Previous PingOne for Enterprises releases - PingOne for Enterprise

PingFederate Connection

The latest version of PingFederate available for download through PingOne for Enterprise is 10.3.

You can download later versions of PingFederate from the Ping Identity main download site.

PingOne Connector

• Fixed an issue that caused an error when trying update the population ID attribute.

See Known Issues and Limitations below for important information.

PingOne for Enterprise Directory

Notification emails sent to administrators when new users self-register now include a link to the Users > User Directory > Users menu where you can approve the new user.

For more information, see Approve new directory users.

Azure Conditional Access

Added the MFA_SUBJECT attribute to the Microsoft Azure AD identity repository configuration.

If you're using PingID for Azure Conditional Access, the MFA_SUBJECT attribute in PingOne for Enterprise can be mapped the same as the username attribute in PingID.

For more information, see Connect to Azure and Configuring PingID MFA for Microsoft Azure AD Conditional Access in the PingID documentation.

Office 365 Connector

Migrated the Office 365 Connector from the Azure AD Graph API 1.6 to the Microsoft Graph API 1.0

See Known Issues and Limitations below.

For more information, see the Office 365 Connector documentation.

SSO Admins

Updated the Account > Administrators page to display all single sign-on (SSO) administrative users.

Previously, SSO admins who were also registered in other PingOne for Enterprise accounts did not display.

For more information, see Assign administrative roles.

Office 365 Connector

• Opting out of license management for users is not supported. The connector will clear existing licenses even when the attribute is unmapped.
• Updating mobile attribute requires that the service principal representing the connector be assigned a role with Company Administrator privileges using Powershell.

  See this KB article for more information.

• Updating the Password attribute is not supported.
• User updates containing a manager that has not yet been provisioned or updated by the new version will fail.

  Older version updates will not have the new extended attribute with their distinguished name (DN) from Active Directory.

• If the DoBase64Conversion field is switched to false, conflicts or failures will likely result on federated domains containing pre-existing users provisioned by dirsync/V1.0.
• Only outbound provisioning is supported.
• Group provisioning is not supported.
• Automatic licensing of users is not supported.

PingOne Connector

• Changed the North America region to North America (US)
• Added the North America (Canada) region

See Known Issues and Limitations below for important information.

SSO/SLO

Increased the max-age parameter of the strict-transport-security header for the https://sso.connect.pingidentity.com/sso/ endpoint.

The previous max-age was 1 year. The new max-age is 2 years.

PingOne Connector

• Clearing fields on updates is not supported.
• Multivalued attributes such as email or address are not supported. Multiple values appear as a single array on PingOne.
• Custom attributes are set when the user is initially created, and cannot be updated afterward.

Custom Application Categories

Added the ability to create custom application categories.

Custom application categories let you organize applications in ways that work best for your organization.

For more information, see Creating a custom application category.

PingOne Connector

• Added support for group provisioning
• Added the ability to select a default MFA device during user creation
• Added voice as an option for offline device pairing
• Fixed an issue that prevented all of a user's authentication methods from being provisioned if any of them were invalid.
• Fixed an issue that allowed duplicate local attributes to be defined when configuring an adapter.
• Fixed an issue that could cause an attribute containing an array of objects to be returned in the incorrect format.
• Fixed an issue that caused password validation to fail intermittently when the user's access token had expired.

See Known Issues and Limitations below for important information.

Single Logout

Added support for the optional idpid parameter to all single logout (SLO) endpoints.

If you specify the idpid value, the SLO operation is restricted only to sessions with the specified idpid value.

For more information, see PingOne for Enterprise and SLO.

SSO Admins

Updated the Account > Administrators page to display all single sign-on (SSO) administrative users.

Previously, SSO admins who were also registered in other PingOne for Enterprise accounts did not display.

For more information, see Assign administrative roles.

PingOne Provisioner

Clearing fields on updates is not supported.

Multivalued attributes, such as emails and addresses, are not supported. Multiple values appear as a single-array value in PingOne.

Custom attributes are set when the user is initially created. They cannot be updated after they are set.

PingOne Provisioner

Added support for custom string attributes.

See Known Issues and Limitations below for important information.

PingOne Provisioner

Clearing fields on updates is not supported.

Multivalued attributes, such as emails and addresses, are not supported. Multiple values appear as a single-array value in PingOne.

Custom attributes are set when the user is initially created. They cannot be updated after they are set.

Admin Portal Banner

Added a feature allowing you to display a banner message in the administrative portal.

For more information, see Adding a logo and banner message.

Single Logout Flow

Added a feature allowing administrators to choose how handles single logout (SLO) requests.

For more information, see Configure the dock when using PingOne for Enterprise Directory and Configuring the dock when using an identity bridge.

PingID Device Administrator Role

Added a new administrative role to manage user PingID Device settings.

For more information, see Assign administrative roles.

