PingOne Release Notes

Review release notes for the PingOne Cloud Platform and PingOne Services.

November 2024

November 20

Added Active Directory compatibility to the Reset Password capability

Improved PingOne

The Reset Password capability in the DaVinci LDAP connector is now compatible with Active Directory. Learn more in LDAP Connector.

November 19

User demographic dashboard

New PingOne

The User demographic dashboard shows a summary of user demographic profiles and activity for the selected environment. Learn more in User demographic dashboard.

November 18

Simplified OIDC application configuration and integration

New PingOne

We’ve enhanced the application configuration process for OpenID Connect (OIDC) applications. The new Integrate tab provides access to prefilled code examples, instructions, and sample apps for testing connections. Initial support is available for Node.js Express and the Ping SDK for JavaScript. Learn more in Integrate PingOne with a Node.js Express app or Integrate Ping SDK for JavaScript with PingOne.

November 14

Manually approve a user’s ID

Improved PingOne Verify

You can now manually approve a user’s ID from the transaction log. Learn more in Manually approving a user’s ID.

November 13

Specifying authentication policy for SAML applications using flowPolicyId

New PingOne

PingOne now supports using the flowPolicyId HTTP request parameter to indicate the authentication policy for PingOne to use when authenticating users to a SAML application. You can include the flowPolicyId HTTP request parameter in the Initiate Single Sign-On URL to specify a PingOne authentication policy or a DaVinci flow policy. Learn more in Editing an application - SAML.

Amazon API Gateway integration kit retries for client network errors

New PingOne Authorize

We’ve added a retry mechanism to improve the handling of client network errors caused by connection resets. Use the maxRetries setting in config.js to set the maximum number of retries you want before returning a failed response to the client. The default is 1. Learn more in Configuring Amazon API Gateway for PingOne Authorize integration.

November 12

Language localization

New PingOne Verify

Use language localization to configure one or more languages and modify the PingOne Verify text that is presented to end users in notifications and agreements. Learn more in Configuring PingOne Verify language localization.

November 11

Deletion of staging policies when promoting to production

New PingOne Protect

When you promote a staging policy to production, the staging policy will now be automatically deleted from your list of risk policies. You can no longer unlink PingOne Protect staging policies from a production policy. Learn more in Creating and managing staging policies.

November 6

PingOne Protect (Signals) SDK - new versions

New PingOne Protect SDK

We’ve released new versions of the PingOne Protect (Signals) SDK:

  • iOS - 5.2.8

  • Android - 5.1.5

  • Web - 5.4.0

You can find details in the SDK Changelog.

November 5

Support for offline_access scope in OIDC applications

New PingOne

PingOne now supports the offline_access scope for OIDC-based applications. Add offline_access as an allowed scope to enable an application to use the Refresh Token grant type to access previously approved resources when the user is not present and on a per-request basis. This lets the application decide whether to request a refresh token based on whether it needs one. Learn more in Editing an application.

October 2024

October 31

Optional sequential character password restrictions added

Improved PingOne

To provide more opportunities to enhance password security, we’ve added options for restricting the use of sequential characters in user passwords. Enforce one or more of these restrictions for your users by adding them to your password policies. Learn more in Password policies.

October 29

SSO into PingOne Advanced Identity Cloud

New PingOne

You can now set up single sign-on (SSO) from the PingOne admin console into PingOne Advanced Identity Cloud. With this capability, you can also now assign Advanced Identity Cloud tenant roles in PingOne for use in SSO. Learn more in Setting up SSO to PingOne Advanced Identity Cloud and Administrator Roles.

AuthnStatement session validity duration for SAML applications

New PingOne

You can now optionally specify a value for the SessionNotOnOrAfter attribute using the new AuthnStatement session validity duration setting in SAML applications. This new capability improves interoperability, especially if the SAML application requires a longer SessionNotOnOrAfter value than the lifetime of the SAML assertion defined in the Assertion Validity Duration setting. Learn more in Editing an application - SAML.

October 24

Enhanced Getting Started experience for customer use cases

Improved PingOne

We’ve updated the Getting Started experience for creating a password-based customer solution. Enhancements include a more flexible configuration that makes it easier to test different authentication, registration, account recovery, and profile management use cases. Additionally, the underlying DaVinci flows used by the Getting Started experience have been updated to follow our best practices for flow creation and user interface standards.

Learn more on the Passwords tab of Building a customer solution.

