New PASS-7155

Administrators can now configure signature policies for SP connections when they create templates and applications, and promote applications to PingCentral environments.

Previously, PingFederate administrators had to configure the signature policies after the applications were promoted to PingFederate, which interrupted their workflow and caused unnecessary delays in the process.

Note that signature policy configurations are only visible if the corresponding profiles and artifact binding are enabled in the underlying PingFederate SP connection. To learn more, refer to step 8 in Adding SAML application templates.

Info PASS-7204

If the FIPS-compliant mode is enabled and OpenJDK 21 is being used, OpenJDK version 21.0.10 or higher is required.

Fixed PASS-1323

We’ve fixed the client-side security vulnerability in DOM-based XSS in redirect URI definitions.

Fixed PASS-5852

The Apache Commons Compress has been updated to version 1.26, which resolved the security vulnerability that affected versions 1.0 to 1.21. You can find more information about the CVE-2021-36090 vulnerability on the National Vulnerability Database site.

Fixed PASS-6410

Moment.js has been updated to version 2.29.4, which resolved the path traversal vulnerability that affected versions 1.0.1 to 2.29.1. You can find more information about the CVE-2022-24785 vulnerability on the National Vulnerability Database site.

Fixed PASS-7017

We’ve fixed the Promotion Details page so that it now displays the option to download the SAML IdP metadata if the application was promoted directly from the JSON file.

Fixed PASS-7021

The Swagger UI library has been updated from version 2.9.2 to 3.23.11 to prevent future false-positive scan alerts. You can find more information about the CVE-2019-17495 vulnerability on the National Vulnerability Database site.

Fixed PASS-7132

We’ve fixed the swagger.json endpoint, and it now returns information about the Admin API as expected.

Fixed PASS-7163

We’ve fixed the issue where users encountered a continuous loading screen when they tried to access the API. The API now works as expected and returns a response.

Fixed PASS-7070

The H2 database has been updated to version 2.2.220, which resolved the security vulnerability that affected version 2.1.210. You can find more information about the CVE-2022-45868 vulnerability on the National Vulnerability Database site.

Fixed PASS-7172

The hibernate-ehcache library is no longer used, which resolved the security vulnerability. You can find more information about the CVE-2026-0603 vulnerability on the National Vulnerability Database site.

Fixed PASS-7174

The Socket Appender in Apache Log4j has been updated to version 2.25.3, which resolved the security vulnerability that affected versions 2.0-beta9 through 2.25.2. You can find more information about the CVE-2025-68161 vulnerability on the National Vulnerability Database site.

Fixed PASS-7176

We’ve fixed an issue with SSO, and users are now redirected to the PingFederate sign-on page instead of the PingCentral home page when they sign on.

Fixed PASS-7187

We’ve fixed an issue where redirect URIs were still displayed in OAuth or OIDC applications after the environment referenced in the URI was deleted.

Fixed PASS-7151

Previously, if you were using Java 17 and BC FIPS was enabled, PingCentral failed to start. This issue has been resolved.

Fixed PASS-7153

Previously, the obfuscate.sh <password> command line utility (CLI) did not work out-of-the-box unless you modified the script. Once modified, the script was able to generate an obfuscated password, but if you tried to use this password to connect to an external database, PingCentral would fail to start. The CLI has been fixed and now works as expected.

Fixed PASS-7156

Previously, after upgrading from version 2.3 to 3.0, administrators using a PostgreSQL database received a server error message when they tried to create a new template. This issue has been resolved.

Fixed PASS-7164

Previously, when users attempted to promote new applications and IDs were created with MySQL 8, SQL errors occurred. This issue has been resolved.

Fixed PASS-7169

Previously, users could not create PingAccess applications if the ApplicationResources property was set to null. This issue has been resolved.

New PASS-7124

PingFederate extended properties are single or multi-value fields that are used to store additional information about connections or OAuth clients. These properties are now displayed in PingCentral templates. Administrators can set these property values when they configure templates, and the applications created from these templates inherit those values. Application owners can also update these values unless the extended property is designated as read-only.

Improved PASS-7098

Several UI modifications have been made that allow you to see entire URLs within text fields. This new functionality makes it easier for users to verify URLs, and helps prevent copy and paste errors.

