- InterReqStateMgmtMapImpl.expiry.mins renamed
- The InterReqStateMgmtMapImpl.expiry.mins setting in the size-limits.conf file has been renamed in PingFederate 8.4.2. If you have previously modified the value of this setting, please refer to Copying customized files or settings for more information.
- An improved index (IDX_FIELD_NAME) in the database table for OAuth clients
- PingFederate 8.4 has modified an existing index (IDX_FIELD_NAME) in the pingfederate_oauth_clients_ext database table as a general improvement. For information about modifying this index in your existing table, see Reviewing database changes.
- Security enhancement to the OAuth token endpoint
- Starting with version 8.3, a new PingFederate installation no longer allows OAuth clients to send access token validation requests to its token endpoint (/as/token.oauth2) by the HTTP GET method.
- SSLv2Hello disabled
- Starting with PingFederate 8.3, SSLv2Hello is disabled. Customers are encouraged to update their applications to use TLSv1, TLSv1.1, or TLSv1.2 when establishing HTTPS connections with PingFederate.
- License management simplification
- Starting with version 8.2, PingFederate no longer maintains its license information in the <pf_install>/pingfederate/server/default/data/.pingfederate.lic file, which was known as the secondary license file in previous versions of PingFederate. The .pingfederate.lic file, if present, is ignored. We recommend using the administrative console to simplify license management for a standalone PingFederate server or a clustered PingFederate environment.
- Security enhancement for a clustered PingFederate environment
- As of PingFederate 8.1, when encryption is enabled for the network traffic sent between nodes in a clustered PingFederate environment, you must provide an authentication password for the cluster as well; otherwise PingFederate aborts during its startup process.
- Metadata signing
- Previously, when no signing certificate was chosen on the Metadata Signing tab on the window, the /pf/sts_mex.ping and /pf/federation_metadata.ping system-services endpoints provided signed WS-Trust and WS-Federation metadata using one of the certificates configured on the window.
- Hostname verification for email server
- For email notification using SSL or TLS, hostname verification of the certificate is available starting with PingFederate 8.1. This option is enabled automatically when the Use SSL or Use TLS check box is selected for a new configuration. When upgrading from a previous version of PingFederate, if email notification had already been configured to use SSL or TLS, the Upgrade Utility preserves the configuration without activating the hostname verification option for compatibility reasons. Administrators should consider activating this new option to improve security.
- New login template file for the HTML Form Adapter
- Previously, when multiple instances of the HTML Form Adapter were chained together (for example, in an instance of the Composite Adapter), the subsequent instance tried authenticating the end user with the credentials from the previous login, which might fail when the HTML Form Adapter instances were configured to use different password credential validators (PCVs). Although this use case is rare, PingFederate 8.1 has corrected the behavior. As a result, the login template file, <pf_install>/pingfederate/server/default/conf/template/html.form.login.template.html, has been modified.
- New connection pool library
- As of PingFederate 8.0, support for BoneCP as the JDBC connection pool library has been deprecated and replaced with Apache Commons DBCP 2, which requires JDBC 4.1 or later drivers.
- Log4j 2 upgrade
- PingFederate 8.0 has upgraded its logging framework from Log4j to Log4j 2.
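
For the OAuth token endpoint change noted above (GET no longer accepted at /as/token.oauth2 on a new installation), the following added example, which is not part of the PingFederate documentation, scans access-log lines for callers still using GET against that endpoint so they can be moved to POST before they break. The Common Log Format layout, the sample lines and the use of a client_id query parameter to identify the caller are assumptions; adapt the pattern to the log you actually collect.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

TOKEN_ENDPOINT = "/as/token.oauth2"  # endpoint path named in the release note

# Assumption: Common Log Format. Adjust to your reverse proxy or server log layout.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP range, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2017:10:00:00 +0000] "GET /as/token.oauth2?client_id=rs_client&token=EXAMPLE HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Mar/2017:10:00:02 +0000] "POST /as/token.oauth2 HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Mar/2017:10:00:05 +0000] "GET /as/token.oauth2?client_id=rs_client&token=EXAMPLE HTTP/1.1" 200 512',
    '192.0.2.20 - - [01/Mar/2017:10:01:00 +0000] "GET /as/token.oauth2?token=EXAMPLE HTTP/1.1" 200 512',
    '192.0.2.30 - - [01/Mar/2017:10:02:00 +0000] "GET /pf/federation_metadata.ping HTTP/1.1" 200 2048',
    'truncated or malformed line',
]


def find_get_token_callers(lines):
    """Count GET requests to the token endpoint per (source address, client_id).

    Only counts are returned; token values from the query string are never
    copied into the result.
    """
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        url = urlsplit(m.group("target"))
        if url.path.rstrip("/") != TOKEN_ENDPOINT:
            continue
        # Assumption: the caller may identify itself with a client_id parameter.
        client_id = parse_qs(url.query).get("client_id", ["<unknown>"])[0]
        hits[(m.group("src"), client_id)] += 1
    return hits


if __name__ == "__main__":
    for (src, client_id), count in sorted(find_get_token_callers(SAMPLE_LOG).items()):
        print(f"{src} client_id={client_id} GET requests={count}")
```

Callers reported with `<unknown>` supplied no client_id in the query string and have to be traced by source address instead.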