October 21

Native, Worker, and Device Authorization apps removed from PingID policy

Fixed PID-14123 PingOne

For PingID accounts that are integrated with PingOne environments, the legacy PingID admin portal no longer lists Native, Worker, and Device Authorization apps in the PingID Policy Applications list.

October 16

Enhanced user interface for external groups

Improved PingOne

We’ve enhanced the UI for external groups to make it easier to determine the source of the group at a glance. The details page for external groups has also been updated to provide more information and includes a link to the configuration details so that you can easily make changes if needed. Warning and informational messages have been added to alert you to potential issues.

Updated LDAP Gateway client application

New PingOne

We’ve released LDAP Gateway client application version 3.3.0. This version includes:

  • Support for using a forward web proxy server that requires authentication to handle traffic between the gateway client and PingOne.

  • Upgraded dependencies for better security and stability.

Learn more about using a web proxy server in Starting a gateway instance.

October 15

Custom administrator roles

New PingOne

For increased security and flexibility of role assignment, we’ve introduced the ability to create custom administrator roles in PingOne. PingOne administrators with the proper role assignment can now create, edit, and assign custom roles using any of the permissions available in PingOne. Custom roles can then be assigned to implement delegated administration and to provide least-privileged access to PingOne resources. The new Administrator Roles UI includes enhanced permission descriptions, privileged permissions tags, and labels that ensure you include permissions essential to using the PingOne admin console. Like built-in roles, custom roles can be assigned to users, groups, worker apps, or PingFederate gateways.

October 9

PingOne notifications - sending through an external email service

New PingOne MFA

You can now use an external email service to send notifications to your users. Learn more in Using a custom email provider for notifications.

October 6

Configure the one-time passcode (OTP) length

New PingOne MFA

You can now configure the length of the one-time passcode presented to the user. This feature is available for Email, SMS, and Voice authentication methods. Learn more: Adding an MFA policy

October 4

Multi-factor authentication required for access to admin console - updates

Improved PingOne

As part of our continued efforts to support best practice security measures in PingOne, we have enhanced the multi-factor authentication requirements introduced earlier this year.

The following updates have been made:

  • You can now enable enhanced administrator security on a per-environment basis for organizations that were created before July 18, 2024. Go to Settings > Administrator Security and click Enable Enhanced Security. You will be prompted to confirm your choice. If you later want to disable enhanced administrator security before it is required for all environments, click Disable Enhanced Security on the same page, and respond to the prompt.

  • You can now select the MFA authentication methods you want to support for administrators. Learn more in Configuring administrator security.

  • You can now enable enhanced security for environments using PingID and PingOne SSO. Learn more in Configuring administrator security - PingID.

  • The Multi-factor Authentication setting for all existing administrator users has been updated to Enabled so that these users can enroll a second authentication factor if enhanced security is enabled for their environment.

Amazon API Gateway integration kit retries for 5xx errors

New PingOne Authorize

We’ve added a retry mechanism to improve handling of 5xx errors caused by transient network or service issues. Use the maxRetries setting in config.js to set the maximum number of retries you want before returning a failed response to the client. The default is 1. Learn more in Configuring Amazon API Gateway for PingOne Authorize integration.

October 3

Support for Microsoft Entra ID external authentication methods by authentication policies

New PingOne

External authentication methods allow Microsoft Entra ID users to leverage external authentication providers for multi-factor authentication (MFA). You can now enable this integration with PingOne authentication policies. Learn more in Setting up PingOne SSO and PingID as the external MFA provider for Microsoft Entra ID.

October 2

Merge or overwrite memberships in outbound group provisioning

New PingOne

You can now merge or overwrite memberships when a group with the same name exists on the target. Learn more in Configuring outbound group provisioning.

September 2024

September 30

MFA policies - application name in authenticator app

New PingOne MFA

To help users recognize which application the OTP displayed in their authenticator app is for, the MFA policy configuration page now includes an option called Show application name. Use this option to specify the text that should be displayed alongside the OTP in the authenticator app.

September 29

FIDO policies - localhost as relying party

Improved PingOne MFA

To facilitate testing, when you define a FIDO policy in a Sandbox environment in PingOne, you can now set Relying Party ID to localhost.

September 9

Enhanced administrator onboarding experience

New PingOne

We’ve released a significant update in the PingOne Administrators environment to streamline the onboarding process for new PingOne administrators. This release introduces a Getting Started experience tailored to address common points of confusion and help new administrators quickly understand and manage their responsibilities within the platform. Learn more in the Introduction to PingOne.