Improved PASS-7099

Opencsv has been upgraded from version 5.8 to 5.11.2 to prevent future false-positive scan alerts. You can find more information about the CVE-2025-48734 vulnerability on the National Vulnerability Database site.

Improved PASS-7100

Spring Security has been upgraded from version 5.3.39 to 6.2.8 to prevent future false-positive scan alerts. You can find more information in CVE-2024-22243: Spring Framework URL Parsing with Host Validation in the Spring documentation.

Improved PASS-7106

You can now use either Java 17 or Java 21 as the PingCentral runtime environment. Java 11 is no longer supported.

Improved PASS-7134

The Nimbus JOSE + JWT libraries have been upgraded. You can find more information about the CVE-2025-53864 vulnerability on the National Vulnerability Database site.

Fixed PASS-7105

Previously, it was possible to overwrite a connection in PingFederate if you created a PingCentral application with an entity ID that already exists in PingFederate. This issue has been resolved, and it’s no longer possible to create new applications using an entity ID that is already used by a PingFederate connection.

Fixed PASS-7097

Previously, if OIDC single sign-on (SSO) was enabled, PingCentral stopped sending the HSTS header and administrators couldn’t sign on. This issue has been resolved and SSO now works as expected.

Fixed PASS-7101

A number of third-party libraries have been updated to address Common Vulnerabilities and Exposures (CVEs) reported in these libraries. These CVEs weren’t exploitable, but they were updated to avoid unnecessary concerns.

Fixed PASS-7133

PingCentral now enforces consistent validation to ensure that new applications cannot have the same name as existing applications.

Fixed PASS-7135

Previously, when users attempted to configure a PingCentral environment connection to PingFederate and PingAccess using PingOne OAuth app credentials, the database column wasn’t large enough to store the client secret and an error message displayed. The column limit was increased, which resolved the issue.

New PASS-7036

Administrators can now enable PingCentral to run in FIPS-compliant mode, which guarantees that all cryptographic algorithms and protocols meet the U.S. federal standard for security compliance.

To enable this option, access the <PingCentral_install>/conf/application.properties file and set the pingcentral.fips.enabled property value to true. Learn more in Configuring PingCentral to run in FIPS-compliant mode.

PingCentral is currently running FIPS 140-3. Learn more about this version in FIPS 140-3.

Improved PASS-7022

Spring Security has been upgraded from version 5.3.31 to 5.3.39 to prevent future false-positive scan alerts. You can find more information in CVE-2024-38816: Path traversal vulnerability in functional web frameworks in the Spring documentation.

Improved PASS-7031

The d3-color package has been upgraded from version 1.4.1 to 3.1.0, where the security vulnerability was fixed.

Improved PASS-7033

Those who approve promotions can now determine if a promotion approval request is for a new or existing application by viewing the newly added detail on the Promotion Approvals page. Last Promoted or Last Updated now displays next to the date and timestamp that indicates when the application was last promoted or updated.

Improved PASS-7037

All PingCentral scripts have been updated to be DevOps-friendly.

New PASS-7038

Support was added for Java Development Kit (JDK) 21 using language level 11.

Improved PASS-7028

Previously, trusted OGNL expressions could only be assigned to applications one at a time. Now, a Select All checkbox is available to select all applications and assign the selected trusted OGNL expression to them.

Improved PASS-7029

Previously, PingCentral did not allow the signing and encryption certificate the same, which is allowed in PingFederate. When application owners tried to promote and upload the same certificate and use it for both the signing and encryption certificate, users received validation errors. Now, the same certificates can be used in PingCentral.

Improved PASS-7019

Spring Security has been upgraded from version 5.7.11 to prevent future false-positive scan alerts. Learn more about this upgrade in CVE-2024-22257: Possible Broken Access Control in Spring Security With Direct Use of AuthenticatedVoter in the Spring documentation.

Fixed PASS-7020

A number of third-party libraries have been updated to address Common Vulnerabilities and Exposures (CVEs) reported in these libraries. These CVEs were not exploitable, but they were updated to avoid unnecessary concerns.