Read-Only Administrative Roles

Added a feature allowing you to assign user groups to read-only versions of administrative roles.

Read-only roles allow administrators to access the areas of the admin portal normally allowed by that role, but not to change settings.

For more information, see Configuring SSO to the PingOne for Enterprise admin portal.

Password Policy

Changed the default password requirements for new accounts.

Previous default settings required a minimum password length of 6 characters, with no requirement for special characters.

New default settings require a minimum password length of 8 characters, and a minimum of one special character.

This change only applies to new accounts.

Single Logout Flow

Single logout from the admin portal does not currently support redirect SLO flow.

If you select Redirect SLO flow for your users, your SSO admins should use the Sign Off button at the top right of the admin portal rather than signing off through the PingOne Dock.

Admin-API Client

Removed the ability to use special characters in the Client Name and Description fields when creating API clients.

Special characters in these fields can present a security risk.

If you have existing API clients that include special characters, you will be forced to remove the characters the next time you edit the client.

For more information, see Creating an Admin-API client.

Password Policy Customization

Added a feature giving PingOne for Enterprise for Managed Service Providers administrators the ability to permit their customer accounts to customize password policies.

For more information, see Configuring customer account service settings.

Admin-API Client

Removed the ability to use special characters in the Client Name and Description fields when creating API clients.

Special characters in these fields can present a security risk.

If you have existing API clients that include special characters, you will be forced to remove the characters the next time you edit the client.

For more information, see Creating an Admin-API client.

Password Policy Customization

Added a feature giving PingOne for Enterprise for Managed Service Providers administrators the ability to permit their customer accounts to customize password policies.

For more information, see Configuring customer account service settings.

OAuth Access Token

Increased the allowed number of trusted origins for OAuth access token Cross-Origin Resource Sharing. The previous limit was 10. The current limit is 100.

For more information, see Configuring your OAuth settings.

PingOne for Customers Provisioner

Added a new provisioner for PingOne for Customers.

This provisioner includes:

• Authoritative IdP attribute
• Default nicknames for email and SMS

For more information see PingOne Integration Kit.

Self-Service Password Reset

Reduced the lifetime of self-service user password reset from the sign on screen.

Previously the password reset link was valid for 3 days. Currently the password reset link is valid for 24 hours.

PingOne for Customers Provisioner

Aquera Provisioner

Added a new provisioner for Aquera Connector. This is the initial release for this provisioner.

For more information, see Overview of the Aquera Connector.

SCIM SaaS Provisioner

Fixed application/JSON headers for SCIM 1.1 requests.

Added logic to avoid sending an empty FormattedName attribute.

For more information, see Overview of the SCIM Connector.

ServiceNow Provisioner

Added support for the Orlando and Paris versions of Service Now.

For more information, see Overview of the ServiceNow Connector.

ServiceNow Provisioner

SCIM SaaS Provisioner

Authentication Policy

Added a feature that allows you to choose whether to authenticate SSO admins using their email or their SSO username.

For more information, see Create or update an authentication policy.

Administrator Settings

Added a feature that allows you to change the certificate expiration notification settings for Global and SaaS administrators.

For more information, see Editing administrative roles, permissions, and notifications and Manage your user profile.

Subscription API

Added a new result status to PingID audit events.

UNSUCCESSFUL_ATTEMPT represents an invalid one-time passcode (OTP) attempt that did not result in failed authentication.

For more information about audit events, see Get the audit events for a Poll subscription.

Single Logout

PingOne for Enterprise's single logout (SLO) implementation relies on the ability to send cookies within an iframe. Safari now blocks this function by default, which causes SLO to fail in most scenarios.

We are working to accommodate this new behavior.

You can solve this problem by enabling third-party cookies in the browser settings.

Added a feature that allows you to create Admin-API clients to access subscription endpoints without the need for additional administrator accounts.

For more information, see Creating an Admin-API client

Added a new provisioner for AWS Single Sign-On. This is the initial release for this provisioner.

See Known Issues and Limitations below for important information.

For more information, see Overview of the AWS Single Sign-On Connector.

Added a feature that directs a user to the specified redirect URL if they click on the registration URL after completing the registration process.

For more information about self-registration, see Allow self registration for new directory users.

Added a feature that allows administrators to designate a signing certificate as the default certificate for newly added application connections.

For more information, see Create a signing certificate and View certificate details.

• This integration does not support group provisioning
• Once set, user attributes cannot be cleared, only updated

Added a feature that allows administrators to enable additional directory attributes for use in attribute mapping for IdP, dock, and application configuration.

For more information, see Manage directory attributes.