August 2024

August 22

Updated API gateway integration kits

New PingOne Authorize

We’ve released new versions of the following API gateway integration kits:

  • Amazon API Gateway integration kit 1.1.0

  • Apigee integration kit 1.1.0

  • Kong integration kit 1.1.0

These versions improve how the integration kits handle rate limiting to achieve more reliable and stable authorization services. Learn more about connecting your API gateway to PingOne Authorize in PingOne Authorize API gateway integrations.

August 21

Default MFA status for new users setting enabled by default

Improved PingOne

The Default MFA status for new users setting on the MFA Settings page is now enabled by default in all new environments. This setting allows just-in-time registration of new multi-factor authentication (MFA) methods for PingOne administrators the first time they sign on to the admin console. Learn more in Configuring MFA settings.

August 19

New risk predictor - Traffic Anomaly

New PingOne Protect

A new risk predictor called Traffic Anomaly has been added in order to detect traffic anomalies in terms of variables such as users, devices, and sessions.

The Traffic Anomaly predictor will eventually include a variety of rules, some of which you can select to enable or disable. In this initial release of the predictor, PingOne Protect detects situations where there are a large number of risk evaluations requested for a single user within a short period of time, and optionally can also detect situations where the number of users per device during a given period is suspicious.

When a risk level of High is calculated for the Traffic Anomaly predictor, it is recommended that you deny access because the suspicious activity is likely due to malicious behavior.

For details, see Predictors, Configuring predictors, and the Risk Predictors section of the PingOne API documentation.

User IP from Signals (Protect) SDK payload

Improved PingOne Protect

Due to the use of corporate proxies and other network tools, the user’s true IP was often masked by an internal IP, reducing the benefit provided by risk predictors that factor in the IP or user location. To handle such situations, if PingOne Protect encounters an internal IP, it now uses the user IP that is included in the Signals (Protect) SDK payload. This feature requires version 5.2.7 or later of the Signals SDK for Web.

Deprecation of User Risk Behavior (organization-wide) predictor

Info PingOne Protect

The User Risk Behavior (organization-wide) predictor has been deprecated. The predictor can still be used in existing PingOne environments, but is not available in new environments.

August 9

Updated LDAP Gateway client application

New PingOne

We’ve released LDAP Gateway client application version 3.2.2, which includes improved support for unauthenticated proxy for LDAP gateway provisioning sync.

August 7

Updated LDAP Gateway client application

New PingOne

We’ve released LDAP Gateway client application version 3.2.0. This version includes:

  • Support for using a forward web proxy server to handle WebSocket traffic between the gateway client and PingOne

  • Debug logging improvements

  • Bug fixes

Learn more about using a web proxy server in LDAP gateways and Starting a gateway instance.

August 5

User group conditions in composite predictors

New PingOne Protect

When creating composite risk predictors, you can now include conditions that check what PingOne user groups the user belongs to. For details, see Adding composite predictors and the example in the PingOne API documentation.

New admin alert - suspicious traffic

New PingOne Protect

You can now add an alert to receive an email notification if PingOne Protect detects a pattern of suspicious traffic that requires your attention. For details on adding alerts, see Adding an alert.

Bot detection enhancement

New PingOne Protect

The Bot Detection predictor now has an option that you can select to expand the types of bot activity that PingOne Protect can detect. For details, see Configuring predictors and the Risk Predictors section of the PingOne API documentation.

July 2024

July 30

RADIUS Gateway enhancements

New PingOne

  • We’ve updated the RADIUS Gateway client application to version 1.2.0. This version supports running a standalone RADIUS Gateway as a Windows service.

  • We’ve added the option to configure the RADIUS Gateway port and also added support for PAP protocol when integrating the RADIUS Gateway with a Network Policy Server (NPS).

  • Some minor issues were fixed in the following flows:

Learn more: RADIUS gateways.

July 26

Updated defaults for new single page applications

Improved PingOne

When adding a new single page application, PingOne creates the application with the following new defaults to align with current security best practices:

  • Response Type: Code

  • Grant Type: Authorization Code

  • PKCE Enforcement: S256_REQUIRED

Existing single page applications will not be updated to use the new defaults. You can update the settings for new and existing single page applications as needed. Learn more in Editing an application - Single page.

July 22

Dynamic linking for registration of FIDO devices

New PingOne MFA

For MFA, the PingOne API now includes an option to use dynamic linking to attach a unique identifier to the registration of a FIDO device.

For details, see the FIDO2 devices data model table under MFA devices in the PingOne API documentation.

