Known issues

  • If PingFederate sits behind a proxy and the proxy sends the X.509 certificate in encoded form, PingFederate cannot decode it, which results in a failure. To prevent this, ensure the proxy sends the certificate in RAW format as a header.

Known limitations

  • The browser, browser version, and platform can affect the adapter's ability to obtain the X.509 certificate. If you experience issues using this adapter with a browser, contact Ping Identity support.
    • Users may be prompted to select the certificate even when only one certificate matches the configured Issuer CAs. Some browsers provide a setting that determines whether the user is prompted or the certificate is selected automatically.
    • The adapter has been tested with the following desktop browsers:
      • Firefox (tested with 89)
      • Chrome (tested with 91.0.4472.101)
      • Edge (tested with 91.0.864.54)
      • Safari (tested with 12.1.1 [14607.])
      • Internet Explorer 11
    • Clients using iOS must use Safari. A limitation in iOS prevents Chrome and Firefox from working with this integration kit.
  • Single logout (SLO) is not supported because it is not possible to force the browser to end the SSL session. The adapter can't force an authenticated user to select a new certificate or prompt the user to authenticate to a smart card again.
  • The client authentication host name functionality is only supported by PingFederate version 8.2 or later.
  • Only the attribute type keywords specified in RFC 2253 are correctly parsed out of the subject distinguished name (DN): CN, L, ST, O, OU, C, STREET, DC, UID. All other attribute types are parsed as object identifiers (OIDs), and the corresponding name-value pairs are not human readable.
  • Attribute type keywords defined in the adapter contract do not work if they are mixed case (for example, Cn or sT). Only all upper-case (CN, ST) or all lower-case (cn, st) keywords work.
  • The adapter does not support the isPassive or forceAuthn portions of a SAML authentication policy.
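
The two subject DN limitations above (only the listed keywords are parsed by name, and mixed-case contract keywords do not work) can be checked against a planned adapter contract before deployment. The Python sketch below is an added example, not Ping Identity code: the function names, the sample DN and the matching model are assumptions built from those two bullets.

```python
import re

# Attribute type keywords the page says are parsed out of the subject DN.
KEYWORDS = {"CN", "L", "ST", "O", "OU", "C", "STREET", "DC", "UID"}

# Constructed sample DN; the dotted type is the emailAddress OID with a
# hex-encoded value, which is how an unlisted attribute type shows up.
SAMPLE_DN = (r"CN=Jane Doe,OU=Eng\, West,O=Example,"
             "1.2.840.113549.1.9.1=#16106a616e65406578616d706c652e636f6d,C=US")

def split_unescaped(text, sep):
    """Split on sep, skipping separators escaped with a backslash."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" and i + 1 < len(text) else 1
        if step == 1 and text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i:i + step]
        i += step
    parts.append(cur)
    return parts

def parse_dn(dn):
    """Return (type, value) pairs; handles \\, escapes and multi-valued RDNs,
    not quoted values or \\XX hex-pair escapes."""
    pairs = []
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):
            attr_type, _, value = ava.strip().partition("=")
            pairs.append((attr_type.strip(), re.sub(r"\\(.)", r"\1", value)))
    return pairs

def lint_name(name):
    """Classify a contract attribute name against the two limitations."""
    if name.upper() not in KEYWORDS:
        return "unlisted"      # would only appear in the DN as an OID
    if name not in (name.upper(), name.lower()):
        return "mixed-case"    # e.g. Cn, sT: will not work
    return "ok"

def resolve(dn, contract_names):
    """Values each usable contract name would pick up from the DN."""
    pairs = parse_dn(dn)
    return {n: [v for t, v in pairs if t.upper() == n.upper()]
            for n in contract_names if lint_name(n) == "ok"}

def oid_pairs(dn):
    """Pairs whose type is a dotted OID (not human readable)."""
    return [(t, v) for t, v in parse_dn(dn) if re.fullmatch(r"\d+(\.\d+)+", t)]
```

Running `lint_name` over every planned contract attribute flags names that would silently stay empty, and `oid_pairs` shows which parts of a test certificate's subject will only be available as OID-named values.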