PingFederate 12.0 (December 2023) - PingFederate - 12.0

OpenID Connect (OIDC) relying party (RP) initiated logout allows OAuth clients to request that the OpenID Provider (OP) perform a federated logout. PingFederate now supports this standard, both when PingFederate acts as the OP as well as when it acts as the RP via an OIDC IdP connection.

For more information, see OAuth Client Management Service, Configuring OpenID Provider information, and OpenID Connect RP-initiated logout endpoint.

You can now add risk provider such as CAPTCHA to Identifier First adapters.

For more information, see Configuring an Identifier First Adapter instance

API-capable IdP adapters can now prevent a redirect to the authentication application if no user interaction is required.

For more information, see Upgrade considerations.

You can now configure runtime notifications to alert you when the number of threads in use exceeds a set threshold. You can also use this feature to initiate and log a thread dump event.

For more information, see Configuring runtime notifications.

You can now configure your authorization server settings for OAuth and OIDC users so that their decisions to grant access can be persisted after a refresh_token is revoked.

For more information, see Authorization Consent in Configuring authorization server settings.

PingFederate will now issue a notification in the admin console before a certificate expires. You can configure the duration of the notification before and after expiry in the Runtime Notifications menu.

Deleted certificates are removed from the notifications menu.

For more information, see Configuring runtime notifications.

We further improved support for self-service and application on-boarding use cases. OAuth applications and SAML connections can now be replicated to PingFederate engine nodes without affecting any dependencies. This enhancement lets development teams manage their applications without the help of PingFederate administrators. For more information, see Cluster management.

Continuing the PingFederate tradition of recognizing open identity standards, it now supports the OpenID Connect Front-Channel Logout specification. This feature enables global sign-off user journeys. It's available in addition to PingFederate’s proprietary front-channel logout protocol. For more information, see Configuring OAuth clients.

For OpenID Connect IDP connections, log files now include more details so that you can analyze and resolve connection problems easier. You can enable this feature just by selecting a check box in the Log Settings. For more information, see Log settings.

Now you can configure PingFederate to enable sessions on shared devices. Devices can be configured as private or public (unspecified) and maintain persistent sessions. This feature is available through the HTML Form Adapter. For more information, see Configuring authentication sessions.

The integration with the CyberArk Secret Manager now allows access to all values available through the CyberArk interface. This gives you more freedom when building user journeys. For more information, see Configuring instances of the secret manager plugin for the CyberArk Credential Provider.

When you use OAuth and OpenID Connect flows with response_mode=pi.flow, users are redirected back to the associated authentication application rather than to PingFederate. This is enables more consistent user journeys. For more information, see Configuring self-service account recovery.

To further support Amazon DynamoDB use cases, now you can also use account linking with this NoSQL database. For more information, see Configuring an Amazon DynamoDB for account-link storage.

This feature simplifies the use of PingFederate policies because it no longer requires input or output contracts for certain fragments. This improves the readability, maintainability, and performance of these policies. For more information, see Defining policy fragments.

Enhancing PingFederate's support for OAuth DPoP, this release includes support for this type of access token. It lets developers learn more about the use and importance of the dpop_bound_access_tokens parameter. For more information about the parameter, see the PingFederate Open Banking Software Assertion Validator plug-in on GitHub.

In rare cases where plugin creation and initialization significantly slows down PingFederate startup, you can now turn off plugin creation and initialization. Plugins will then only be initialized on first use.

The default startup behavior is recommended for most customers. For more information about this option and the tradeoffs involved in enabling it, open a support case.

The PingOne Protect Integration Kit is now bundled with PingFederate.

The PingID Integration Kit has been updated to version 2.26.

The PingOne MFA Integration Kit has been updated to version 2.2.1.

When integrating with Thales Luna Network hardware security modules (HSMs), you can now use Java 17.

For more information, see Integrating with Thales Luna Network HSM

The administrator audit log file (admin.log) now logs any OGNL expression tests performed and the expression variables used with an event type of TEST_EXPRESSION. For more information, see Administrator audit logging.

Now PingFederate supports authentication to Azure SQL Managed Instance through Azure Active Directory without a username and password. For more information, see Configuring a JDBC connection.

Upgraded the BCFIPS library to 1.0.2.4, which now supports enabling BCFIPS mode with Java 17.

For more information, see Bouncy Castle FIPS provider and Integrating Bouncy Castle FIPS providers.

• Upgraded Jetty to version 9.4.53.v20231009.

• Upgraded JGroups to version 4.2.24.Final.