• Changed name from PingOne for Customers Provisioner to PingOne Provisioner
• Added the ability to manage PingOne MFA Email and SMS devices

• Clearing fields on updates is not supported.
• Outbound Group Provisioning and Memberships is not supported.
• Patch updates to SCIM-enabled target applications are not supported.
• There is a limit of one value per type (such as, home, work, other) for multivalue attributes (email, phone, address).
• Unexpected behavior may occur if the SaaS application does not specify either type and primary information, or both type and primary information for multivalue attributes (email, phone, address). Also, existing attributes on the application may not be removed during an update, and the desired value may not be correctly set as primary.
• SCIM-compliant service providers may implement or interpret the SCIM standards differently. This can result in behavior that is not consistent with the intended use of the SCIM SaaS provisioner.

• Fixed an issue that prevented users from being updated in Concur.
• See Concur Connector Guide for more information.

• Initial release
• Includes SAML 2.0 support for IdP- and SP-initiated SSO
• Included support for user provisioning
• Included configuration for deprovisioning actions
• See Overview of the Atlassian Cloud Connector for more information.

• Added the ServiceNow URL field and removed the ServiceNow Instance Name field
• Fixed an issue that caused an error when assigning a role that was not also assigned to the provisioning user account
• Added support for the Orlando version of ServiceNow
• See Overview of the ServiceNow Connector for more information

• Clearing fields on updates is not supported
• This integration does not support group provisioning
• Once set, user attributes can only be updated, not cleared

• Initial release.
• Included support for user provisioning.
• See Overview of the PingFederate Code42 integration for more information.

• Initial release.
• Included support for user provisioning.
• Included configuration for deprovisioning actions.
• See Overview of Zscaler integrations for more information.

• User attributes cannot be cleared once set. They can only be updated.
• This integration does not support group provisioning.
• Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group that is created by the provisioner. We recommend not deleting the administrative user and not managing this user through the provisioner.

• This integration does not support group provisioning.
• Once set, user attributes can only be updated, not cleared.
• Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group that is created by the provisioner. We recommend not deleting the administrative user and not managing this user through the provisioner.

• Added a feature allowing administrators to view and manage AD Connect nodes from PingOne portal. See View and manage AD Connect agent nodes for more information.

• Added a feature to generate a shareable metadata URL for applications and the configured SAML IdP. See Adding or updating a SAML application and Connecting to a custom SAML provider for more information.

• Added a setting to the Setup > Dock menu allowing administrators to set the time that a user session can be idle before the session is automatically signed out.

• Added Support for handling rate-limiting responses from Slack.

• Initial release.
• Included support for user provisioning.
• Included support for Zoom attributes.
• Included support for API key and secret authentication.
• Included configuration options for deprovisioning actions.
• See Overview of the Zoom Connector for more information.

• This integration does not support group provisioning.
• Once set, user attributes can only be updated, not cleared.
• Zoom only allows a single value for the Roles attribute.
• Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group created by the provisioner. We recommend not deleting the administrative user and not managing the user through the provisioner.
• Due to a limitation in Zoom, if a user's attributes change at the same they are enabled or disabled, only the disabled status is updated in Zoom. The attributes are updated the next time a change is made to that user.
• Zoom does not allow users with the admin role to be disabled or deleted. Change the user's role first.

• Added support for the application/scim+json HTTP header type
• Improved the SCIM URL field in the connection configuration to work either with or without a trailing slash (/) in the URL

• Renamed the integration to "Zscaler Internet Access" to match official branding
• Added the ability to update the username attribute in Zscaler
• Improved error handling and reporting when encountering a user that does not have an ID

• Added support for the London, Madrid, and New York versions of ServiceNow.
• Added support for mapping users to departments in ServiceNow.
• Improved user ID validation when updating and deleting users.
• Removed support for the Jakarta and Istanbul versions of ServiceNow.

• For departments that contain the "^" (caret) character in the name, the ServiceNow API causes the creation of multiple departments with the same name.
• For the department object, the ServiceNow API ignores capitalization. When provisioning a user that matches multiple departments in ServiceNow (such as, Accounting and accounting), PingOne provisions the user with an empty department attribute and logs an error in the Dashboard Report.
• Outbound Group Provisioning and Memberships are not supported.
• User attributes cannot be cleared once set. They can only be updated.
• When provisioning to ServiceNow, all user accounts in ServiceNow must have an assigned username (User ID) value. This is not a required field in ServiceNow. However, because the provisioner must use this field to sync with pre-existing users in ServiceNow, it is required for provisioning to function. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), the accounts will be linked. Currently, if users exist in ServiceNow without an assigned UserName value, this will cause errors in provisioning. In this case, you can resolve the issue by ensuring every user has an assigned UserName, even if they are not intended to be managed by the provisioner.
• When provisioning users, the username attribute must contain only URL-safe characters.
• When synchronizing roles with users, the role attribute must contain only URL-safe characters.
• If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information assigned.
• Due to limitations with the ServiceNow API, a role can be added to a user but not removed, which may cause a user’s role in the source data store to become out of sync with the user’s role in ServiceNow. For more information, see Adding the Ping Identity provisioning role in ServiceNow.
• When mapping the roles attribute, multiple calls to ServiceNow must be made to sync the user role information. This may impact provisioning performance.