July 18

Multi-factor authentication required for access to admin console

New PingOne

As part of our ongoing commitment to enterprise security and supporting best practices, multi-factor authentication (MFA) is now mandatory for PingOne administrators in organizations created after July 18, 2024. If your organization was created before July 18, 2024, you will be able to opt in for this requirement on a per-environment basis in the coming months. A message in the admin console will indicate when the early access period begins. In 2025, this requirement will be enabled in all organizations, for all environments. Learn more in Administrator security and the PingOne administrators MFA requirement - FAQ.

July 3

Signals (Protect) SDK - authenticity check

New PingOne Protect

It is now possible to have the device data in the Signals SDK payload converted to a signed JWT, to ensure that the content has not been tampered with.

When defining a Suspicious Device predictor in your PingOne environment, you can specify that any risk policies containing the predictor will require that the Signals SDK payload use the signed JWT option, with the signature being verified before proceeding with risk evaluation.

Currently, the option of providing the SDK payload as a signed JWT can be enabled in the initialization code for the SDK or via the option that has been added to the skrisk component used in DaVinci flows.

For details, see Configuring predictors, the documentation for the web version of the Signals SDK, the Risk Predictors section of the PingOne API documentation, and the documentation for the PingOne Protect DaVinci connector.

June 2024

June 28

Verify policy enable AAMVA

New PingOne Verify

We’ve added a new feature for Verify policies, Enable AAMVA. This allows verification of ID information against the issuing agency database. Learn more in Creating a Verify Policy.

June 26

Delegated administration for applications

New PingOne

We’ve created the Application Owner role to limit administrator access to specific applications. Use this role to provide application developers with access only to the applications they manage. This role provides no other administrator permissions in PingOne. Learn more in Administrator Roles and Managing user roles.

User interface updates

Improved PingOne

To ensure consistent terminology throughout the product, two user interface (UI) updates have been made:

  • In the sidebar, under Directory, Roles is now Administrator Roles.

  • In the Users UI, the Roles → Administrative Roles tab is now Roles → Administrator Roles.

June 25

Verify policy fail expired IDs

New PingOne Verify

We’ve added a new feature for Verify policies, Fail expired IDs. This allows users to fail verification when an ID expires. Learn more in Creating a Verify Policy.

June 20

Updated LDAP Gateway client application

New PingOne

We’ve released LDAP Gateway client application version 3.1.2. This version includes:

  • Docker image support for ARM-based hardware and virtual environments, providing more flexibility on how you run your LDAP gateway. Docker automatically pulls the right image, so no action is required.

  • Bug fixes for external password policy enforcement

  • Logging enhancements

June 18

Specifying flow subtype for risk evaluations

New PingOne Protect

When creating risk evaluations, you can now provide additional detail about the context of the flow by specifying a flow subtype in addition to the flow type. For details, see the description of the new flow.subtype field in the PingOne API documentation.

June 17

Providing feedback for risk evaluations

New PingOne Protect

A new endpoint, riskFeedback, has been added to the PingOne API to allow you to provide feedback on the accuracy of specific risk evaluations that were carried out. Each such call can include feedback for up to 100 risk evaluations, and for each evaluation you can specify a feedback category and a reason for including the evaluation in that category. For details, see Providing feedback for risk evaluations in the API documentation.

June 14

Population overview

Improved PingOne

We’ve organized the Populations UI into corresponding sections to make it easier to navigate through various configurations. Admins can now see details attached to a population within the Populations UI, along with the ability to navigate to corresponding configurations in Password Policy and External IdP when needed. Learn more in Managing populations.

June 11

CORS support extended

Improved PingOne

We’ve extended support for cross-origin resource sharing (CORS) to additional endpoints in PingOne. CORS allows devices on one domain to access resources on another domain. Learn more in Cross-origin resource sharing and in the Cross-origin resource sharing section of the PingOne API documentation.

June 4

Dynamic linking for FIDO transactions

New PingOne MFA

For MFA, the PingOne API now includes an option to use dynamic linking to attach a unique identifier to a FIDO transaction. For details, see Create a request property JWT and Device authentications data model in the PingOne API documentation.

June 3

Allow user to add device nickname during pairing

Improved PingOne MFA

We’ve added the option to allow the user to add a device nickname during the pairing flow. After successfully pairing the device, a popup window is shown, asking them if they want to define a device nickname. If the user does not edit the text field, the default nickname is applied.

For more information, see Adding an MFA policy.

May 2024

May 22

Social login with PingOne Forms for DaVinci now supported

Improved PingOne

When creating or editing a form in User Experience → Forms, you can now add a social login button from the Toolbox. For details, see Form toolbox.

