Known issues and limitations - PingFederate - 10.1
PingFederate Server
Known issues
- Administrative API
  - /sp/idpConnections
    - For IdP connections, the administrative API connection support is
      limited to Browser SSO, WS-Trust STS, and OAuth Assertion Grant
      connections. As a result, when updating an IdP connection using the
      administrative API, it is possible to lose inbound provisioning settings
      previously configured using the administrative console.
  - /bulk
    - Only resource types currently supported by the administrative API are
      included in the exported data. Resources not yet supported include:
      - Identity Store Provisioners
      - Inbound provisioning settings from IdP connections
      - PingOne for Enterprise settings
      - SMS Provider settings
      - WS-Trust STS settings
- Hardware security modules (HSM)
  - When using PingFederate with an HSM and Oracle Java 8u261 (or later) or Amazon
    Corretto Java 8u272 (or later), if an HSM certificate is used as an SSL server
    certificate, browsers might not be able to connect to the server. To resolve this
    issue, add RSASSA-PSS to the jdk.tls.disabledAlgorithms list in the
    java.security file under the JAVA_HOME directory.
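The java.security edit described for the HSM issue above, as an added example that is not from the PingFederate documentation: a small Python helper that adds RSASSA-PSS to jdk.tls.disabledAlgorithms, handling the backslash-continued multi-line value that the shipped file uses and leaving the file unchanged if the entry is already present. The java.security excerpt is constructed.

```python
"""Add RSASSA-PSS to jdk.tls.disabledAlgorithms in a java.security file.

Added example, not from the PingFederate documentation. The JDK's shipped
file continues this property across several lines with trailing
backslashes, so the text is parsed as a whole instead of line by line.
"""
from __future__ import annotations
import re

PROP = "jdk.tls.disabledAlgorithms"
# Matches the property definition including any backslash-continued lines.
_DEF = re.compile(rf"^[ \t]*{re.escape(PROP)}[ \t]*=(?:.*\\\r?\n)*.*$", re.M)


def disabled_algorithms(text: str) -> list[str] | None:
    """Return the listed algorithms, [] if the value is empty, None if absent."""
    # Fold "\<newline><indent>" the way the Java properties loader does.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    m = re.search(rf"^[ \t]*{re.escape(PROP)}[ \t]*=(.*)$", joined, re.M)
    if m is None:
        return None
    return [a.strip() for a in m.group(1).split(",") if a.strip()]


def add_disabled_algorithm(text: str, algo: str = "RSASSA-PSS") -> str:
    """Return the file text with `algo` in the list; a no-op if already there."""
    current = disabled_algorithms(text)
    if current is None:
        # Property missing entirely: append a definition at the end.
        sep = "" if text.endswith("\n") or not text else "\n"
        return f"{text}{sep}{PROP}={algo}\n"
    if algo in current:
        return text
    # Rewrite the whole definition (possibly multi-line) as one line.
    new_def = f"{PROP}={', '.join(current + [algo])}"
    return _DEF.sub(lambda _m: new_def, text, count=1)


# Constructed excerpt; not a real JDK file.
SAMPLE = """\
security.provider.1=sun.security.provider.Sun
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \\
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
"""

if __name__ == "__main__":
    print(add_disabled_algorithm(SAMPLE))
```

Editing the JDK's own file is what the documentation describes; the same property can also be supplied through a separate file named by -Djava.security.properties, but a value given there replaces the whole list, so it must repeat the existing entries as well.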
Known limitations
- Updating Java 8 to 11
  - Updating Java version 8 to version 11 results in an error when PingFederate is
    already installed and running. To work around this issue, uninstall and reinstall
    the PingFederate Windows service by running the UninstallPingFederateService.bat
    and InstallPingFederateService.bat files located in
    <pf_install>/pingfederate/sbin/wrapper.
- Administrative console and administrative API
  - Previously, the administrative API did not accurately reflect a Persistent
    Grant Max Lifetime setting of 29 days (or shorter) with the selection of the
    Grants Do Not Timeout Due To Inactivity option. As a result, if you have
    configured such OAuth authorization server settings and have generated a bulk
    export in version 10.0 through 10.0.2, we recommend that you generate a new
    bulk export after upgrading to version 10.0.3 (or a more recent version). The
    newly exported data does not contain the aforementioned flaw, and you can
    safely import it to version 10.0.3 (or a more recent version).
  - When enabling mutual TLS certificate-based authentication, administrators
    often configure a list of acceptable client certificate issuers. When an
    administrator uses a browser to access the console or the administrative API
    documentation, PingFederate returns to the browser the list of acceptable
    issuers as part of the TLS handshake. If the browser's client certificate
    store contains multiple client certificates, the browser often presents to
    the user only the certificates whose issuer matches one of the acceptable
    issuers. However, when PingFederate runs in a Java 11 environment, Chrome
    presents to the administrator all its configured client certificates,
    regardless of whether the issuer matches one of the acceptable issuers.
  - Prior to toggling the status of a connection with the administrative API,
    an administrator must ensure that any expired certificates or no longer
    available attributes are replaced with valid certificates or attributes;
    otherwise, the update request fails.
  - When creating or updating a child instance of a hierarchical plugin, the
    administrative API retains objects with an "inherited": false name/value
    pair (or without such a name/value pair altogether), ignores those with a
    value of true, and returns a 200 HTTP status code. No error messages are
    returned for the ignored objects.
  - Using the browser's navigation mechanisms (for example, the Back button)
    causes inconsistent behavior in the administrative console. Use the
    navigation buttons provided at the bottom of windows in the PingFederate
    console.
  - If authenticated to the PingFederate administrative console using
    certificate authentication, a session that has timed out might not appear to
    behave as expected. Normally (when using password authentication), when a
    session has timed out and a user attempts some action in the console, the
    browser is redirected to the login page, and then back to the administrative
    console once authentication is complete. Similar behavior applies for
    certificate authentication, in principle. However, because the browser might
    automatically resubmit the certificate for authentication, the browser might
    redirect to the administrative console and not the login page.
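A pre-flight check for the hierarchical plugin behavior described above (added example, not PingFederate code): it walks a child-instance request body and reports every object carrying "inherited": true, since the API drops those silently while still answering 200. The payload shape is an assumption, not the real administrative API schema.

```python
"""Pre-flight check for a hierarchical plugin child-instance request.

Added example, not PingFederate code. The administrative API keeps objects
marked "inherited": false (or unmarked), silently ignores objects marked
"inherited": true and still answers 200, so this reports such objects
before the request is sent. The payload shape below is constructed and is
an assumption, not the real administrative API schema.
"""
from __future__ import annotations
import json


def ignored_inherited(node, path: str = "$") -> list[str]:
    """Return JSONPath-style locations of every object carrying "inherited": true."""
    found = []
    if isinstance(node, dict):
        if node.get("inherited") is True:
            found.append(path)
        for key, value in node.items():
            found.extend(ignored_inherited(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(ignored_inherited(value, f"{path}[{i}]"))
    return found


def check_child_instance(payload: dict) -> dict:
    """Raise before sending if any part of the request would be dropped."""
    paths = ignored_inherited(payload)
    if paths:
        raise ValueError(
            'objects with "inherited": true are ignored by the API: ' + ", ".join(paths)
        )
    return payload


# Constructed request body (assumed shape): two objects still marked inherited.
CHILD_INSTANCE = {
    "id": "childAdapter",
    "parentRef": {"id": "parentAdapter"},
    "configuration": {
        "fields": [
            {"name": "Timeout", "value": "30", "inherited": False},
            {"name": "Realm", "value": "corp", "inherited": True},
        ],
        "tables": [{"name": "Servers", "inherited": True, "rows": []}],
    },
}

if __name__ == "__main__":
    print(json.dumps(ignored_inherited(CHILD_INSTANCE), indent=2))
```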
- Upgrading PingFederate
  - It is not possible to perform a rolling upgrade from PingFederate 10.1.0 to a
    later maintenance release of 10.1. Upgraded nodes will hang on start-up until the
    entire cluster has been upgraded. This issue only affects 10.1.0. It does not
    affect upgrading from 10.1.1 or later to a subsequent maintenance release.
- Hardware security modules
  - PingFederate must be deployed with Oracle Server JRE (Java SE Runtime
    Environment) 8 or Amazon Corretto 8.
  - When using PingFederate with an HSM from Gemalto or nCipher, it is not
    possible to use an elliptic curve (EC) certificate as an SSL server
    certificate.
  - When using PingFederate with an HSM from Gemalto, it is not possible to
    generate a self-signed EC certificate or use an EC certificate as a signing
    certificate. Furthermore, if only GCM cipher suites are enabled, any attempt
    to connect to PingOne for Enterprise will result in a "Cipher suite cannot
    be null" error condition.
  - When using PingFederate with an HSM from Gemalto in FIPS-approved mode, it
    is not possible to generate an RSA key with a key size of 1,024.
- SSO and SLO
  - When consuming SAML metadata, PingFederate does not report an error when
    neither the validUntil nor the cacheDuration attribute is included in the
    metadata. Note that PingFederate does reject expired SAML metadata as
    indicated by the validUntil attribute value, if it is provided.
  - The anchored-certificate trust model cannot be used with the SLO redirect
    binding because the certificate cannot be included with the logout request.
  - If an IdP connection is configured for multiple virtual server IDs,
    PingFederate will always use the default virtual server ID for IdP Discovery
    during an SP-initiated SSO event.
- Composite Adapter configuration
  - SLO is not supported when users are authenticated through a Composite Adapter
    instance that contains another instance of the Composite Adapter.
- Self-service password reset
  - Passwords can be reset for Microsoft Active Directory user accounts without the
    permission to change password.
- OAuth
  - PingFederate does not support a case-sensitive naming convention for OAuth
    client ID values when client records are stored in a directory server. For
    example, after creating a client with an ID value of sampleClient,
    PingFederate does not allow the creation of another client with an ID value
    of SampleClient.
  - While it is possible to create clients using the same ID values with
    different casings when client records are stored in XML files, a database
    server, or custom storage (if implemented), we recommend not doing so to
    avoid potential record migration issues.
- Customer identity and access management
  - Some browsers display a date-picker user interface for fields that have been
    designed for date-specific inputs. Some browsers do not. If one or more
    date-specific fields are defined on the registration page or the profile
    management page (or both), end users must enter the dates manually if their
    browsers do not display a date-picker user interface for those fields.
- Provisioning
  - LDAP referrals return an error and cause provisioning to fail if the user or
    group objects are defined at the DC level, and not within an OU or within
    the Users CN.
  - The totalResults value in SCIM responses indicates the number of results
    returned in the current response, not the total number of estimated results
    on the LDAP server.
- Logging
  - If a source attribute has been configured for masking in an IdP adapter or IdP
    connection and the source attribute is mapped to OAuth's persistent grant
    USER_KEY attribute, then the USER_KEY attribute will not be masked in the
    server logs. Other persistent grant attributes will be masked.
- Database logging
  - If PingFederate cannot establish a Java Database Connectivity (JDBC) connection
    at startup, PingFederate will continue to write log messages to the failover log
    file, despite the failover and resume configuration. When the JDBC connectivity
    issue is resolved, restart PingFederate. On restart, PingFederate will start
    writing log messages to the database.
  - If PingFederate is able to establish a JDBC connection at startup, PingFederate
    will be able to write log messages to the failover log when it encounters a JDBC
    connectivity issue and resume writing log messages to the database when it
    re-establishes the JDBC connection.
- RADIUS NAS-IP-Address
  - The RADIUS NAS-IP-Address is only included in Access-Request packets when
    pf.bind.engine.address is set to an IPv4 address. IPv6 is not supported.
- Configcopy
  - When the configcopy tool is used to copy all connections, channels, data
    sources, adapters, or token translators, the overridden properties are
    applied to all instances. Proceed cautiously when applying overrides for
    copy-all operations.
  - The configcopy tool supports copying only a single reference for each of the
    following configuration items that are defined for a given connection:
    adapter, data source, Assertion Consumer Service URL, Single Logout Service
    URL, and Artifact Resolution Service URL. When multiple items are associated
    with a given connection, only the first reference to each is copied.
  - The configcopy tool does not support creation of configuration data that
    does not exist in the source. If an override parameter is set for a
    parameter that does not exist in the source configuration, the behavior of
    the target system is not guaranteed.
  - The configcopy tool, when used for copying plugin configurations (including
    adapters, token translators, and other data stores), does not currently
    support overrides of complex data structures, including tables, extended
    contract attributes, and masked fields.
  - When the configcopy tool is used to copy connection data, any SOAP single
    logout (SLO) endpoints defined in the source are not copied to the target,
    even if the SOAP SLO endpoint is the only SLO endpoint defined at the source.
    These must be manually added to the target.