• Provisioning to Salesforce Community Cloud (customer, partner, and custom communities).
• Provisioning to custom Salesforce domains.
• Version 46.0 of the Salesforce REST API.
• Configuring options to manage permission sets by merging or overwriting.
• Additional salesforce attributes.
• Improved error handling and reporting for cases where users in the target application do not have an ID.
• Improved error handling and reporting for cases where groups are updated or deleted but do not exist in the target application.

• The provisioner cannot clear user attributes once they have been set.
• This provisioner does not support custom attributes.
• The Salesforce provisioner does not support hard deleting users in Salesforce. When users are enabled/disabled or deleted in your user store, the user will only be soft deleted (enabled/disabled) accordingly in Salesforce.
• The username attribute must be in an email format.
• The alias attribute can be no more than 8 characters.
• Group provisioning is not supported.
• Deprovisioning:
  • When deprovisioning a Salesforce customer or partner user, the provisioning connector does not unlink the user from the associated contact.
  • If a customer or partner user is unlinked in Salesforce from the associated contact, any changes to the user in the data store will cause the provisioner to create a new user in Salesforce and link it to the existing contact.
  • Guest users in Salesforce cannot be frozen. If Freeze users instead of Disable is selected in your provisioning options, the guest user will not be disabled or frozen.
• Salesforce Communities:
  • The provisioner can link users to "customer" and "partner" business accounts, but not to "person" accounts. See Accounts in the Salesforce documentation.

• Fixed an issue that prevented users with special characters from being provisioned to WebEx.
• Improved error handling and reporting for cases where users in the target application do not have an ID.
• Improved error logging security.
• Fixed an issue that caused a user to be recreated when the provisioning engine tried to delete or disable a user that was already deleted in WebEx.

• Support for the AWS 2.0 API.
• Support for the Password and PasswordResetRequired attributes.
• Support for updating the UserName attribute.
• Improved error-handling and reporting behavior.

• The provisioner cannot re-enable user meeting types that have been disabled through the Webex administration console. If the provisioner tries to update the user's meeting types in this scenario, it can cause all meeting types for that user to be disabled.
• The WebEx ID attribute is not updateable in PingOne.
• The MeetingType attribute is limited to one value in PingOne (not a multivalued attribute).
• Due to API Limitations, WebEx doesn't allow a user to be created in a suspended state. WebEx will automatically activate the user after it is created.

• Group Provisioning is not supported.
• Deprovisioning:
  • AWS does not support disabled users. These users are deleted instead.
• Attributes:
  • When a user is created with a passwordResetRequired value other than "true" or "TRUE", the provisioning connector sets the value to "false" in AWS.
  • Clearing fields on updates is not supported.

• Amazon Web Services
• Box
• Concur
• Dropbox
• Egnyte
• Github
• Google
• Lucidchart
• Office 365
• Ping IDaaS Directory Provisioner
• PingOne for Customers Provisioner
• Ping IDaaS Generic Scim Provisioner
• Salesforce
• ServiceNow Jakarta
• Slack
• WebEx
• Workplace by Facebook
• Zendesk
• Zscaler

• Fixed an issue that prevented users with empty attributes from being provisioned to PingOne for Customers.
• Removed support for obsolete scopes from the provisioner.

• Clearing fields on updates is not supported.
• Outbound Group Provisioning and Memberships is not supported.
• Patch updates to SCIM-enabled target applications are not supported.
• There is a limit of one value per type (such as, home, work, other) for multivalue attributes (email, phone, address).
• Unexpected behavior may occur if the SaaS application does not specify either type and primary information, or both type and primary information for multivalue attributes (email, phone, address). Also, existing attributes on the application may not be removed during an update, and the desired value may not be correctly set as primary.
• SCIM-compliant service providers may implement or interpret the SCIM standards differently. This can result in behaviour that is not consistent with the intended use of the SCIM SaaS provisioner.

• Configuration options for the Unique User Identifier (userName or workEmail) which is used to search for users in the target application.

• Clearing fields on updates is not supported.
• Outbound Group Provisioning and Memberships is not supported.
• Patch updates to SCIM-enabled target applications are not supported.
• There is a limit of one value per type (such as, home, work, other) for multivalue attributes (email, phone, address).
• Unexpected behavior may occur if the SaaS application does not specify either type and primary information, or both type and primary information for multivalue attributes (email, phone, address). Also, existing attributes on the application may not be removed during an update, and the desired value may not be correctly set as primary.
• SCIM-compliant service providers may implement or interpret the SCIM standards differently. This can result in behaviour that is not consistent with the intended use of the SCIM SaaS provisioner.

