---
title: Limitations
description: This page lists current known issues and limitations of the Orchestration SDKs.
component: orchsdks
page_id: orchsdks:release-notes:limitations
canonical_url: https://developer.pingidentity.com/orchsdks/release-notes/limitations.html
revdate: Wed, 8 Apr 2025 12:47:20 +0100
keywords: ["Compatibility", "Features", "Source Code", "SDK"]
section_ids:
  all_platforms: All platforms
  orchestration_sdk_for_android: Orchestration SDK for Android
  environment: Environment
  symptoms: Symptoms
  cause: Cause
  solution: Solution
  orchestration_sdk_for_ios: Orchestration SDK for iOS
  orchestration_sdk_for_javascript: Orchestration SDK for JavaScript
---

# Limitations

This page lists current known issues and limitations of the Orchestration SDKs.

## All platforms

* The Orchestration SDKs ***do not*** support authentication chains nor modules.

## Orchestration SDK for Android

* Using auth tabs for social sign-on to Facebook might fail if the Facebook app is also installed.

  > **Collapse: Details**
  >
  > Using the Orchestration SDK for Android for social sign-on to Facebook using an auth tab might fail on devices where the Facebook app is installed.
  >
  > The authentication flow exits the browser before completion, resulting in a `BrowserCanceledException` response in the client Android application.
  >
  > ## Environment
  >
  > This issue only occurs in following environment:
  >
  > * You are using Facebook as an external identity provider.
  >
  > * The client device has the Facebook app installed.
  >
  > * You have not imported the native Facebook SDK for Android into the app project.
  >
  >   * The client app has fallen-back to using an auth tab in Chrome to perform the social sign-in.
  >
  > Learn more about configuring social sign-on in Android apps in the following pages:
  >
  > * [Configure Android apps for social sign-on with Journeys](../davinci/use-cases/external-idp/android/index.html)
  >
  > * [Configure Android apps for social sign-on with DaVinci](../journey/use-cases/external-idp/android/index.html)
  >
  > ## Symptoms
  >
  > The following symptoms are indicative of this issue occurring:
  >
  > * The client app launches the web browser to authenticate the user with Facebook, but closes it again immediately.
  >
  > * The user returns to the client application without being able to authenticate to Facebook.
  >
  > * In the client application, the value of `redirectUri` is `null`.
  >
  > * The Orchestration SDK for Android outputs the following console output:
  >
  >   ```text
  >   Result from AuthTab, resultCode: 0, redirectUri: null
  >   BrowserCanceledException: Browser was canceled
  >   ```
  >
  > ## Cause
  >
  > The Android Facebook app is able to intercept the authentication flow in an auth tab by using Android intent resolution.
  >
  > This causes the social sign-on flow to exit the auth tab prematurely, without returning the necessary redirect URI to the client application.
  >
  > Without the redirect URI, the client application assumes the user closed the auth tab and returns the `BrowserCancelledException`, causing social sign-on to fail.
  >
  > ## Solution
  >
  > The Orchestration SDK for Android supports Facebook's native SDK libraries, which handle social sign-on directly rather than redirecting the user in a web browser.
  >
  > This can provide a smoother, more integrated experience for your users than the redirect method.
  >
  > To support a native experience you add the native libraries as dependencies in your Android application:
  >
  > ```gradle
  > // Facebook native sign-on SDK for Android
  > implementation("com.facebook.android:facebook-login:18.1.3")
  > ```
  >
  > Learn more about embedding Facebook libraries for social sign-on at:
  >
  > * [DaVinci flows](../davinci/use-cases/external-idp/android/04_customize_the_user_experience.html#android-facebook-sdk)
  >
  > * [Authentication journeys](../journey/use-cases/external-idp/android/04_customize_the_user_experience.html#android-facebook-sdk)

* Displaying CAPTCHAs or using the Ping (ForgeRock) Authenticator module in your application requires the presence of the Google Play Services.

* The Authenticator module of the Orchestration SDK for Android only supports Firebase Cloud Messaging service as a Push Notification provider.

* Social sign-on with auth journeys requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

* Biometric authentication is only supported on Android 7.0 or newer.

* Biometric authentication with auth journeys requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

* Biometric authentication requires the use of Google Play Services.

* When a biometric dialog, such as the *provide fingerprint* dialog, is dismissed, the application may become unresponsive.

* Biometric authentication does not distinguish individual biometrics (fingerprints or faces), but is limited to any registered for the device's current user account.

* Orchestration SDK for Android apps do not function correctly if they are minimized to picture-in-picture mode in [Android custom tabs](https://developer.chrome.com/docs/android/custom-tabs).

  The Orchestration SDK is not able to detect being minimized until API support from Google is available in Android.

## Orchestration SDK for iOS

* Data encryption with Secure Enclave is only available for iOS 10+ devices with TouchID or FaceID.

* Social signon with auth journeys requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

* The Google Sign-In SDK is only compatible with CocoaPods (Swift Package Manager is not supported).

* Sign In With Apple is only supported in iOS 13 and above.

* Biometric authentication with auth journeys requires PingAM 7.1 or the latest version of PingOne Advanced Identity Cloud.

* Biometric authentication does not distinguish between individual biometrics (fingerprints or faces), but is limited to the collection of biometrics registered for the device's current user account.

* For Biometric authentication, iOS only supports the ES256 signing algorithm, this is configured in the WebAuthn Registration node.

* For "usernameless" biometric authentication support in auth journeys, "limit registrations" must be disabled within the WebAuthn Registration node.

* Device Binding is not supported on iOS simulators. You must use a physical device to test Device Binding.

## Orchestration SDK for JavaScript

* The Orchestration SDK for JavaScript is currently unable to revoke PingOne-issued OIDC tokens when using Firefox and Safari, due to third-party cookie protection.

* When resources are protected by PingGateway, the Orchestration SDK for JavaScript can only support transactional authorization if PingAM and PingGateway are on the same origin.

* FireFox does not support Touch ID as a WebAuthn device on Mac therefore it limits some WebAuthn node configurations.

* The SDK requires polyfills to function in IE 11 and Legacy Edge.

* In WebKit for both macOS and iOS, the "Prevent Cross-site Tracking" option, which is enabled by default, can prevent the SDK from functioning when the app and PingAM are under different origins.

* Collecting location information requires the user's system preferences to allow browser access to location information.

* IndexedDB as a token storage strategy has a known issue with Firefox Private Mode. Use `localStorage` as an alternative.

* Social login with Apple requires the use of a form POST, so the "Redirect URL" cannot be an SPA as they are unable to handle a POST request.