Release Notes
New features and improvements in PingOne MFA Integration Kit.
PingOne MFA Integration Kit 2.6 (January 2025)
Enforce Device Selection will be deprecated in the next release
Info P14C-66231
The Enforce Device Selection field will be deprecated in the next release of the PingOne MFA Integration Kit because it duplicates the behavior of the Method Selection field in the PingOne MFA policy.
Enforce Device Selection is still usable in version 2.6, but make sure to set the Method Selection configuration in the MFA policy to Always Display Devices. Otherwise, for example, the user might receive multiple OTPs.
Before upgrading to the next version, check your MFA policy to make sure that Method Selection is configured to reflect the desired behavior.
Insert an authentication policy into the CIBA flow
New P14C-67740
To insert an authentication policy into the CIBA flow based on runtime parameters, pass the extended contract parameter pingone-mfa-acr into an empty PingOne authentication policy that’s used in the CIBA authentication policy.
A non-empty PingOne authentication policy always takes precedence over pingone-mfa-acr, so make sure that the PingOne authentication policy is empty.
Improved 429 error handling
Improved P14C-64515
Added clearer error messaging for rate-limiting 429 errors.
Include number of maximum allowed devices in API response
Improved P14C-64509
All API responses that include the devices field now include a new field, maxAllowedDevices, which indicates the maximum number of devices that can be paired for a user.
Added support for the prompt parameter for OIDC flows
Improved P14C-64927
Updated the adapter to pass the prompt parameter to PingOne.
As a prerequisite, you must make sure that PingFederate is tracking the
Improved error messaging for flow time-outs
Improved P14C-58274
Replaced the generic error message for flow time-outs. The new message makes it clearer that a flow time-out caused the error, not an invalid OTP.
Improved locked device experience
Improved P14C-55624
If the default device becomes locked, you can now return to the Device Selection page and select a different device to use for authentication.
Enhanced MFA policy field configuration
Improved P14C-66230
The MFA policy for registration field in the adapter configuration is now a list instead of a textbox. This expedites selecting the desired policy and prevents typos from invalidating the configuration.
Added extra validation when pairing a user’s first device
Security P14C-59819
Added validation to the device pairing flow when pairing a user’s first device to confirm that no other devices were added during the session.
Updated a method to double-check if pairing process was initiated
Security P14C-63038
Updated a method to double-check if the pairing process was initiated to address potential security concerns.
Added tighter restrictions on cookie paths
Security P14C-53794
Added tighter restrictions on cookie paths to address potential security concerns.
Updated third-party libraries
Security P14C-61311, P14C-66921, and P14C-62241
Updated third-party libraries and removed an unused package to address potential security concerns.
Fixed an issue with configuring incorrect proxy settings
Fixed P14C-57761
Fixed an issue that caused the PingOne MFA IdP Adapter to get stuck if you saved the adapter configuration with incorrect proxy settings. For example, the wrong host or IP address.
Fixed an issue with page presentation when bypassmfa is set to false
Fixed P14C-65478
Fixed an issue that caused the Device Pairing and OTP Required pages to present an error message after clicking Cancel, if bypassmfa was set to false. Now:
- If you click Cancel on the Device Pairing page, the adapter presents the Device Selection page.
- If you click Cancel on the OTP Required page, the adapter presents the Device Pairing page.
Fixed error messaging for expired OTPs
Fixed P14C-66403
Fixed an issue that caused expired OTP error responses to display an irrelevant error message.
PingOne MFA Integration Kit 2.5 (September 2024)
Added support for the PingOne FIDO Device Aggregation feature
New P14C-57629
Added support for the PingOne FIDO Device Aggregation feature. FIDO Device Aggregation is part of the FIDO policy in PingOne. When this feature is enabled and a user has multiple FIDO2 devices, the user will see only one passkey device on the device selection screen. This device is an aggregation of all the user’s FIDO2 devices. During authentication, the authenticator suggests the best-suited FIDO device to the user.
View PingOne mobile application name in authentication API response
New P14C-61861
You can now view the PingOne mobile application name in the PingFederate authentication API response.
View an OTP’s lifetime in the authentication API
New P14C-62073
The PingFederate authentication API response now includes a new field (called otpLifetime) for the OTP_REQUIRED status. The otpLifetime field shows how long the OTP will remain valid.
Include more information in the PingOne logs for adapter authentication attempts
Improved P14C-44523
The PingOne MFA IdP adapter now forwards application and device information for authentication attempts made through the adapter to PingOne. To view this information in the PingOne admin console:
- Go to Directory → Users and click on a user.
- Click the Services tab, select Authentication, and go to the Sessions section.
Use dynamic linking to give a unique identifier to a FIDO device pairing attempt
Improved P14C-62023
Added the ability to give a unique identifier to a FIDO device pairing attempt. Learn more on dynamic linking in the “Use dynamic linking to give a unique identifier to a FIDO device authentication attempt” release note entry in PingOne MFA Integration Kit 2.4 (August 2024).
Upgraded TLS support
Security P14C-57813
The PingOne MFA IdP adapter now supports only TLS 1.2 and later.
Fixed double AUTHENTICATION_REQUIRED response
Fixed P14C-51451
Fixed an issue that caused the AUTHENTICATION_REQUIRED response to be returned twice for some specific scenarios in the PingFederate authentication API.
Fixed an authentication API response for selectDevice when OTP limit is reached
Fixed P14C-56520
Fixed an issue that caused the authentication API to provide an incorrect error response when a user switched from a mobile device to an OTP-based device and reached the OTP limit (as defined in notification policies in the PingOne admin console). OTP-based devices include:
- SMS
- Voice
- Email
- WhatsApp
Fixed an issue with locked OTP-based devices in HTML templates
Fixed P14C-59939
Fixed an issue that caused the HTML template to allow users to keep entering OTPs (which wouldn’t actually be submitted) after they became locked out from a device. Now, when a user is locked out, the adapter displays a new screen that informs the user that the device is locked and presents a Change Device button.
PingOne MFA Integration Kit 2.4.1 (August 2024)
PingOne MFA Integration Kit 2.4 (August 2024)
Use basic velocity template variables in the PingOne MFA templates
New P14C-57293
Made basic variables that are available in most PingFederate HTML templates available in the PingOne MFA templates.
Pair and authenticate a test device
New P14C-58742
Added the ability to pair a test device when adding a multi-factor authentication method and authenticating with it. A test device causes an OTP to be returned directly in the OTP_REQUIRED response.
Test devices are supported only when initiating an OpenID Connect (OIDC) flow in the authentication API.
To pair and authenticate with a test device, you must:
- Add the pi.testDevice parameter to the OIDC request with a value of allow.
- Sign the request object with your OIDC client credentials.
- When submitting the device target in the authentication API request, add the testMode field to the request with a value of true. This applies to the following action models: submitEmailTarget, submitSmsTarget, or submitVoiceTarget. Learn more in Models, objects, and error codes.
Use dynamic linking to give a unique identifier to a FIDO authentication attempt
New P14C-58753
Added the ability to use a custom challenge when authenticating with FIDO (webAuthn) devices. This enables you to attach meaningful information to the authentication of a FIDO device.
To provide a custom challenge for FIDO authentication, you must:
- Add the pi.webAuthn.challenge parameter to the OIDC request with the custom challenge as the value.
- Sign the request object with your OIDC client credentials.
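The following is an added example, not code from the release notes or from Ping Identity, showing how the two release note entries above (test devices via pi.testDevice, and dynamic linking via pi.webAuthn.challenge) fit into a signed OIDC request object, and how the receiving side validates it. It assumes the request object is a JWT signed with HS256 using the client secret; the claim layout, the aud value, and the client ID, secret and redirect URI are constructed sample values and assumptions, not values from the page. Check the PingFederate documentation for the request-object signing requirements that apply to your client. The verifier rejects any alg other than the one expected, so a request object rewritten to alg "none" is refused rather than silently accepted.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

# Constructed sample values; none of these come from the release notes.
CLIENT_ID = "example-rp"
CLIENT_SECRET = "replace-with-your-client-secret"
REDIRECT_URI = "https://rp.example.test/callback"
ISSUER_AUDIENCE = "https://pingfederate.example.test"  # assumed aud value


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_request_object(client_id, client_secret, redirect_uri, *,
                         test_device=False, webauthn_challenge=None,
                         state=None, nonce=None):
    """Return a compact JWS (HS256) carrying the OIDC authorization parameters.

    pi.testDevice=allow enables test-device pairing (the OTP comes back in the
    OTP_REQUIRED response); pi.webAuthn.challenge binds a caller-chosen
    challenge to the FIDO authentication (dynamic linking).
    """
    claims = {
        "iss": client_id,
        "aud": ISSUER_AUDIENCE,
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if test_device:
        claims["pi.testDevice"] = "allow"
    if webauthn_challenge is not None:
        if not webauthn_challenge:
            raise ValueError("custom challenge must not be empty")
        claims["pi.webAuthn.challenge"] = webauthn_challenge
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, claims)
    )
    mac = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def verify_request_object(token, client_secret):
    """Check the HS256 signature and return the claims; raise ValueError on any mismatch."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS") from None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Never let the token choose its own algorithm (e.g. "none").
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(),
                        f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(claims_b64))


def authorization_url(base_url, client_id, request_object):
    """Authorization request that passes the signed object in the request parameter."""
    query = {"client_id": client_id, "response_type": "code",
             "scope": "openid", "request": request_object}
    return f"{base_url}?{urlencode(query)}"


if __name__ == "__main__":
    token = build_request_object(CLIENT_ID, CLIENT_SECRET, REDIRECT_URI,
                                 test_device=True, webauthn_challenge="txn-1234:EUR-500")
    print(authorization_url("https://pingfederate.example.test/as/authorization.oauth2",
                            CLIENT_ID, token))
    print(verify_request_object(token, CLIENT_SECRET))
```

Only include pi.testDevice in clients used for testing; in production clients the parameter has no place, because a test device hands the OTP to the caller instead of to the user's device.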
Rename device during pairing
Improved P14C-52773
Added the ability to give a device a unique nickname during device pairing:
- Use the PingOne administrative console to configure this setting in the PingOne MFA policy.
- After you configure the ability to rename devices, users will be presented with a new screen before authentication ends. The user can either enter a nickname and click Done to complete the process, or click Skip if they do not want to give the device a nickname.
- If you are using the authentication API, a new state (UPDATE_NICKNAME) and two new actions (updateDeviceNickname and skipUpdateDeviceNickname) are available. Learn more in Models, objects, and error codes.
View remaining OTP attempts in HTML templates and authentication API responses
Improved P14C-57444
Added the ability to view the number of one-time passcode (OTP) attempts remaining after entering an invalid OTP.
- In authentication API responses, the attemptsRemaining field displays this information.
- In HTML templates that require an OTP, the following error message appears:
  This passcode is invalid or has expired. You have <number_of_attempts> attempts remaining.
Bypass MFA for device management operations
Improved P14C-60088
Added the ability to bypass MFA when performing device management operations. Be cautious when using this attribute if you have only one adapter in the authentication policy: in that case it bypasses MFA in the authentication flow entirely, which can lead to a security breach.
Additionally, the Bypass MFA For Device Pairing Attribute field is now the Bypass MFA For Device Management Attribute field.
Learn more in the PingOne MFA IdP Adapter settings reference.
Overwrite only specific authentication methods
Improved P14C-62072
Added the ability to overwrite only the devices that share a device type with a newly provided device if the adapter identifies new values for SMS, voice or email devices via Update Authentication Methods.
Additionally, the Overwrite Authentication Methods checkbox is now the Overwrite Authentication Methods Configurations list.
There are three Overwrite Authentication Methods Configurations settings:
- None (default)
- All (SMS, Voice, and Email)
- Specific Methods
Learn more in the PingOne MFA IdP Adapter settings reference.
Fixed default method persistence
Fixed P14C-55013
Fixed an issue that caused Overwrite Authentication Methods (now Overwrite Authentication Methods Configurations) to change the default device designation. This was applicable when a new device of the same type as the default device was provided, and the default device was overwritten.
Fixed empty device nickname issue
Fixed P14C-58407
Fixed an issue that caused devices to save with an empty nickname instead of reverting to the default device name. This was applicable in configurations where Allow Users to Manage Authentication Methods was selected, if a user clicked Edit Name but cleared the field.
Fixed an issue with FIDO usernameless authentication flow ignoring the PingOne authentication policy
Fixed P14C-60584
Fixed an issue that caused the adapter to always use the default multi-factor authentication (MFA) policy in FIDO usernameless authentication flow instead of the PingOne MFA policy configured in the PingOne Authentication Policy field.
Fixed device registration limit issue with MFA bypass in the authentication API
Fixed P14C-61122
Fixed an issue that caused users who had already exceeded the device registration limit to proceed several steps into the device registration flow before the flow failed, instead of presenting the MAXIMUM_ALLOWED_METHODS_LIMIT error message at the beginning of the flow. This issue was relevant to configurations that had the Bypass MFA for Device Pairing Attribute checkbox (now Bypass MFA For Device Management Attribute) selected.
PingOne MFA Integration Kit 2.3.1 (March 21, 2024)
PingOne MFA Integration Kit 2.3 (January 2, 2024)
Control default to first behavior at policy level instead of environment level
Info
In version 2.2.1 and earlier of the PingOne MFA Integration Kit, the first device in the list was set as the default device. In 2.3 and later, default device behavior depends on what Method Selection in the PingOne MFA policy is set to.
To replicate default to first behavior in 2.3 and later, set Method Selection to User Selected Default.
Language customization for notifications
Improved
- To customize the language for notifications, you no longer have to provide pi.template as a JSON object to change the locale when defining the contract for the adapter. You can just specify the locale using pi.template.locale. See Transaction approval setup.
- If you have not specified a locale with pi.template or pi.template.locale, notifications will use the default browser’s language. This requires that the relevant language be enabled in both PingOne and PingFederate.
Use of dynamic variables in pairing flows
Improved STAGING-19855
Previously, the values provided in the pi.template object for notification customization were used only in authentication flows. Now, customization (including dynamic variables) is also applied to pairing flows, one-time device flows, and change device flows.
User-provided nicknames for devices
New
When authenticating, users who are authorized to manage their devices can now edit the nicknames used for their various authentication devices. This capability is also supported in the PingFederate authentication API (the action is called updateDeviceNickname).
Use of custom proxies in MFA adapter
Fixed STAGING-18848
Previously, if you defined a custom proxy for an adapter, the host specified with Custom proxy host was not used for OAuth tokens (the token endpoint). These requests used the system default proxy instead, causing the request to fail. This issue has been fixed.
Event tracking IDs in PingOne Audit log
Improved STAGING-19417
In the PingOne Audit log, events triggered by the MFA adapter now include IDs that can be used to locate events in the PingFederate log. The trackingid field from PingFederate is represented in the PingOne Audit log as sessionId. If you are using version 11.3 or higher of PingFederate, then the transactionid field from PingFederate is also included in the PingOne Audit entry, appearing there as transactionId.
Limiting email and SMS pairing info to directory values
New STAGING-19722
By default, when pairing an email or SMS device, users can enter the email address or phone number. However, the adapter configuration now includes an option called Allow only predefined values for phone or email devices. This option allows you to limit the values to the email addresses and phone numbers stored for the user. If you enable this option, the relevant email address or phone number is already filled in when the user tries to add a device, and the user cannot modify the address/phone number.
PingOne MFA Integration Kit 2.2.1 (September 2023)
Specify a PingOne registration policy
New P14C-51600
Added the ability to specify a PingOne MFA policy to use for device pairing. For more information, see the PingOne Registration Policy field.
Make sure to use a registration policy that is compatible with your authentication policy or policies.
Previously, the adapter would always use the default MFA policy for PingOne pair device API calls. Because there wasn’t a configuration option for the MFA policy used in pair device API calls, you couldn’t pair the type of device that you specified in your PingOne Authentication Policy if it wasn’t also included in the default MFA policy. The ability to configure a registration policy fixes this issue.
Configure usernameless authentication flow using a FIDO2 device
New P14C-53908
Added support for FIDO2 to the FIDO usernameless authentication flow.
Fixed security vulnerability
Security P14C-53455
Fixed a security vulnerability that allowed for the creation of new devices.
PingOne MFA Integration Kit 2.2 (July 2023)
Use passkeys for second-factor authentication
New
Added the ability to use passkeys as a second-factor authentication method.
Remove authentication methods
Improved
Added support for removing authentication methods. If the Allow Users To Manage Additional Authentication Methods check box is selected, users can now remove authentication methods when they sign on.
PingOne MFA Integration Kit 2.1 (May 2023)
PingID SDK adapter migration
New
Added support for the PingID SDK adapter migration scenario. Supported flows:
- Device authorization
- Authentication
- Registration
- CIBA authentication
Parameter attributes
New
Added support for the following dynamic parameter attributes:
- pingIdSdkAdapterContext
- pingIdSdkSkipSuccessScreens
- pingIdSdkSkipErrorScreens
- pingIdSdkSkipTimeoutScreens
PingOne MFA Integration Kit 2.0 (November 2022)
PingOne MFA Integration Kit 1.8 (June 2022)
Use authentication codes in authentication API flows
New
Added support for authentication API flows that use authentication codes. For information about flows, see Authentication API Support.
Log browser and device information
New
Added support for audit logging of browser and selected device information.
PingOne MFA Integration Kit 1.7 (April 2022)
Force users to select a device during sign on
New
Added support for enforcing device selection during authentication. See the Enforce Device Selection setting in PingOne MFA IdP Adapter settings reference.
Previous releases
The following is the change history for the PingOne MFA Integration Kit.
PingOne MFA Integration Kit 1.6 — January 2022
- Added support for passwordless login using FIDO browser management.
- Added the ability to display additional platform information when a user pairs a new biometric device.
- Added the ability to provision users and add authentication methods separately.
- Fixed an issue that caused an error for users on iOS or Safari when attempting to authenticate or pair using FIDO.
- Fixed an MFA vulnerability. See security bulletin SECADV029.
PingOne MFA Integration Kit 1.5.2 — November 2021
- Fixed an issue that prevented pairing security keys and biometrics when the authentication API or JavaScript Widget was hosted on an external domain.
PingOne MFA Integration Kit 1.5.1 — September 2021
- Fixed an issue that caused an error when the PingOne MFA IdP Adapter was used with other adapters in a password reset flow.
- Fixed an issue that could cause an error when pairing devices for users identified with a PingOne user ID.
PingOne MFA Integration Kit 1.5 — August 2021
- Added support for the PingOne device integrity check. For details, see Authentication method management.
  If you’re upgrading from PingOne MFA Integration Kit 1.4.1 or earlier and want to use the device integrity check feature, update the API Request Timeout in your adapter configuration. To provide time for the device integrity check, the default has been increased from 5000ms to 12000ms.
- Improved the user experience for adding additional authentication methods.
PingOne MFA Integration Kit 1.4.1 — June 2021
- Fixed an issue that prevented the device pairing flow from working when the Mobile App option was disabled in the PingOne policy.
PingOne MFA Integration Kit 1.4 — June 2021
- Added the ability to authenticate using voice.
- Added the ability to override the notification template variant that PingOne shows for transaction approval flows.
- Added the ability for a single CIBA authenticator instance to work with multiple PingOne applications. The authenticator now checks for an application identifier in the CIBA request.
- Improved the adapter’s Authentication method management features:
  - Added the ability for users to manually add a wide variety of authentication methods. Enable this feature with the Allow Users to Add Additional Authentication Methods setting.
  - Added the ability to prompt users to set up MFA if they have no existing authentication methods. You can also allow users to skip the MFA setup. Enable this feature with the Prompt Users to Set Up MFA and Allow Users to Skip MFA Setup settings.
  - Added the ability for users to select a default authentication method. When a default is selected, the adapter skips the selection screen.
- Deprecated the Application Client Secret field for PingFederate 10.2 and later.
PingOne MFA Integration Kit 1.3.2 — June 2021
- Fixed an issue that, after upgrading the adapter, caused an error when using the administrative API to bulk import an earlier version of the adapter.
PingOne MFA Integration Kit 1.3.1 — April 2021
- Fixed an issue that caused an error when no port was specified in the PingFederate base URL.
PingOne MFA Integration Kit 1.3 — March 2021
- Added the ability to authenticate using timed one-time passcodes (TOTP) with mobile devices.
- Added the ability to authenticate using FIDO2-bound biometrics and U2F security keys.
- Added support for single logout from PingOne MFA when the user signs off in PingFederate.
- Added support for the new account lockout error in PingOne MFA when a user fails multiple consecutive MFA attempts.
- Added support for pre-populating adapter settings based on the selected PingOne environment. Available in PingFederate 10.2 or later.
- Improved support for device nicknames, making them available for all authentication methods, on all templates, and in the JavaScript Widget for the PingFederate Authentication API.
- Fixed an issue that caused an error when a user initiated mobile push for account recovery.
- Fixed an issue that caused an error when setting the API Request Timeout value too low.
- Fixed an issue that caused the API to return validation errors when upgrading the adapter.
PingOne MFA Integration Kit 1.2 — February 2021
- Added the Provision Users and Authentication Methods setting, and related fields, to allow the adapter to provision new users to PingOne MFA and automatically add valid authentication methods for the user.
- Added the Update Authentication Methods setting to allow the adapter to register new SMS and Email authentication methods in PingOne MFA.
PingOne MFA Integration Kit 1.1 — December 2020
- Added support for the platform connection to PingOne introduced in PingFederate 10.2.
- Added support for the PingOne MFA transaction approval flow.
- Added support for the PingOne MFA mobile device authorization flow.
- Added the ability to authenticate using third-party TOTP authenticators, such as Google Authenticator.
- Added support for client-initiated back-channel authentication (CIBA). For information about CIBA, see Improving the Customer Experience with CIBA on the Ping Identity blog.
- Added support for the JavaScript Widget for the PingFederate Authentication API.
- Added error handling for the following scenarios:
  - The device ID is invalid
  - The OTP format is invalid
  - MFA is disabled for the user
  - The user is not found
  - The user has no devices paired and automatic pairing is not enabled
  - The user has no devices paired, automatic pairing is enabled, but the user is signing on via the web
- Added an error page that supports customizable messages using a language pack file.
- Improved API endpoint selection by replacing the PingOne API fields with a region list.
- Fixed an issue that caused the Authenticating page to refresh periodically when the adapter polled PingOne for updates.
- Fixed an issue that prevented users from changing their selected MFA device when the PingOne authentication policy used the Being a member of any of these populations or User Attributes requirements.
PingOne MFA Integration Kit 1.0 — September 2020
- Initial release.
- Added the ability to authenticate using SMS, email, and push.
- Added the ability to automatically pair SMS and email authentication methods.
- Added the ability to control which message pages (templates) are shown to the user.
- Added the ability to control how the adapter handles sign-on attempts when errors occur.
- Added the ability to override the PingOne policy received in the requested authentication context.
- Added the ability to test the connection to PingOne MFA.
- Added support for the PingFederate authentication API.
- Added settings for API connection and request timeouts.
- Added settings to override the PingFederate system-default proxy settings.