An important balance of a strong product organization is the ability to consistently deliver new functionality while maintaining easy-to-use products. At Ping, we're highly focused on this. PingFederate 9.0 is a major update that will be released later this year. There are lots of new features, but we've also addressed simplification in major ways. In this release, we've focused on three major areas: 1) consumer authentication and self-service, 2) OAuth and OpenID Connect features to continue improving our support of modern identity and access management (IAM) use cases such as Open Banking and 3) simplifying large clusters of PingFederate and clusters that need to dynamically grow and shrink as demand changes. All of this makes up one of the most significant releases of PingFederate.
Consumer Authentication, Registration and Profile Management
Consumers expect an easy-to-use experience. It's almost invalid to measure it as an expectation--it just is. If the experience isn't simple and elegant, consumers will go elsewhere. This is why we felt it was important to improve the consumer experience around authentication and self-service registration and profile management.
In PingFederate 9.0, you'll see new capabilities around integrating password authentication with authentication from social providers and other third-party IdPs. You'll have the option to present a login form to users where they can choose if they want to authenticate with a password or via a social provider, or when they don't have an account, to self-service register. This all builds on PingFederate's authentication policies, a rich framework used to define a user's overall authentication requirement based on browser request context and individual authentication results. Authentication policies are heavily used by customers, so extending PingFederate for more consumer use cases will be simple.
Open Banking Compliance and Future Open Initiatives
The Open Banking initiative in the United Kingdom continues to make progress toward their January deadline. This is a major industry effort driving innovation in the financial industry. If you aren't employed by a bank, you may be wondering what it has to do with you. Although Open Banking currently targets a specific set of companies, the OpenID Connect profiles the initiative is adopting--and the way they enable users to control how services are authorized to access their data--is the model users will expect in other industries in the near future.
To support projects like Open Banking, we're actively adding many new enhancements to OAuth and OpenID Connect. This spans from additional security options like improving support for authenticating some OAuth clients using MTLS while authenticating others with private_key_jwt, or enabling net new use cases like support for Dynamic Client Registration, RFC7591 (https://tools.ietf.org/html/rfc7591). There are too many enhancements to list here, so look for the release notes for more details.
Simplifying Large Deployments with Adaptive Clustering
PingFederate's clustering is what distributes state in the cluster to allow customers to deploy multiple runtime nodes and to distribute load across those nodes using a load balancer. This is generally done to maintain required performance while under load and to ensure state resiliency in the event one or more nodes goes offline. PingFederate can track many different types of state, but you can generally think of this as things like how PingFederate associates one HTTP request from the user's browser to another, and how other data is temporarily stored and retrieved like reference style access tokens or SAML artifacts.
Clustering configuration in PingFederate is generally simple for smaller clusters--fewer than six nodes--but it gets more complex for larger clusters. The existing state management services in PingFederate enable very sophisticated configurations to properly manage state for larger clusters, but there are two areas we wanted to improve: simplifying configuration and improving cluster elasticity. We've nailed it with adaptive clustering.
Adaptive clustering is a new clustering option that's an alternative to the existing clustering option, now referred to as directed clustering. When upgrading to PingFederate 9.0, customers won't be required to change their clustering architecture, but the benefits to switching to adaptive clustering are clear. Adaptive clusters can support many nodes--tens, hundreds and even thousands--without complicated configuration to define things like sub-clusters and state servers. Adaptive clusters can also easily grow and shrink as demand changes, even when ten or more nodes need to come on or offline. These two things are generally difficult to support with directed clustering, which requires a static configuration to direct how the cluster manages state. Exactly how this is possible is an entire blog post on its own, but to summarize, adaptive clustering assigns all state information to addresses. Each node in the cluster is responsible for a set of addresses, with some overlap for redundancy. Any node that receives a browser request and needs to look up or store state information will be able to do so based on the address for that state data.
That's it for now. Look for PingFederate 9.0 later this year. We would like to make a preview available before general availability, so ask your account rep for more details.