This feature is in limited release. Contact Ping support to request access to this feature.

May 15

PingOne MFA mobile SDK 1.10.1 (iOS only)

New PingOne Mobile SDK

Version 1.10.1 of the PingOne MFA mobile SDK for iOS has been released.

This version contains a single bug fix. For details, see Release notes - iOS version.

May 9

Application role assignment enhancements

New PingOne Authorize

We’ve made it easier to assign application roles to users. Now you can assign application roles on the Users page, in addition to assigning users to roles when you create an application role. Learn more in Managing user roles.

May 7

Updated UI for Alerts

Improved PingOne

The user interface (UI) for Alerts in PingOne has been updated with a new look and feel. You can now add a name for alerts and search/sort by alert name.

May 6

New domain for Australia region

New PingOne

We’ve added a new .com.au domain for our Australia region that reflects Australian data residency. Organizations created for our Australia region after May 6, 2024 will use the new .com.au domain name. Organizations created before that date must continue to use the .asia domain name. Learn more about regional domains in Introduction to PingOne.

April 2024

April 25

New Kerberos Check audit event types

New PingOne

We’ve added two new event types for PingOne gateways configured to use the Kerberos protocol for authentication:

  • Kerberos Check Succeeded

  • Kerberos Check Failed

You can review these events in the PingOne Audit log. Learn more in Event types.

April 24

Microsoft 365 application Subject NameIdentifier Format enhancements

New PingOne

When adding or editing a Microsoft 365 application, you can now configure the Subject NameIdentifier Format value and also configure a mapping for the value to a PingOne attribute. Learn more in Adding Microsoft 365 to PingOne.

Application permissions in access tokens

New PingOne Authorize

Now you can include a permissions claim in access tokens created for your APIs and custom resources. This enables you to retrieve and enforce permissions for application features and API resources developed by your organization. Learn more in Application permissions.

Additional protocols supported in custom theme footers

Improved PingOne

The tel and sms protocols are now supported in HTML footers used in custom themes. Learn more in Customizing a theme.

April 16

Custom data group properties in PingOne Directory

New PingOne

We’ve made it easier to add custom properties to groups in PingOne Directory. Now you can simply add metadata properties as key-value pairs in the user interface for creating or updating groups. Learn more in Creating a group.

April 10

Verify dashboard

New PingOne Verify

The Verify dashboard shows identity verification transaction activity for your organization. Learn more in Verify dashboard.

Ability to upload and download a complete language pack

Improved PingOne

Previously, when uploading or downloading a language pack in User Experience > Languages, you could only download the translatable keys for each module. Now, you can download or upload the complete language pack.

April 8

Verify policy document authentication provider

New PingOne Verify

You can now configure a document authentication provider in your verify policy. Learn more in Creating a verify policy.

April 4

Verify policy retry attempts

New PingOne Verify

We’ve added two new features for Verify policies: Government ID Retry Attempts and Selfie Retry Attempts. This allows users to retake pictures of a government ID or selfie if the previous image had a quality problem.

Learn more about government ID retry and selfie retry in Creating a verify policy.

April 3

Automatic verification of "sender" email address

New PingOne

The requirement of responding to a verification email when adding a "sender" email address made it difficult to add an address that does not have an inbox. Now, when you create a trusted email domain, PingOne creates an additional text record that reflects the association of the domain with the specific PingOne environment. If you add this new record to your DNS, any sender email address belonging to the domain is set to active status as soon as you create it, with no need for a verification email.

April 2

Unique theme IDs and names added to Branding and Themes

New PingOne

Branding and Themes now have unique Theme IDs for themes that can be copied and pasted directly into the PingOne Forms connector. A unique theme name will also be generated by default to prevent having duplicate themes in the environment.

Learn more in PingOne Forms connector.

Aggregate passkey devices per user during authentication

New PingOne MFA

We’ve added the ability to aggregate all FIDO2 devices associated with a user’s account during authentication. This simplifies authentication, as the user is presented with a single FIDO2 authentication method representing all of their paired FIDO2 devices, rather than seeing each device listed separately. If the user chooses to authenticate with the aggregated FIDO2 authentication method, the OS of the accessing device selects the most appropriate method for them to use to authenticate.

Learn more at Adding a FIDO policy.

April 1

Environments UI enhancements

Improved PingOne

We’ve updated the Environments page to include search and sort capabilities that make it easier to find the environment you need. We’ve also added the ability to upload a custom icon to make an environment stand out visually in the list. Additionally, you can now view and edit environment details without leaving the Environments page. The Environment Properties page has also been updated, providing a consistent experience. Learn more at Getting started with PingOne and Environment properties.