Fixed PASS-7023

Previously, when upgrading from PingCentral 2.0.2 to 2.1.0, users received a warning message regarding their APIs. This issue has been resolved, and this message no longer displays when the upgrade is performed.

Fixed PASS-7026

Previously, when users tried to delete SAML applications, either through the PingCentral UI or API, and they selected the Delete from PingFederate in all environments option, the application was not deleted in PingFederate. This issue has been resolved and now works as expected.

Fixed PASS-7027

Previously, when syncing a PingCentral application with a server-side PingFederate application, data within the advancedEditPromotionJson field was being deleted. This issue has been resolved, and the data within that field is now preserved.

New PASS-6911

Application owners now have more control over which client secrets are used when promoting OAuth and OIDC applications from PingCentral to PingFederate. If the application is configured to use a client secret for authentication, and the environment to which the application is being promoted requires that a random secret be used, users can choose to either generate a new client secret or retain the existing client secret. See Promoting OAuth and OIDC applications for details.

New PASS-6915

Mutual TLS (mTLS) can now be used for admin API authentication from PingCentral to PingFederate. To set up this connection, access the new Client TLS Key Pair page, import the key pair that you want to use for authentication, and configure the environment to use the client certificate you specify. The TLS Key Pair page has also been renamed to Server TLS Key Pair to clearly differentiate between them. See Configuring MTLS for details.

New PASS-6918

Rocky Linux version 9.3 and later is now a supported enterprise operating system.

New PASS-6967

The email parameter has been added to all PingCentral user accounts, which will let you extract users’ email addresses and notify them about important events, such as upgrades, and maintenance windows. The Email Address field now displays on the Add and Edit User pages, an email property has been added to the API, and for SSO configurations, PingCentral will derive the user’s email from the email claim defined by the email scope.

Improved PASS-6904 and PASS-6910

If you have many different applications in many different environments, or if you have many groups using SSO to access PingCentral, you will notice that performance has been greatly improved with this release. Now, when you filter your applications, you will only see managed applications (created from or promoted to PingCentral environments) by default, which improves page loading speeds. The application owner search functionality has also been improved, which makes it faster and easier to configure owners for applications.

Improved PASS-6913

Previously, when application owners used SSO to sign on to PingCentral and group memberships were also supplied, application owners could select any group as an owner of their application, which gave all group members the ability to manage it. Now, application owners can only select a group as an owner if the application owner is a member of the group.

Improved PASS-6917

When promoting SAML applications, the names of the signing certificates available now include the valid date range, which makes it easier to discern between certificates.

Fixed PASS-2114

Previously, all application owners were listed on the application Summary tab, regardless of the number of owners. If an application had a large number of owners, the list would be long and difficult to read. Now, if the list is large, Show More and Show Less buttons are available to help you navigate the list.

Fixed PASS-6941

Previously, when importing metadata for a SAML application, the Change Template button would disappear. This issue has been fixed, and the Change Template button continually displays as expected.

Fixed PASS-6966

Previously, under certain circumstances, server errors were encountered when JSON-based promotions occurred. This issue has been resolved.

Fixed PASS-6970

Previously, when configuring an environment and uploading a signing certificate, if an existing keystore file (*.p12) was selected, the matching password provided could be too long for PingCentral to accept. This password limit has been increased.

Fixed PASS-6985

Previously, if an application was configured with an assertion encryption certificate, the certificate would disappear from the Promote to Environment modal when the application was being promoted, and users had to upload the certificate again. This issue has been resolved.

Fixed PASS-6905

Previously, if PingCentral had at least one (service provider) SP connection or one PingAccess template, upgrades from version 1.14 to 2.0 would fail. This issue has been resolved and upgrades now work as expected.

Fixed PASS-6906

Previously, if applications were created from SAML templates that contained at least 1 OGNL expression, the expressions could not be updated, nor could new expressions be added for attribute mapping. This issue has been resolved, and expressions can now be added and updated as needed.

Fixed PASS-6907

Previously, when administrators tried to change the templates associated with SAML applications, the change would not be saved. This issue has been resolved, and SAML applications can now be updated with new templates.

