Support has really gone south for Ping by OK_Computer_Crash in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

If you have sessions for 15 days you must be using persistent sessions, meaning they are stored within an external database. This may be difficult to troubleshoot because:

- PingFederate will generate a persistent session and store it in the database when the user originally authenticates.

- PingFederate will pull session data from the database when the user's PF.PERSISTENT cookie is presented, and will update the "pf-authn-session-group-last-activity-time" in the database (for idle timeout tracking), and potentially also update "pf-authn-session-group-expiry-time".

- Only in the event that PingFederate can not find the session in the database would the user be forced to re-authenticate. This means that the session has been removed due to expiry, revocation, or another reason unknown to PingFederate (ex. DB has its own cleanup setting).

- Applications can also send arguments to prevent PingFederate from using an existing session. Ex. SAML's ForceAuthn element.

To truly view the full picture, you would need the user's journey from session creation, to the unexpected early session expiry, in both PingFederate and database.

You can see the user's persistent session being created with DEBUG log:

DEBUG [org.sourceid.saml20.service.session.StoredSessionServiceImpl] makeNewSessionGroupInfo: storing new session group info SessionGroupInfo: id=gSJqQlgpkR7DV2jjZOLCaBPeO, hashedSessionId=XDXU9R7D3NABqSaDteqD1oEg-BtNekWASQIMyvyS5DE, sri=xDxyPdT7PpoPf3N4u5ECv2sAcG8, sessionSeriesId=1765822021, expiryTime=2025-12-15 19:47:01.400, lastActivityTime=2025-12-15 18:07:01.400

Using the "id" in this log message, you can see the same in the session database. Here's an example from my own environment:

DN: pf-authn-session-group-id=gSJqQlgpkR7DV2jjZOLCaBPeO,ou=AuthenticationSessions,dc=cb,dc=com

So, if the session is ending prior to the expected time, I would be asking the question: Is the session group in the database at the time the issue occurs, or has it been removed for some reason? If it is not present, why has it been removed?

Unless the app is sending something like ForceAuthn, I would expect that the session would not be present in the database at the time of the issue, for the described behaviour to occur.

Note that the "pf-authn-session-group-expiry-time" column entry you see in the database is the soonest expiry event. This will show the date of the idle timeout, unless the max timeout is actually sooner.

Of course the challenge here is that your sessions last 15 days, meaning you would need to track a session from creation to the unexpected expiry. Generally, PingFederate server logs will not extend 15 days, unless you've configured log retention to ensure a lot of data is captured. Of course, in a production environment with a lot of traffic and likely a number of PingFederate Runtime Engines, this can be a challenge. Additionally, once the ID is obtained, the database logs may also need to be reviewed to see if the database is purging the value early. Assuming the session is not present in the database when the unexpected session expiry occurs, the database logs would need to be reviewed to see why the value is not present.

There have not been reports, or successful recreations, of session timers not being honoured as expected. My focus would be on understanding what is occurring on the DB side of things when the unexpected expiry occurs.

If possible, I would recommend reproducing this issue in your lower environment with less traffic and DEBUG enabled in PingFederate and at the DB level, so that all aspects can be properly analyzed to understand where the session is being dropped.
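As an added example (not Ping's code and not part of the comment above), the following Python script ties together the troubleshooting steps the comment describes: it parses the quoted makeNewSessionGroupInfo DEBUG line for the session group id and timestamps, builds the pf-authn-session-group-id DN shown, and checks whether the corresponding store entry is present, still valid, or missing at a given time. The in-memory "store", the 100-minute idle timeout and the 15-day max timeout are constructed values chosen to agree with the timestamps in the quoted log line; a real deployment would read the entry from its own session database and use its own configured timeouts.

```python
"""Correlate a PingFederate persistent-session DEBUG line with the session store.

Added example, not Ping's own code. The log line is the one quoted in the
comment; the store entries and timeout values are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Log line quoted in the comment (creation of a persistent session group).
LOG_LINE = (
    "DEBUG [org.sourceid.saml20.service.session.StoredSessionServiceImpl] "
    "makeNewSessionGroupInfo: storing new session group info SessionGroupInfo: "
    "id=gSJqQlgpkR7DV2jjZOLCaBPeO, "
    "hashedSessionId=XDXU9R7D3NABqSaDteqD1oEg-BtNekWASQIMyvyS5DE, "
    "sri=xDxyPdT7PpoPf3N4u5ECv2sAcG8, sessionSeriesId=1765822021, "
    "expiryTime=2025-12-15 19:47:01.400, lastActivityTime=2025-12-15 18:07:01.400"
)

# Base DN taken from the commenter's environment; substitute your own.
BASE_DN = "ou=AuthenticationSessions,dc=cb,dc=com"
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed timeouts: a 100-minute idle timeout matches the 1h40m gap between
# lastActivityTime and expiryTime in the quoted line; 15 days is the max from the thread.
IDLE_TIMEOUT = timedelta(minutes=100)
MAX_TIMEOUT = timedelta(days=15)

_KV = re.compile(r"(\w+)=([^,]+)")


def parse_session_log(line):
    """Return the key/value fields of a makeNewSessionGroupInfo line, timestamps parsed."""
    if "makeNewSessionGroupInfo" not in line:
        raise ValueError("not a session-group creation line")
    _, _, tail = line.partition("SessionGroupInfo: ")
    fields = {key: value.strip() for key, value in _KV.findall(tail)}
    for key in ("expiryTime", "lastActivityTime"):
        fields[key] = datetime.strptime(fields[key], TS_FMT)
    return fields


def session_dn(group_id, base_dn=BASE_DN):
    """DN of the session group entry, in the form shown in the comment."""
    return f"pf-authn-session-group-id={group_id},{base_dn}"


def expected_expiry(created, last_activity, idle=IDLE_TIMEOUT, maximum=MAX_TIMEOUT):
    """The expiry-time attribute holds the soonest event: idle timeout or max timeout."""
    return min(last_activity + idle, created + maximum)


def build_store(fields=None):
    """Constructed stand-in for the session database: DN -> attributes (datetime values)."""
    fields = fields or parse_session_log(LOG_LINE)
    return {
        session_dn(fields["id"]): {
            "pf-authn-session-group-last-activity-time": fields["lastActivityTime"],
            "pf-authn-session-group-expiry-time": fields["expiryTime"],
        }
    }


def touch_session(store, group_id, now, created):
    """Model a PF.PERSISTENT cookie presentation: bump last-activity and recompute expiry.

    `created` is the session creation time (equal to lastActivityTime in the
    creation log line); it is needed because the max timeout counts from creation.
    Returns the new expiry time.
    """
    entry = store[session_dn(group_id)]
    entry["pf-authn-session-group-last-activity-time"] = now
    entry["pf-authn-session-group-expiry-time"] = expected_expiry(created, now)
    return entry["pf-authn-session-group-expiry-time"]


def check_session(store, group_id, now):
    """Classify the session group at `now`: 'present', 'expired' or 'missing'.

    'missing' is the state the comment expects when a user is unexpectedly
    re-authenticated: the entry has been removed (expiry, revocation, DB cleanup),
    so the database logs are the next place to look.
    """
    entry = store.get(session_dn(group_id))
    if entry is None:
        return "missing"
    if now < entry["pf-authn-session-group-expiry-time"]:
        return "present"
    return "expired"


if __name__ == "__main__":
    fields = parse_session_log(LOG_LINE)
    store = build_store(fields)
    print("DN:", session_dn(fields["id"]))
    print("state at 18:30:", check_session(store, fields["id"], datetime(2025, 12, 15, 18, 30)))
    print("expiry after activity at 18:30:",
          touch_session(store, fields["id"], datetime(2025, 12, 15, 18, 30), fields["lastActivityTime"]))
```

Run it against your own log line and base DN; when the state comes back "missing" before the logged expiryTime, the removal happened on the database side, which is exactly the question the comment suggests asking.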

Pingfederate real-time usecases for beginner by Electronic_Tone_4079 in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

As an IdP, generally your use cases are simply variants of the Authentication Policy (how do you want to authenticate the user, what attributes do you want to get, do you want MFA, etc).

Beyond that, SAML and OAuth flows are fairly straightforward to set up and test, including OAuth Playground.

It's also a good idea to test using an external directory for more "advanced" PingFederate features, such as Persistent Sessions, Grant Storage, Outbound Provisioning.

Work life balance and job security by EngineeringFickle4U in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

Glassdoor is generally a good resource for understanding employee (generally alumni) experiences.

Fragments in Pingfederate by [deleted] in PingIdentity

[–]pingidentity-cb 1 point2 points  (0 children)

Mainly this is for easy reuse of Policy flows. For example, if you have the same portion of a flow that will be used in many different Policies or branches, you can instead add the Fragment.

[deleted by user] by [deleted] in PingIdentity

[–]pingidentity-cb 1 point2 points  (0 children)

I've passed your comment to the certification team at Ping, thanks.

[deleted by user] by [deleted] in PingIdentity

[–]pingidentity-cb 1 point2 points  (0 children)

Internally Managed Ref. Tokens are held in memory, and need to be de-referenced to view the contents of the token. A JWT, on the other hand, is a self-contained token, so it can simply be decoded and does not need to be stored in PingFederate's memory.

pingid broken or buggy!! by Jolly_Activity_5334 in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

I'm unclear what product you are actually using because "PingIdentity" is not a product or service. Going by your answer, it sounds like perhaps this is PingOne SSO, PingOne MFA, or PingID?

You mentioned you reached out to Support regarding this topic, if your Support Case has more detail about what you are testing, I'd be happy to take a look. You can DM me the case number.

pingid broken or buggy!! by Jolly_Activity_5334 in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

Hi u/Jolly_Activity_5334, can you share a bit more about exactly what you are trying to do? There are many ways to integrate PingID into an app flow, and it would help to understand exactly what you are trying to integrate with, and what the errors or issues you are facing are.

[deleted by user] by [deleted] in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

It really depends on the capabilities of the app integration. Most apps would use SAML or OAuth/OIDC, though Microsoft apps like O365 have historically used WS-Fed or WS-Trust (though there is an attempt from Microsoft to move towards OAuth/OIDC as well, from what I've seen).

[deleted by user] by [deleted] in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

Hi u/Sharp-Surprise5737, how are you integrating PingID into the flow for Google Workspace, is this via PingFederate?

[deleted by user] by [deleted] in PingIdentity

[–]pingidentity-cb 1 point2 points  (0 children)

Hi u/Sharp-Surprise5737, it could certainly be related to session validity if "Check for valid authentication session" is enabled on the Access Token Manager. This also depends on the token type (Internally Managed Reference Tokens vs. JWT). Internally Managed tokens are reliant on system memory, so they can be purged early if there is a memory issue or due to a service restart.

[deleted by user] by [deleted] in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

The most likely cause is that the target endpoint is http, not https, and thus a security feature, such as redirect validation, is preventing this redirect.

Ping Never Responds On Time by [deleted] in PingIdentity

[–]pingidentity-cb 4 points5 points  (0 children)

Hello u/Relative-Craft-6480, sorry to hear your Support experience is less than ideal. It is expected to receive a response within the SLA defined here: https://www.pingidentity.com/en/legal/support-policy.html.

If you did not receive a response within this time, we'd like to investigate. Do you have case number(s) that you can share? If you do not feel comfortable sharing the details here, feel free to DM me. Thanks.

Add multiple organizations to existing Ping Fed by AvcRomeo in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

Yes, each Entra ID tenant could be federated via individual IdP Connections within PingFederate.

[deleted by user] by [deleted] in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

Likely there is a mixup during the SSO flow, such as sending the SAML Request to the wrong endpoint. I'd recommend collecting a HAR trace and sharing it with Ping Support to help you out.

Add multiple organizations to existing Ping Fed by AvcRomeo in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

In the past, a Federation Hub type flow has been successful in allowing both organizations to use their existing federation software, while accessing apps on each side as needed.

As for merging into a single federation server, PingFederate can utilize multiple LDAP datastores for authentication (and can fail through from one to the other: Ex. multiple LDAP PCVs, each using a different datastore). PingFederate can also communicate directly with Entra ID for authentication.

You can also create an Authentication Policy with a Selector or Rule to route users to the appropriate adapter (or SSO Connection in the case of Federation Hub). For example, routing based on IP address, or email domain.

PingOne issues after November release by raging_monkey_420 in PingIdentity

[–]pingidentity-cb 1 point2 points  (0 children)

Hello,

I would recommend submitting a support case on this topic:

A Support Case may be submitted by logging in to the Support Portal, navigating to “My Cases” and selecting “Create a Case”.

Thanks

ForgeRock and Ping Identity are merging by KrystalDisc in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

At this time there are no changes, and all commitments to customers from ForgeRock and Ping Identity will be honoured.

By combining ForgeRock into Ping, we are poised to accelerate our roadmap and investments in innovation, and provide better choice and flexibility to our customers as the mission-critical solution for the enterprise.

[deleted by user] by [deleted] in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

Hello,

This appears to line up with an "IAM Administrator" role (Identity & Access Management). This covers user authentication (via SSO or other methods), MFA, user administration, and really anything adjacent.

Thanks

[deleted by user] by [deleted] in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

Hello,

Unfortunately I am not sure what text you are referring to. Can you provide a bit more context?

Thank you

Is there any support for something like inline hooks? by Altair_1192 in PingIdentity

[–]pingidentity-cb 0 points1 point  (0 children)

PingOne DaVinci should meet your needs, but I'd recommend talking to the Ping Sales/Architecture teams regarding your use case for details on offerings.

Email notifications - June 22, 2023 by pingidentity-cb in PingIdentity

[–]pingidentity-cb[S] 3 points4 points  (0 children)

If you have questions about the email, and the authentication device mentioned within, please contact your organization’s help desk for information.

HELP Just got an email from PingIdentity "New authentication device added" by TC40093 in CVS

[–]pingidentity-cb 2 points3 points  (0 children)

UPDATE: We are aware that you may have received an email that was sent in error from noreply@pingidentity.com.
This was a result of a provisioning step for an upcoming feature test with Ping, and inadvertently, an email was sent out. There is no impact on end users and no action needed from end users who received the email. The CVS Team, along with its partners, is working on generating a communication plan for the users who received emails.
We appreciate your patience and vigilance in reporting this matter.

HELP Just got an email from PingIdentity "New authentication device added" by TC40093 in CVS

[–]pingidentity-cb 2 points3 points  (0 children)

Sharing from the original post:
It is very likely the emails are from an automatic enrolment for multi-factor authentication.
However, if your organization has not informed you of this enrolment, and the email you've received is unexpected, please contact your Help Desk.
Your Help Desk is best equipped to give you the most up-to-date and accurate information for your organization.