March 2024

March 26

Integration of a PingID account with PingOne

Improved PingOne

We’ve improved the process for integrating an existing PingID account with PingOne. PingOne now performs more comprehensive validations during the integration process, enabling Administrators to fix issues and ensure license compliance before starting the integration. Learn more at Integrating a PingID account with a new PingOne environment.

RADIUS Gateway enhancements

New PingOne

We’ve updated the RADIUS Gateway client application to version 1.1.1. This version has a lighter footprint, improves security, and reduces dependencies. RADIUS Gateway 1.1.1 supports Java 17.0.8 or later.

March 20

Role assignment UI enhancements

Improved PingOne

We’ve streamlined the user interface for viewing and assigning roles. This update reduces scrolling and clarifies the context in which the user or group has roles assigned. Learn more at Managing user roles and Managing group roles.

March 12

LDAP Gateway user attribute updates on every authentication

New PingOne

We’ve added the ability for PingOne to always update PingOne user attribute changes from an external directory on every successful authentication through the LDAP Gateway client. Learn more about enabling user attribute updates in Adding a user type.

March 7

Password Check audit event descriptions enhanced

Improved PingOne

The descriptions for the Password Check Succeeded and Password Check Failed audit events in PingOne have been enhanced to include more information for users signing on through a PingOne gateway and to improve the troubleshooting experience, as described in the following table:

| PingOne gateway user? | Event type | Previous description | New description |
|---|---|---|---|
| Yes | Password Check Succeeded | Check Succeeded Password <userId> | Password check succeeded for Gateway User <userId> through Gateway <gatewayId> using User Type <userTypeId> |
| Yes | Password Check Failed | Check Failed Password <userId> | Password check failed for Gateway User <userId> through Gateway <gatewayId> using User Type <userTypeId> |
| No | Password Check Succeeded | Check Succeeded Password <userId> | Password check succeeded for User <userId> |
| No | Password Check Failed | Check Failed Password <userId> | Password check failed for User <userId> |

Learn more about audit events in Event types.

March 5

User Updated audit event enhancements

Improved PingOne

The User Updated audit event in PingOne has been enhanced to include information about most user attributes that were changed, added, or removed during the update. Learn more about auditing events in Event types. Learn more about user attributes.

PKCE support added for custom OIDC identity providers

New PingOne

You can now enable Proof Key for Code Exchange (PKCE) for custom OIDC identity providers in PingOne. PKCE helps to secure communication with the provider and can prevent authorization code interception attacks. Learn more at Adding an identity provider - OIDC.

March 4

New risk predictor - Email Reputation

New PingOne Protect

The use of disposable email addresses is a common characteristic of fraudulent activity. PingOne Protect now has a risk predictor to detect the use of disposable email addresses during registration.

You can add the predictor to your risk policies, and you can also define a specific course of action if the result.recommendedAction field in the risk evaluation response indicates the use of a disposable email address.

PingOne API - field added to risk evaluation response

Info PingOne Protect

For risk evaluations that use a risk policy with the New Device predictor, the API response now includes a field that represents the date and time that the device was last seen. For details, see Risk Evaluations in the API documentation.

March 1

New API Access Management audit event types

New PingOne Authorize

We’ve added the following new API Access Management event types:

  • API Service Created

  • API Service Updated

  • API Service Deployed

  • API Service Deleted

You can review these events in the PingOne Audit log or create webhooks to ensure management of API Services is working correctly. Learn more in Viewing API Access Management events in your PingOne environment audit log.

February 2024

February 28

OAuth 2.0 device authorization grant support added

New PingOne

We’ve added support for the device authorization grant type, which you can use to enable users to authorize access to a protected resource on a device with limited user input capabilities, such as a smart TV, using a browser on a second device, such as a smartphone or computer.

PingOne API - resend OTP for pairing device

New PingOne MFA

To cover situations where a user did not receive the one-time passcode (OTP) that was sent for pairing a device, the PingOne API now provides a request for resending the OTP. For details, see Resend Pairing OTP in the API documentation.

Updated UI for sender configuration

Improved PingOne MFA

The user interface for configuring senders for email and SMS/voice has been updated to be more streamlined and intuitive.

February 20

User verification field added to User Devices report

Improved PingOne MFA

When you generate a User Devices report, the report now includes a field called fidoUserVerification, which indicates whether user verification has been performed successfully with a FIDO device during registration or authentication. For more information on user verification, see Adding a FIDO policy.

