If you are upgrading from PingFederate 8.4.4 or earlier, modify the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.common.SqlFilterManager.xml file to enable the safeguard for JDBC datastore queries against backend SQL injection attacks.

  1. Edit the org.sourceid.common.SqlFilterManager.xml file.
  2. Set the <item name="enableSqlFilters"/> element value to true.

    In the following example, the true value has been bolded for visibility.

    <?xml version="1.0" encoding="UTF-8"?>
    <config xmlns="">
        <item name="enableSqlFilters">true</item>
    </config>
  3. Save the file.
  4. Restart PingFederate.

    If you have a clustered PingFederate environment:

    1. Perform steps 1 to 3 on the console node.
    2. Sign on to the PingFederate administrative console.
    3. Go to System > Server > Cluster Management.
    4. Click Replicate Configuration to push this change to all engine nodes.
  5. Verify your use cases to make sure your search filters return the expected results.
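
An added check for the procedure above (example code, not part of the PingFederate documentation or product): it parses the file and reports whether the enableSqlFilters item is set to true, which is useful on each node after replication. The function names, the four state labels, the sample documents, and treating only the exact value true as enabled are assumptions of this example.

```python
"""Report whether enableSqlFilters is set to true in a SqlFilterManager config file."""
import sys
import xml.etree.ElementTree as ET

ITEM_NAME = "enableSqlFilters"  # item name from the procedure above

# Constructed sample documents (not copied from a real installation).
SAMPLE_ENABLED = b"""<?xml version="1.0" encoding="UTF-8"?>
<config xmlns="">
    <item name="enableSqlFilters">true</item>
</config>"""
SAMPLE_DISABLED = SAMPLE_ENABLED.replace(b">true<", b">false<")
SAMPLE_MISSING = b'<config xmlns=""><item name="other">true</item></config>'
SAMPLE_TRUNCATED = b'<config xmlns=""><item name="enableSqlFilters">true</item>'


def sql_filters_state(xml_bytes):
    """Return 'enabled', 'disabled', 'missing' or 'malformed' for the XML bytes."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return "malformed"  # e.g. the file was saved without its closing tag
    for elem in root.iter():
        # Compare local names so the check works whatever namespace <config> declares.
        local_name = elem.tag.rsplit("}", 1)[-1]
        if local_name == "item" and elem.get("name") == ITEM_NAME:
            # Assumption: only the exact value "true" counts as enabled.
            return "enabled" if (elem.text or "").strip() == "true" else "disabled"
    return "missing"  # item absent from the file


def audit(path):
    """Read one config file from disk and classify it."""
    with open(path, "rb") as fh:
        return sql_filters_state(fh.read())


if __name__ == "__main__":
    # Pass one or more paths to org.sourceid.common.SqlFilterManager.xml.
    results = {path: audit(path) for path in sys.argv[1:]}
    for path, state in results.items():
        print(f"{state:10} {path}")
    # Exit non-zero unless every file given has the safeguard enabled.
    sys.exit(0 if results and all(s == "enabled" for s in results.values()) else 1)
```

The non-zero exit status lets the check run from a post-upgrade script or configuration-drift job.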