Fixed PASS-6940

Previously, if PingCentral had a SAML template with expressions or PingAccess templates, database errors would occur when upgrading from version 1.14 to 2.0. The issue has been resolved and upgrade processes now work as expected.

Fixed PASS-6865

Previously, when administrators reviewed application promotion requests and compared the submitted JSON to the most recently promoted version, the original version was displayed instead of the most recently promoted version. This issue has been resolved, and the most recently promoted version now displays in the approval window.

Fixed PASS-6900

Previously, if application owners updated the underlying application JSON in their OIDC applications, and administrator approval was required to promote them, the updated JSON was not reflected in PingFederate. This issue has been resolved and the updated JSON now displays in PingFederate as expected.

Fixed PASS-6901

Previously, when OIDC applications were synchronized to the most up-to-date configurations available, they were saved as OAuth applications. This issue has been resolved, and the synchronization process now works as expected.

New PASS-6730

Administrators can now synchronize OAuth, OIDC, SAML, and PingAccess templates to ensure that their templates are based on the most up-to-date configurations available. Applications based on out-of-date templates have Outdated Template icons displayed next to them, which inform application owners that newer versions of the templates are available.

Administrators can also now revert SAML SP connections and PingAccess application templates to previous versions. You can find details on the Reverting templates to previous versions tab on the Managing templates.

Note that when you upgrade to PingCentral 2.0, SAML and PingAccess application templates will have base revisions created for them. OAuth and OIDC templates created prior to version 2.0 cannot be synced with the most recent configurations available. Recreate the template in version 2.0 to use the sync feature going forward.

New PASS-6670

To accommodate a wide variety of promotion needs, application owners can now edit the application JSON for their applications when they promote them.

Note that providing application owners with this ability can be risky, so it’s highly recommended that approvals are enabled for the environment. Administrators can review the submitted application JSON and compare it to the original application JSON before approving the promotion request.

Also note that:

New PASS-6731

To prevent application owners from accidentally deleting applications from PingFederate (and PingAccess, when applicable) environments, you can enable a new option that allows only administrators to delete applications from the environment.

Improved PASS-6733

To help manage promotion approvals, both administrators and application owners can now hide promotion approvals that are in a canceled, promoted, or rejected status that display on the Promotion Approvals page. The Visible filter is enabled by default.

Improved PASS-6732

Administrators can add multiple approval expressions for an environment, which are evaluated sequentially from top to bottom in an IF/ELSE chain. Now, administrators can change the order in which these expressions display in the list by dragging and dropping them into different locations within the list instead of copying and pasting them between fields.

Issue PASS-6705

Previously, PingCentral was unable to handle a service provider (SP) connection with multiple Authentication Policy Contracts (APC) mapped within it. The PingCentral 1.14 release enables users to select from multiple mapped contracts when adding an application as a managed application or a template.

However, due to a known synchronization limitation, if you update an existing single APC SP connection already managed by PingCentral to include a second APC and subsequently synchronize the application, you won’t find an option to specify your preferred APC.

To simplify your workflow and mitigate potential challenges, we recommend refraining from using synchronization to modify multi-APC connections. Instead, consider creating a new SP connection that aligns with your desired APC configuration. This approach grants you control over APC selection, ensuring a smoother and more efficient process.

Issue PASS-3613 PingFederate

PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.

Issue PASS-4948 PingAccess

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

Issue PASS-5663 PingAccess

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Issue PASS-5977

After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if $\{pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Issue PASS-6466

Templates created in 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

Fixed PASS-6820

We fixed an error that prevented API documentation from loading when using OIDC single sign-on (SSO) with PingCentral.

New PASS-6666 and PASS-6683

PingCentral administrators can now disable referenced PingFederate environments for any reason, such as PingFederate being unavailable due to maintenance tasks. Additionally, we added a new environment status bar that indicates if an environment is offline. In such cases, application owners will receive a notification indicating that the environment is disabled or offline rather than encountering a UI error. For more information, see step 1 of the Updating environments tab in Managing environments.

New PASS-6667

All attributes defined in a SAML SP connection are now integrated into the PingCentral application. This enhancement eliminates a limitation and is expected to enhance usability significantly. For more information, see step 3 in Using SAML 2.0 templates.