• Support for user provisioning.
• Support for user attributes: Username, Email, Population ID, Account ID, City, Country, External ID, First Name, Force Change Password, Full Name, Honorific Prefix, Honorific Suffix, Job Title, Last Name, Locale, Middle Name, Mobile Phone, Nickname, Password, Preferred Language, Primary Phone, Profile Image, State/Region, Street Address, Timezone, User Type and ZIP Code.

• Clearing fields on updates is not supported.

• Added support for user provisioning.
• Added support for user attributes: Username, Email, First Name, Last Name and External ID.

• Configure the reply-to email address used for PingOne Directory user invitations. For more information, see Allow self registration for new directory users.
• Enable or disable the password expiry and password lockout notification emails sent to PingOne Directory users. For more information, see Allow self registration for new directory users.

• Improved error handling and reporting when Workplace by Facebook users contain no ID.
• Improved check connection call by not retrieving a list of users.

• Clearing fields on updates is not supported.
• Enabling a previously deleted user in GitHub will trigger a create operation.
• When a user is deleted from GitHub they are removed from the organization. The user will still have a GitHub account but no access to the organization's resources.
• Due to GitHub API limitations, provisioning with multiple threads or making more than 5000 requests per hour may trigger GitHub’s abuse detection mechanism, rate-limiting, or both. This will prevent requests from being completed. For more information, see Github rate-limiting.

• Clearing fields on updates is not supported.
• Due to API limitations with matching a user’s manager using the display name, if multiple matches occur the first match will be used. This could be an issue if multiple employees in the Workplace by Facebook account have the same first and last names. To avoid conflicts, you can use a custom attribute mapping to link the manager attribute to a manager’s email.
• Due to LDAP limitations, when you update a manager's name it does not update their Distinguished Name (DN). The provisioner uses the distinguished name to match a manager in Workplace by Facebook and may not find the correct match. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.
• Due to SaaS API limitations, adding a manger may require a search of all Workplace by Facebook users. This will impact provisioning performance. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

• Configure the reply-to email address used for PingOne Directory user invitations. For more information, see Allow self registration for new directory users.
• Enable or disable the password expiry and password lockout notification emails sent to PingOne Directory users. For more information, see Allow self registration for new directory users.

• Improved error handling and reporting when Workplace by Facebook users contain no ID.
• Improved check connection call by not retrieving a list of users.

• Clearing fields on updates is not supported.
• Due to API limitations with matching a user’s manager using the display name, if multiple matches occur the first match will be used. This could be an issue if multiple employees in the Workplace by Facebook account have the same first and last names. To avoid conflicts, you can use a custom attribute mapping to link the manager attribute to a manager’s email.
• Due to LDAP limitations, when you update a manager's name it does not update their Distinguished Name (DN). The provisioner uses the distinguished name to match a manager in Workplace by Facebook and may not find the correct match. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.
• Due to SaaS API limitations, adding a manger may require a search of all Workplace by Facebook users. This will impact provisioning performance. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

For , you can make PingOne OIDC applications available on the PingOne dock. The applications are also selectable in access and authentication policies.

• Support for user attributes: Display Name and External ID.
• Support for the Evernote SCIM 2.0 API.
• Removed support for hard delete (feature deprecated by Evernote).
• Removed support for reactivating a disabled user (feature deprecated by Evernote).

See Known Issues and Limitations for important information.

• Fixed issue where SCIM v2 requests included SCIM v1.1 schema URN’s.
• Fixed issue where the NO_CONTENT HTTP response code was not being handled.
• Fixed issue where the SERVER_ERROR HTTP response code was not being handled.
• Fixed issue where the user’s active status was not updated correctly on update requests.
• Fixed issue where SCIM v2 error descriptions were not logged correctly.
• Fixed issue where an empty return body on a user PUT operation caused a JSON parsing exception.

See Known Issues and Limitations for important information.

• Support for user provisioning.
• Support for these user attributes: Username, Display Name, Email, External ID, First Name, Last Name and Roles.

See Known Issues and Limitations for important information.

• Support for hard-deleting users.

See Known Issues and Limitations for important information.

• Clearing fields on updates is not supported.
• Provisioning disabled users from an LDAP user repository to Evernote is not supported.
• Due to Evernote API limitations, a deactivated user cannot be reactivated using SCIM.
• Due to Evernote API limitations, new users cannot be created with the same username as a previously deactivated user.

• Clearing fields on updates is not supported.
• Outbound Group Provisioning and Memberships is not supported.
• Patch updates to SCIM-enabled target applications are not supported.
• There is a limit of one value per type (such as, home, work, other) for multivalue attributes (email, phone, address).
• Unexpected behavior may occur if the SaaS application does not specify either type and primary information, or both type and primary information for multivalue attributes (email, phone, address). Also, existing attributes on the application may not be removed during an update, and the desired value may not be correctly set as primary.
• SCIM-compliant service providers may implement or interpret the SCIM standards differently. This can result in behaviour that is not consistent with the intended use of the SCIM SaaS provisioner.

