFederate engines, perform replication on the administrative console.
We've improved logging validation.
Multi-value request parameters for OIDC for console login
We fixed an issue where multi-value request parameters were not working as expected when using OIDC for console login.
Preservation of changes to certain validation rules
We fixed an issue where PingFederate did not preserve changes to certain validation rules in the http-request-parameter-validation.xml file upon upgrade.
SAML login session tracking
We improved SP-Initiated SAML login session tracking. This security improvement can affect existing SAML SP connections that rely on multiple session states in a single transaction.
For more information about how your configuration can be affected, and the steps to resolve issues, see Solicited SAML Response Validation in the Ping Identity Support Portal.
OTL reset page error messaging
The one-time link (OTL) reset page now displays an error message when the link is expired.
Access token bug fix
We resolved an issue where an access token may not include the pi.sri claim after refresh. This issue only occurs when reuse of existing access grants is enabled.
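A regression check for this fix, added here as an example and not part of Ping Identity's release notes or product code. It assumes PingFederate is issuing JWT (self-contained) access tokens; with reference tokens you would introspect the original and refreshed tokens first and compare the introspection responses instead. The sample tokens below are constructed and unsigned, and the helper deliberately does not verify signatures, so use it only to diff the claim sets of tokens you obtained from your own test deployment, never to decide whether a token is trustworthy.

```python
import base64
import json

# Constructed sample data: these are NOT tokens issued by PingFederate. The
# payloads carry only the claims needed to show the check; header and signature
# are placeholders, so nothing here can be validated cryptographically.
def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(payload):
    """Build a JWS-shaped string (header.payload.signature) with a dummy signature."""
    header = _b64url_encode({"alg": "RS256", "kid": "constructed-example"})
    return f"{header}.{_b64url_encode(payload)}.placeholder-signature"


# Access token from the initial authorization code exchange (constructed).
SAMPLE_ORIGINAL = make_unsigned_jwt(
    {"iss": "https://pf.example.test", "sub": "alice", "client_id": "demo-client",
     "scope": "openid profile", "pi.sri": "ExampleSessionRef", "exp": 1700000000}
)
# Token returned after a refresh on an affected build: pi.sri is dropped (constructed).
SAMPLE_REFRESHED_BUGGY = make_unsigned_jwt(
    {"iss": "https://pf.example.test", "sub": "alice", "client_id": "demo-client",
     "scope": "openid profile", "exp": 1700003600}
)
# Token returned after a refresh on a fixed build: pi.sri is present (constructed).
SAMPLE_REFRESHED_FIXED = make_unsigned_jwt(
    {"iss": "https://pf.example.test", "sub": "alice", "client_id": "demo-client",
     "scope": "openid profile", "pi.sri": "ExampleSessionRef", "exp": 1700003600}
)


def decode_claims(jwt):
    """Return the payload claims of a JWS compact serialization.

    The signature is deliberately NOT verified: this helper is for diffing
    claim sets of tokens from your own test deployment, not for deciding
    whether to trust a token.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part JWS compact serialization")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_after_refresh(original, refreshed, required=("pi.sri",)):
    """List required claims that the original token carried but the refreshed one lacks."""
    before = decode_claims(original)
    after = decode_claims(refreshed)
    return [claim for claim in required if claim in before and claim not in after]


if __name__ == "__main__":
    print("buggy refresh missing:", missing_after_refresh(SAMPLE_ORIGINAL, SAMPLE_REFRESHED_BUGGY))
    print("fixed refresh missing:", missing_after_refresh(SAMPLE_ORIGINAL, SAMPLE_REFRESHED_FIXED))
```

To use it against a real deployment, enable reuse of existing access grants on a test client, obtain an access token, exchange its refresh token, and pass the two tokens to missing_after_refresh; an empty list means the refreshed token still carries pi.sri.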
In OAuth and OpenID Connect (OIDC) flows, external consent adapters can now retrieve attributes from the chained attributes map.
LDAP bug fix
We fixed an LDAP issue where new access grant records were not created with new scopes when Reuse Existing Persistent Access Grants for Grant Types was enabled.
ID token ACR claim
We resolved an issue where an ID token would not include the Authentication Context Class Reference (ACR) claim if an old client secret was used during the retention period.
Redundancies in key algorithm generation
We fixed an issue that affected cluster replication when PingFederate was deployed with AWS CloudHSM. When replication was initiated, engines generated a number of temporary key pairs, and the increased load on the HSM could trigger SSO errors.