Page created: 28 Dec 2019 | Page updated: 2 May 2022
The following are known issues or limitations for the X.509 Certificate Integration Kit.
Known issues
- If PingFederate sits behind a proxy and the proxy sends the X.509 certificate in encoded form, PingFederate is not able to decode it, which results in a failure. To prevent this, ensure the proxy sends the certificate in RAW format as a header.
Known limitations
- The browser, browser version, and platform can affect the adapter's ability to obtain the X.509 certificate. If you experience issues using this adapter with a browser, contact Ping Identity support.
- Users may be prompted to select the certificate even when only one certificate matches the configured Issuer CAs. Some browsers provide a setting that determines whether the user is prompted or the certificate is selected automatically.
- The adapter has been tested with the following desktop browsers:
  - Firefox (tested with 89)
  - Chrome (tested with 91.0.4472.101)
  - Edge (tested with 91.0.864.54)
  - Safari (tested with 12.1.1 [14607.2.6.1.1])
  - Internet Explorer 11
- Clients using iOS must use Safari. A limitation in iOS prevents Chrome and Firefox from working with this integration kit.
- Single logout (SLO) is not supported because it is not possible to force the browser to end the SSL session. The adapter can't force an authenticated user to select a new certificate or prompt the user to authenticate to a smart card again.
- The client authentication host name functionality is only supported by PingFederate version 8.2 or later.
- Only the attribute type keywords specified in RFC 2253 are correctly parsed out of the subject distinguished name (DN): CN, L, ST, O, OU, C, STREET, DC, UID. All other attribute types are parsed as object identifiers (OIDs), and the corresponding name-value pairs are not human readable.
- Attribute type keywords defined in the adapter contract do not work if they are mixed case (for example, Cn or sT). Only all upper-case (CN, ST) or all lower-case (cn, st) keywords work.
- The adapter does not support the ‘isPassive’ or ‘forceAuthn’ portions of a SAML authentication policy.
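
A pre-deployment check for the two DN limitations above, added here as an example (it is not part of the integration kit or Ping Identity's code). It reports which attribute types in a sample subject DN fall outside the listed RFC 2253 keywords and which contract keywords are mixed case; the function names, sample DN, and sample contract are constructed for illustration.

```python
# Keywords the page lists as parsed by name out of the subject DN.
RFC2253_KEYWORDS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}

def split_unescaped(text, sep):
    """Split on sep unless it is backslash-escaped or inside double quotes."""
    parts, buf, escaped, quoted = [], [], False, False
    for ch in text:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    return parts

def dn_attribute_types(dn):
    """Return the attribute types, in order, of an RFC 2253 string DN."""
    types = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued RDN
            attr_type, eq, _value = ava.partition("=")
            if not eq or not attr_type.strip():
                raise ValueError(f"malformed DN component: {ava!r}")
            types.append(attr_type.strip())
    return types

def audit(dn, contract_keywords):
    """Flag DN types that will surface as OIDs and mixed-case contract keywords."""
    oid_only = [t for t in dn_attribute_types(dn)
                if t.upper() not in RFC2253_KEYWORDS]
    mixed_case = [k for k in contract_keywords
                  if k not in (k.upper(), k.lower())]
    return {"oid_only": oid_only, "mixed_case": mixed_case}

# Constructed sample input: escaped comma, multi-valued RDN, two non-listed types.
SAMPLE_DN = (r"CN=Doe\, Jane+UID=jdoe,OU=Ops,O=Example Corp,C=US,"
             r"emailAddress=jdoe@example.com,SERIALNUMBER=0042")
SAMPLE_CONTRACT = ["CN", "ou", "sT", "Uid"]

if __name__ == "__main__":
    print(audit(SAMPLE_DN, SAMPLE_CONTRACT))
```

Attribute types reported under `oid_only` are the ones to expect as OID name-value pairs, so attribute mappings that depend on them need to reference the OID form.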