New PASS-6696

We added the ability to effortlessly initiate an application synchronization in PingCentral. Now, when you make external modifications to an application configuration, you can seamlessly update the application information within PingCentral. This removes the need to manually update application information and introduces a more streamlined and efficient process. For more information, see step 2 in Updating applications.

New

Fixed PASS-6591

We resolved an issue where H2 database migration fails during an upgrade if there are spaces in the installation path for the existing or new instance.

Fixed PASS-6690

We fixed an issue where utilizing single sign-on (SSO) to access the PingCentral console incorrectly triggered a timeout based on an ID token’s lifetime.

Issue PASS-6705

Previously, PingCentral was unable to handle a service provider (SP) connection with multiple Authentication Policy Contracts (APC) mapped within it. The PingCentral 1.14 release enables users to select from multiple mapped contracts when adding an application as a managed application or a template.

However, due to a known synchronization limitation, if you update an existing single APC SP connection already managed by PingCentral to include a second APC and subsequently synchronize the application, you won’t find an option to specify your preferred APC.

To simplify your workflow and mitigate potential challenges, we recommend refraining from using synchronization to modify multi-APC connections. Instead, consider creating a new SP connection that aligns with your desired APC configuration. This approach grants you control over APC selection, ensuring a smoother and more efficient process.

Issue PASS-3613 PingFederate

PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.

Issue PASS-4948 PingAccess

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

Issue PASS-5663 PingAccess

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Issue PASS-5977

After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if $\{pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Issue PASS-6466

Templates created in 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

New PASS-6479

Previously, PingCentral did not allow an administrator to require approval for a non-administrator to promote an application to an environment. As of now, administrators can use Spring Expression Language (SpEL) based rules to trigger an approval requirement if an expression is or isn’t met. Administrators will find a bell icon indicating active approval requests, and developers are informed when their requests are approved. For more information, see xref:pingcentral_for_iam_administrators:

Learn more in Managing approvals (administrators).

Improved PASS-6500

Administrators can now enforce a strong client secret for applications by requiring that PingCentral generate the client secret. With this feature enabled, when developers promote an application, they won’t be able to create a client secret manually. This avoids the usage of weak client secrets. For more information, see Managing environments.

New PASS-6609

When promoting SAML applications, developers can adjust and configure single logout (SLO) URLs. This adds flexibility and removes the need to manage multiple SAML applications only because different SLO URLs are required. For more information, see Promoting SAML applications.

New

We added support for Java Development Kit (JDK) 17.

Fixed PASS-5630

To set up a service provider (SP) connection, PingCentral now accepts SAML metadata files exported from other SP connections. These files are used to extract the following information: entity IDs, ACS URLs, SLO service URLs, certificates, and attributes.

Issue PASS-3613 PingFederate

PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.

Issue PASS-4948 PingAccess

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

Issue PASS-5663 PingAccess

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Issue PASS-5977

After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if $\{pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Issue PASS-6466

Templates created in 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

New

When creating a new client, PingCentral now generates OAuth client secrets compatible with PingFederate. For more information, see Promoting OAuth and OIDC applications.

New

You can now configure multiple Assertion Consumer Service (ACS) URLs during SAML application creation. This new feature simplifies application development since the same application can use different URLs simultaneously. For more information, see Using SAML 2.0 templates.

New

When promoting an application between environments, you can now configure an application name for OAuth and OpenID Connect (OIDC) clients, SAML connections, and PingAccess applications. For more information, see Promoting applications.

Improved

You can now choose to delete applications from PingFederate or PingAccess in addition to PingCentral. This feature is flexible because you can select which environments to delete the application from. For more information, see Managing applications.

Improved

Instead of using administrator credentials for basic authentication, you can now configure PingCentral to use OAuth client credentials to connect to PingFederate or PingAccess. will request an access_token to use whenever it connects to PingFederate or PingAccess. For more information, see Configuring PingFederate and PingAccess for SSO.

Security

Along with other dependencies (libraries), we’ve upgraded the H2 database from v1 to v2. For more information, see Upgrading PingCentral.