Fixed a potential security vulnerability described in SECADV040.

Fixed a Server-Side Request Forgery vulnerability in the Initial Setup Wizard described in security advisory SECADV041.

For fresh installs, we changed the default value of pf.cluster.TCPPING.return_entire_cache in jgroups.properties from true to false.

This prevents an issue where remote procedure calls (RPCs) can be dropped in large clusters that use TCPPING.

For more information, see Upgrade considerations.

Fixed an issue with the administrative API doc on the /oauth/accessTokenMappings endpoint not matching the actual endpoint response.

Now log messages about illegal characters in API calls are logged at the DEBUG level rather than the WARN level.

Added the value none to /.well-known/openid-configuration/token_endpoint_auth_methods_supported

The id_token_jti property is no longer included in token endpoint responses.

Fixed an administrative API defect when a fragment rule had Default to Success disabled

Fixed an issue that was returning a 404 error if the /idp/startSLO.ping endpoint was hit while a virtual issuer was configured. You can now configure virtual issuers with a context path.

Clients that maintain a JWKS endpoint can now use private key JWT based authentication when requesting an access token.

Checking for existing but expired grants with DynamoDB no longer causes a null pointer exception error (NPE).

Fixed an issue preventing PingFederate from closing connections after receiving a 401 or 403 response from PingOne MFA.

You can now turn off server-side sorting via a configuration option.

You can now copy and paste a policy contract below a selector node.

Fixed an issue where decryption of an encrypted SAML element could fail if a KeyName was specified.

When using redirectless mode, now the one-time link (OTL) in password-reset email messages returns users to the authentication API application configured for the policy, rather than to PingFederate.

When a service provider (SP) authentication policy fails, PingFederate now renders the sp.sso.error.page.template.html page instead of the idp.sso.error.page.template.html page.

Fixed a defect where an OAuth client created with dynamic client registration (DCR) couldn't be updated with DCR after it was modified with the administrative console.

Now PingFederate closes idle JDBC datastore connections until the minimum pool size is reached instead of closing and recreating all of them.

The id_token_jti property is no longer included in token endpoint responses.

Fixed an administrative API defect when a fragment rule had Default to Success disabled

Resolved an issue that caused PingFederate to send email notifications for licensing events even though they were disabled in the Runtime Notifications configuration.

We upgraded the Jetty library, resolving CVE-2022-2047 and CVE-2022-2048.

Using submit and onSubmit as OAuth scope names in the administrative UI drop-down no longer causes front-end JavaScript errors.

Policy fragments with valid authentication sources no longer fail with an Invalid Configuration error during runtime.

PingFederate, when configured with PingDirectory as an outbound provisioning data source, no longer sends redundant group updates in each provisioning cycle when the entry remains unchanged.

We've resolved a potential security vulnerability that is described in security advisory SECADV037.

We fixed an issue so that PingFederate as a Windows service now runs on Java 17. When updating to the latest maintenance release using an in-place update method (for example, from 11.3.0 to 11.3.x), in addition to the steps in Updating to the latest maintenance release, you must remove the existing PingFederate Windows service. After removal, re-install the PingFederate Windows Service to apply this fix.

When an OIDC identity provider (IdP) connection fails in an authentication policy, PingFederate now continues on to the fail path of the authentication policy.

We resolved an issue that incorrectly produced an administrative API validation error when the fragment mapping references context.RequestedUser as the mapping source.

PingFederate now processes authorization details within a rich authorization request (RAR) as a JSON Array in a JWT request. Additionally, PingFederate no longer supports authorization details sent as stringified JSON arrays.

Resolved a replication issue that, in rare cases, caused an engine node in a cluster to start without replication data from other nodes.

Resolved an issue that prevented user sessions from being revoked through the session management API when using persistent sessions.

We've resolved a potential security vulnerability that is described in security advisory SECADV037.

When utilizing the PingFederate administrative API to create or update a fragment that includes another fragment, the API will no longer produce a validation error when fragment mapping involves an input source type.

The message-template-end-user-password-change.html template now contains the USERNAME variable.

We've resolved a potential security vulnerability that is described in security advisory SECADV037.

We fixed a policy evaluation issue that occurred when ui_locales was present in an authentication request.

We updated the administrative UI to include certification serial number in the drop-down, thus preventing import errors for certifications sharing the same Subject DN and expiration date combination.

We fixed an attribute lookup error that occurred when different DynamoDB attributes shared an overlapping path.

