Enhancements

Added virtual resources
You can configure virtual resources which do not correspond to a literal resource in an application. When an end user attempts to access a virtual resource, PingAccess generates a response that you configure. You can use virtual resources to create redirects or to support single-page applications. See Adding application resources for more information.

Added customized authentication challenge responses
You can configure customized authentication challenge responses to provide better support for single-page applications. See Authentication and Configuring authentication challenge policies for more information.

Added an integration with Splunk
You can integrate PingAccess with Splunk, making monitoring and reporting data available through Splunk. See Writing audit logs for Splunk for more information.

Added an administrative mode where Admin Authentication configuration is read-only
You can configure users with a new role, which gives administrative users full access to almost every feature except for changing the authorization configuration. This lets you give administrators broad access but prevents accidental lockout. See Configuring API authentication and Configuring admin UI SSO authentication for more information.

Added ability to specify HTTP methods for resources
You can include HTTP methods when defining an application resource. See Adding application resources for more information.

Added ability to map identity JWT as bearer token
Within a JWT identity mapping, you can now include the JWT in the authorization request header field as a bearer token. See Creating JWT identity mappings for more information.

Added local access token validation for Admin API access
You can configure the Admin API to validate JWT access tokens issued by the admin token provider, letting you use an admin token provider that does not support token introspection. See Configuring API authentication for more information.

Added RS256 as a JWT signing algorithm
You can now use RS256 with a 2048-bit key size as a signing algorithm for JSON web tokens. This option is now the default for auth tokens.
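
The following Node.js code is an added example, not PingAccess code or its API. It illustrates what validating an RS256-signed JWT access token locally involves, as opposed to calling a token introspection endpoint, and so relates to both the local access token validation and RS256 entries above. The key pair, claim values, and the helpers `signToken` and `validateLocally` are constructed for illustration.

```javascript
// Added example, not PingAccess code: local validation of an RS256-signed JWT.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed issuer key pair; 2048-bit RSA matches the key size named in the text.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Hypothetical helper: mint a token the way a token provider would.
function signToken(claims, key = privateKey, alg = 'RS256') {
  const header = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const input = `${header}.${b64url(JSON.stringify(claims))}`;
  // RSA key + sha256 gives RSASSA-PKCS1-v1_5 with SHA-256, which is RS256.
  return `${input}.${b64url(crypto.sign('sha256', Buffer.from(input), key))}`;
}

// Hypothetical validator: needs only the issuer's public key, no introspection call.
function validateLocally(token, issuerKey, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm on the validator side; the token header must not choose it.
  if (header.alg !== 'RS256') return { ok: false, reason: 'alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const sig = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('sha256', signed, issuerKey, sig)) return { ok: false, reason: 'signature' };
  // Claims are trusted only after the signature check has passed.
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  if (claims.iss !== issuer) return { ok: false, reason: 'issuer' };
  if (claims.aud !== audience) return { ok: false, reason: 'audience' };
  return { ok: true, claims };
}
```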

Added ability to configure username attribute for Admin SSO
When you configure Admin SSO, you can now select the attribute to use as the username. See Configuring admin UI SSO authentication for more information.

Added environment name
You can configure a name for your PingAccess environment, which is displayed in the menu bar. See Changing the Environment Name for more information.

Added server-side wildcard support for cross-origin request rules
When you configure a cross-origin request rule to use a wildcard, you can replace the Access-Control-Allow-Origin response header with the value in the request's Origin header. See Adding a cross-origin request rule for more information.
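
The following JavaScript is an added example, not PingAccess code or configuration. It models the difference between answering with a literal `*` and answering with the request's Origin value, and shows a review check for the combination that deserves attention. The rule fields `allowedOrigins`, `reflectOrigin` and `allowCredentials` and the function names are hypothetical.

```javascript
// Added example, not PingAccess code: generic model of a CORS rule with a wildcard.
// Field names (allowedOrigins, reflectOrigin, allowCredentials) are hypothetical.
function corsHeaders(rule, requestOrigin) {
  if (!requestOrigin) return {}; // no Origin header: not a cross-origin request
  const wildcard = rule.allowedOrigins.includes('*');
  if (!wildcard && !rule.allowedOrigins.includes(requestOrigin)) return {};

  if (wildcard && !rule.reflectOrigin) {
    // Literal wildcard. Browsers reject "*" on credentialed requests,
    // so Access-Control-Allow-Credentials is deliberately not sent here.
    return { 'Access-Control-Allow-Origin': '*' };
  }

  // Server-side wildcard or exact match: answer with the caller's own origin.
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    // The response now differs per origin, so caches must key on Origin.
    'Vary': 'Origin',
  };
  if (rule.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Review helper: returns findings for rule combinations worth a second look.
function reviewRule(rule) {
  const findings = [];
  const wildcard = rule.allowedOrigins.includes('*');
  if (wildcard && rule.reflectOrigin && rule.allowCredentials) {
    findings.push('wildcard with reflected Origin and credentials: ' +
      'any origin can read authenticated responses; list explicit origins instead');
  }
  if (wildcard && !rule.reflectOrigin && rule.allowCredentials) {
    findings.push('literal "*" with credentials: browsers block credentialed requests');
  }
  return findings;
}
```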

Added proxied PingFederate configuration option
You can configure PingAccess to proxy a PingFederate runtime that's being used as a token provider, making configuration of PingFederate less error-prone when PingAccess is proxying to PingFederate. See Configuring a proxied PingFederate runtime for more information.

Added exclusion list capability for header identity mappings
You can configure an identity mapping to include all attributes as headers except for those you specify. This reduces the number of steps it takes to add new attributes to identity mappings: you only need to add the attribute at the token provider. See Creating header identity mappings for more information.

Added administrative token provider option
You can use a separate token provider for accessing the PingAccess UI and Admin API, letting you provide for account segregation. See Configuring an admin token provider for more information.

Added OAuth client rule
You can create rules that grant or deny access based on one or more OAuth Client IDs, making it easier to restrict access based on the Client ID without resorting to Groovy. See Adding OAuth client rules for more information.

Added scopes to one-time authorization rules
You can include standard or custom scopes in the OIDC backchannel authentication request to more clearly communicate the details of the request to the end-user through the CIBA request. See Adding one-time authorization rules for more information.

Improved metadata usage in identity mappings
The attribute name fields in identity mappings now expose information from the transaction's metadata, letting you select from known attributes such as pi.sri. See Creating header identity mappings and Creating JWT identity mappings for more information.

Added support for client certificate authentication with self-signed certificates
PingAccess now supports client certificate authentication with self-signed certificates, providing additional flexibility in certificate handling. See Defining engine listeners and Configuring virtual host trusted certificate groups for more information.

Resolved issues

Ticket ID Description
N/A Fixed potential security issues.
PA-13005 Updated the Collect Support Data (CSD) tool to use the --sanitize flag by default.
PA-13034 Fixed an issue that caused one-time authorization rules to be unusable in some environments where PingFederate is protected by PingAccess.
PA-13158 Fixed an issue that sometimes caused a read timeout during rule evaluation for HTTP Request Parameter rules or Groovy rules that read the body content.
PA-13183 Fixed an issue that treated invalid transfer encoding values as valid instead of sending a 400 response.
PA-13182 Fixed an issue that caused rule set types to display incorrectly in the policy list for an application or resource.
PA-13136 Fixed an issue that caused the PingAccess Sideband API integration to incorrectly format access tokens for PingDataGovernance.
PA-13216 Fixed an issue that sometimes caused PingAccess to generate incorrect responses when parsing invalid query strings or URL-encoded form data.
PA-13153 Fixed an issue that caused API calls to endpoints where the ID is a UUID to fail if there was an empty query parameter.
PA-13151 Fixed an issue that caused a memory leak when the coreThreadPoolSize was set to a large value.
PA-13004 Updated AWS CloudHSM library to version 3.1.2.
PA-12878 Added a Keep Alive Timeout setting to the Site creation user interface.
PA-13223 Fixed an issue that prevented PingAccess from responding correctly to requests with an incorrect content type if HAR logs were enabled.
PA-10922 Fixed an issue that prevented PingAccess from communicating with PingFederate if PingFederate was configured to use HTTP for runtime endpoints and configured as the token provider.
PA-13172 Fixed an issue that caused only HTTPS warnings to be returned during configuration import.
PA-13147 Fixed an issue that failed to display a warning message when attempting to configure Admin SSO to use single logout if PingOne for Customers is configured as the token provider and it does not advertise an end session endpoint.
PA-13323 Fixed an issue that displayed spurious warning messages when saving resources with the same path patterns but different query parameters.
PA-13222 Fixed an issue that caused upgrades to fail if a past upgrade had incorrectly left a backup file in place.
PA-13201 Fixed an issue that prevented disabled resources from being enabled through the UI.
PA-13154 Fixed an issue that caused duplicate logging for READ_COMPLETE and WRITABILITY_CHANGED events.
PA-12716 Fixed an issue that caused the ACME status to incorrectly display for chain certificates when a leaf certificate was ACME-managed.
PA-12979 Fixed an issue that showed an incorrect ACME status for key pairs if the certificate request was issued by an ACME server that is not currently the default, and prevented updates to such key pairs.
PA-13175 Fixed an issue that restricted the attributes available for exclusion lists in JWT identity mappings.
PA-13138 Fixed an issue that caused PingFederate scopes to be used for web session and Admin SSO fields when PingOne for Customers is configured as the token provider.
PA-13137 Fixed an issue that prevented an incompatibility warning from displaying if a site with a token mediator site authenticator is configured when PingOne for Customers is configured as the token provider.
PA-13257 Fixed an issue that caused incomplete calls to the /applications/:id or /applications/:id/resources/:id endpoints to generate unclear log entries and error messages.
PA-13229 Fixed an issue that allowed multiple applications to exist with the same virtual host and context root if the paths were not set to case-sensitive.
PA-13337 Fixed an issue that caused PingAccess to fail to respond to requests with invalid content types if HAR logging was enabled.
PA-13333 Fixed an issue that prevented web session management cookies from being cleared correctly if the cookie name contained more than one period.
PA-13362 Fixed an issue that prevented PingAccess upgrades from version 6.0 or later if OAuth key rolling was enabled and the key ID index had wrapped.
PA-13161 Added a UI indicator for key pairs that displays the name of any associated HTTPS listener.
PA-13427 Fixed an issue that prevented access to the PingAccess UI using the Chrome browser included in Catalina if PingAccess was using a self-signed certificate.
PA-13551 Fixed an issue that prevented nonce cookies from being deleted due to an incorrectly-included domain field.
PA-13200 Fixed an issue that hid the Add Resource option while manual resource ordering was being configured.
PA-13499 Fixed an issue that prevented unknown methods from being added to application resources through the user interface.
PA-13353 Fixed an issue that gave the pa.jwk file write permission after an upgrade.
PA-13441 Fixed an issue that caused an incorrect proxyRoundTripMS value in logs.
PA-13160 Fixed an issue that prevented a configuration exported from a standalone PingAccess system from being used on a clustered console system.
PA-12634 Fixed an issue that sometimes preserved duplicate key pairs created during an upgrade.
PA-13567 Fixed an issue that prevented PingAccess from determining the realm if the X-Forwarded-Proto header contained uppercase characters.
PA-13579 Fixed an issue that prevented a cross-origin request rule from being applied to both the web policy and the API policy of a Web + API application.
PA-13504 When PingAccess adds a PingAccess cookie to a response, it now also adds headers indicating that the response should not be cached.
PA-13605 Fixed an issue that caused errors if a signing algorithm using lowercase values was provided through the admin API.
PA-13593 Fixed an issue that caused importation of a PingAccess configuration to fail in some cases if the configuration file included key pairs with plain text passwords.
PA-13738, PA-13694 Fixed an issue that displayed some invalid UI options for Auditor users.
PA-13544 Fixed an issue that caused non-ASCII characters in query strings to be parsed incorrectly.
PA-13721 Fixed an issue that replaced the + character with a space in CIBA rules.
PA-13600 Fixed an issue that allowed multiple rows to be designated as the subject row in an identity mapping inclusion list.