Enhancements and resolved issues in PingFederate 11.3.1.
Configuration retrieval on engine start up
We introduced new settings in the cluster-config-replication.conf file to improve configuration retrieval reliability during engine startup. When you set publish.replication.data.on.startup to true, the administrative console automatically publishes the last replicated configuration upon startup, eliminating the need to initiate replication through the administrative UI or API after a console restart. Additionally, you can configure engines to fail startup if they cannot retrieve configuration data by setting require.replication.data.on.startup to true. This setting proves beneficial in DevOps deployments, where fresh engine nodes are frequently created without any initial configuration. For more information, see the publish.replication.data.on.startup and require.replication.data.on.startup property descriptions in Cluster management.
Jetty library upgrade
We upgraded the Jetty library, resolving CVE-2022-2047 and CVE-2022-2048.
OAuth scope names
Using submit and onSubmit as OAuth scope names in the administrative UI drop-down no longer causes front-end JavaScript errors.
Policy fragment validation error
Policy fragments with valid authentication sources no longer fail with an Invalid Configuration error during runtime.
Eliminating redundant group updates
PingFederate, when configured with PingDirectory as an outbound provisioning data source, no longer sends redundant group updates in each provisioning cycle when the entry remains unchanged.
Potential security vulnerability
We've resolved a potential security vulnerability that is described in security advisory SECADV037.
PingFederate as a Windows service
We fixed an issue so that PingFederate as a Windows service now runs on Java 17. When updating to the latest maintenance release using an in-place update method (for example, from 11.3.0 to 11.3.x), in addition to the steps in Updating to the latest maintenance release, you must remove the existing PingFederate Windows service. After removal, re-install the PingFederate Windows Service to apply this fix.
Authentication policy fail path
When an OIDC identity provider (IdP) connection fails in an authentication policy, PingFederate now continues on to the fail path of the authentication policy.
Fragment mapping validation error
We resolved an issue that incorrectly produced an administrative API validation error when the fragment mapping references context.RequestedUser as the mapping source.
Authorization details within a RAR
PingFederate now processes authorization details within a rich authorization request (RAR) as a JSON Array in a JWT request. Additionally, PingFederate no longer supports authorization details sent as stringified JSON arrays.
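A pre-flight check a client team could run on its own JWT request objects before updating, added here as an example and not PingFederate or Ping Identity code. The function names and sample claims are hypothetical and constructed, and the per-element "type" check follows RFC 9396 rather than anything stated in these notes.

```python
import base64
import json

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def check_authorization_details(request_jwt):
    """Classify the authorization_details claim of a JWT request object.

    Reads the payload only; signature validation is a separate step.
    """
    parts = request_jwt.split(".")
    if len(parts) != 3:
        return "malformed-jwt"
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return "malformed-jwt"
    if not isinstance(claims, dict):
        return "malformed-jwt"
    if "authorization_details" not in claims:
        return "absent"
    details = claims["authorization_details"]
    if isinstance(details, str):
        return "stringified"  # the form this release no longer supports
    if not isinstance(details, list):
        return "not-an-array"
    for item in details:
        # RFC 9396: each element is an object with a string "type" member.
        if not isinstance(item, dict) or not isinstance(item.get("type"), str):
            return "invalid-element"
    return "json-array"

def make_sample(claims):
    # Constructed, unsigned request object so the example runs offline.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return enc({"alg": "none"}) + "." + enc(claims) + "."

# Constructed sample data (not taken from the release notes).
DETAILS = [{"type": "payment_initiation", "actions": ["initiate"]}]
AS_ARRAY = make_sample({"client_id": "example-client", "authorization_details": DETAILS})
AS_STRING = make_sample({"client_id": "example-client", "authorization_details": json.dumps(DETAILS)})

if __name__ == "__main__":
    for name, token in (("array", AS_ARRAY), ("string", AS_STRING)):
        print(name, "->", check_authorization_details(token))
```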
Cluster engine nodes starting without replication data
Resolved a replication issue that, in rare cases, caused an engine node in a cluster to start without replication data from other nodes.
Server error when revoking user sessions
Resolved an issue that prevented user sessions from being revoked through the session management API when using persistent sessions.
Fragment mapping validation errors
When utilizing the PingFederate administrative API to create or update a fragment that includes another fragment, the API will no longer produce a validation error when fragment mapping involves an input source type.
Updated template variable
The message-template-end-user-password-change.html template now contains the USERNAME variable.
Policy evaluation issue
We fixed a policy evaluation issue that occurred when ui_locales was present in an authentication request.
Certificate import improvements
We updated the administrative UI to include the certificate serial number in the drop-down, preventing import errors for certificates that share the same Subject DN and expiration date combination.
DynamoDB attribute lookup error
We fixed an attribute lookup error that occurred when different DynamoDB attributes shared an overlapping path.