New features and improvements in PingFederate 11.3.
Support for nbf and iat claims in JWT access token managers
Now you can configure access token managers to include the JSON web token (JWT) access_token claims nbf (not before) and iat (issued at). This enables stronger validation by receiving clients or protected resources that process that access_token. For more information, go to Configuring an access token management instance, and in the JSON web token data model section click the JSON token management tab.
Retries for client-side LDAP errors
To further improve reliability and robustness, PingFederate now retries a failed LDAP operation rather than only failing over. PingFederate initiates a single retry if a request fails and the connection appears to have become invalid. For more information, see the Retry Failed Operations field in Setting advanced LDAP options.
Referencing incoming PAR parameters in authentication policies
For authorization requests, parameters can now be referenced for incoming PAR requests (pushed authorization requests) inside authentication policies. This lets PingFederate process incoming requests independently of how it received them. For more information, see Pushed authorization requests endpoint.
Unique identifiers for PingFederate transactions
To improve logging, PingFederate now uses a transactionId. For each transaction, this value won't change between the initial request and the final response. This is especially useful for troubleshooting. For more information, see the transactionid field in Security audit logging.
All user attributes available to HTML and mail templates
Now you can configure HTML and mail templates with user details. With these details, you can personalize user-facing pages and include messages, such as greetings by name, or the email address that was used for a password recovery flow. The attributes are documented in the templates.
Logging certificate expiration advance warnings
Previously, PingFederate produced notifications to inform administrators about expiring certificates. Now you can configure PingFederate to log upcoming expirations without producing notifications. For more information, see Configuring runtime notifications.
Improved European Union compliance with SAML 2.0
Two major SAML 2.0 messaging improvements align PingFederate closer to EU regulations:
- Now PingFederate can decrypt EncryptedID elements included as SAML attributes. They no longer must be enclosed in an EncryptedAttribute. For more information, see Specifying XML encryption policy (for SAML 2.0).
- To enhance signing capabilities, PingFederate now also supports some of the RSASSA-PSS algorithms. For more information, see Signing algorithms.
Support for credential-protected forward proxy servers
Because proxy servers can require credentials for authentication purposes, now you can configure PingFederate with proxy server credentials so that connections can be easily established and secured. For more information, see Configuring forward proxy server settings.
Amazon DynamoDB for attribute source lookups
Our continued effort to support Amazon DynamoDB (NoSQL) now lets you use DynamoDB as a source for attribute lookups. The connector supports the DynamoDB query language so you can easily configure it. For more information, see Configuring an AWS DynamoDB datastore.
OAuth 2.0 DPoP
As regulations for APIs in the context of financial services tighten, it's important to support highly secure API authentication and authorization methods. OAuth DPoP (Demonstrating Proof-of-Possession) is an extension to the OAuth framework and specifies how OAuth tokens are bound to clients. Clients must digitally prove the ownership of these tokens at runtime, which prevents unauthorized clients from misusing them. This extension is useful for any OAuth scenario, not only in financial environments. For more information, see Configuring authorization server settings.
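The following is an added example, not code from the PingFederate documentation or product, showing what a protected resource does with the features described in the nbf/iat section above and in this DPoP section: it checks the time claims of an access token with clock-skew leeway, and it checks that a DPoP proof is bound to that token (htm, htu, iat freshness, jti replay, ath hash, and the cnf.jkt thumbprint per RFC 7638). The key values, token string, URLs and timestamps are constructed for the example; signature verification of the proof against the embedded jwk is assumed to be done by a JOSE library before these claim-level checks run, and the leeway and maximum proof age are assumed policy values.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit, urlunsplit

LEEWAY = 60          # assumed: seconds of clock skew tolerated between issuer and resource server
PROOF_MAX_AGE = 300  # assumed: DPoP proofs older than this are rejected


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def check_token_times(claims: dict, now: float, leeway: int = LEEWAY) -> None:
    """Reject a token used before nbf, after exp, or carrying an iat in the future beyond leeway."""
    if "exp" in claims and now > claims["exp"] + leeway:
        raise ValueError("access_token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("access_token not yet valid (nbf)")
    if "iat" in claims and claims["iat"] > now + leeway:
        raise ValueError("access_token iat is in the future")


def normalize_htu(url: str) -> str:
    """htu is compared without query string or fragment (RFC 9449)."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


def verify_dpop_binding(token_claims, proof_header, proof_claims, method, url,
                        access_token, now, seen_jti):
    """Claim-level binding of a DPoP proof to an access token.
    Assumes the proof signature was already verified against proof_header['jwk']."""
    if proof_header.get("typ") != "dpop+jwt":
        raise ValueError("proof typ must be dpop+jwt")
    alg = proof_header.get("alg")
    if not alg or alg == "none" or alg.startswith("HS"):
        raise ValueError("proof must use an asymmetric alg")
    jwk = proof_header.get("jwk")
    if not jwk or "d" in jwk:
        raise ValueError("proof must carry a public JWK")
    if proof_claims.get("htm") != method.upper():
        raise ValueError("htm mismatch")
    if normalize_htu(proof_claims.get("htu", "")) != normalize_htu(url):
        raise ValueError("htu mismatch")
    iat = proof_claims.get("iat")
    if iat is None or iat > now + LEEWAY or now - iat > PROOF_MAX_AGE:
        raise ValueError("proof iat missing, in the future, or too old")
    jti = proof_claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("proof jti missing or replayed")
    expected_ath = b64url(hashlib.sha256(access_token.encode("ascii")).digest())
    if proof_claims.get("ath") != expected_ath:
        raise ValueError("ath does not hash the presented access_token")
    if token_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(jwk):
        raise ValueError("access_token is bound to a different key")
    seen_jti.add(jti)
    return True


# Constructed sample data (not real keys or tokens). The x/y values are the public EC
# point from the JWK specification examples; no signature is verified here.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
NOW = 1_700_000_000
SAMPLE_TOKEN = "constructed.access.token"
SAMPLE_TOKEN_CLAIMS = {"iss": "https://idp.example.com", "iat": NOW - 10, "nbf": NOW - 10,
                       "exp": NOW + 3600, "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}
SAMPLE_PROOF_HEADER = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
SAMPLE_PROOF_CLAIMS = {"jti": "proof-0001", "htm": "GET", "htu": "https://api.example.com/resource",
                       "iat": NOW - 5, "ath": b64url(hashlib.sha256(SAMPLE_TOKEN.encode()).digest())}


def demo() -> bool:
    """Run both checks on the constructed sample; the request URL carries a query string on purpose."""
    check_token_times(SAMPLE_TOKEN_CLAIMS, NOW)
    return verify_dpop_binding(SAMPLE_TOKEN_CLAIMS, SAMPLE_PROOF_HEADER, SAMPLE_PROOF_CLAIMS,
                               "get", "https://api.example.com/resource?page=2", SAMPLE_TOKEN, NOW, set())


if __name__ == "__main__":
    print("binding valid:", demo())
```

The jti set must be shared across all resource-server instances (or scoped per client and bounded by PROOF_MAX_AGE) for the replay check to be meaningful; an in-memory set only illustrates the logic.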
Logging the TLS version that clients use
For TLS connections, PingFederate can now log the TLS version that clients use. This gives you an easy way to identify clients that might need updates to use newer versions. For more information, see the tlsversion field in Security audit logging.
Certificate expiration dates added to certificate menus
In the administrative console, now certificate selection menus show the distinguished name (DN) and expiration date for each certificate, rather than a serial number. This gives you easy access to relevant information.
New JWT Token Processor
A new JWT token processor enhances the token exchange capabilities so that you can leverage any configured issuer. Now PingFederate can validate and accept incoming tokens that were created by pre-configured issuers. For more information, see Configuring a JWT Token Processor 2.0 instance.
Enhanced authentication policies
Complex authentication policies are sometimes challenging to manage. To simplify your work and add flexibility to policies, PingFederate provides several policy enhancements:
- Now the Requested AuthN Context Authentication Selector can determine the authentication context for flows. For more information, see Configuring the Requested AuthN Context Authentication Selector.
- Now you can use Context and Extended Properties for attribute sources when mapping authentication policy contracts and local identity profiles. For more information, see Configuring contract mapping, Configuring local identity mapping, and Defining issuance criteria for contract or local identity mapping.
- Now you can use the Scope and Virtual Server ID attributes for authentication sources in policy rules. For more information, see Scope and Virtual Server ID in Configuring rules in authentication policies.
- Now you can use OGNL expressions to configure more complex policy rules. For more information, see Expression in Configuring rules in authentication policies.
PAR support for OIDC IdP connections and OIDC admin authentication
PingFederate now initiates outbound authorization requests using the PAR endpoint of the target authorization server if you expose it. This enhancement lets PingFederate use PAR inbound and outbound, which improves OAuth flow security. For more information, see the Pushed Authorization Request Endpoint field in Configuring OpenID Provider information.
Support for OpenID Connect back-channel logout
In the context of OpenID session management, PingFederate now supports back-channel logout. PingFederate supports this feature whether it's configured as an OpenID Connect provider (OP) or a relying party (RP). For more information, see the OpenID Connect Back-Channel Logout 1.0 specification.
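As an added example (not code from PingFederate or the OpenID Foundation), this is the validation a relying party applies to a back-channel logout token before ending sessions: issuer and audience checks, iat freshness, jti replay protection, the required events claim, the prohibition on a nonce claim, and the requirement that sub or sid be present. The issuer URL, client ID, session records and timestamps are constructed; signature verification against the OP's JWKS is assumed to have happened already, and the leeway and maximum age are assumed policy values.

```python
BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout"
LEEWAY = 60    # assumed clock-skew tolerance in seconds
MAX_AGE = 120  # assumed: logout tokens older than this are rejected


def validate_logout_token(claims: dict, trusted_issuer: str, client_id: str, now: float, seen_jti: set):
    """Validate a parsed logout token (signature assumed verified) and return (sub, sid)."""
    if claims.get("iss") != trusted_issuer:
        raise ValueError("iss is not the configured OP")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain this RP's client_id")
    iat = claims.get("iat")
    if iat is None or iat > now + LEEWAY or now - iat > MAX_AGE:
        raise ValueError("iat missing, in the future, or too old")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("jti missing or replayed")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(BACKCHANNEL_LOGOUT_EVENT), dict):
        raise ValueError("events must contain the backchannel-logout member with a JSON object value")
    if "nonce" in claims:
        # A logout token must not carry a nonce; this stops an ID token being replayed as one.
        raise ValueError("nonce must not be present in a logout token")
    if not claims.get("sub") and not claims.get("sid"):
        raise ValueError("sub or sid is required")
    seen_jti.add(jti)
    return claims.get("sub"), claims.get("sid")


def terminate_sessions(sessions: list, sub, sid) -> list:
    """End the session identified by sid; without a sid, end every session for sub.
    sessions is a list of dicts with keys sid, sub, active. Returns the ended session ids."""
    ended = []
    for session in sessions:
        if not session["active"]:
            continue
        if (sid and session["sid"] == sid) or (not sid and sub and session["sub"] == sub):
            session["active"] = False
            ended.append(session["sid"])
    return ended


# Constructed sample data.
OP_ISSUER = "https://op.example.com"
RP_CLIENT_ID = "sample-rp"
NOW = 1_700_000_000
SAMPLE_LOGOUT_TOKEN = {
    "iss": OP_ISSUER, "aud": RP_CLIENT_ID, "iat": NOW - 5, "jti": "logout-0001",
    "sub": "alice", "sid": "sess-2",
    "events": {BACKCHANNEL_LOGOUT_EVENT: {}},
}


def demo() -> list:
    sessions = [{"sid": "sess-1", "sub": "alice", "active": True},
                {"sid": "sess-2", "sub": "alice", "active": True},
                {"sid": "sess-3", "sub": "bob", "active": True}]
    sub, sid = validate_logout_token(SAMPLE_LOGOUT_TOKEN, OP_ISSUER, RP_CLIENT_ID, NOW, set())
    return terminate_sessions(sessions, sub, sid)


if __name__ == "__main__":
    print("ended sessions:", demo())
```

When both sub and sid are present the RP ends only the named session; a token carrying just sub ends all of that subject's sessions, which is why the RP should store the sid from the ID token at login.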
Ability to include x5t and typ in ID token headers
Now PingFederate can include the JWT header values x5t and typ in the ID tokens it issues. You can include the x5t header with static keys enabled, whereas you can configure the typ header to an appropriate value without a dependency on the types of keys. The x5t header adds another mechanism for verifying the validity of a received JWT. For information about the x5t and typ parameters, see the JSON web key (JWK) and JWT specifications, respectively, and steps 9 and 10 in Configuring policy and ID token settings.
Support for the alg parameter response for JWKS keys
The alg header is now supported in PingFederate's JWKS endpoint. Any elliptic curve keys and all RSA-256 based keys expose this header. This feature lets clients verify that a received JWT has been signed by the advertised algorithm. For information about the alg parameter, see the JWK specification and JSON Web Keys endpoint.
Support for client_secret_jwt as client authentication
With the client_secret_jwt authentication method, a client can choose to create a signed JWT when authenticating against PingFederate’s token endpoint, introspection endpoint, PAR endpoint, or CIBA endpoint instead of providing the client secret. This feature prevents potential client secret leakage because it's not actively exchanged with any party. PingFederate also supports this feature when it acts as an RP. For more information, see client_secret_jwt in the Open ID Connect specification and Client authentication schemes.
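The following added example (not PingFederate code) shows both halves of the client_secret_jwt exchange described above: the client builds an HS256 client assertion keyed with its secret, and the authorization server verifies it by looking up the registered secret for the iss/sub client ID, recomputing the HMAC in constant time, checking that aud names the endpoint being called, enforcing exp, and rejecting a reused jti. The client ID, secret, endpoint URL and timestamps are constructed; the leeway and assertion lifetime are assumed values.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id: str, client_secret: str, token_endpoint: str,
                           now: int, lifetime: int = 60) -> str:
    """Client side: sign a short-lived JWT with the client secret; the secret itself is never sent."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + lifetime, "jti": secrets.token_urlsafe(16)}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    signature = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_client_assertion(assertion: str, registered_secrets: dict, token_endpoint: str,
                            now: int, seen_jti: set, leeway: int = 30) -> str:
    """Server side: returns the authenticated client_id or raises ValueError."""
    try:
        h64, c64, s64 = assertion.split(".")
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed client assertion") from exc
    if header.get("alg") != "HS256":          # never honour alg=none or an unexpected algorithm
        raise ValueError("unexpected alg")
    client_id = claims.get("iss")
    if not client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must both be the client_id")
    secret = registered_secrets.get(client_id)
    if secret is None:
        raise ValueError("unknown client")
    expected = hmac.new(secret.encode(), f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not name this endpoint")
    exp = claims.get("exp")
    if exp is None or now > exp + leeway:
        raise ValueError("assertion expired or missing exp")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("jti missing or replayed")
    seen_jti.add(jti)
    return client_id


# Constructed sample registration. HS256 needs a key of at least 256 bits (RFC 7518), so the
# secret is 43 base64url characters here; a real deployment generates it randomly.
TOKEN_ENDPOINT = "https://as.example.com/as/token.oauth2"
REGISTERED_SECRETS = {"sample-client": "constructed-secret-0123456789abcdefghijklmnop"}
NOW = 1_700_000_000


def demo() -> str:
    """Build an assertion as the client would and verify it as the server would."""
    assertion = build_client_assertion("sample-client", REGISTERED_SECRETS["sample-client"],
                                       TOKEN_ENDPOINT, NOW)
    return verify_client_assertion(assertion, REGISTERED_SECRETS, TOKEN_ENDPOINT, NOW, set())


if __name__ == "__main__":
    print("authenticated client:", demo())
```

Because each assertion is bound to one endpoint and one jti, an assertion captured on the wire cannot be replayed, and the secret is never visible to intermediaries, which is the leakage the section above describes.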
Refresh token reuse and revocation best practice
PingFederate now revokes a chain of tokens if a refresh token is revoked or if a refresh token is reused. This includes derived authorization codes and access tokens. For more information, see the Refresh Token settings section of Configuring authorization server settings.
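To make the chain-revocation behaviour concrete, here is an added example (not PingFederate's implementation) of a grant store that rotates refresh tokens, tracks the access tokens derived from each grant, and revokes the whole family both on explicit revocation and when a rotated-out refresh token is presented again. Token values are generated randomly at runtime and the client and subject names are constructed; authorization codes, which the section above says are also covered, are left out to keep the store small.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class GrantFamily:
    family_id: str
    client_id: str
    subject: str
    current_refresh: str                                 # the only refresh token that is live
    retired_refresh: set = field(default_factory=set)    # rotated-out tokens; presenting one is reuse
    access_tokens: set = field(default_factory=set)      # access tokens derived from this grant
    revoked: bool = False


class GrantStore:
    def __init__(self):
        self.families = {}    # family_id -> GrantFamily
        self.by_refresh = {}  # refresh token -> family_id (current and retired)
        self.by_access = {}   # access token -> family_id

    def _new_access(self, family: GrantFamily) -> str:
        token = secrets.token_urlsafe(32)
        family.access_tokens.add(token)
        self.by_access[token] = family.family_id
        return token

    def issue(self, client_id: str, subject: str):
        """Initial grant: returns (refresh_token, access_token)."""
        refresh = secrets.token_urlsafe(32)
        family = GrantFamily(secrets.token_urlsafe(8), client_id, subject, refresh)
        self.families[family.family_id] = family
        self.by_refresh[refresh] = family.family_id
        return refresh, self._new_access(family)

    def refresh(self, presented: str):
        """Rotate: retire the presented token, return (new_refresh, new_access)."""
        family_id = self.by_refresh.get(presented)
        if family_id is None:
            raise PermissionError("unknown refresh token")
        family = self.families[family_id]
        if family.revoked:
            raise PermissionError("grant already revoked")
        if presented in family.retired_refresh:
            # A rotated-out token came back: either a lost response or a stolen token.
            # Either way the whole chain is revoked so neither party keeps a usable token.
            self.revoke_family(family_id)
            raise PermissionError("refresh token reuse detected; chain revoked")
        family.retired_refresh.add(presented)
        family.current_refresh = secrets.token_urlsafe(32)
        self.by_refresh[family.current_refresh] = family_id
        return family.current_refresh, self._new_access(family)

    def revoke_family(self, family_id: str) -> None:
        self.families[family_id].revoked = True

    def revoke_refresh(self, token: str) -> None:
        """Explicit revocation (as from a revocation endpoint) also revokes the derived tokens."""
        family_id = self.by_refresh.get(token)
        if family_id is not None:
            self.revoke_family(family_id)

    def access_token_is_valid(self, token: str) -> bool:
        family_id = self.by_access.get(token)
        return family_id is not None and not self.families[family_id].revoked


def demo() -> dict:
    """Issue, rotate once, then replay the retired refresh token and observe the chain revocation."""
    store = GrantStore()
    rt1, at1 = store.issue("sample-client", "alice")
    rt2, at2 = store.refresh(rt1)
    before = store.access_token_is_valid(at1) and store.access_token_is_valid(at2)
    try:
        store.refresh(rt1)           # reuse of the retired token
        reuse_rejected = False
    except PermissionError:
        reuse_rejected = True
    after = store.access_token_is_valid(at1) or store.access_token_is_valid(at2)
    return {"valid_before_reuse": before, "reuse_rejected": reuse_rejected, "valid_after_reuse": after}


if __name__ == "__main__":
    print(demo())
```

The store also shows why the log entries with hashed token values mentioned under Auditing enhancements matter: a reuse event names the family, and the hashed refresh and access token values let an investigator tie the revoked chain back to the earlier issuance records.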
Overriding configuration settings using environment variables
Now you can configure many properties as environment variables instead of setting them in properties files. This is especially useful in container environments, where configuring through environment variables is common practice.
Auditing enhancements
Several enhancements provide more details in PingFederate-generated logs. These include the logging of JWT IDs (jti) and of hashed values of authorization codes, access tokens, and refresh tokens. Also, PingFederate now logs which system has locked out users after multiple unsuccessful login attempts, so you'll know whether it was PingFederate or an LDAP server. PingFederate also adds more details to the administrative API logs, so now there are almost no differences between logs generated when using the administrative console or the administrative API. For more information, see Administrator audit logging, Administrative API audit log, and Security audit logging.
Amazon DynamoDB and OAuth client records
Now you can manage OAuth clients in Amazon DynamoDB. With this update, you can use DynamoDB to manage OAuth clients, persistent grants, and persistent authorization sessions. For more information, see Configuring an Amazon DynamoDB for client storage.
Upgraded Velocity Engine 2.3
PingFederate now supports Apache Velocity Engine 2.3. For more information, see Upgrading in the Apache Velocity Engine documentation.
Support for strict content security policy (CSP) for HTML templates
Now you can include CSP policies for HTML templates without having to implement workarounds. For more information, see Customizable user-facing pages.
Ability to use additional Velocity tools
Now you can use Velocity templates with more tools, such as cookieTool.
Support for Microsoft Azure SQL Managed Instance
PingFederate now supports Microsoft Azure SQL Managed Instance. For more information, see the Datastore integration table in System requirements, and for more information on how to configure a connection to Microsoft Azure SQL Managed Instance, see Configuring a JDBC connection.
mTLS authentication for REST API datastores
PingFederate now supports mutual TLS (mTLS) client authentication for REST API datastores.
mTLS authentication for LDAP datastores
PingFederate now supports mTLS client authentication for LDAP datastores.
Entrust nShield Connect HSM and Java 11
Now when you integrate an Entrust nShield hardware security module (HSM) with PingFederate, you can use Java 11.
Bundled User Count Utility
We added the User Count Utility (UCU) as a bundled component. You can use the UCU to produce unique and active user counts in a PingFederate environment.
Upgraded third-party components
We upgraded the following third-party components:
- Upgraded Spring Framework to 5.3.27
- Upgraded jose4j to 0.9.3
Log message when multiple entries match the LDAP PCV search filter
Now when multiple entries match the LDAP PCV search filter, the following message appears in the log at DEBUG level: error code 4 - This search operation has sent the maximum of 1 entries to the client
Multivalued authorization request parameters
Now multivalued request parameters work as expected in authorization requests for OIDC administrative console authentication.
Tracked parameters in the LDAP search filter when using the administrative API
Now you can use tracked parameters in the Attribute Sources and User Lookup LDAP search filter when using the administrative API.
Showing and hiding passwords being entered
Now all password entry fields in PingFederate templates have icons that let users show and hide the password they're entering.
Connections and OAuth clients referencing deleted extended properties
When a connection or OAuth client references a deleted extended property, PingFederate no longer throws a null pointer exception. Instead it ignores the extended property and logs an error.
Custom error messages from external consent adapters
Now PingFederate can use customized messages from external consent adapters in error responses.
Restricting password credential validators
When restrictToDefaultAccessTokenManager is enabled on an OAuth client, the client can only get access tokens when being validated by password credential validators that are mapped to the restricted access token manager.
Bypass Authorization Approval and prompt parameters
When an OAuth client has Bypass Authorization Approval enabled, now that setting takes precedence over the prompt parameter in requests.
Document file permissions
Updated the file permissions of legal documents.
The memoryoptions script allocates excessive JVM heap
The memoryoptions script no longer allocates excessive JVM heap on Windows systems.
Authorization Code and Device Authorization grant handling
For the Device Authorization grant type, if Check Activation Code is set to Before Authentication, then authorization detail is set in the input parameters map when IdpAuthenticationAdapterV2 in the SDK is invoked.
Converting the values of binary attributes from PingOne LDAP gateway datastores
Now when PingFederate retrieves a binary attribute from a PingOne LDAP gateway datastore, it correctly converts the attribute value to the specified format (base64, SID, hex).
Unexpected certificate usage
When more than one trusted CA matches the issuer DN of an OAuth client, now PingFederate only flags the trusted CA as in use if its certificate hasn't expired and its subject DN matches the client’s configured issuer DN.
Potential information disclosure vulnerability
Removed a potential information disclosure vulnerability.
Jetty unable to serve gzip precompressed resources
Now PingFederate allows Jetty to precompress resources such as images and CSS.
Returning 400 error instead of a 500 error
When a system-level issue causes a data source attribute lookup to fail during OAuth flows, if the <pf_install>/pingfederate/server/default/data/config-store/org.sourceid.saml20.domain.AttributeMapping.xml file's AbortOnAttrLookupFailure attribute is set to true, now PingFederate returns a 500 error instead of a 400 error.
Usercount Utility's aggregate command
When you run the Usercount Utility's aggregate command:
- If all .ucu files contain tracking IDs, the utility generates a user count for each event, like before.
- If no .ucu files contain tracking IDs, now the utility generates a user count for each application.
- If some .ucu files contain tracking IDs but others don't:
  - For the files without tracking IDs, now the utility generates a user count for each application.
  - For the files with tracking IDs, now the utility generates a user count for each event.
CPU load displayed as N/A
Now when the CPU load is 0, heartbeat pages display the value with digits instead of as “N/A”.
Unexpected carriage return in audit logs
We resolved an issue that caused an unexpected carriage return in audit logs during SP-initiated single sign-on (SSO) if an identity provider responded with a non-success status.
PingID password credential validator with integrated RADIUS server
PingFederate versions 11.1.4, 11.1.5, 11.2.1, and 11.2.2 contain version 3.0.2 of the PingID password credential validator (PCV). That version of the PCV has known issues that you should review before upgrading. For more information, see Known issues in PingID RADIUS PCV 3.0.2.
Administrative console and administrative API
- Although PingFederate 11.3 and later support DPoP, a known limitation is that the following features don't support DPoP when PingFederate is the RP:
  - The administrative console authentication scheme using OIDC
  - The administrative API authentication scheme using OAuth 2.0
- /bulk: Only resource types currently supported by the administrative API are included in the exported data. We don't intend to introduce administrative API support to the following areas:
- Previously, the administrative API did not accurately reflect a Persistent Grant Max Lifetime setting of 29 days (or shorter) with the selection of the Grants Do Not Timeout Due To Inactivity option. As a result, if you have configured such OAuth authorization server settings and have generated a bulk export in version 10.0 through 10.0.2, we recommend that you re-generate a new bulk export after upgrading to version 10.0.3 (or a more recent version). The newly exported data does not contain the aforementioned flaw, and you can safely import it to version 10.0.3 (or a more recent version).
- When enabling mTLS certificate-based authentication, administrators often configure a list of acceptable client certificate issuers. When you use a browser to access the console or the administrative API documentation, PingFederate returns to the browser the list of acceptable issuers as part of the TLS handshake. If the browser's client certificate store contains multiple client certificates, the browser often presents you only the certificates whose issuer matches one of the acceptable issuers. However, when PingFederate runs in a Java 11 environment, Chrome presents you all its configured client certificates, regardless of whether the issuer matches one of the acceptable issuers or not.
- When using mTLS authentication to authenticate to an LDAP server for administrative console or administrative API access, PingFederate doesn't support using a Microsoft Active Directory server.
- Prior to toggling the status of a connection with the administrative API, you must ensure that any expired certificates or no longer available attributes are replaced with valid certificates or attributes; otherwise, the update request fails.
- When creating or updating a child instance of a hierarchical plugin, the administrative API retains objects with an "inherited": false name/value pair (or without such a name/value pair altogether), ignores those with a value of true, and returns a 200 HTTP status code. No error messages are returned for the ignored objects.
- Using the browser's navigation mechanisms (for example, the Back button) causes inconsistent behavior in the administrative console. Use the navigation buttons provided at the bottom of windows in the PingFederate console.
- Using the PingFederate console in multiple tabs on one browser might cause inconsistent behavior which could corrupt its configuration.
- If authenticated to the PingFederate administrative console using certificate authentication, a session that has timed out might not appear to behave as expected. Normally (when using password authentication), when a session has timed out and a user attempts some action in the console, the browser is redirected to the sign-on page, and then back to the administrative console after authentication is complete. Similar behavior applies for certificate authentication, in principle. However, because the browser might automatically resubmit the certificate for authentication, the browser might redirect to the administrative console and not the sign-on page.
PingOne MFA CIBA Authenticator
TLSv1.3
For Java versions that don't support TLSv1.3 (meaning versions earlier than 8u261), PingFederate fails on startup with a NoSuchAlgorithmException exception. To resolve this error, remove TLSv1.3 from the following settings in the run.properties file:
- pf.tls.client.protocols
- pf.tls.runtime.server.protocols
- pf.tls.admin.server.protocols
TLS cipher suite customization
PingFederate's TLS cipher suites can be customized by modifying com.pingidentity.crypto.SunJCEManager.xml (or a similarly-named file if BCFIPS or an HSM is configured). After updating the file and replicating, all cluster nodes must be restarted for the change to take effect.
Java
- As of PingFederate 11.1, BC-FIPS and HSMs are not supported when using Java 17.
- Updating Java version 8 to version 11 results in an error when PingFederate is already installed and running on Windows. To work around this issue, uninstall and reinstall the PingFederate Windows service by running the UninstallPingFederateService.bat and InstallPingFederateService.bat files located in <pf_install>/pingfederate/sbin/wrapper.
HSMs
- It is not possible to use an elliptic curve (EC) certificate as an SSL server certificate.
- TLS 1.3 is not currently supported.
- JWT token decryption using ECDH-ES may fail. This issue only arises if PingFederate is configured with static OAuth and OpenID Connect keys, a static key is stored on the HSM, and PingFederate is consuming a token encrypted with this key.
- It is not possible to import a PKCS12- or PEM-formatted EC certificate.
SSO and SLO
- When consuming SAML metadata, PingFederate does not report an error when neither the validUntil nor the cacheDuration attribute is included in the metadata. Note that PingFederate does reject expired SAML metadata as indicated by the validUntil attribute value, if it is provided.
- The anchored-certificate trust model cannot be used with the Single log off (SLO) redirect binding because the certificate cannot be included with the logout request.
- If an IdP connection is configured for multiple virtual server IDs, PingFederate will always use the default virtual server ID for IdP Discovery during an SP-initiated SSO event.
Composite Adapter configuration
SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.
Self-service password reset
Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.
OAuth
PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.
Although it's possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage, we recommend not doing so to avoid potential record migration issues.
Customer identity and access management
Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.
Provisioning
- LDAP referrals return an error and cause provisioning to fail if the user or group objects are defined at the DC level, and not within an OU or within the Users CN.
- The totalResults value in SCIM responses indicates the number of results returned in the current response, not the total number of estimated results on the LDAP server.
Logging
- If a source attribute has been configured for masking in an IdP adapter or IdP connection and the source attribute is mapped to OAuth's persistent grant USER_KEY attribute, the USER_KEY attribute will not be masked in the server logs. Other persistent grant attributes will be masked.
- Even if a source attribute has been configured for masking in an IdP adapter and the source attribute is mapped as the adapter's unique user key, the user key attribute is not masked in the server or audit logs.
Database logging
- If a source attribute has been configured for masking in an IdP adapter or IdP connection and the source attribute is mapped to OAuth's persistent grant USER_KEY attribute, the USER_KEY attribute will not be masked in the server logs. Other persistent grant attributes will be masked.
- Even if a source attribute has been configured for masking in an IdP adapter and the source attribute is mapped as the adapter's unique user key, the user key attribute is not masked in the server or audit logs.
RADIUS NAS-IP-Address
The RADIUS NAS-IP-Address is only included in Access-Request packets when pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.
Amazon SNS Notification Publisher
When deploying PingFederate with a forward proxy, plugins based on the AWS SDK, such as the Amazon SNS Notification Publisher, will only honor the http.proxyHost, http.proxyPort, http.proxyUser, and http.proxyPassword properties in run.properties. The plugin will rely on these properties even if the service URL is https.
PingOne Fraud integration kit
Microsoft Internet Explorer 11
Ping Identity commits to deliver the best experience for administrators and users. As we continue to improve our products, we encourage you to migrate off of Microsoft Internet Explorer 11. Starting with PingFederate 11.0, Internet Explorer 11 is no longer included in the PingFederate qualification process for administrators or users. For a list of supported browsers, see System requirements.
Configcopy tool, Connection Management Service, SSO Directory Service
As of PingFederate 10.2, these features have been deprecated and will be removed in a future release.
Oracle Directory Server Enterprise Edition
As Oracle ended its Premier Support for Oracle Directory Server Enterprise Edition (ODSEE 11g) in December 2019, we no longer include ODSEE as part of the PingFederate qualification process (starting with PingFederate 10.2). We continue to qualify against Oracle Unified Directory (www.oracle.com/middleware/technologies/unified-directory.html) and other supported directory servers. For a full list, see System requirements.
SNMP
Starting with PingFederate 10.2, monitoring and reporting through SNMP has been removed.
Roles and protocols
Starting with PingFederate 10.1, roles and protocols are always enabled and no longer configurable through the administrative console and API.
S3_PING discovery protocol
Starting with PingFederate 10.1, the S3_PING discovery protocol has been deprecated. Customers running on AWS infrastructure should instead use NATIVE_S3_PING.
Red Hat Enterprise Linux install script
Starting with PingFederate 10.0, the Red Hat Enterprise Linux install script is no longer available. To install PingFederate 10.0 for Linux, you must download and extract the product distribution .zip file.