May 2024 - PingOne Advanced Services - PingOne - PingOne Cloud Platform

PingOne Advanced Services

PingOne Advanced Services
PingOne Advanced Services
PingOne Cloud Platform

Platform version 1.18.2. Updated May 23, 2024.

Product versions:

Platform version: Updated May 6, 2024.

Product versions:

Elasticsearch replaced by OpenSearch


After careful consideration over several years, PingOne Advanced Services has replaced Elasticsearch with OpenSearch, an open source branch of Elasticsearch. OpenSearch provides a much larger and innovative feature set that enables a better path forward for continuing to provide log indexing, search, alerting, single sign-on (SSO), custom dashboards, and role-based access.

Elasticsearch data will not be directly migrated into OpenSearch. Instead, only new logs will be processed during the upgrade to platform version and will be available in your new OpenSearch dashboards. We retain 13 months worth of raw log files, and can reprocess up to 3 months of these files into OpenSearch to allow indexed searches of limited historical data, upon request.

This change should not affect logs sent to your SIEM systems, such as Splunk. Log processing pipelines for your endpoints will remain the same, and logs sent to these endpoints will remain in a raw format for you to process.

Kibana Data Views have also been expanded. Each log generated by an app will now have its own data view, which makes it much easier to know where your logs are based on the name of the log file generated by the app. Custom dashboards will need to be exported as JSON files before the upgrade, and after the upgrade, imported into OpenSearch Dashboards and updated to reflect the changes in the new data views. The change to the data views might also require that you update the dashboard panels with the name of the new data view that previously contained the logs of interest.

PIngDirectory improvements

Several improvements were made to PingDirectory:
  • You can now enable database cache sharing for deployments with multiple backend databases. See the PingDirectory release notes for details.
  • When deployed with multiple backend databases, PingDirectory now performs better than before because preloading has been disabled.
  • PingDirectory pod IPs availability and propagation to DNS has been improved for multi-region support.
  • PingDirectory pods graceful shutdown has been improved and now uses an on-premise software-aligned stop-server script to terminate pods.



The PingFederate admin console, PingAccess admin console, ArgoCD, and OpenSearch SSO has been improved to reduce the number of multi-factor authentications.

CAP permissions have also been improved to support additional fine-grained controls over user permissions. Now, users sign on using SSO to access their OpenSearch, PingFederate, or PingAccess environments. The tasks they can perform depend on the administrative roles they are assigned.

Note: This authentication experience is configured in the PingAccess and PingFederate authentication settings. Changing these settings to use a non-default token provider might delay support because it introduces additional authentication steps for Ping Identity operations resources to review.

PingFederate and PingAccess administrator roles provide fine-grained access to features that allow them to perform specific tasks.

PingFederate administrator roles

  • User Admin: Those with this role can add and remove users, change and reset passwords, and install replacement license keys.
  • Admin: Those with this role can configure partner connections and most system settings, but they cannot manage local accounts or handle local keys and certificates.
  • Expression Admin: Those with this role can map user attributes using Object-Graph Navigation Language (OGNL).
    Note: Only administrators who have both the Admin role and the Expression Admin role can be granted:
    • The User Admin role. This restriction prevents non-Expression Admins from granting themselves the Expression Admin role.
    • Write access to the file system or directory where PingFederate is installed. This restriction prevents a non-Expression Admin user from placing a file containing expressions into the <pf_install>/pingfederate/server/default/deploy directory, which would introduce expressions into PingFederate.]
  • Crypto Admin: Those with this role manage local keys and certificates.
  • Auditor: Those with this role have view-only privileges.

PingAccess administrator roles

  • Administrator: Those with this role can access all features unless someone is assigned the Platform Administrator role. If that role is assigned, the Administrators can't update authorization, user, or environment settings, but can access everything else.
  • Platform Administrator: Those with this role can access everything that an Administrator can access, but they can also update authorization, user, and environment settings and configurations. Use this role in conjunction with the Administrator role to prevent accidental lockouts.
  • Auditor: Those with this role have view-only privileges.