PingOne MFA User Devices chart

New PingOne MFA

We’ve added the User Devices chart to the PingOne MFA dashboards. The User Devices chart consists of the following two charts (in the drill-down view):

  • User Devices: view the number or percentage of devices used by the authentication method.

  • App Version: view mobile applications by version.

You can filter the results by primary or secondary device, and OS version (Android or iOS).

For more information, see User devices and app version charts.

February 14

Support for client secret JWT and private key JWT in OIDC applications and custom resources

New PingOne

OIDC-based applications and custom resources in PingOne now support client secret JWT and private key JWT as token introspection endpoint authentication methods. OIDC applications also now support asymmetric request object signing algorithms. To use private key JWT for authentication, and for an OIDC application to send asymmetrically signed request objects, you must provide either the JSON Web Key Set (JWKS) itself or the URL where PingOne can retrieve the JWKS.

February 12

New risk predictor - Adversary-in-the-Middle (AitM)

New PingOne Protect

To further enhance its ability to prevent account takeover, PingOne Protect now has a dedicated risk predictor to handle Adversary-in-the-Middle attacks.

AitM is a variant of Man-in-the-Middle attacks in which a malicious actor uses a reverse proxy to position themselves between a user and an online service in order to obtain user credentials and session tokens. This type of attack circumvents the protection usually provided by OTP-based multi-factor authentication, and of late has become a common technique in phishing attempts.

PingOne Protect dashboard - event details table

Improved PingOne Protect

For the individual charts included in the PingOne Protect dashboard (other than Risk Heat Map), the event details table now includes all risk evaluation events, even those where all the risk predictors in the policy indicated low risk.

Risky IP chart - bot detection

Improved PingOne Protect

The bot detection predictor is now taken into account when categorizing IPs as risky.

On the Risky IP chart, when you click View Details to see why an IP was categorized as high-risk, you may see bot detection given as a reason.

February 6

Outbound Group Provisioning

New PingOne

PingOne now supports outbound group provisioning. Use PingOne provisioning to sync groups, along with their memberships, out of PingOne to a connected software as a service (SaaS) application. For more information, see Outbound group provisioning.

February 1

New LDAP Gateway service connection

New PingOne Authorize

With the new Gateway service, you can retrieve user profile information stored in on-premise and external LDAP directories, such as PingDirectory or Microsoft Active Directory, for use in authorization policies. User data is cached for improved performance. For more information, see Authorization services.

January 2024

January 16

Support for multiple client secrets in OIDC applications and custom resources

Improved PingOne

After you update a client secret in PingOne, you must ensure that any applications or resources that use the secret are updated. Previously, if there was lag time between when a new client secret was generated and when application or resource owners updated the application or resource to use the new secret, errors could occur because the old secret was invalidated immediately. Now you can choose to retain the previous client secret for up to 30 days, giving application or resource owners time to update the secret without end users experiencing errors in the meantime. Additionally, you can immediately revoke the previous client secret at any time during the retention period if it is no longer needed.

Multiple client secret support applies only to OIDC-based applications and custom resources at this time. You can use the PingOne admin console or the PingOne API to generate a new client secret and define a retention period for the previous secret. For more information, see Rotating the client secret for an application and Rotating the client secret for a resource.

Use the policy request parameter with the PingOne Application Portal

New PingOne

You can now use the optional policy request parameter to specify which policy to use for the Application Portal application. The authentication policy defines the sign-on requirements for accessing the Application Portal. For more information, see Applying authentication policies to the Application Portal.

PingOne Signals SDK 5.2.10 (web only)

New PingOne

Version 5.2.10 of the PingOne Signals SDK for web has been released.

This version contains performance improvements for initialization of the SDK.

January 11

Application permissions and roles

New PingOne Authorize

Managing permissions in your custom applications is now as easy as checking a box. Now you can:

  • Define permissions for application features and APIs without changing your application code

  • Centralize permissions enforcement through your API gateway

  • Manage permissions assignment with roles

  • Extend permissions with custom policies

For more information, see Application permissions.

January 8

PingID users can manage their devices from PingOne MyAccount page

New PingOne MFA

We’ve added the following features to allow PingID users to manage their devices from the PingOne MyAccount page, rather than the PingID Devices page:

  • Self Service: We’ve added the Manage PingID Devices via MyAccount option to enable PingID workforce users to manage their devices through the MyAccount app.