PingFederate versions 11.1.4, 11.1.5, 11.2.1, and 11.2.2 contain version 3.0.2 of the PingID password credential validator (PCV). That version of the PCV has known issues that you should review before upgrading. For more information, see Known issues in PingID RADIUS PCV 3.0.2.

• Although PingFederate 11.3 and later support DPoP, a known limitation is that the following features don't support DPoP when PingFederate is the RP:
  • The administrative console authentication scheme using OIDC
  • The administrative API authentication scheme using OAuth 2.0
• /bulk: Only resource types currently supported by the administrative API are included in the exported data. We don't intend to introduce administrative API support to the following areas:
  • SAML 2.0 IdP Discovery
  • SAML 2.0 SP Affiliation
  • SMS Provider
• Previously, the administrative API did not accurately reflect a Persistent Grant Max Lifetime setting of 29 days (or shorter) with the selection of the Grants Do Not Timeout Due To Inactivity option. As a result, if you have configured such OAuth authorization server settings and have generated a bulk export in version 10.0 through 10.0.2, we recommend that you re-generate a new bulk export after upgrading to version 10.0.3 (or a more recent version). The newly exported data does not contain the aforementioned flaw, and you can safely import it to version 10.0.3 (or a more recent version).
• When enabling mTLS certificate-based authentication, administrators often configure a list of acceptable client certificate issuers. When you use a browser to access the console or the administrative API documentation, PingFederate returns to the browser the list of acceptable issuers as part of the TLS handshake. If the browser's client certificate store contains multiple client certificates, the browser often presents you only the certificates whose issuer matches one of the acceptable issuers. However, when PingFederate runs in a Java 11 environment, Chrome presents you all its configured client certificates, regardless of whether the issuer matches one of the acceptable issuers or not.
• When using mTLS authentication to authenticate to an LDAP server for administrative console or administrative API access, PingFederate doesn't support using a Microsoft Active Directory server.
• Prior to toggling the status of a connection with the administrative API, you must ensure that any expired certificates or no longer available attributes are replaced with valid certificates or attributes; otherwise, the update request fails.
• When creating or updating a child instance of a hierarchical plugin, the administrative API retains objects with an "inherited": false name/value pair (or without such name/value pair altogether), ignores those with a value of true, and returns a 200 HTTP status code. No error messages are returned for the ignored objects.
• Using the browser's navigation mechanisms (for example, the Back button) causes inconsistent behavior in the administrative console. Use the navigation buttons provided at the bottom of windows in the PingFederate console.
• Using the PingFederate console in multiple tabs on one browser might cause inconsistent behavior which could corrupt its configuration.
• If authenticated to the PingFederate administrative console using certificate authentication, a session that has timed out might not appear to behave as expected. Normally (when using password authentication), when a session has timed out and a user attempts some action in the console, the browser is redirected to the sign-on page, and then back to the administrative console after authentication is complete. Similar behavior applies for certificate authentication, in principle. However, because the browser might automatically resubmit the certificate for authentication, the browser might redirect to the administrative console and not the sign on page.

For Java versions that don't support TLSv1.3 (meaning versions earlier than 8u261), PingFederate fails on start up with a NoSuchAlgorithmException exception. To resolve this error, remove TLSv1.3 from the following settings in the run.properties file:

• pf.tls.client.protocols
• pf.tls.runtime.server.protocols
• pf.tls.admin.server.protocols

PingFederate's TLS cipher suites can be customized by modifying com.pingidentity.crypto.SunJCEManager.xml (or a similarly-named file if BCFIPS or an HSM is configured). After updating the file and replicating, all cluster nodes must be restarted for the change to take effect.

• CloudHSM is not supported when using Java 17.
• Updating Java version 8 to version 11 results in an error when PingFederate is already installed and running on Windows. To work around this issue, uninstall and reinstall the PingFederate Windows service by running the UninstallPingFederateService.bat and InstallPingFederateService.bat files located in <pf_install>/pingfederate/sbin/wrapper.

• It is not possible to use an elliptic curve (EC) certificate as an SSL server certificate.
• TLS 1.3 is not currently supported.

• JWT token decryption using ECDH-ES may fail. This issue only arises if PingFederate is configured with static OAuth and OpenID Connect keys, a static key is stored on the HSM, and PingFederate is consuming a token encrypted with this key.
• It is not possible to use an EC certificate as an SSL server certificate.
• TLS 1.3 is not currently supported.

• JWT token decryption using ECDH-ES may fail. This issue only arises if PingFederate is configured with static OAuth and OpenID Connect keys, a static key is stored on the HSM, and PingFederate is consuming a token encrypted with this key.
• It is not possible to import a PKCS12- or PEM-formatted EC certificate.
• It is not possible to use an EC certificate as an SSL server certificate.
• TLS 1.3 is not currently supported.

