PingFederate 11.3.1 (August 2023) - PingFederate - 11.3

Enhancements and resolved issues in PingFederate 11.3.1.

Configuration retrieval on engine startup

Improved PF-33667

We introduced new settings in the cluster-config-replication.conf file to improve configuration retrieval reliability during engine startup. By setting publish.replication.data.on.startup to true, the administrative console automatically publishes the last replicated configuration upon startup, eliminating the need to initiate replication through the administrative UI or API after a console restart. Additionally, you can configure engines to fail startup if they cannot retrieve configuration data by setting require.replication.data.on.startup to true. This setting proves beneficial in DevOps deployments, where fresh engine nodes are frequently created without any initial configuration. For more information, see the publish.replication.data.on.startup and require.replication.data.on.startup property descriptions in Cluster management.

Jetty library upgrade

Fixed PF-31865

We upgraded the Jetty library, resolving CVE-2022-2047 and CVE-2022-2048.

OAuth scope names

Fixed PF-33056

Using submit and onSubmit as OAuth scope names in the administrative UI drop-down no longer causes front-end JavaScript errors.

Policy fragment validation error

Fixed PF-33156

Policy fragments with valid authentication sources no longer fail with an Invalid Configuration error during runtime.

Eliminating redundant group updates

Fixed PF-33441

PingFederate, when configured with PingDirectory as an outbound provisioning data source, no longer sends redundant group updates in each provisioning cycle when the entry remains unchanged.

Potential security vulnerability

Fixed PF-33449

We've resolved a potential security vulnerability that is described in security advisory SECADV037.

PingFederate as a Windows service

Fixed PF-33450

We fixed an issue so that PingFederate as a Windows service now runs on Java 17. When updating to the latest maintenance release using an in-place update method (for example, from 11.3.0 to 11.3.x), in addition to the steps in Updating to the latest maintenance release, you must remove the existing PingFederate Windows service. After removal, re-install the PingFederate Windows Service to apply this fix.

Authentication policy fail path

Fixed PF-33519

When an OIDC identity provider (IdP) connection fails in an authentication policy, PingFederate now continues on to the fail path of the authentication policy.

Fragment mapping validation error

Fixed PF-33722

We resolved an issue that incorrectly produced an administrative API validation error when the fragment mapping references context.RequestedUser as the mapping source.

Authorization details within a RAR

Fixed PF-33863

PingFederate now processes authorization details within a rich authorization request (RAR) as a JSON Array in a JWT request. Additionally, PingFederate no longer supports authorization details sent as stringified JSON arrays.
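The following is an added example, not code from Ping Identity or the original release notes: a pre-upgrade check that decodes a client's JWT request object and reports whether authorization_details is a native JSON array or the stringified form that is no longer supported. The function names, client_id, and sample detail object are constructed for illustration.

```python
import base64
import json

# Constructed sample authorization detail (not taken from PingFederate docs).
SAMPLE_DETAILS = [{"type": "payment_initiation", "actions": ["initiate"]}]


def build_sample_request(authorization_details) -> str:
    """Build a constructed request object with a placeholder signature."""
    def enc(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"client_id": "example-client", "response_type": "code",
              "authorization_details": authorization_details}
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])


def classify_authorization_details(request_jwt: str) -> str:
    """Return 'array', 'stringified', 'absent' or 'invalid'.

    Only the payload is decoded; the signature is NOT verified, so this is
    for inspecting your own client's output, never for trust decisions.
    """
    parts = request_jwt.split(".")
    if len(parts) != 3:
        return "invalid"
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:
        return "invalid"
    if not isinstance(claims, dict):
        return "invalid"
    if "authorization_details" not in claims:
        return "absent"
    value = claims["authorization_details"]
    if isinstance(value, list):
        return "array"  # native JSON array: the form processed after this fix
    if isinstance(value, str):
        try:
            inner = json.loads(value)
        except ValueError:
            return "invalid"
        # A string that itself parses to an array is the stringified form
        # that is no longer supported after this change.
        return "stringified" if isinstance(inner, list) else "invalid"
    return "invalid"
```

Clients whose request objects classify as stringified need to emit the claim as a JSON array before moving to 11.3.1.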

Cluster engine nodes starting without replication data

Fixed PF-33881

Resolved a replication issue that, in rare cases, caused an engine node in a cluster to start without replication data from other nodes.

Server error when revoking user sessions

Fixed PF-33920

Resolved an issue that prevented user sessions from being revoked through the session management API when using persistent sessions.

Potential security vulnerability

Fixed PF-33935

We've resolved a potential security vulnerability that is described in security advisory SECADV037.

Fragment mapping validation errors

Fixed PF-33957

When utilizing the PingFederate administrative API to create or update a fragment that includes another fragment, the API will no longer produce a validation error when fragment mapping involves an input source type.

Updated template variable

Fixed PF-34016

The message-template-end-user-password-change.html template now contains the USERNAME variable.

Potential security vulnerability

Fixed PF-34017

We've resolved a potential security vulnerability that is described in security advisory SECADV037.

Policy evaluation issue

Fixed PF-34051

We fixed a policy evaluation issue that occurred when ui_locales was present in an authentication request.

Certificate import improvements

Fixed PF-34074

We updated the administrative UI to include the certificate serial number in the drop-down, thus preventing import errors for certificates sharing the same Subject DN and expiration date combination.

DynamoDB attribute lookup error

Fixed PF-34099

We fixed an attribute lookup error that occurred when different DynamoDB attributes shared an overlapping path.