  • MyAccount app reduced scopes: The Allow user actions according to granted authentication scopes check box provides a limited subset of scopes for users that have not yet authenticated. When this option is selected, users are required to authenticate to get a more complete set of scopes that allow them to add or change a device. When the Manage PingID Devices via MyAccount option is selected in Self-Service, this option is automatically selected. For information, see Self service.

  • Reordering the device list: We’ve added the ability to drag and drop devices to reorder them in the MyAccount device list.

January 7

User Devices report

New PingOne MFA

You can now view and export reports that list the details of MFA devices, such as the username and user ID associated with the device, using a number of device-related filters. For example, you can generate a report listing all email devices or a report containing all of the devices whose phone number starts with a certain country code. Results can be exported in CSV or JSON format.

For details, see User Devices report.

January 4

Composite predictors - user ID and user name

New PingOne Protect

When composing a composite predictor, you can now include user name and user ID as criteria. You can use this feature to assign a different risk level for user names or user IDs that contain specific strings, for example, a specific domain name.

For details, see Adding composite predictors and the Risk Predictors section in the API documentation.

January 3

CORS support added

Improved PingOne

We’ve added support for cross-origin resource sharing (CORS) to PingOne. CORS allows devices on one domain to access resources on another domain. Configure CORS settings to enable your OIDC or SAML application to access third-party resources, such as cross-origin images, scripts, and stylesheets. For more information, see Cross-origin resource sharing.

December 2023

December 27

PingOne MFA mobile SDK 1.11 (Android only)

New PingOne Mobile SDK

Version 1.11 of the PingOne MFA mobile SDK for Android has been released.

This version contains a number of bug fixes.

PingOne MFA mobile SDK sample app - use of passkeys

Improved PingOne Mobile SDK

The sample app for the PingOne MFA mobile SDK has been updated to demonstrate support of passkeys. This applies to both the Android and iOS versions of the sample app.

December 21

Kong Konnect integration

Improved PingOne Authorize

Now you can extend Kong’s authorization capabilities with an integration kit that supports Kong Konnect. This integration allows you to centrally manage your authorization requirements using PingOne Authorize’s external policy evaluation service, controlling access to APIs with simple rules and fine-grained policies. For more information, see Integrating PingOne Authorize with Kong Konnect.

December 18

Leverage existing resources in API services

Improved PingOne Authorize

We’ve made it easier to add runtime authorization controls to your existing PingOne configuration. In PingOne, a resource represents your API for OAuth authorization purposes. Now you can assign existing PingOne resources to API services, adding runtime API Access Management controls around your previously modeled APIs. For more information, see Defining your API in PingOne Authorize.

December 14

New filtering of groups

New PingOne

You can now filter groups by external source, such as an external identity provider or LDAP Gateway, and by population. For more information, see Searching for groups.

Set a default identity provider for a population

New PingOne

To simplify user configuration after you add a large number of users to PingOne, you can now set a default identity provider for a population. This setting applies to any users in the population who do not have Authoritative Identity Provider defined in their user profile, and applies only as long as the user remains in the population. This setting does not affect the Authoritative Identity Provider setting on the user profile. For more information, see Managing populations.

Inspection Type for government ID verify policy

New PingOne Verify

PingOne Verify now supports inspection type for government ID. Inspection type determines the type of inspection performed on government-issued documents and offers automatic, manual, and step-up to manual options. For more information, see Creating a verify policy.

December 6

Updated LDAP Gateway client application

Improved PingOne

We’ve released LDAP Gateway client application version 3.0.4. This version improves performance, and requires Java 17.0.8 (or later) or Java 21 LTS (or later). For more information, see LDAP gateways.

December 4

New Device Paired notification template

New PingOne MFA

When you customize the template for the message that is sent to notify a user when a new device is paired for their account, you can now include a variable called report.fraud. If you include this variable, the message will include a link that the user can click to report fraudulent pairing attempts. PingOne records these reports and you can view them in the Audit log. The event type for these reports is Fraud Reported.

Message explicitly informing administrators of SMS and Voice call charges

Info PingOne MFA

We’ve added a warning message to MFA policy to ensure administrators are aware that using the Ping sender account for SMS and Voice calls incurs charges. The popup message also appears when switching from a custom sender account to Ping’s sender account. To discourage the use of less secure authentication methods when creating a new MFA policy, the Voice authentication method is not selected by default.

Deprecated User Data endpoint in Verify service

New PingOne Verify

The PingOne Neo Verify User Data endpoint and its only call, Read User Verification Data, are deprecated. The endpoint and request will be removed in December 2024. For more information, see User Data and GET Read User Verification Data.