Upgrading PingFederate
The following list is a high-level overview of the steps that you need to follow to upgrade PingFederate. Click each link to view the steps that you need to follow to complete the task.
Step 1: Download PingFederate
Download the latest build of the minor version and patch of PingFederate supported by your product, as indicated by its system requirements.
Step 2: Obtain PingFederate license
You can obtain a new PingFederate license by opening a technical support case via the PTC eSupport portal.
Step 3: Upgrade PingFederate
For upgrade instructions, see PingFederate upgrade documentation.
Step 4: Apply the patch on the upgraded PingFederate installation
After upgrading PingFederate, you need to apply the respective PingFederate patch on the upgraded PingFederate installation. The patch should be applied according to the instructions provided by PingFederate.
* 
To complete cross-domain support, you must apply similar changes to Tomcat. For more information, see the PTC Tech Support article.
Step 5: Configure PingFederate to always return scope
Create or edit the oauth-scope-settings.xml file that is available in the <PingFederate Installation Folder>/server/default/data/config-store location as follows:
<?xml version="1.0" encoding="UTF-8"?>
<z:config xmlns:z="http://www.sourceid.org/2004/05/config">
<z:item name="always-return-scope-for-authz-code">true</z:item>
</z:config>
Step 6: Restart PingFederate
Restart the PingFederate server.
Step 7: Deploy the PingFederate license file
1. From a Command Prompt window, browse to PingFederate/bin, and execute the run.bat on Windows or run.sh on Linux to start PingFederate.
It might take sometime to start PingFederate.
2. When the message PingFederate running is returned, open the PingFederate URL in the following format in your browser: https://<hostname.domain.com>:9999/pingfederate/.
3. In the Import License window, click Choose file and navigate to the license file.
4. Click Import.
5. When you are redirected to the PingFederate login page, enter your user name and password.
6. Verify the configuration settings in the administrative console to ensure that all configurations are working correctly.
Step 8: Cross-domain configuration for the SameSite cookie attribute
Make sure that the cross-domain configurations for the SameSite cookie attribute are applied to Tomcat. For more information, see the PTC Tech Support article.
Step 9: Reaccepting scopes in Grant page after the upgrade
When Upgrade is done from PingFederate 9.3 and earlier and up, administrators and end users will be prompted to accept the Scopes in the Grant page again.
Step 10: Deleting PingFederate Oauth Tokens Created by ThingWorx Flow after Upgrading PingFederate 9.3.3 to PingFederate 11.x
You must perform these steps if you have ThingWorx Flow installed and have connectors configured with PingFederate Central Auth Server (CAS) like ThingWorx resource server or Windchill resource server.
* 
If these steps are not implemented , all workflow executions using the PingFederate provider will fail.
1. Browse to TWX Composer > Subsystem > WorkflowSubsystem.
2. Run DeleteOAuthAccessToken service for the OAuth provider that represents the upgrade PingFederate. Run the service for all users. This is done by leaving User Name empty. You can find all OAuth provider names under the OAuth Providers tab in the ThingWorx Flow application.
3. Edit the connectors under the Connectors tab in ThingWorx Flow application where the connection type is OAuth Named User. This recreates the token for these connectors for the selected named user.
Was this helpful?