PingOne

Release Notes

New features and improvements in PingOne MFA Integration Kit.

PingOne MFA Integration Kit 2.6 (January 2025)

Enforce Device Selection will be deprecated in the next release

Info P14C-66231

The Enforce Device Selection field will be deprecated in the next release of the PingOne MFA Integration Kit because it duplicates the behavior of the Method Selection field in the PingOne MFA policy.

Enforce Device Selection is still usable in version 2.6, but make sure to set the Method Selection configuration in the MFA policy to Always Display Devices. Otherwise, the user might, for example, receive multiple OTPs.

Before upgrading to the next version, check your MFA policy to make sure that Method Selection is configured to reflect the desired behavior.

Insert an authentication policy into the CIBA flow

New P14C-67740

To insert an authentication policy into the CIBA flow based on runtime parameters, pass the extended contract parameter pingone-mfa-acr into an empty PingOne authentication policy that’s used in the CIBA authentication policy.

A non-empty PingOne authentication policy always takes precedence over pingone-mfa-acr, so make sure that the PingOne authentication policy is empty.

Improved 429 error handling

Improved P14C-64515

Added clearer error messaging for rate-limiting 429 errors.

Include number of maximum allowed devices in API response

Improved P14C-64509

All API responses that include the devices field now include a new field, maxAllowedDevices, which indicates the maximum number of devices that can be paired for a user.

Added support for the prompt parameter for OIDC flows

Improved P14C-64927

Updated the adapter to pass the prompt parameter to PingOne.

As a prerequisite, you must make sure that PingFederate is tracking the prompt parameter in the authentication policy. You can find information about how to track the prompt parameter in Adding PingOne MFA to your authentication policy.

Improved error messaging for flow time-outs

Improved P14C-58274

Replaced the generic error message for flow time-outs. The new message makes it clearer that a flow time-out caused the error, not an invalid OTP.

Improved locked device experience

Improved P14C-55624

If the default device becomes locked, you can now return to the Device Selection page and select a different device to use for authentication.

Enhanced MFA policy field configuration

Improved P14C-66230

The MFA policy for registration field in the adapter configuration is now a list instead of a textbox. This expedites selecting the desired policy and prevents typos from invalidating the configuration.

Added extra validation when pairing a user’s first device

Security P14C-59819

Added validation to the device pairing flow when pairing a user’s first device to confirm that no other devices were added during the session.

Updated a method to double-check if the pairing process was initiated

Security P14C-63038

Updated a method to double-check if the pairing process was initiated to address potential security concerns.

Restricted cookie paths

Security P14C-53794

Added tighter restrictions on cookie paths to address potential security concerns.

Updated third-party libraries

Security P14C-61311, P14C-66921, and P14C-62241

Updated third-party libraries and removed an unused package to address potential security concerns.

Fixed an issue with configuring incorrect proxy settings

Fixed P14C-57761

Fixed an issue that caused the PingOne MFA IdP Adapter to get stuck if you saved the adapter configuration with incorrect proxy settings, such as the wrong host or IP address.

Fixed an issue with page presentation when bypassmfa is set to false

Fixed P14C-65478

Fixed an issue that caused the Device Pairing and OTP Required pages to present an error message after clicking Cancel, if bypassmfa was set to false. Now:

  • If you click Cancel on the Device Pairing page, the adapter presents the Device Selection page.

  • If you click Cancel on the OTP Required page, the adapter presents the Device Pairing page.

Fixed error messaging for expired OTPs

Fixed P14C-66403

Fixed an issue that caused expired OTP error responses to display an irrelevant error message.

Fixed error messaging for exceeding the one-time device user quota

Fixed P14C-66494

Fixed an issue that caused two different error messages to display after reaching the daily user quota for authentication attempts. The quota is set in the PingOne notification policy.

Fixed exception after reaching the notification limit for multiple device types

Fixed P14C-66815

Fixed an issue that caused an exception when authenticating after reaching the SSO notification limit for multiple device types. Also fixed error messaging differences between the device types.

PingOne MFA Integration Kit 2.5 (September 2024)

Added support for the PingOne FIDO Device Aggregation feature

New P14C-57629

Added support for the PingOne FIDO Device Aggregation feature. FIDO Device Aggregation is part of the FIDO policy in PingOne. When this feature is enabled and a user has multiple FIDO2 devices, the user will see only one passkey device on the device selection screen. This device is an aggregation of all the user’s FIDO2 devices. During authentication, the authenticator suggests the best-suited FIDO device to the user.

View PingOne mobile application name in authentication API response

New P14C-61861

You can now view the PingOne mobile application name in the PingFederate authentication API response.

View an OTP’s lifetime in the authentication API

New P14C-62073

The PingFederate authentication API response now includes a new field (called otpLifetime) for the OTP_REQUIRED status. The otpLifetime field shows how long the OTP will remain valid.

Include more information in the PingOne logs for adapter authentication attempts

Improved P14C-44523

The PingOne MFA IdP adapter now forwards application and device information for authentication attempts made through the adapter to PingOne. To view this information in the PingOne admin console:

  1. Go to Directory → Users and click a user.

  2. Click the Services tab, select Authentication, and go to the Sessions section.

Use dynamic linking to give a unique identifier to a FIDO device pairing attempt

Improved P14C-62023

Added the ability to give a unique identifier to a FIDO device pairing attempt. Learn more on dynamic linking in the “Use dynamic linking to give a unique identifier to a FIDO device authentication attempt” release note entry in PingOne MFA Integration Kit 2.4 (August 2024).

Upgraded TLS support

Security P14C-57813

The PingOne MFA IdP adapter now supports only TLS 1.2 and later.

Fixed double AUTHENTICATION_REQUIRED response

Fixed P14C-51451

Fixed an issue that caused the AUTHENTICATION_REQUIRED response to be returned twice for some specific scenarios in the PingFederate authentication API.

Fixed an authentication API response for selectDevice when OTP limit is reached

Fixed P14C-56520

Fixed an issue that caused the authentication API to provide an incorrect error response when a user switched from a mobile device to an OTP-based device and reached the OTP limit (as defined in notification policies in the PingOne admin console). OTP-based devices include:

  • SMS

  • Voice

  • Email

  • WhatsApp

Fixed an issue with locked OTP-based devices in HTML templates

Fixed P14C-59939

Fixed an issue that caused the HTML template to allow users to keep entering OTPs (which wouldn’t actually be submitted) after they became locked out from a device. Now, when a user is locked out, the adapter displays a new screen that informs the user that the device is locked and presents a Change Device button.

Fixed issues on the device selection screen

Fixed P14C-64209

Fixed an issue that caused the device selection screen to unmask the device’s information improperly when the user was returning to the device selection screen from the Add method screen and the bypassmfa configuration was set to true.

PingOne MFA Integration Kit 2.4.1 (August 2024)

Fixed pairing of test devices in PingFederate clustered mode

Fixed STAGING-23420

Fixed an issue that prevented test devices from being paired in PingFederate clustered mode.

Fixed MFA requirement when the MFA policy doesn’t permit the existing device

Fixed P14C-64779

Fixed an issue that caused the adapter to require the user to complete MFA to add an MFA device when the user’s existing MFA device was not allowed in the MFA policy.

PingOne MFA Integration Kit 2.4 (August 2024)

Use basic velocity template variables in the PingOne MFA templates

New P14C-57293

Made basic variables that are available in most PingFederate HTML templates available in the PingOne MFA templates.

Pair and authenticate a test device

New P14C-58742

Added the ability to pair a test device when adding a multi-factor authentication method and to authenticate with it. A test device causes the OTP to be returned directly in the OTP_REQUIRED response.

Test devices are supported only when initiating an OpenID Connect (OIDC) flow in the authentication API.

To pair and authenticate with a test device, you must:

  1. Add the pi.testDevice parameter to the OIDC request with a value of allow.

  2. Sign the request object with your OIDC client credentials.

  3. When submitting the device target in the authentication API request, add the testMode field to the request with a value of true.

    This applies to the following action models: submitEmailTarget, submitSmsTarget, or submitVoiceTarget. Learn more in Models, objects, and error codes.

Use dynamic linking to give a unique identifier to a FIDO authentication attempt

New P14C-58753

Added the ability to use a custom challenge when authenticating with FIDO (webAuthn) devices. This enables you to attach meaningful information to the authentication of a FIDO device.

To provide a custom challenge for FIDO authentication, you must:

  1. Add the pi.webAuthn.challenge parameter to the OIDC request with the custom challenge as the value.

  2. Sign the request object with your OIDC client credentials.
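The two procedures above (pairing a test device with pi.testDevice, and supplying a custom FIDO challenge with pi.webAuthn.challenge) both come down to placing an extra parameter in a signed OIDC request object. The following is an added example, not code from Ping Identity or the integration kit: it builds such a request object as an HS256 JWT signed with the client secret, verifies it, and adds testMode to an authentication API action body. The signing algorithm, the placement of the pi.* parameters as top-level JWT claims, the email field name in the action body, and every URL, client ID and secret below are assumptions or constructed placeholders; only /as/authorization.oauth2 is PingFederate's default authorization endpoint path.

```python
"""Build and verify a signed OIDC request object carrying the PingOne MFA
extension parameters pi.testDevice and pi.webAuthn.challenge.

Added example, not Ping Identity code. Assumption: the request object is a
JWT signed with the client secret (HS256) and the pi.* parameters are
top-level claims of that JWT.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed placeholders, not real values.
PF_ISSUER = "https://pingfederate.example.com"
CLIENT_ID = "example-client"
CLIENT_SECRET = "example-client-secret-change-me"
REDIRECT_URI = "https://app.example.com/callback"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: str) -> str:
    """Serialize the claims as a compact JWS signed with HS256 (assumed algorithm)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_request_object(token: str, secret: str) -> dict:
    """Check the signature in constant time, pin the algorithm, return the claims."""
    head, body, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return json.loads(_b64url_decode(body))


def build_request_claims(test_device: bool = False,
                         webauthn_challenge: Optional[str] = None,
                         state: Optional[str] = None) -> dict:
    """Standard authorization-request claims plus the optional pi.* parameters."""
    now = int(time.time())
    claims = {
        "iss": CLIENT_ID,
        "aud": PF_ISSUER,
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state or secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
        "iat": now,
        "exp": now + 300,  # short lifetime limits replay of the signed object
    }
    if test_device:
        claims["pi.testDevice"] = "allow"  # test device pairing (P14C-58742)
    if webauthn_challenge is not None:
        claims["pi.webAuthn.challenge"] = webauthn_challenge  # dynamic linking (P14C-58753)
    return claims


def authorization_url(request_jwt: str) -> str:
    """Pass the signed object in the standard 'request' parameter."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "scope": "openid", "request": request_jwt}
    return f"{PF_ISSUER}/as/authorization.oauth2?{urlencode(params)}"


def with_test_mode(action_body: dict) -> dict:
    """Return a submitEmailTarget/submitSmsTarget/submitVoiceTarget body with testMode set."""
    return {**action_body, "testMode": True}


if __name__ == "__main__":
    jwt = sign_request_object(build_request_claims(True, "txn-1234"), CLIENT_SECRET)
    print(authorization_url(jwt))
    print(json.dumps(with_test_mode({"email": "user@example.com"})))  # email key is an assumption
```

The verifier pins the algorithm and compares the MAC in constant time; the five-minute exp keeps a captured request object from being useful for long, which matters because pi.testDevice=allow causes the OTP to be returned in the response rather than delivered to the device.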

Rename device during pairing

Improved P14C-52773

Added the ability to give a device a unique nickname during device pairing:

  • Use the PingOne administrative console to configure this setting in the PingOne MFA policy.

  • After you configure the ability to rename devices, users will be presented with a new screen before authentication ends. The user can either enter a nickname and click Done to complete the process, or click Skip if they do not want to give the device a nickname.

  • If you are using the authentication API, a new state (UPDATE_NICKNAME) and two new actions (updateDeviceNickname and skipUpdateDeviceNickname) are available. Learn more in Models, objects, and error codes.

View remaining OTP attempts in HTML templates and authentication API responses

Improved P14C-57444

Added the ability to view the number of one-time passcode (OTP) attempts remaining after entering an invalid OTP.

  • In authentication API responses, the attemptsRemaining field displays this information.

  • In HTML templates that require an OTP, the following error message appears:

This passcode is invalid or has expired. You have <number_of_attempts> attempts remaining.

Bypass MFA for device management operations

Improved P14C-60088

Added the ability to bypass MFA when performing device management operations. Be cautious when using this attribute if you have only one adapter in the authentication policy. In that case it bypasses MFA in the authentication flow entirely, which can lead to a security breach.

Additionally, the Bypass MFA For Device Pairing Attribute field is now the Bypass MFA For Device Management Attribute field.

Overwrite only specific authentication methods

Improved P14C-62072

Added the ability to overwrite only the devices that share a device type with a newly provided device when the adapter identifies new values for SMS, voice, or email devices via Update Authentication Methods.

Additionally, the Overwrite Authentication Methods checkbox is now the Overwrite Authentication Methods Configurations list.

There are three Overwrite Authentication Methods Configurations settings:

  • None (default)

  • All (SMS, Voice, and Email)

  • Specific Methods

Fixed default method persistence

Fixed P14C-55013

Fixed an issue that caused Overwrite Authentication Methods (now Overwrite Authentication Methods Configurations) to change the default device designation. This was applicable when a new device of the same type as the default device was provided, and the default device was overwritten.

Fixed empty device nickname issue

Fixed P14C-58407

Fixed an issue that caused devices to save with an empty nickname instead of reverting to the default device name. This was applicable in configurations where Allow Users to Manage Authentication Methods was selected, if a user clicked Edit Name but cleared the field.

Fixed an issue with FIDO usernameless authentication flow ignoring the PingOne authentication policy

Fixed P14C-60584

Fixed an issue that caused the adapter to always use the default multi-factor authentication (MFA) policy in FIDO usernameless authentication flow instead of the PingOne MFA policy configured in the PingOne Authentication Policy field.

Fixed device registration limit issue with MFA bypass in the authentication API

Fixed P14C-61122

Fixed an issue that caused users who had already exceeded the device registration limit to proceed several steps into the device registration flow before the flow failed, instead of presenting the MAXIMUM_ALLOWED_METHODS_LIMIT error message at the beginning of the flow. This issue was relevant to configurations that had the Bypass MFA for Device Pairing Attribute checkbox (now Bypass MFA For Device Management Attribute) selected.

PingOne MFA Integration Kit 2.3.1 (March 21, 2024)

Security issue - skipMFA action

Security

A security vulnerability related to the skipMFA action has been fixed in this version.

Exception reported on CIBA transaction

Fixed STAGING-20713

When using PingFederate 11.3.1, there were cases where a push notification triggered by the CIBA authenticator was not received. This issue has been fixed.

PingOne MFA Integration Kit 2.3 (January 2, 2024)

Control default-to-first behavior at policy level instead of environment level

Info

In version 2.2.1 and earlier of the PingOne MFA Integration Kit, the first device in the list was set as the default device. In 2.3 and later, default device behavior depends on the Method Selection setting in the PingOne MFA policy.

To replicate default-to-first behavior in 2.3 and later, set Method Selection to User Selected Default.

Language customization for notifications

Improved

  • To customize the language for notifications, you no longer have to provide pi.template as a JSON object to change the locale when defining the contract for the adapter. You can just specify the locale using pi.template.locale. See Transaction approval setup.

  • If you have not specified a locale with pi.template or pi.template.locale, notifications use the browser’s default language. This requires that the relevant language be enabled in both PingOne and PingFederate.

Use of dynamic variables in pairing flows

Improved STAGING-19855

Previously, the values provided in the pi.template object for notification customization were used only in authentication flows. Now, customization (including dynamic variables) is applied also to pairing flows, one-time device flows, and change device flows.

User-provided nicknames for devices

New

When authenticating, users who are authorized to manage their devices can now edit the nicknames used for their various authentication devices. This capability is also supported in the PingFederate authentication API (action is called updateDeviceNickname).

Use of custom proxies in MFA adapter

Fixed STAGING-18848

Previously, if you defined a custom proxy for an adapter, the host specified with Custom proxy host was not used for OAuth tokens (the token endpoint). These requests used the system default proxy instead, causing the request to fail. This issue has been fixed.

Event tracking IDs in PingOne Audit log

Improved STAGING-19417

In the PingOne Audit log, events triggered by the MFA adapter now include IDs that can be used to locate events in the PingFederate log. The trackingid field from PingFederate is represented in the PingOne Audit log as sessionId. If you are using version 11.3 or higher of PingFederate, then the transactionid field from PingFederate is also included in the PingOne Audit entry, appearing there as transactionId.
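The mapping described above (PingFederate trackingid appears as sessionId in the PingOne Audit log, and on PingFederate 11.3 or later transactionid appears as transactionId) is what lets an incident responder stitch the two logs together. The following is an added example, not Ping Identity code: it parses a handful of constructed PingFederate log lines, indexes them by trackingid, and joins PingOne audit entries to them by sessionId, flagging entries whose transactionId does not match and entries that have no PingFederate counterpart at all. The line layout, the audit field subset and the action names are constructed for illustration; real PingFederate log layouts and PingOne audit schemas differ.

```python
"""Correlate PingFederate log lines with PingOne Audit events via the IDs the
MFA adapter forwards: trackingid -> sessionId, transactionid -> transactionId.

Added example, not Ping Identity code. Log line layout and audit JSON below
are constructed for illustration only.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed PingFederate log lines in a simplified key=value layout.
PF_LOG_LINES = [
    "2025-01-15T10:01:02Z INFO trackingid=tid-aaa transactionid=txn-001 user=alice event=adapter.start",
    "2025-01-15T10:01:05Z INFO trackingid=tid-aaa transactionid=txn-001 user=alice event=adapter.device_selected",
    "2025-01-15T10:02:11Z INFO trackingid=tid-bbb transactionid=txn-002 user=bob event=adapter.start",
    "2025-01-15T10:02:12Z WARN unrelated line without tracking ids",
]

# Constructed PingOne Audit entries (subset of fields; action names are made up).
P1_AUDIT_EVENTS = [
    {"action": "MFA_OTP_CHECK", "result": "SUCCESS", "sessionId": "tid-aaa",
     "transactionId": "txn-001", "recordedAt": "2025-01-15T10:01:09Z"},
    {"action": "MFA_OTP_CHECK", "result": "FAILED", "sessionId": "tid-bbb",
     "recordedAt": "2025-01-15T10:02:20Z"},            # older PF: no transactionId
    {"action": "MFA_OTP_CHECK", "result": "FAILED", "sessionId": "tid-aaa",
     "transactionId": "txn-777", "recordedAt": "2025-01-15T10:03:00Z"},  # ID mismatch
    {"action": "MFA_OTP_CHECK", "result": "FAILED", "sessionId": "tid-zzz",
     "transactionId": "txn-999", "recordedAt": "2025-01-15T10:04:00Z"},  # no PF record
]

PF_RE = re.compile(
    r"trackingid=(?P<tid>\S+)\s+transactionid=(?P<txn>\S+)\s+user=(?P<user>\S+)\s+event=(?P<event>\S+)"
)


def parse_pf_lines(lines: List[str]) -> Dict[str, dict]:
    """Index PingFederate lines by trackingid; lines without the IDs are skipped."""
    index: Dict[str, dict] = {}
    for line in lines:
        m = PF_RE.search(line)
        if not m:
            continue
        entry = index.setdefault(
            m["tid"], {"user": m["user"], "transactionids": set(), "events": []}
        )
        entry["transactionids"].add(m["txn"])
        entry["events"].append(m["event"])
    return index


def correlate(pf_index: Dict[str, dict],
              audit_events: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Join audit events to PingFederate records on sessionId == trackingid.

    Returns (matched, orphans). Each matched record carries transaction_match:
    True/False when the audit entry has a transactionId, None when it does not
    (PingFederate before 11.3 does not forward transactionid).
    """
    matched, orphans = [], []
    for ev in audit_events:
        pf = pf_index.get(ev.get("sessionId"))
        if pf is None:
            orphans.append(ev)  # MFA activity with no PingFederate flow: worth a look
            continue
        txn: Optional[str] = ev.get("transactionId")
        matched.append({
            "sessionId": ev["sessionId"],
            "user": pf["user"],
            "action": ev["action"],
            "result": ev.get("result"),
            "transaction_match": None if txn is None else txn in pf["transactionids"],
        })
    return matched, orphans


if __name__ == "__main__":
    m, o = correlate(parse_pf_lines(PF_LOG_LINES), P1_AUDIT_EVENTS)
    for rec in m:
        print("matched", rec)
    for ev in o:
        print("orphan ", ev["sessionId"], ev["action"], ev["result"])
```

Orphans (audit entries with a sessionId that never appears in the PingFederate log) and records with transaction_match False are the ones to triage first, since they indicate MFA activity the adapter flow in front of it cannot account for.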

Limiting email and SMS pairing info to directory values

New STAGING-19722

By default, when pairing an email or SMS device, users can enter the email address or phone number. However, the adapter configuration now includes an option called Allow only predefined values for phone or email devices. This option allows you to limit the values to the email addresses and phone numbers stored for the user. If you enable this option, the relevant email address or phone number is already filled in when the user tries to add a device, and the user cannot modify the address/phone number.

PingOne MFA Integration Kit 2.2.1 (September 2023)

Specify a PingOne registration policy

New P14C-51600

Added the ability to specify a PingOne MFA policy to use for device pairing. For more information, see the PingOne Registration Policy field.

Make sure to use a registration policy that is compatible with your authentication policy or policies.

Previously, the adapter would always use the default MFA policy for PingOne pair device API calls. Because there wasn’t a configuration option for the MFA policy used in pair device API calls, you couldn’t pair the type of device that you specified in your PingOne Authentication Policy if it wasn’t also included in the default MFA policy. The ability to configure a registration policy fixes this issue.

Configure usernameless authentication flow using a FIDO2 device

New P14C-53908

Added support for FIDO2 to the FIDO usernameless authentication flow.

Fixed security vulnerability

Security P14C-53455

Fixed a security vulnerability that allowed for the creation of new devices.

Fixed persistent Device Selection screen

Fixed P14C-53963

Fixed an issue that caused the pf-authn-js-widget to display the Device Selection screen even when the flow status wasn’t device_selection_required.

Fixed passkey icon in Safari browsers

Fixed P14C-54482

Fixed an issue that prevented the passkey icon from displaying correctly in Safari browsers.

PingOne MFA Integration Kit 2.2 (July 2023)

Use passkeys for second-factor authentication

New

Added the ability to use passkeys as a second-factor authentication method.

Remove authentication methods

Improved

Added support for removing authentication methods. If the Allow Users To Manage Additional Authentication Methods check box is selected, users can now remove authentication methods when they sign on.

Fixed CIBA Authenticator compatibility with PingFederate 11.3

Fixed

Fixed an issue that prevented the PingOne MFA CIBA Authenticator from being compatible with PingFederate 11.3.

PingOne MFA Integration Kit 2.1 (May 2023)

PingID SDK adapter migration

New

Added support for the PingID SDK adapter migration scenario. Supported flows:

  • Device authorization

  • Authentication

  • Registration

  • CIBA authentication

Parameter attributes

New

Added support for the following dynamic parameter attributes:

  • pingIdSdkAdapterContext

  • pingIdSdkSkipSuccessScreens

  • pingIdSdkSkipErrorScreens

  • pingIdSdkSkipTimeoutScreens

FIDO usernameless authentication flow

New

Added the ability for the adapter to dynamically skip FIDO usernameless authentication flow.

PingOne authentication

Improved

Added support for additional methods to dynamically provide the PingOne authentication policy.

PingOne MFA Integration Kit 2.0 (November 2022)

FIDO usernameless authentication flow

New

Added support for FIDO usernameless authentication flow.

JIT device updates

New

Added support for JIT overwrite of PingOne MFA devices.

OTP flow

Fixed

Fixed the error message and response to handle retry failure due to unsuccessful OTP attempts and to display the appropriate cool-down period.

Authentication API

Fixed

Fixed a defect in the authentication API to prevent selection of different devices when the adapter is configured to prevent it.

SSL CRL

Fixed

Fixed a defect with SSL CRL lookup when the adapter instance is configured to use system defaults and the PingFederate server is configured behind a proxy.

PingOne MFA Integration Kit 1.9 (July 2022)

Stateless one-time device flow

New

Added support for the stateless one-time device OTP flow.

PingOne MFA Integration Kit 1.8 (June 2022)

Use authentication codes in authentication API flows

New

Added support for authentication API flows that use authentication codes. For information about flows, see Authentication API Support.

Log browser and device information

New

Added support for audit logging of browser and selected device information.

Passwordless login authentication API flows

Improved

Improved support for passwordless login authentication API flows.

FIDO device pairing flow

Fixed

Fixed an issue with the FIDO device pairing flow.

Failover mode

Fixed

Fixed an issue that caused failover mode to not work.

PingOne MFA Integration Kit 1.7 (April 2022)

Force users to select a device during sign on

New

Added support for enforcing device selection during authentication. See the Enforce Device Selection setting in PingOne MFA IdP Adapter settings reference.

PingOne MFA Integration Kit 1.6.1 (February 2022)

User Not Found Failure Mode

Fixed

Fixed an issue that caused an error when User Not Found Failure Mode was set to Bypass Authentication.

Template flow fails when a user sets a default device

Fixed

Fixed an issue that caused the template flow to fail when a user sets a default device.

Previous releases

The following is the change history for the PingOne MFA Integration Kit.

PingOne MFA Integration Kit 1.6 — January 2022

  • Added support for passwordless login using FIDO browser management.

  • Added the ability to display additional platform information when a user pairs a new biometric device.

  • Added the ability to provision users and add authentication methods separately.

  • Fixed an issue that caused an error for users on iOS or Safari when attempting to authenticate or pair using FIDO.

  • Fixed an MFA vulnerability. See security bulletin SECADV029.

PingOne MFA Integration Kit 1.5.2 — November 2021

  • Fixed an issue that prevented pairing security keys and biometrics when the authentication API or JavaScript Widget was hosted on an external domain.

PingOne MFA Integration Kit 1.5.1 — September 2021

  • Fixed an issue that caused an error when the PingOne MFA IdP Adapter was used with other adapters in a password reset flow.

  • Fixed an issue that could cause an error when pairing devices for users identified with a PingOne user ID.

PingOne MFA Integration Kit 1.5 — August 2021

  • Added support for the PingOne device integrity check. For details, see Authentication method management.

    If you’re upgrading from PingOne MFA Integration Kit 1.4.1 or earlier and want to use the device integrity check feature, update the API Request Timeout in your adapter configuration. To provide time for the device integrity check, the default has been increased from 5000ms to 12000ms.

  • Improved the user experience for adding additional authentication methods.

PingOne MFA Integration Kit 1.4.1 — June 2021

  • Fixed an issue that prevented the device pairing flow from working when the Mobile App option was disabled in the PingOne policy.

PingOne MFA Integration Kit 1.4 — June 2021

  • Added the ability to authenticate using voice.

  • Added the ability to override the notification template variant that PingOne shows for transaction approval flows.

  • Added the ability for a single CIBA authenticator instance to work with multiple PingOne applications. The authenticator now checks for an application identifier in the CIBA request.

  • Improved the adapter’s Authentication method management features:

    • Added the ability for users to manually add a wide variety of authentication methods. Enable this feature with the Allow Users to Add Additional Authentication Methods setting.

    • Added the ability to prompt users to set up MFA if they have no existing authentication methods. You can also allow users to skip the MFA setup. Enable this feature with the Prompt Users to Set Up MFA and Allow Users to Skip MFA Setup settings.

    • Added the ability for users to select a default authentication method. When a default is selected, the adapter skips the selection screen.

  • Deprecated the Application Client Secret field for PingFederate 10.2 and later.

PingOne MFA Integration Kit 1.3.2 — June 2021

  • Fixed an issue that, after upgrading the adapter, caused an error when using the administrative API to bulk import an earlier version of the adapter.

PingOne MFA Integration Kit 1.3.1 — April 2021

  • Fixed an issue that caused an error when no port was specified in the PingFederate base URL.

PingOne MFA Integration Kit 1.3 — March 2021

  • Added the ability to authenticate using timed one-time passcodes (TOTP) with mobile devices.

  • Added the ability to authenticate using FIDO2-bound biometrics and U2F security keys.

  • Added support for single logout from PingOne MFA when the user signs off in PingFederate.

  • Added support for the new account lockout error in PingOne MFA when a user fails multiple consecutive MFA attempts.

  • Added support for pre-populating adapter settings based on the selected PingOne environment. Available in PingFederate 10.2 or later.

  • Improved support for device nicknames, making them available for all authentication methods, on all templates, and in the JavaScript Widget for the PingFederate Authentication API.

  • Fixed an issue that caused an error when a user initiated mobile push for account recovery.

  • Fixed an issue that caused an error when setting the API Request Timeout value too low.

  • Fixed an issue that caused the API to return validation errors when upgrading the adapter.

PingOne MFA Integration Kit 1.2 — February 2021

  • Added the Provision Users and Authentication Methods setting, and related fields, to allow the adapter to provision new users to PingOne MFA and automatically add valid authentication methods for the user.

  • Added the Update Authentication Methods setting to allow the adapter to register new SMS and Email authentication methods in PingOne MFA.

PingOne MFA Integration Kit 1.1 — December 2020

  • Added support for the platform connection to PingOne introduced in PingFederate 10.2.

  • Added support for the PingOne MFA transaction approval flow.

  • Added support for the PingOne MFA mobile device authorization flow.

  • Added the ability to authenticate using third-party TOTP authenticators, such as Google Authenticator.

  • Added support for client-initiated back-channel authentication (CIBA). For information about CIBA, see Improving the Customer Experience with CIBA on the Ping Identity blog.

  • Added support for the JavaScript Widget for the PingFederate Authentication API.

  • Added error handling for the following scenarios:

    • The device ID is invalid

    • The OTP format is invalid

    • MFA is disabled for the user

    • The user is not found

    • The user has no devices paired and automatic pairing is not enabled

    • The user has no devices paired, automatic pairing is enabled, but the user is signing on via the web

  • Added an error page that supports customizable messages using a language pack file.

  • Improved API endpoint selection by replacing the PingOne API fields with a region list.

  • Fixed an issue that caused the Authenticating page to refresh periodically when the adapter polled PingOne for updates.

  • Fixed an issue that prevented users from changing their selected MFA device when the PingOne authentication policy used the Being a member of any of these populations or User Attributes requirements.

PingOne MFA Integration Kit 1.0 — September 2020

  • Initial release.

  • Added the ability to authenticate using SMS, email, and push.

  • Added the ability to automatically pair SMS and email authentication methods.

  • Added the ability to control which message pages (templates) are shown to the user.

  • Added the ability to control how the adapter handles sign-on attempts when errors occur.

  • Added the ability to override the PingOne policy received in the requested authentication context.

  • Added the ability to test the connection to PingOne MFA.

  • Added support for the PingFederate authentication API.

  • Added settings for API connection and request timeouts.

  • Added settings to override the PingFederate system-default proxy settings.