• Clearing fields on updates is not supported.
• Due to Lucidchart API limitations, there will be a performance impact to creating users when mapping External ID or Roles. Both External ID and Role may fail to be added to a user on the initial create. If this happens, an error will be logged and the update to External ID and Roles will be retried up to three times.
• Due to Lucidchart API limitations, attempting to update a user immediately after creating them may result in user not found exceptions. This is due to a delay in Lucidchart between creating a user and being able to modify the user. Failed attempts to update the user will be re-attempted up to three times.

• Opting out of license management for users is not supported. The provisioner will clear existing licenses even when the attribute is unmapped.
• Updating the mobile attribute requires that the service principal representing the provisioner (where the user gets the client key and secret) be assigned a role with Company Administrator privileges (using Powershell). See this KB article for more information.
• Updating the Password attribute is not supported.
• User updates containing a manager that has not yet been provisioned or updated by the new version will fail, because the manager will not have the new extended attribute holding their distinguished name from Active Directory.
• If the DoBase64Conversion field is switched to “false”, expect conflicts or failures on federated domains containing pre-existing users provisioned by dirsync or V1.0.
• Only outbound provisioning is supported.
• Group provisioning is not supported.
• Automatic licensing of users is not supported.

• Support for user provisioning.
• Support for these user attributes: Username, Display Name, Department, Email, External ID, First Name and Last Name.

See Known Issues and Limitations for important information.

See Reports and subscriptions for more information.

See Add and configure a new SAML applicationfor more information.

See Add or update a SAML-enabled application for more information.

• Clearing fields on updates is not supported.
• Due to a Zscaler limitation, a user's username cannot be updated.
• Deleting the administrative user that is set up for provisioning may lead to undesired consequences. The provisioner makes the administrative user the owner and member of each group that is created by the provisioner. We recommend that this administrative user is not managed through the provisioner and is not deleted.

• Configuration options for the create/read/update/delete (CRUD) capabilities.
• Configuration options for provisioning disabled users.
• Support for Istanbul, Jakarta, and Kingston.

See Known Issues and Limitations for important information.

• An option to create personal folders on user creates.
• An option to force delete users with managed content.

See Known Issues and Limitations for important information.

• Outbound Group Provisioning and Memberships are not supported.
• User attributes cannot be cleared once set. They can only be updated.
• When provisioning to ServiceNow, all user accounts in ServiceNow must have an assigned username (User ID) value. This is not a required field in ServiceNow. However, because the provisioner must use this field to sync with pre-existing users in ServiceNow, it is required for provisioning to function. If a user in ServiceNow resolves to sAMAccountName (the "standard" mapping in the provisioning channel), the accounts will be linked. Currently, if users exist in ServiceNow without an assigned UserName value, this will cause errors in provisioning. In this case, you can resolve the issue by ensuring every user has an assigned UserName, even if they are not intended to be managed by the provisioner.
• When provisioning users, the username attribute must contain only URL-safe characters.
• When synchronizing roles with users, the role attribute must contain only URL-safe characters.
• If a new user is created with the same username as an existing user, a duplicate user will not be created. Instead, the existing user will be updated with any information assigned.
• Due to limitations with the ServiceNow API, a role can be added to a user but not removed, which may cause a user’s role in the source data store to become out of sync with the user’s role in ServiceNow. For more information, see Enable User Role Removal.
• When mapping the roles attribute, multiple calls to ServiceNow must be made to sync the user role information. This may impact provisioning performance.

• Clearing fields on updates is not supported.
• The login attribute cannot be updated through provisioning.
• The Inactive Status Default user attribute has no effect if the Box connector is configured to delete (hard-delete) users instead of disable (soft-delete) users when de-provisioning. Additionally, deleting a user in an LDAP repository will always set the status for the user as "inactive" in the Box application.
• Outbound Group Provisioning and Memberships are not supported.
• A Box API limitation prevents login credentials from being updated by the provisioner when the character case differs. For example, "USER@TEST.COM", cannot be updated to "user@test.com". When the case differs, the Box API omits the login from the API operation. So, in an update operation, when the case differs, the login is omitted, but any other attributes that may have changed are provisioned and updated.
• Due to Box API requirements, only primary, validated email addresses can be used to sync users.
• Enabling Personal Folder functionality will diminish initial synchronization provisioning performance.

• Clearing fields on updates is not supported.
• Due to API limitations with matching a user’s manager using the display name, if multiple matches occur, the first match will be used. This may be an issue if multiple employees in the Workplace by Facebook account have the same first and last names. To avoid conflicts, you can use a custom attribute mapping to link the Manager attribute to a manager’s email address.
• Due to LDAP limitations, when you update a manager's name it does not update their Distinguished Name (DN). The provisioner uses the DN to match a manager name in Workplace by Facebook, so may not find the correct match. To avoid this, you can use a custom attribute mapping to link the Manager attribute to a manager’s email address.
• Due to SaaS API limitations, adding a manger may require a search of all Workplace by Facebook users. This will impact provisioning performance. To avoid this, you can use a custom attribute mapping to link the Manager attribute to a manager’s email address.