• When consuming SAML metadata, PingFederate does not report an error when neither the validUntil nor the cacheDuration attribute is included in the metadata. Note that PingFederate does reject expired SAML metadata as indicated by the validUntil attribute value, if it is provided.
• The anchored-certificate trust model cannot be used with the Single log off (SLO) redirect binding because the certificate cannot be included with the logout request.
• If an IdP connection is configured for multiple virtual server IDs, PingFederate will always use the default virtual server ID for IdP Discovery during an SP-initiated SSO event.

SLO is not supported when users are authenticated through a Composite Adapter instance that contains another instance of the Composite Adapter.

Passwords can be reset for Microsoft Active Directory user accounts without the permission to change password.

PingFederate does not support a case-sensitive naming convention for OAuth client ID values when client records are stored in a directory server. For example, after creating a client with an ID value of sampleClient, PingFederate does not allow the creation of another client with an ID value of SampleClient.

Although it's possible to create clients using the same ID values with different casings when client records are stored in XML files, a database server, or custom storage, we recommend not doing so to avoid potential record migration issues.

Some browsers display a date-picker user interface for fields that have been designed for date-specific inputs. Some browsers do not. If one or more date-specific fields are defined on the registration page or the profile management page (or both), end users must enter the dates manually if their browsers do not display a date-picker user interface for those fields.

• LDAP referrals return an error and cause provisioning to fail if the user or group objects are defined at the DC level, and not within an OU or within the Users CN.
• The totalResults value in SCIM responses indicates the number of results returned in the current response, not the total number of estimated results on the LDAP server.

• If a source attribute has been configured for masking in an IdP adapter or IdP connection and the source attribute is mapped to OAuth's persistent grant USER_KEY attribute, the USER_KEY attribute will not be masked in the server logs. Other persistent grant attributes will be masked.
• Even if a source attribute has been configured for masking in an IdP adapter and the source attribute is mapped as the adapter's unique user key, the user key attribute is not masked in the server or audit logs.

• If a source attribute has been configured for masking in an IdP adapter or IdP connection and the source attribute is mapped to OAuth's persistent grant USER_KEY attribute, the USER_KEY attribute will not be masked in the server logs. Other persistent grant attributes will be masked.
• Even if a source attribute has been configured for masking in an IdP adapter and the source attribute is mapped as the adapter's unique user key, the user key attribute is not masked in the server or audit logs.

The RADIUS NAS-IP-Address is only included in Access-Request packets when the pf.bind.engine.address is set with an IPv4 address. IPv6 is not supported.

When deploying PingFederate with a forward proxy, plugins based on the AWS SDK, such as the Amazon SNS Notification Publisher, will only honor the http.proxyHost, http.proxyPort, http.proxyUser, and http.proxyPassword properties in run.properties. The plugin will rely on these properties even if the service URL is https.

As of PingFederate 12.0, these features have been deprecated, and will be removed in a future release.

Starting with PingFederate 12.0, self-service password reset (SSPR) has been removed.

Starting with version 12.0, PingFederate no longer supports upgrading from PingFederate version 6.x and 7.x.

Ping Identity commits to deliver the best experience for administrators and users. As we continue to improve our products, we encourage you to migrate off of Microsoft Internet Explorer 11. Starting with PingFederate 11.0, Internet Explorer 11 is no longer included in the PingFederate qualification process for administrators or users. For a list of supported browsers, see System requirements.

As of PingFederate 10.2, these features have been deprecated and will be removed in a future release.

As Oracle ended its Premier Support for Oracle Directory Server Enterprise Edition (ODSEE 11g) in December 2019, we no longer include ODSEE as part of the PingFederate qualification process (starting with PingFederate 10.2). We continue to qualify against Oracle Unified Directory (www.oracle.com/middleware/technologies/unified-directory.html) and other supported directory servers. For a full list, see System requirements.

Starting with PingFederate 10.2, monitoring and reporting through the SNMP has been removed.

Starting with PingFederate 10.1, roles and protocols are always enabled and no longer configurable through the administrative console and API.

Starting with PingFederate 10.1, the S3_PING discovery protocol has been deprecated. Customers running on AWS infrastructure should instead use NATIVE_S3_PING.

Starting with PingFederate 10.0, the Red Hat Enterprise Linux install script is no longer available. To install PingFederate 10.0 for Linux, you must download and extract the product distribution .zip file.