For a condensed list of all enhancements for this and previous releases, see the “Complete Change List by Released Version” section, which also contains references to additional documentation.

PingFederate now provides an optional configuration to evaluate attributes and other run-time variables for authorization purposes. This feature provides a way to extend access policy by conditionally allowing or disallowing the issuance of relevant security tokens for example, SAML assertion, STS tokens, OAuth access tokens, and session cookies. The Issuance Criteria configuration is available for all PingFederate flows, including:

• Browser SSO
• OAuth
• STS
• Attribute Query

PingFederate now provides full interoperability with Microsoft Office 365, including Exchange, Lync, SharePoint, and other Microsoft products.

PingFederate includes REST-based Web services for programmatic management of OAuth clients. The REST API is offered as an alternative to the OAuth client management functionality in the administrative console. The OAuth Client Management API allows you to create, retrieve, update, and delete OAuth clients. In addition, the OAuth Client Management in the administrative console has been enhanced to accommodate a large number of clients with search and pagination functionality.

The PingFederate OAuth Authorization Server has been enhanced with the following features:

• Compliance with OAuth 2.0 final specifications
• Optional expiration of OAuth persistent grants
• Multiple redirect URIs per client
• Optional restricted scope subsets per client
• Configurable consent page omission per client
• OAuth transaction events logged to audit log
• Mutual TLS authentication for OAuth clients

PingFederate now provides centralized Active Directory (AD) Domain and Kerberos Realm configuration for verifying authenticated users via adapters or token processors, including:

• PingFederate Integrated Windows Authentication (IWA) Integration Kit 3.0
• PingFederate Kerberos Token Translator 2.0

PingFederate now provides the capability to translate WS-Trust security tokens directly from a configured Token Processor to a Token Generator without requiring the issuance of SAML tokens in a connection. Incoming security token attributes from the token processor are mapped directly to attributes in the issued security token from the appropriate token generator.

Splunk is widely-used enterprise software that allows for monitoring, reporting, and analyzing consolidated log files. Splunk captures and indexes real-time data into a single searchable repository from which reports, graphs, and other data-visualizations can be generated.

PingFederate now provides the Splunk App for PingFederate—a custom Splunk application developed by Ping Identity to process audit log files generated by a PingFederate deployment. The Splunk App for PingFederate provides rich system monitoring and reporting, including the following views:

• Current transaction and system reports
• Service reports such as a daily usage report and IdP and SP provider reports per connection
• Trend reports such as weekly and monthly usage reports and trend analysis

• Upgraded the Jetty Web container for PingFederate and removed the underlying JBoss infrastructure

  NOTE If you are upgrading PingFederate and rely on underlying JBoss components that have not been documented or supported by Ping Identity (such as the JBoss JMX Console), please note that the components may no longer be available.

• Added the ability to input multi-line OGNL expressions in the OGNL text field
• Enhanced PingFederate logging to include OAuth and STS transaction events in the security audit log
• Optimized PingFederate administrative console performance for deployments with numerous connections and adapter instances
• Improved LDAP connection pooling options for LDAP data stores
• Enhanced the PingFederate SDK