We've added a feature on the Authentication Policy page in the admin portal to enable and require PingID multi-factor authentication (MFA) for PingOne administrators who access the PingOne admin portal. Included is an option to specify an administrator who can access the admin portal without requiring MFA.

See SSO to the PingOne for Enterprise admin portal with multi-factor authentication for more information.

• Added support for user provisioning.
• Added support for the user attributes: userName, givenName, familyName, workEmail, password, locale, timeZone, workPhone, externalContributor, federated and location.

See Known Issues and Limitations for important information.

• Clearing fields on updates is not supported.
• Outbound Group Provisioning and Memberships is not supported.
• Due to a Jive limitation, a user’s username cannot be updated.
• Due to a Jive limitation, the externalContributor attribute cannot be updated.
• Due to a Jive limitation, when a user is created their email address must be unique. However, after creation their email address can be updated to match that of an existing user.
• Deleting the administrative user that is set up for provisioning can lead to undesired consequences, because the provisioner makes the admin user the owner and member of each group that is created by the provisioner. We recommend that this admin user is not managed through the provisioner and is not deleted.

• Support for SCIM 1.1 and 2.0
• Support for user provisioning
• SCIM core and enterprise attributes
• Support for Basic Authentication, OAuth 2 Bearer Token and OAuth 2 Client Credentials Authentication
• SCIM Overrides (Filter Expression, Authorization Header Type, Users API Path)

See Known issues and limitations for important information.

See Known issues and limitations for important information.

• Clearing fields on updates is not supported.
• Outbound Group Provisioning and Memberships is not supported.
• Due to an API limitation, a user name cannot be updated.
• Due to an API limitation, users cannot be created in a deactivated state. For example, if a user is disabled in your user store it will not be created in Slack by the provisioner.
• For more information on Slack provisioning limitations, see the Slack API documentation.

• Clearing fields on updates is not supported.
• Outbound Group Provisioning and Memberships is not supported.
• Patch updates to SCIM enabled target applications are not supported.
• There is a limit of one value per type (such as, home, work, other) for multivalue attributes (email, phone, address).
• Unexpected behavior may occur if the SaaS does not specify either type and primary information, or both type and primary information for multivalue attributes (email, phone, address). Also, existing attributes on the SaaS may not be removed during an Update, and the desired value may not be correctly set as primary.
• SCIM-compliant service providers may implement or interpret the SCIM standards differently which can result in behaviour that is not consistent with the intended use of the SCIM SaaS Provisioner.

• Clearing fields on updates is not supported.
• Outbound Group Provisioning and Memberships is not supported.
• The password, external id, profilePhotoUrl, profileThumbnailUrl, role, certificates and entitlements attributes cannot be mapped from the source. A default literal value can be used for setting values in the target PingOne tenant.

• Signed AuthN requests.
• SAML single logout (SLO), either IdP-initiated or SP-initiated.

• Improved exception handling and reporting
• Added support for Google Admin SDK v1.22.0
• Updates to the password and includeInGlobalAddressList attributes

• Added Support for updating user emails

We've also updated the IdP Discovery popup window to display the application logo and your corporate logo (if you've configured this).

The user support message is displayed to your users when they click the Need Help? link in the dock.

JIT Provisioning (just-in-time) is not impacted by this change.

• Support for approximately 150 additional user attributes.

• Support for Salesforce REST v37.0 API.

• Support for OAuth Authentication with the OAuth Configuration Service (OCS).

• Support for custom subdomains.

• You now have the option to freeze user accounts, rather than deactivating them.

• Improved exception handling and reporting.

• Support for Salesforce disabling TLS 1.0.

• User attributes cannot be cleared once they have been set.
• You cannot delete permission set assignments.
• Custom attributes are not supported.
• If you enable/disable or delete a user in your user store, the Salesforce provisioner can only disable the corresponding user in Salesforce as it cannot perform a hard delete of the user entry in Salesforce.
• Username attribute must be entered in email format only.
• Alias attribute entries can be a maximum of 8 characters in length.

• You can now use any Top Level Domain (TLD) URL as a connection configuration URL, in addition to those that are defined by Internet Assigned Numbers Authority (IANA).
• We've increased the number of records you can download from the report log, and added a progress bar to the Reports tab. You can now download up to 500,000 records to a .csv file.

• You can now run detailed reports from the PingOne admin portal. PingOne provides a number of predefined reports, and also gives you the ability to run your own custom ad hoc report. You can view the results directly in the PingOne admin portal, or export the results in .csv format.
• We've also added the ability to view SSO activity per application, via the API.