Issue PASS-3613 PingFederate

PingCentral promotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.

When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.

To resolve these issues, configure the APC mappings within PingFederate.

Issue PASS-4948 PingAccess

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

Issue PASS-5663 PingAccess

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:

Environment’staging': PingFederate. This certificate either has the same ID or the same content as the certificate with index 0.

To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Issue PASS-5977

After upgrading to 1.8, 1.9, 1.10, or 1.11, PingCentral fails to start if $\{pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Issue PASS-6466

Templates created in 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

Issue PASS-6591

If the installation path has any spaces in the existing or new instance, the H2 database is not migrated during upgrade. Upon removing the spaces from the file path, the migration is successful.

New PASS-2017

If you are an administrator, you can now update the grant types, scopes, and policy contracts in OAuth and OpenID Connect (OIDC) templates to further customize them to meet your needs.The history of these templates is also available to review and compare with previous versions. You can see which administrator modified the template configuration or policy contract, when it was modified, and details regarding these modifications. You can also revert templates to previous versions, if necessary. See Managing templates for details.

New PASS-6007

If an application is based on an outdated template, an Outdated Template icon now displays next to its name in the applications list. Edit the template and click the Update Template button. See Updating applications for details.

New PASS-5202 and PASS-6018

You can now use SSO to access PingFederate and PingAccess from PingCentral. For details, see Configuring PingFederate and PingAccess for SSO.

Improved PASS-6388

Account lockout mechanisms that prevent users from accessing the application or API after a specified number of failed sign-on attempts were added to this release. Specify the number of failed attempts that are allowed before users are locked out and the lockout period in the application.yaml file.

Issue PASS-6466

Templates created in version 1.2 or earlier do not store the environment ID, so you cannot update their grant types, scopes, or policy contracts, nor can you revert them to previous versions.

Security PASS-6387 and PASS-6378

Resolved a potential security vulnerability that is described in security bulletin SECBL022 (requires sign-on).

Issue PASS-6316 PingFederate

PingCentralpromotes access token mappings and authentication policy contracts (APCs) with OIDC applications, but the APC mappings that link the APCs to the access token managers are not currently promoted with them. If the APC mappings do not already exist in the target PingFederate environments, applications do not function as expected.When new APCs are promoted in PingCentral, access token mapping referencing the APC is created, but persistent grant mapping is not established, so the configurations are invalid.To resolve these issues, configure the APC mappings within PingFederate.

Issue PASS-5663 PingFederate

When promoting SAML applications, PingFederate does not allow you to use the same certificate as both a service provider (SP) certificate and an assertion encryption certificate. Instead of preventing the promotion to continue, you receive a message similar to the following:Environment’staging': PingFederate. This certificate either has the same ID or the same content as the certificate with index 0.To continue the promotion, ensure that the SP certificate and the assertion encryption certificate are different.

Issue PASS-4948 PingAccess

Customized authentication challenge responses, which support single-page applications, are available in PingAccess 6.2 or later. Applications with this type of policy can be added to PingCentral, but cannot be promoted to another environment unless the authentication challenge policy, with the same UUID, also exists in the target environment.

Issue PASS-5977

After upgrading to 1.8, 1.9, or 1.10, PingCentral fails to start if $\{pingcentral.home} is used in the trust store path. To prevent this from happening, change the home path to be the absolute trust store path and delete the Certificates table in the database.

Issue PASS-5009

If you attempt to add a SAML application to PingCentral from an existing application through the API, and the connection JSON contains identity attribute names and placeholders, you receive an error message advising you to nullify the Names field. However, even if you nullify this field, you still receive an error message because the JSON contains placeholders. Remove these placeholders before you proceed.

Issue PASS-5001 and PASS-5002

When creating, updating, or validating an environment through the API, you receive a server error message if the environment Name or Password fields are null or missing. API requests cannot be processed without this information, so ensure that these fields contain valid values.You will also receive a misleading error message if the PingAccess Password field is null. Rather than informing you that the information in this field is invalid, it informs you that you cannot connect to the PingFederateadministrative console, which is misleading.Requests to connect PingAccess to a PingCentral environment cannot be processed without this information, so ensure that this field contains a valid value.