We've added the ability for a Managed Service Provider (MSP) to delete a custom email template in the PingOne admin portal.

• We've provided admins the ability to remove a verification certificate from a PingOne application connection.
• We've added the ability to promote a secondary verification certificate to a primary verification certificate when editing an application connection or a third party SAML identity repository.
• Primary and secondary certificates now display the common name and expiry date for the certificate.

• Glassdoor
• Wells Fargo CEO portal
• 8x8 Virtual Office
• 8x8 Account Manager

Performance enhancements were applied to the Certificate Management page.

Certificate expiry dates are now displayed in a 4 digit format.

SSD-3121

• Entity ID.
• Application description or part of the description.
• Application name.

• Create new signing certificates.
• Migrate individual connections to different signing certificates.
• Add certificate expiration notifications.
• Verify certification for failover and migration.
• Share certificates.

See Overview of signing and verification certificates for more information.

Chinese, Dutch, English, French, German, Italian, Japanese, Korean, Portuguese, Russian, Spanish, and Thai.

• There's a new user interface, with application categories, frequently used applications and quick access to account information.
• A new search bar to help you find applications and install new ones.
• More options for you to customize and brand the interface. This includes use of company logos, custom background images, definitions of application categories, and colors of navigation panes, fonts and the search bar.
• And improved display quality of application icons.

See Introducing the PingOne for Enterprise dock for more information.

See Known Limitations for more information.

• Clearing fields on updates is not supported.
• Due to API limitations with matching a user’s manager using the display name, if multiple matches occur the first match will be used. This could be an issue if multiple employees in the Facebook at Work account have the same first and last names. To avoid conflicts, you can use a custom attribute mapping to link the manager attribute to a manager’s email.
• Due to LDAP limitations, when you update a manager's name it does not update their Distinguished Name (DN). The provisioner uses the distingushed name to match a manager in Facebook At Work and may not find the correct match. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.
• Due to SaaS API limitations, adding a manger may require a search of all Facebook At Work users. This will impact provisioning performance. To avoid this, you can use a custom attribute mapping to link the manager attribute to a manager’s email.

• Additional user attributes.
• WebEx API v10.0 SP3.
• Improvements to error handling and logging.

See Known Limitations for more information.

• The WebEx ID attribute is not updateable in PingOne.
• The MeetingType attribute is limited to one value in PingOne (not a multivalued attribute).
• Due to API Limitations, WebEx doesn't allow a user to be created in a suspended state. WebEx will automatically activate the user after it is created.

• Additional user attributes.
• Improvements to error handling and logging.

See Known Limitations for more information.

• Once set, you cannot clear user attributes.
• The login attribute cannot be updated through provisioning.
• The Inactive Status Default user attribute has no effect if the Box connector is configured to delete (hard-delete) users instead of disable (soft-delete) users when de-provisioning. Additionally, deleting a user in an LDAP repository will always set the status for the user as "inactive" in Box.

• Clearing fields on updates is not supported.
• Due to API limitations, a user’s email cannot be updated until the user has activated their account.
• Due to API limitations, a user cannot be suspended or unsuspended until the user has activated their account.
• Due to API limitations, if a user’s given name or surname fails to update due to the new value containing unsupported characters (* | : " < > ?), an error may not be reported in the provisioning logs.

• Clearing fields on updates is not supported.
• Due to API limitations, a user’s email cannot be updated until the user has activated their account.
• Due to API limitations, a user cannot be suspended or unsuspended until the user has activated their account.
• Due to API limitations, if a user’s given name or surname fails to update due to the new value containing unsupported characters (* | : " < > ?), an error may not be reported in the provisioning logs.

• Making attributes create-only isn't supported.
• Clearing fields on updates isn't supported.
• The roles field supports only a single value.

• Provisioning additional user attributes.
• Azure Active Directory Graph API v1.6 (updated from version v1.5).
• Clearing of licenses on updates.
• Improved exception handling and reporting.

• Opting out of license management for users is not supported. The provisioner will clear existing licenses even when the attribute is unmapped.
• User delete is not supported. However, you can disable users.
• Users cannot be created in a disabled state. They must first be created in an active state and then disabled.
• Updating the mobile attribute requires that the service principal representing the provisioner (the place the user gets the Client ID and Secret) be assigned a role with Company Administrator privileges (using PowerShell). See this Ping Knowledge Base article for more information.
• Updating the ImmutableID and Password attributes is not supported.
• User updates containing a manager that has not yet been provisioned or updated by the new version will fail because the manager will not have the new extended attribute holding their Active Directory distinguished name.
• If the DoBase64Conversion field is set to “false”, expect conflicts or failures on federated domains containing pre-existing users provisioned by Dirsync or a Ping product.
• Only outbound provisioning is supported.
• Automatic licensing of users is not supported.